The shiny silver bullet for reducing cost and complexity via a robust purchasing card (PCard) program can be tarnished significantly with a purchasing card implementation that requires onerous cardholder record keeping and poorly designed transaction review processes.  While the benefit of implementing purchasing cards is widely accepted, the best approach to creating a controlled environment that properly balances risk with the costs of compliance is still subject to debate.

A recent Peercast^TM in the Corporate Card research area, featuring a large manufacturing company with hundreds of operating locations across the U.S. and Canada, focused on the topic of creating effective audits and controls for purchasing card activity.  Because of the large number of locations, during the past decade purchasing cards have been an important resource for reducing cost and complexity at this company.  Currently, approximately 20% of the workforce has a card, with usage covering all travel and expense, miscellaneous supplies, convention and meeting expenses, training, and other incidental purchases.  Specifically prohibited are purchases for production items, tax-exempt purchases, gift cards or other cash equivalent items, or payments to individuals or to unincorporated businesses.

Risks cited by our feature company that needs to be controlled include:

• Fraud or abuse related to personal purchases on the card
• Circumventing the procurement process for convenience
• Inadequate approval or review of expenses
• Purchases that are recorded in the incorrect account
• Violations of company policy, such as donations to political organizations or charities without proper approvals

To create a process for continuous monitoring, transaction data is loaded into an analytical software tool that connects with Human Resource data feeds, the vendor master file, and a merchant commodity code (MCC) table listing permitted and prohibited codes.  Data is reviewed to identify:

• High-value transactions and high amounts per month across multiple transactions
• Transactions to suspicious merchant codes
• Transactions for vendors who are active in the vendor file
• Duplicate and split transactions
• The late or missing cardholder or manager approvals
• Possible personal transactions or other violations via a keyword search

The company is using software tools to automate follow-up emails, and they are continuously reviewing the results to minimize false positives and to consider new risks. 

A related iPolling^TM question documented member company experience with this topic.  The first question asked how purchasing card transactions are selected for audit.  Interestingly, 12% of companies do no auditing and instead rely on compensating controls in the review process.  Of those that audit, 23% of member companies are using some type of intelligent software tool to set the audit criteria and identify suspicious activity that either requires review or is included in a population that is statistically sampled for audit.  The balance of the companies use a simple selection method based on transaction type or a specified percentage of transactions or cards.

Clearly, one of the compensating controls is to place responsibility on the cardholder’s manager to review purchasing card transactions.  The follow-up poll question asked member companies to comment on the satisfaction level with the management review process, with poll results indicating that this important control point isn’t as strong as most companies would like.  Only 12% of the companies were very satisfied, with 64% indicating that they were somewhat satisfied with the management review process.  The remaining 24% indicated that they were either neutral or dissatisfied with the quality of the reviews. 

Here are some of the additional comments from iPolling participants:

• We do not conduct formal audits of purchasing card activity. The approver reviews and approves all P-Card purchases for the month. No other review is conducted other than the periodic internal audit review (not very frequent).

• We currently review all purchasing card transactions.

• We have implemented a Business Intelligence tool where all P-Card transactions are downloaded every night. We run reports with specific criteria in order to pick potentially fraudulent transactions. These transactions get audited in detail.

• We currently target specific transactions to review on a monthly basis. We do not review all transactions from a certain cardholder.

• We use a combination of criteria to select transactions for audit review. To include transactions greater than a specific dollar amount, a targeted list of merchant names, a targeted list of MCCs, and a listing of specific words captured in the comments field of the P-Card transaction reconciliation system. Based on findings in these areas, there may be an expanded review of other transactions associated with a specific cardholder.

• We monitor types of charges. We will look at weekend spending, charges at restaurants, etc.

• Manager approval is not always completed timely, so follow-up by the Card Administrator is required.

• We use the Citibank One Card product, which includes purchasing transactions. All card transactions are loaded daily to our expense reporting application which currently is the IBM GERS product. In GERS, we created different forms that have unique characteristics, policy flags, etc. so that reviewers/approvers of such expenses did not have to use multiple tools. Because all data is in the system, we can do more focused audits to identify potential abuse and deviations from policy, although we also have random selections.

• Purchasing card transactions are audited based on rules that are set up within a third-party tool that is used for our corporate card audits.

• We use a third-party software called Insight to monitor usage.

• No audits are conducted, with the cardholder’s manager responsible to ensure purchases are within company policy.

How have you implemented purchasing cards at your company, and what controls or audit processes are in place?  How cumbersome is the manager review process and how satisfied are you with the quality of manager reviews?

Who are your peers and how are you collaborating with them?

“Peercasts^TM” are private, professionally facilitated webcasts that feature leading member company experiences on specific topics as a catalyst for broader discussion.  Access is available exclusively to Peeriosity member company employees, with consultants or vendors prohibited from attending or accessing discussion content.  Members can see who is registered to attend in advance, with discussion recordings, supporting polls, and presentation materials online and available whenever convenient for the member.  Using Peeriosity’s integrated email system, Peer Mail^TM, attendees can easily communicate at any time with other attending peers by selecting them from the list of registered attendees. 

 “iPolling^TM” is available exclusively to Peeriosity member company employees, with consultants or vendors prohibited from participating or accessing content. Members have full visibility of all respondents and their comments. Using Peeriosity’s integrated email system, Peer Mail^TM, members can easily communicate at any time with others who participated in iPolling.