How to reassure management about your P-Card controls.

It’s a classic battle: P-Card supporters versus P-Card resisters. You try to garner program buy-in, but management concerns about controls prevail. Why? How do you overcome this? Begin with a current risk assessment.

When was the last time you conducted such an analysis of your Purchase Card program? Some organizations have never completed this activity, but it is critical for documenting program risks and the mitigating controls. Besides helping to increase program buy-in among management and auditors, a risk assessment:

  • helps you identify any control gaps
  • can uncover program inefficiencies
  • provides the basis for process audits

There are various ways to approach a risk assessment. The ORCA framework is one:

  • Identify your organization’s program objectives
  • Determine the potential risks
  • Document existing controls
  • Specify the necessary actions to address areas that are lacking controls

If your organization has a risk assessment template, you could start with that or consider purchasing the P-Card-specific template from Recharged Education.

A risk assessment provides the foundation for the P-Card control environment.

As you complete the assessment process, here’s an example of something to evaluate. When I managed a P-Card program, an internal auditor asked me if I could obtain a card for myself without anyone knowing. I admitted there were no preventative controls for this. However, there were established detective controls, which were documented in a risk assessment.  

Keep in mind that more controls do not necessarily make a program better. To be successful, a Purchasing Card program must have effective controls to prevent and detect card fraud. The challenge is striking the right balance; you do not want to over- or under-control a program. Too many controls are costly, impacting the process savings inherent to P-Cards, while a lack of effective controls puts your organization at risk.


About the Author

Blog post author Lynn Larson, CPCP, is the founder of Recharged Education. With more than 15 years of Commercial Card experience, her mission is to make industry education readily accessible to all.

Reconstructing the crime scene—a case of internal card fraud.

A Harris County (TX) man used his company credit card to make personal gasoline purchases totaling more than $18,000, per a report by KTRK ABC Eyewitness News. Could this happen to your organization? What were the missing controls? The June 19 news story noted that the man, who was a truck driver for a northwest Harris County company, filled the gas tanks of family and friends between September 2013 and May 2014 in exchange for cash.

Do not become a victim of internal card fraud. Protect your organization by establishing the right controls. 

Getting Caught

The man’s boss became suspicious after noticing the average monthly fuel cost increase by as much as $4,000. Then his research revealed purchases of unleaded gas, but the company vehicles use diesel.

Per the 2014 Report to the Nations on Occupational Fraud and Abuse by the Association of Certified Fraud Examiners (ACFE), the median duration—the amount of time from when the fraud commenced until it was detected—for all schemes in their study was 18 months. The man’s boss beat the norm, but we are left wondering whether this was a fluke or the result of controls.

Recommended Controls

Clearly Defined Roles and Responsibilities

Managers fulfilling a reviewer/approver role are the first line of defense for detecting cardholder fraud. They need to understand the importance of the role and exactly what it entails. They should at least be spot-checking cardholders' receipts. It appears the man's boss was not doing so.

Mandated Training Beyond P&P

Do not limit manager training to P-Card policies and procedures. Train them on the red flag behaviors that might indicate fraud. According to the 2014 report by the ACFE, the top four are: living beyond one’s means, financial difficulties, unusually close association with a vendor/customer, and control issues (unwillingness to share duties).

Appropriate Spend Controls

Should the man in question have had lower spend limits? It’s a delicate balance. You do not want overly restrictive spend controls that cause legitimate transactions to be declined. However, you should regularly review the appropriateness of each cardholder’s limits.

Right Type of Card

Did the man have a P-Card or a true Fleet Card? A Fleet Card that allows an organization to: 1) limit the gallons of fuel purchased and/or 2) specify the information a cardholder must enter at the point of purchase, such as vehicle mileage, could have helped deter the fraud altogether. See a Fleet Card success story...

Reports for Department Managers (Reviewers/Approvers)

Provide each manager with a report of the purchasing history for his or her department, including comparisons between the current month and the same month in previous years. This can help a manager more quickly identify out-of-norm spending activity.

In the gasoline fraud case, if the manager had been trained to look for monthly fuel costs within a certain dollar range, he might have spotted the fraud even sooner. Also, because fuel costs can fluctuate widely, reporting should include the gallons of gas purchased each month.

Reports for the Program Manager

Each month, the P-Card program management team should be looking at spend by supplier (greatest to least) and by cardholder, comparing to the previous month and YTD. Define parameters for when research is warranted, such as a monthly change up or down by X% or more. Such reports also support your:

  • card usage goals by highlighting when card spend with a specific supplier suddenly drops (maybe a different payment method was used) and
  • strategic sourcing efforts (e.g., when YTD spend with a non-contract supplier reaches "X," you pursue a competitive bid)
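
The monthly exception reporting described in the two report sections above can be sketched as follows. This is an added example, not part of the original post: the transaction layout, the sample data, the 25% default for "X%" and the function names are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample transactions (not real data):
# (cardholder, month, fuel_type, gallons, amount_usd)
SAMPLE_TXNS = [
    ("driver_a", "2013-08", "diesel", 400.0, 1520.00),
    ("driver_a", "2013-09", "diesel", 410.0, 1560.00),
    ("driver_a", "2013-09", "unleaded", 300.0, 1050.00),
    ("driver_a", "2013-10", "diesel", 405.0, 1540.00),
    ("driver_a", "2013-10", "unleaded", 900.0, 3150.00),
    ("driver_b", "2013-08", "diesel", 380.0, 1444.00),
    ("driver_b", "2013-09", "diesel", 390.0, 1482.00),
    ("driver_b", "2013-10", "diesel", 395.0, 1501.00),
]

def monthly_totals(txns):
    """Sum gallons and dollars per (cardholder, month)."""
    totals = defaultdict(lambda: {"gallons": 0.0, "amount": 0.0})
    for holder, month, _fuel, gallons, amount in txns:
        totals[(holder, month)]["gallons"] += gallons
        totals[(holder, month)]["amount"] += amount
    return dict(totals)

def pct_change(prev, curr):
    """Percent change from prev to curr; None when there is no baseline."""
    return None if prev == 0 else (curr - prev) / prev * 100.0

def flag_exceptions(txns, fleet_fuel="diesel", threshold_pct=25.0):
    """Return sorted (cardholder, month, reason) tuples that warrant research."""
    findings = set()
    # Rule 1: a fuel type the company vehicles do not use.
    for holder, month, fuel, _gallons, _amount in txns:
        if fuel != fleet_fuel:
            findings.add((holder, month, "fuel type mismatch"))
    # Rule 2: change of threshold_pct or more, up or down, versus the
    # cardholder's previous reported month. Gallons are checked as well
    # as dollars because fuel prices fluctuate.
    totals = monthly_totals(txns)
    by_holder = defaultdict(list)
    for holder, month in totals:
        by_holder[holder].append(month)
    for holder, months in by_holder.items():
        months.sort()  # "YYYY-MM" strings sort chronologically
        for prev, curr in zip(months, months[1:]):
            for metric in ("gallons", "amount"):
                change = pct_change(totals[(holder, prev)][metric],
                                    totals[(holder, curr)][metric])
                if change is not None and abs(change) >= threshold_pct:
                    findings.add((holder, curr, f"{metric} changed {change:+.1f}%"))
    return sorted(findings)
```

On the constructed data, only driver_a is flagged: for unleaded purchases against a diesel fleet and for month-over-month jumps in both gallons and dollars.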

Proactive data monitoring and analysis was used by only 35% of the victim organizations...

(per the ACFE report)

For more information about controls, visit the related webpage. See also a related blog post about procurement fraud and card misuse.



A relabeled fraud triangle targets organizations’ faults.

Donald Cressey’s “fraud triangle” theory pegs factors that collectively lead someone to commit occupational fraud. We can apply a similar model to an organization’s role in internal card fraud. Do the following characteristics fit your organization? Possessing all three is a sure sign of a weak control environment, but having even just one can increase the risk of fraud.

Ignorance

A lack of education about Commercial Card controls and fraud prevention/detection techniques can cause an organization to focus on the wrong things and overlook others; for example, establishing overly restrictive card controls (spend limits, MCC blocks), but not addressing separation of duties.

Reluctance

Rooted in organizational culture, this trait can be exemplified in various ways; for example, a reluctance to:

  • invest the time to learn and follow best practices
  • believe that long-time, trusted employees can (and do) commit fraud      
  • consistently enforce program policies and procedures, regardless of job level

Comfort

While comfort is typically a good word, it can be problematic if an organization finds comfort in what it has always done, seeing no reason to change. An “implement and forget it” control strategy is never wise. What has worked in the past may prove to be ineffective now or in the future.

Avoiding the Triangle Trap

Hire the right program manager and utilize their expertise. Annually conduct a risk assessment to identify potential control gaps. Evaluate the effectiveness of your controls through audits. Keep pace with the changing nature of fraud.

Dial back your organization’s level of risk by avoiding traits that weaken the control environment.

Most fraudsters work for their employers for years before they begin to steal.
— 2014 Report to the Nations on Occupational Fraud and Abuse by the Association of Certified Fraud Examiners

More Information

For more information on the three elements of Cressey’s fraud triangle (pressure, opportunity and rationalization), refer to the Association of Certified Fraud Examiners (ACFE). Also access their resource referenced above: 2014 Report to the Nations on Occupational Fraud and Abuse.
