Procurement purchasing card perils: Will you be the next headline?

In January, Local 10 news in Miami reported that a former Miami-Dade School Board member used district-issued credit cards to rack up more than $100,000 in personal purchases that included everything from refrigerators to a trip to Disney World.

This story could be mistaken for several recent stories regarding the misuse of a procurement purchasing card (p-card). P-card abuse or misuse is an emerging and troubling trend and organizations need to improve their internal control systems to mitigate risk.

Convenient, efficient and concealable
P-cards offer a quick and efficient alternative to the typically tedious and lengthy purchase order process for certain purchases. While the benefits of a p-card program are significant, so are the risks of fraud and misuse, necessitating a robust internal control system. According to the Association of Certified Fraud Examiners’ 2024 Report to the Nations, more than half of occupational frauds occur due to insufficient internal controls (32 percent) or an override of existing controls (19 percent).

Crafting effective policies
In another case of p-card misuse and abuse, Broward County’s chief watchdog could not substantiate alleged wrong-doing by the town’s commissioner and was quoted as saying that she “could not substantiate any policy violations because those policies barely existed in the first place.”

Without robust policies helping to enforce, guide and limit the use of p-cards with clear consequences for violation, localities cannot hold individuals accountable and safeguard taxpayer dollars from potential inappropriate use. An effective p-card program should have a purchasing card policy that aligns with the overall procurement policy and practices. An effective purchasing card policy will address the following, among others:

• Define roles
• Issuance criteria
• Training requirements
• Allowable expenditure categories
• Single transaction limit and monthly spending limit
• Documentation requirements for purchases
• Levels of review and approval required
• Reporting requirements
• Periodic audit of p-cards
• Consequences of violating the policy

Additionally, program procedures should be implemented that correspond with policies and provide greater details of the program requirements and processes to guide program users in utilizing their p-cards effectively, efficiently and ethically.

Implementing robust controls
Segregation of duties, management oversight, review and approvals, reconciliations—you have heard these terms repeatedly, but are you designing and implementing these controls effectively to mitigate risks? Are these controls being performed and operating as intended to detect or prevent the risk? A control can be designed effectively, but if the execution does not align with that design, it may as well not exist.

Systematic controls, such as Merchant Category Codes (MCC), are excellent in preventing the misuse of p-cards; however, with a large volume of cards and constant limit increase requests and requests to temporarily open MCC codes, these systematic controls become obsolete as these requests become overwhelming, and mistakes are made.

P-card audits are another common method of detecting and preventing misuse. If p-card audits are performed timely, consistently and independently, they are an efficient control to implement. Establishing a robust control environment that ensures proper p-card audits, segregation of duties, adherence to policies, and oversight is essential to an effective purchasing card program.

Some common findings resulting from several internal control assessments over purchasing card programs include:

• Training requirements not enforced
• Inconsistent and insufficient documentation of p-card audits
• Lack of enforcement of the procurement policy, purchasing card (p-card) policy, and p-card reconciliation policy

Along with these findings, a common denominator among assessments was also the excessive volume of issued cards for each organization. With hundreds of cards and, therefore, hundreds of card custodians and users, the ability to hold personnel accountable to policies proved, through our assessment, to be ineffective. The business case for many cardholders is simply “everyone else in the department has one,” which is an insufficient justification.

Routine analytics
Running routine analytics can be an excellent tool for identifying fraudulent transactions and leveraging data for informed decision-making. Analytics software company ThirdLine has developed real-time monitoring metrics that can integrate with your ERP and accounting systems to allow you to monitor exceptions. Below are examples of metrics ThirdLine has developed for monitoring p-cards:

• Transactions charged on a Saturday or Sunday
• Cardholders with 1.5 times more transactions than their monthly average
• Transaction with a vendor in a restricted MCC

Routine analytics enhance manual controls with automated monitoring to detect fraud and misuse within a reasonable timeframe and reduce the likelihood of errors and fraudulent transactions going undetected.

Opportunity, pressure, and rationalization
When developing your risk and control frameworks, it is key to consider the three components that go into a fraud event. Specifically, there is an opportunity for fraud to occur, as this component rests within the organization’s policies and those charged with upholding them.

Shannon Castillo, MA, CFE, is a consulting manager within the audit and assurance department in the Columbia, Md., office of UHY Advisors Inc. With more than six years of experience in risk and compliance management, Castillo identifies and develops solutions for areas of improvement by formulating process documentation and leveraging systems and tools for management to rely on to ensure processes are streamlined, risks are mitigated, and data is accurate and complete.