In the last decade, many local governments have begun using purchasing cards (p-cards), a type of commercial credit card, to pay for goods and services. But, if used inappropriately, p-cards can cost agencies money and public trust.
For public organizations, the risk of being embarrassed in local media stories for misusing funds tends to be equal to or more important than any potential financial losses. “The last thing elected officials want to see is a headline shouting out, ‘Poor county controls lead to employee fraud and mismanagement,’” says Winston McColl, director of purchasing and contracting for San Diego County.
Thoughts of employees using the cards for personal gain or misusing public funds by buying over-priced products, over-buying or making questionable “business” purchases, are enough to keep government officials awake at night. Although card misuse rates are quite low — 0.67 incidents per 10,000 transactions or $340 of misuse for every $1 million spent, according to the “2005 Purchasing Card Benchmark Survey Report” by St. Louis-based RPMG Research Corp. — government agencies are establishing strict rules for p-card use so they can reap the greatest rewards. “Controls are absolutely essential to protect the integrity of the system and ensure its continuance,” McColl says. “If you can’t demonstrate effective controls, elected officials will not support implementing such a system.”
Prevention: The first defense
A card program’s controls typically are set before employees receive their cards. However, controls can be modified and strengthened at any stage of a program to address a variety of offenses. As time goes on, astute organizations ensure that controls keep pace with program growth.
While controls vary for each organization, they typically address common elements, such as the processes for opening and closing card accounts — including security of card handling — and preventing duplicate payments. Because it is possible to over- and under-control a program, a balancing act ensues. The ultimate challenge is ensuring that the cost of risk mitigation does not surpass the savings potentially achieved through card use. The most successful programs have a multi-faceted approach, striking the right balance and establishing both preventive and detective controls.
Long before any p-card transactions occur, the contract between the government agency and its card issuer should determine financial liability for each party in case of fraud and misuse. Optimally, the contract terms and conditions serve to minimize, or possibly eliminate, the government’s financial liability for proven fraud and for appropriately addressed misuse.
Besides the p-card contract, preventive controls that directly affect program participants — cardholders and their managers — should include clear policies, procedures, documentation requirements for purchases and required training. The controls are designed to minimize the risk of embarrassment, and they should be reviewed regularly and kept current. “Training each cardholder is the key, so they know up front what is expected and what rules to follow,” says Sandra Greeno, credit card administrator for Wichita, Kan., which began a p-card program in 1997 and estimates saving $45 on each transaction versus a traditional invoice-based purchasing process.
In addition to training cardholders about policies and procedures, program managers also should explain how the card issuer will notify card users of potentially fraudulent transactions. That way, cardholders will know the difference between scams and legitimate notifications, and help prevent the fraud from happening.
To measure the success of training, many managers test cardholders on program fundamentals that may indicate areas in which more training is warranted. The frequency for testing depends on the organization, but those with highly controlled programs may want to train or administer a quiz annually. Each employee and manager should sign an internal agreement before or at the time the card is issued to acknowledge their roles and responsibilities and agree to abide by the policies and procedures. Consequences for misuse often are included in the agreement, providing the basis for disciplinary action.
Preventing fraud and misuse takes more than training cardholders. Systemic controls — those that limit improper card use — also are important deterrents and part of the balancing act. Examples include single transaction limits, monthly/cycle spending limits, merchant category blocks, velocity controls and others. Too many restrictions may prevent legitimate transactions and discourage cardholders, while too few may provide greater opportunity for misuse. Systemic controls can be tailored to individual cardholders to meet the unique needs of each government agency.
Detection: The clean-up role
Because even the strongest preventive controls may not avoid all fraud and misuse, detective controls are essential. The most effective detective control is regular reconciliation of posted transactions. Cardholders are the first line of defense in that effort. Any fraud they detect should be reported to the card issuer immediately for further investigation, which will protect an organization from financial loss if its contract specifies the organization/agency is not liable for fraudulent charges.
In general, organizations tend to review p-card transactions more closely than other payments, which helps deter would-be card abusers. In addition, an organization’s audit program may review high-dollar transactions, transactions with certain “high-risk” supplier types, activity of heavy p-card users, new cardholders’ transactions, and more. Audits may be performed by any or all of the following: internal and external auditors; the p-card program manager or administrator; or staff in the accounting, finance or treasury departments. Some organizations audit every p-card transaction, but that significantly reduces the potential savings of p-card programs.
Technology and automation
Program management and reporting software has been developed over the past decade to help enforce controls and measure program success. As a result, auditing p-card transactions and ensuring compliance is less labor intensive and more effective.
Improved reconciliation tools reduce the time that cardholders spend on the program. Some tools automate workflow and purchase approvals, and others are designed specifically for audits. “Our approach to controlling the program was to move to more aggressive software,” Greeno says. “Supervisors and system administrators can see on a daily basis the purchases that their cardholders are making.”
Detailed reports help determine if cardholders are adhering to rules. A report of declined transactions, for example, may reveal a cardholder’s attempt to make a prohibited purchase, a signal that additional training or scrutiny of the cardholder may be needed. The report also may indicate potential fraud attempts. Other useful reports include: activity analysis by cardholder to check for unusual spending habits, account listings to determine that issued cards are in the right hands, and a report of users and their software access type to ensure appropriate use.
When card misuse is detected, disciplinary action must be taken. Rather than hiding cases of card misuse, some organizations internally publicize any offenses and resulting consequences. Depending on the infractions, consequences may range from additional training requirements to termination. Some organizations reduce a violator’s spending limit to $1 to prevent card use until certain requirements are met. Organizations that ignore bad behavior and do not follow through on consequences increase the risk for additional cardholder offenses.
Card users, issuers, networks and other providers each play a role in preventing and detecting fraud and misuse. Regardless of each organization’s controls, the companies that issue the cards ultimately must protect the integrity of their product. Industry metrics prove that it is possible to reap the rewards of p-cards while controlling the risks. Fraud and misuse are the exceptions, not the rule, especially considering the billions charged to p-cards annually.
Lynn Larson is the manager of Industry Information and Research for the Minnetonka, Minn.-based National Association of Purchasing Card Professionals.
Fraud vs. misuse
Fraud may be viewed as the unauthorized use of a purchasing card by someone other than the individual to whom it is issued.
Misuse involves the unauthorized activity by the employee to whom a card is issued.
— “Fraud Prevention and Detection: Establishing and Maintaining a Purchasing Card Program with Adequate Management Controls to Prevent Fraud, Misuse, and Abuse,” National Association of Purchasing Card Professionals, January 2004
The National Association of Purchasing Card Professionals (NAPCP) offers a variety of resources to assist purchasing card users. Established in 2000, the NAPCP is a non-profit organization focused on end-user education. Resources include two white papers about program controls: “Fraud Prevention and Detection: Establishing and Maintaining a Purchasing Card Program with Adequate Management Controls to Prevent Fraud, Misuse, and Abuse,” January 2004, and “The Sarbanes-Oxley Act and Its Impact on Purchasing Card Programs,” December 2005. For more information, visit www.napcp.org.