Conducting a P-Card risk assessment (also called a risk analysis) helps you spot any control gaps, can uncover program inefficiencies, may increase program buy-in among management and auditors, and provides the basis for process audits.
P-Card-Specific Information
To begin a P-Card risk assessment, document general facts about the program, such as:
- Date of the last risk assessment
- Program changes since then
- Year of program implementation
- Department/business unit responsible for program management
- Current card issuer
- Current number of cardholders/accounts
- Targeted dollar threshold for P-Card purchases
- Program metrics and benefits (to highlight the value of P-Cards)
- Information about internal card fraud cases (to put fraud into perspective)
This helps everyone who might review the assessment become more familiar with the program.
Eight Broad Topical Areas to Assess
Following the overview, break the P-Card program down into manageable chunks for assessment purposes; for example:
- Program policies and procedures (P&P)
- Card issuance processes
- Card controls
- Card usage/activity
- Card cancellation
- Accounting processes
- Information security
- Program management aspects
Within each topical area, determine baseline controls and whether your program meets these standards. For example, you could format the risk assessment as a series of related yes/no questions with an accompanying space for explaining the existing control. Designate additional space to note if action is needed to improve the control and, if so, who is responsible for each action item.
A Card Issuance Example
Risk assessment question: Is an employee’s manager required to provide documented approval before the card application is submitted to the issuer?
The answer might be “yes,” but you can take it further by evaluating the process. Are applications in paper form? If so, perhaps the existing control is that the applicant’s manager, in addition to the employee, must sign the application, but the risk is a forged signature. If your organization thinks a good answer is for accounts payable (AP) to retain a copy of each manager’s signature to compare against each application, this presents other issues. Besides being tedious to execute, the check requires keeping the copies of manager signatures both secure and current.
The action item to strengthen the control and improve the process could be changing to an electronic application and approval (e.g., email or system workflow approval).
The Balancing Act
More controls do not necessarily make a program better. The challenge is striking the right balance. As indicated above, conducting a risk assessment should help you avoid two broad risks:
- a lack of effective controls, which increases the likelihood of fraud, misuse and abuse
- applying too many controls, which are costly and impact the process savings inherent to P-Cards
Once you have completed a robust risk assessment, you do not have to start from scratch again each year. Make a copy of the previous version and then edit accordingly. It is possible that little will change from one year to the next, but reviewing annually supports a healthy control environment and successful program.