How strong are the separation of duties within your P-Card program? An auditor who used my risk analysis template contacted me recently because one AP clerk performs accounting-related tasks that I recommend be split among two or three people. She described how this employee is responsible for: 1) downloading the file of transaction data from the card issuer, 2) making any necessary corrections to account/budget codes within the file, and 3) uploading the corrected file into their accounting/finance system. She asked me about the risks and what I would suggest they change. Certainly, this organization is not alone in having limited accounts payable resources, which makes complete separation of duties difficult to achieve. As a result, compensating controls are even more important. Keep reading to see more about the dilemma noted above and suggestions for improving the situation.
Within the text file format (.txt)—the format of the interface file downloaded from the issuer—someone can change any part of the data, not just account/budget codes. This organization confirmed to me that there is no record or report of the changes the AP clerk makes within this file. For instance, she could change a vendor name to hide where someone made a purchase.
If the AP clerk also has the ability to order/request new P-Cards, then she could order a card for herself, use it for personal purchases, and change the cardholder name of the resulting transactions in order to conceal her fraud. While this example is a bit far-fetched, it could still happen. Even though internal departments have the opportunity to review spend reports generated by the accounting system (as a compensating control), they may or may not catch something like this. On a side note, monitoring new cards issued each month is a control for catching unauthorized cards.
Make every effort to separate the duties and/or establish the appropriate oversight.
Avoid making any changes within the downloaded interface file. Besides the risks noted above, it is too easy to accidentally do something that shifts the data, which can cause problems when uploading to the accounting system. Make the necessary corrections after the file is uploaded.
Inquire about the ability of the accounting system to produce an audit trail—a record or report—of changes made. If one is available, a supervisor should review it.
Compare reports from the card issuer’s system to reports from the accounting/finance system to ensure accuracy. At least do some spot checking concerning vendor and/or cardholder totals. For example, if a report from the card issuer shows John Smith spent $3,100 for the cycle, verify against the accounting system. This type of activity should be completed by someone who is not involved with the three steps noted above in the post introduction.
Finally, contact cardholders and their manager-approvers about any coding errors, so they can learn from the mistakes.
Risk Analysis Event and Template
In June, I will be delivering a three-hour virtual workshop on P-Card risk assessments, hosted by AP Now. One of the planned topics is potential risks related to accounting processes. For details and registration, please visit AP Now. As a bonus, attendees will receive a copy of the risk analysis template by Recharged Education, which normally sells for $89.99. It includes more than 100 questions to help you do a robust evaluation of P-Card controls.
Available Products & Services from Recharged Education
Submit a contact form to request a quote for what your organization needs.
Subscribe to the Blog
Receive notice of new blog posts.
About the Author
Blog post author Lynn Larson, CPCP, is the founder of Recharged Education. With 20 years of Commercial Card experience, her mission is to make industry education readily accessible to all. Learn more…