A P-Card Separation of Duties Dilemma

How strong is the separation of duties within your P-Card program? An auditor who used my risk analysis template contacted me recently because one AP clerk performs accounting-related tasks that I recommend be split among two or three people. She described how this employee is responsible for: 1) downloading the file of transaction data from the card issuer, 2) making any necessary corrections to account/budget codes within the file, and 3) uploading the corrected file into their accounting/finance system. She asked me about the risks and what I would suggest they change. Certainly, this organization is not alone in having limited accounts payable resources, which makes complete separation of duties difficult to achieve. As a result, compensating controls are even more important. Keep reading to see more about the dilemma noted above and suggestions for improving the situation.

Risks

Within the text file format (.txt)—the format of the interface file downloaded from the issuer—someone can change any part of the data, not just account/budget codes. This organization confirmed to me that there is no record or report of the changes the AP clerk makes within this file. For instance, she could change a vendor name to hide where someone made a purchase.

If the AP clerk also has the ability to order/request new P-Cards, then she could order a card for herself, use it for personal purchases, and change the cardholder name of the resulting transactions in order to conceal her fraud. While this example is a bit far-fetched, it could still happen. Even though internal departments have the opportunity to review spend reports generated by the accounting system (as a compensating control), they may or may not catch something like this. On a side note, monitoring new cards issued each month is a control for catching unauthorized cards.

Suggestions

  • Make every effort to separate the duties and/or establish the appropriate oversight.

  • Avoid making any changes within the downloaded interface file. Besides the risks noted above, it is too easy to accidentally do something that shifts the data, which can cause problems when uploading to the accounting system. Make the necessary corrections after the file is uploaded.

  • Inquire about the ability of the accounting system to produce an audit trail—a record or report—of changes made. If one is available, a supervisor should review it.

  • Compare reports from the card issuer’s system to reports from the accounting/finance system to ensure accuracy. At least do some spot checking concerning vendor and/or cardholder totals. For example, if a report from the card issuer shows John Smith spent $3,100 for the cycle, verify against the accounting system. This type of activity should be completed by someone who is not involved with the three steps noted above in the post introduction.

  • Finally, contact cardholders and their manager-approvers about any coding errors, so they can learn from the mistakes.
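The report comparison suggested above, as an added example (not part of the original post or any issuer's tooling): it totals constructed issuer and accounting-system exports by cardholder and by vendor and lists every name where the two systems disagree. The CSV column names and sample rows are assumptions.

```python
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed sample exports; column names are assumptions, not a real issuer format.
ISSUER_REPORT = """cardholder,vendor,amount
John Smith,Office Depot,1200.00
John Smith,Dell,1900.00
Mary Jones,Staples,450.25
Mary Jones,Best Buy,799.99
"""

# Constructed accounting-system export: one vendor name differs from the issuer's record.
LEDGER_REPORT = """cardholder,vendor,amount
John Smith,Office Depot,1200.00
John Smith,Dell,1900.00
Mary Jones,Staples,450.25
Mary Jones,Office Supply Co,799.99
"""


def totals(report_text, key):
    """Sum amounts per value of `key` ('cardholder' or 'vendor'), case-insensitively."""
    sums = defaultdict(Decimal)
    for row in csv.DictReader(io.StringIO(report_text)):
        sums[row[key].strip().casefold()] += Decimal(row["amount"])
    return dict(sums)


def reconcile(issuer_text, ledger_text, key):
    """Return {name: (issuer_total, ledger_total)} wherever the two systems disagree.

    A name present in only one system shows a total of 0 on the other side.
    """
    issuer, ledger = totals(issuer_text, key), totals(ledger_text, key)
    zero = Decimal("0")
    return {
        name: (issuer.get(name, zero), ledger.get(name, zero))
        for name in sorted(issuer.keys() | ledger.keys())
        if issuer.get(name, zero) != ledger.get(name, zero)
    }


if __name__ == "__main__":
    for key in ("cardholder", "vendor"):
        for name, (iss, led) in reconcile(ISSUER_REPORT, LEDGER_REPORT, key).items():
            print(f"{key} mismatch: {name}: issuer={iss} ledger={led}")
```

In the constructed data the cardholder totals match in both systems, so only the vendor comparison exposes the changed vendor name.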

Risk Analysis Event and Template

In June, I will be delivering a three-hour virtual workshop on P-Card risk assessments, hosted by AP Now. One of the planned topics is potential risks related to accounting processes. For details and registration, please visit AP Now. As a bonus, attendees will receive a copy of the risk analysis template by Recharged Education, which normally sells for $89.99. It includes more than 100 questions to help you do a robust evaluation of P-Card controls.

Do you have a gap in your P-Card controls? Evaluate the risk and the potential solutions.





About the Author

Blog post author Lynn Larson, CPCP, is the founder of Recharged Education. With 20 years of Commercial Card experience, her mission is to make industry education readily accessible to all.

Who audits the program manager?

In the life of a Commercial Card program, cardholders are routinely under a microscope. Yet, an auditor’s radar may fail to pick up the program manager or administrator (PM/PA). Even if the PM/PA is a rock star within the organization, no one should be exempt from an audit process. Following are six PM/PA aspects for your internal audit team to review.

PM/PA Aspects to Audit

1. Separate from the policies and procedures (P&P) cardholders must follow, are there current, documented procedures for tasks executed by the PM/PA? Examples include steps the PM/PA follows to establish a new card account, monthly reporting and analysis performed by the PM/PA, and how to resolve card usage issues like declined transactions.

2. Perhaps most important, does the PM/PA consistently follow documented procedures? For example: 

  • If the PM/PA must ensure a card applicant completes training prior to receiving a card, the auditor should review the timing of the training versus the timing of card issuance/activation.
  • If the PM/PA must notify a cardholder’s manager upon instigating a temporary limit increase, is there documentation (e.g., an email to the manager) to support this?   

3. What type of system access does the PM/PA have? Is there adequate separation of duties? For example, the same person should not be able to:

  • download transaction interface files from the issuer and upload into the finance system
  • upload transaction interface files into the finance system and make coding changes/other corrections to the uploaded information

If a lack of resources makes separation of duties impossible for certain activities, then, at a minimum, there should be sufficient means to monitor the PM/PA’s activity, such as an electronic audit trail and/or management oversight.  

4. Are there effective controls to ensure the PM/PA does not obtain unauthorized cards? In my role as a PM, an auditor asked what prevented me from getting and using a card without anyone knowing. I had to admit that it would be easy for me to obtain a card for myself, but I explained the detective controls that would catch this.

5. Is the PM/PA allowed adequate time to spend on card program management? If they are pulled in too many directions, it increases the risk to the organization and the program will likely flounder. An auditor can help shed light on this problem.

6. Is there sufficient backup for when the PM/PA is out of the office or otherwise unavailable? Select an appropriate employee—someone with the right skills—for this role. Also, if someone is trained as a backup, but does not routinely execute backup duties, then he or she might get rusty.


Final Thoughts

The PM/PA is critical to long-term card program success. An organization should design the role thoughtfully, hire wisely, and audit regularly (e.g., annually). 

Related Resources

If your organization would like assistance with developing the PM/PA role and/or audit process for the P-Card program, contact Recharged Education.


About the Author

Blog post author Lynn Larson, CPCP, is the founder of Recharged Education. With more than 15 years of Commercial Card experience, her mission is to make industry education readily accessible to all.


Should you regularly reassign program management?

During a recent presentation on detecting and preventing P-Card fraud, speaker Chris Doxey, Doxey Inc., suggested that the program administrator role should be rotated every two years to prevent collusion. I support the spirit of this control, but I’m not sold on the approach. (I’ll invite Chris to comment on this blog post.)

Rotating the responsibility comes with a training cost and it can result in the lack of a P-Card expert within the organization. Instead, focus on training a designated backup.

P-Card program management is a bona fide profession. While many program managers and administrators (PMs/PAs) do not spend 100% of their time on the program, effective program management requires specialized knowledge. Hire the right person for the job—a P-Card expert (look for the CPCP credential) with the skills to:

  • establish program buy-in
  • articulate and implement P-Card best practices
  • identify and resolve control gaps
  • quantify and communicate relevant metrics
  • suggest growth opportunities

Look for P-Card expertise when hiring a PM/PA.

The key to preventing collusion involving the PM/PA lies in other controls, such as separation of duties, enforcing accountability and process audits.

Examples of Separation of Duties

Limit access to the finance system(s), so the PM/PA cannot make payments to the card issuer or edit P-Card transaction information. Someone else should verify that internal records match the card issuer’s documentation (e.g., total spend per cardholder per cycle).

Do not allow the PM/PA to request a new card for an employee and subsequently receive the card in the mail. If it is not possible to separate these duties, ensure that someone else reviews a report from the card issuer of any new cards issued.

Accountability

To detect cardholder misuse or fraud, including potential cardholder collusion with the PM/PA, managers must be held accountable for:

  • monitoring cardholders’ compliance with policies and procedures (P&P)
  • reviewing cardholders’ transactions on a timely basis
  • reporting any suspicious purchases

Process Audits

As part of the auditing efforts, your internal and/or external auditors should scrutinize the PM/PA, in addition to cardholders and managers, for compliance with program P&P.

It is achievable to have effective P-Card controls and a designated—versus rotating—PM/PA.


The presentation I mentioned at the beginning was part of the annual conference by the Institute of Financial Operations (IFO), which I spoke at last week. Stay tuned for more tips and ideas from this event.

