Survey Results Reveal P-Card Control Opportunities

If you assume that most organizations require cardholders and the “manager-approvers” to sign an internal agreement pertaining to their card program role and responsibilities, I have contrary news. According to a survey on internal controls conducted by AP Now at the end of 2018, only 29% of the respondents whose organizations have a card program follow the best practice of requiring both groups to sign such an agreement. These organizations represent all types and sizes, proving that best practices are accessible to everyone. Keep reading to see more about the survey results, including a surprising outcome concerning card limits and restrictions.

Internal Agreements

Most organizations only require cardholders to sign an internal agreement, but there are even some organizations that do not utilize one at all. If you do not have one, make it a priority to develop one. Further, ensure your organization is not overlooking the manager-approvers who are responsible for confirming that cardholders’ transactions comply with program policies and procedures. Requiring them to sign an internal agreement helps reinforce accountability for their role.

See more about internal agreements, including sample statements to include.

Card Controls

The survey by AP Now, which pertained to all sorts of AP-related controls, not just cards, also explored card controls like spend limits. Respondents were directed to check which ones—from a list of six—they apply to all or most cards. As shown in the graph below, it is very common to utilize a monthly/cycle spend limit, but the results for the other controls are lower than what I expected. Hence, there is ample opportunity here.

[Graph: Card Controls Utilized (AP Now survey)]

Approximately one-third of respondents’ organizations only apply one or two of the above card controls to all or most employees’ cards. While I always try to steer end-user organizations away from being overly restrictive (to prevent declines of legitimate transactions and encourage card usage), I do recommend taking advantage of what is available. The key is to strike the right balance, aligning card controls with program goals. At a minimum, besides utilizing a monthly/cycle spend limit, organizations should block “high risk” merchant category codes (MCCs), including automated teller machines (ATMs).

Final Thoughts

Internal agreements and card controls are basic components of a program that help deter fraud. I have to wonder if the organizations that fall a bit short in these areas made conscious decisions about them or whether they simply got overlooked. The good news is both are easy to act on and improve.

If you are concerned about potential control gaps within your program, consider attending the three-hour virtual workshop on P-Card risk assessments June 25, hosted by AP Now.

Help your card program withstand the elements that could impede its success. Strengthen the protective controls.


About the Author

Blog post author Lynn Larson, CPCP, is the founder of Recharged Education. With 20 years of Commercial Card experience, her mission is to make industry education readily accessible to all.

A P-Card Separation of Duties Dilemma

How strong is the separation of duties within your P-Card program? An auditor who used my risk analysis template contacted me recently because one AP clerk performs accounting-related tasks that I recommend be split among two or three people. She described how this employee is responsible for: 1) downloading the file of transaction data from the card issuer, 2) making any necessary corrections to account/budget codes within the file, and 3) uploading the corrected file into their accounting/finance system. She asked me about the risks and what I would suggest they change. Certainly, this organization is not alone in having limited accounts payable resources, which makes complete separation of duties difficult to achieve. As a result, compensating controls are even more important. Keep reading to see more about the dilemma noted above and suggestions for improving the situation.

Risks

Within the text file format (.txt)—the format of the interface file downloaded from the issuer—someone can change any part of the data, not just account/budget codes. This organization confirmed to me that there is no record or report of the changes the AP clerk makes within this file. For instance, she could change a vendor name to hide where someone made a purchase.

If the AP clerk also has the ability to order/request new P-Cards, then she could order a card for herself, use it for personal purchases, and change the cardholder name of the resulting transactions in order to conceal her fraud. While this example is a bit far-fetched, it could still happen. Even though internal departments have the opportunity to review spend reports generated by the accounting system (as a compensating control), they may or may not catch something like this. On a side note, monitoring new cards issued each month is a control for catching unauthorized cards.

Suggestions

  • Make every effort to separate the duties and/or establish the appropriate oversight.

  • Avoid making any changes within the downloaded interface file. Besides the risks noted above, it is too easy to accidentally do something that shifts the data, which can cause problems when uploading to the accounting system. Make the necessary corrections after the file is uploaded.

  • Inquire about the ability of the accounting system to produce an audit trail—a record or report—of changes made. If one is available, a supervisor should review it.

  • Compare reports from the card issuer’s system to reports from the accounting/finance system to ensure accuracy. At least do some spot checking concerning vendor and/or cardholder totals. For example, if a report from the card issuer shows John Smith spent $3,100 for the cycle, verify against the accounting system. This type of activity should be completed by someone who is not involved with the three steps noted above in the post introduction.

  • Finally, contact cardholders and their manager-approvers about any coding errors, so they can learn from the mistakes.
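
For teams that want to automate the comparison of issuer reports against the accounting system, here is a sketch of that reconciliation. It is an added example, not part of the original post or the risk analysis template. The pipe-delimited layout, the field names, the `txn_id` key and all sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed sample data; the field names and pipe-delimited layout are
# assumptions, not any issuer's real interface format.
ISSUER_FILE = """txn_id|cardholder|vendor|amount|account_code
T1001|John Smith|Office Depot|1200.00|6100
T1002|John Smith|Delta Air Lines|1900.00|6100
T1004|Pat Clerk|Jewelry Outlet|800.00|6300
"""
ACCOUNTING_EXPORT = """txn_id|cardholder|vendor|amount|account_code
T1001|John Smith|Office Depot|1200.00|6150
T1002|John Smith|Delta Air Lines|1900.00|6100
T1004|Ann Lee|Office Supply Co|800.00|6300
"""

# Only coding fields are expected to differ between issuer and accounting.
EDITABLE_FIELDS = {"account_code"}

def load(text):
    """Parse a pipe-delimited file into {txn_id: row}."""
    return {r["txn_id"]: r for r in csv.DictReader(io.StringIO(text), delimiter="|")}

def reconcile(issuer_text, accounting_text):
    """Return (field-level findings, per-cardholder total mismatches)."""
    issuer, books = load(issuer_text), load(accounting_text)
    findings = []
    for txn_id in sorted(issuer.keys() | books.keys()):
        src, dst = issuer.get(txn_id), books.get(txn_id)
        if src is None or dst is None:  # record which side lacks the transaction
            findings.append((txn_id, "missing", "issuer" if src is None else "accounting"))
            continue
        for field in src:  # any change outside the coding fields is a finding
            if field not in EDITABLE_FIELDS and src[field] != dst.get(field):
                findings.append((txn_id, field, f"{src[field]!r} -> {dst.get(field)!r}"))
    totals = defaultdict(lambda: [Decimal(0), Decimal(0)])  # [issuer, accounting]
    for side, rows in enumerate((issuer, books)):
        for r in rows.values():
            totals[r["cardholder"]][side] += Decimal(r["amount"])
    mismatched = {n: tuple(t) for n, t in totals.items() if t[0] != t[1]}
    return findings, mismatched

if __name__ == "__main__":
    findings, mismatched = reconcile(ISSUER_FILE, ACCOUNTING_EXPORT)
    print(*findings, sep="\n")
    print(mismatched)
```

The account code correction on T1001 passes quietly, while the altered cardholder and vendor on T1004 are reported. The report should go to someone who does not handle the download, correction or upload steps.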

Risk Analysis Event and Template

In June, I will be delivering a three-hour virtual workshop on P-Card risk assessments, hosted by AP Now. One of the planned topics is potential risks related to accounting processes. For details and registration, please visit AP Now. As a bonus, attendees will receive a copy of the risk analysis template by Recharged Education, which normally sells for $89.99. It includes more than 100 questions to help you do a robust evaluation of P-Card controls.

Do you have a gap in your P-Card controls? Evaluate the risk and the potential solutions.


Keep an eye on your chip card.

Card/payment security is a key topic within organizations’ Commercial Card policies and procedures. You know the drill: lock them up when not in use, ensure a website is safe before entering payment information, be attentive to phishing tactics, etc. Have you overlooked anything? Maybe. According to sporadic media reports, a risk associated with chip cards is that the chip could fall out. The risk is very small, but possible. A displaced chip could be used to create a counterfeit card, but this requires a fraudster getting a hold of it. 

Generally speaking, chip cards are durable. I’m aware of card issuers trying all sorts of things to test the durability; for example, putting them through the washing machine. (Yes, the cards came out fine.) Now the question is, what should you do with this news?

What to Do

As part of your Commercial Card program management efforts, communication is important. The best overall advice is to be mindful, but not get hysterical.

  • Make cardholders aware.
  • Update your training presentations accordingly.
  • Ensure your policies and procedures direct cardholders to contact your card issuer if they realize their chip is missing or even loose.

To date, I have not heard of any chip problems with Commercial Cards. However, industry professional Theresa Blatner informed me about a case at her workplace involving an employee’s personal card. She explained, “It was being used in our cafeteria. I contacted the café manager who said that the chip was loose on the card. The reader indicated an error and defaulted to using the mag stripe. He also said that he has seen a few cards with faulty chips—two of them where the chip fell out.”

Final Thoughts

The small risk of chips becoming loose or falling out does not detract from the benefits of card usage. Chip cards still offer greater security than cards with only a magnetic stripe and, with any type of card, there is fraud protection. All this being said, it could be a driver for increased adoption of mobile payments if/when it makes sense. The beauty is, we have all sorts of options within the realm of Commercial Cards.


About the Author

Blog post author Lynn Larson, CPCP, is the founder of Recharged Education. With more than 15 years of Commercial Card experience, her mission is to make industry education readily accessible to all.
