I didn’t realize how quickly I would get to 30 years when posting one blog per week for each year (30 weeks). Even drawing some of the posts out to two weeks didn’t add much. So now I am posting additional analysis performed over the years. Another thing I didn’t take into account was that I would continue to perform analysis – even after I retired. So I will likely have enough to continue to post – maybe not every week since I am trying to slow down a bit.
I have often said that I never performed the same audit twice. This is not entirely true. I certainly have performed Accounts Payable and Payroll audits more than once, but for different organizations. I have also done a variety of audits around contracting and construction or major capital projects. But I have never implemented the same audit program twice. There were always new risks, additional concerns, and different analysis to be done. This has made every audit a unique challenge.
The audit that comes closest to being repetitive is p-cards. I first mentioned this in my Year 2000 post, which described a standard set of analysis I performed to find misuse, abuse and fraud in p-card charges. It started because I was tasked to assist the USA IG with some complicated analysis looking at totals by cardholder within any 5-day period. The audit of p-cards continued with my own company, and the standard analysis scripts I have developed have been used over and over again in various organizations.
Perhaps not coincidentally, I was asked to develop an analysis program for p-cards again a couple of weeks ago. Many of the tests were the same as I had performed numerous times. The usual risks were there: split transactions to avoid financial limits; duplicates to detect merchant fraud; personal expenditures charged to corporate p-cards; etc. But this time the organization actually had a list of prohibited Merchant Category Codes (MCC) that could be verified by individual cardholder. This particular test was made more difficult because the list of prohibited MCCs was formatted like “4511, 3351-3499, 7512, 3500-3999, 7011, 4814-4815, 5541-5542, 7523-7524, 4112, 4817-4821”. While I did develop a script that expanded “3351-3499” into “3351, 3352, 3353, … 3499” using nested loops, I thought there might be an easier way, so I posted the question on the ACL Peer Community (aka User Forum). One of the regulars, Thomas Larson, posted a much easier script that used BETWEEN() when there was a range such as “3351-3499”, and a FIND() when it was a single MCC. However, this is not the point of my story. My point is – once again I found misuse, abuse and possibly fraud (still needs to be reviewed and verified) in p-card transactions.
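The range-versus-single-code test described above can be sketched outside ACL as follows. This is an added example in Python, not the author's or Thomas Larson's script; the function names, transaction field names and sample transactions are assumptions made for illustration.

```python
import re
from bisect import bisect_right
from collections import defaultdict

# Prohibited-MCC string exactly as quoted in the post.
PROHIBITED = ("4511, 3351-3499, 7512, 3500-3999, 7011, 4814-4815, "
              "5541-5542, 7523-7524, 4112, 4817-4821")

def parse_mcc_spec(spec):
    """Parse '4511, 3351-3499, ...' into sorted, merged (low, high) ranges."""
    ranges = []
    for token in filter(None, (t.strip() for t in spec.split(","))):
        m = re.fullmatch(r"(\d{4})(?:\s*-\s*(\d{4}))?", token)
        # Reject malformed entries and reversed ranges such as '3499-3351'.
        if not m or (m.group(2) and m.group(2) < m.group(1)):
            raise ValueError(f"bad MCC entry: {token!r}")
        ranges.append((int(m.group(1)), int(m.group(2) or m.group(1))))
    merged = []
    for low, high in sorted(ranges):
        if merged and low <= merged[-1][1] + 1:  # overlapping or adjacent
            merged[-1] = (merged[-1][0], max(merged[-1][1], high))
        else:
            merged.append((low, high))
    return merged

def is_prohibited(mcc, ranges):
    """Range test via binary search on range starts (no expansion needed)."""
    code = int(mcc)
    i = bisect_right(ranges, (code, 9999)) - 1
    return i >= 0 and ranges[i][0] <= code <= ranges[i][1]

def flag_transactions(transactions, ranges):
    """Return ({cardholder: [count, total]}, rows whose MCC cannot be checked)."""
    by_holder, unverifiable = defaultdict(lambda: [0, 0.0]), []
    for row in transactions:
        mcc = str(row["mcc"]).strip()
        if not mcc.isdigit():
            unverifiable.append(row)  # blank or malformed MCC: review manually
        elif is_prohibited(mcc, ranges):
            by_holder[row["cardholder"]][0] += 1
            by_holder[row["cardholder"]][1] += row["amount"]
    return dict(by_holder), unverifiable

# Constructed sample transactions (not data from the post).
SAMPLE = [dict(zip(("cardholder", "mcc", "amount"), r)) for r in [
    ("C001", "5541", 62.10), ("C001", "5943", 18.75), ("C002", "3500", 410.00),
    ("C002", "4816", 29.99), ("C002", "7011", 189.00), ("C003", "", 75.00)]]

if __name__ == "__main__":
    print(flag_transactions(SAMPLE, parse_mcc_spec(PROHIBITED)))
```

Transactions with a blank or non-numeric MCC are returned separately rather than silently passed, since a missing code cannot be shown to be allowed.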
P-cards were introduced because they are cheaper than invoices, and have additional controls both at the bank and at the organization level. Why then do I consistently find issues with p-card transactions? The single most contributory cause is management review of p-card transactions. Employees who have been assigned a p-card are often asked to sign off on an official-looking form that says that they understand the rules around p-card use (basically, only to be used for business purposes that comply with policy). As a second level of control, the employee’s manager (or a p-card manager) is tasked with reviewing their employee’s use of the p-card. For some managers this can mean reviewing 50-100 employees’ p-card usage, which amounts to thousands of transactions. Since many are small dollar, managers can be less than diligent, providing employees with the opportunity they need to commit fraud.
However, sometimes it is a higher level manager who commits the fraud. For example, we had one such fraud in the city where I work. The finance director at a charity organization charged personal expenses to her corporate credit card including: $78K in home furnishing and new appliances; $69K in groceries; $50K for gas and car repairs. She covered the expenses for 8 years with transfers ranging from $663.03 to $40,500.00 from various accounts. A simple review of transactions by MCC would have identified this fraud in the first few months.
Back in 2000, the office of the Inspector General in the US did a government-wide audit and identified the following control weaknesses which, based on audits I have been involved in, are also applicable in non-government companies. These include:
- Inadequate review of purchases by approving officials
- Unmanageable span of control
- Excessive number of cardholders
- Exceeding authorized purchase limits
- Lack of/inadequate documentation
- Inappropriate purchase methods
- Unrecorded accountable property
- Lack of security over purchase card
- Inadequate training for cardholders and approvers
- Inappropriate financial coding
- Inadequate reconciliation
I have seen numerous cases where:
- The approving official’s review is the most essential element of the p-card control system. The approver should ensure purchases are appropriate and charges are accurate. At the same time, the span of control can be quite large (1000’s of cardholders), making it difficult to perform adequate review.
- Cardholders have developed unique ways to get around purchase limits, including one I know of who had a consultant who was working for them write a letter to the credit card company to get the limit raised – it was.
- People confuse having a credit card with “authority to purchase” and are able to bypass purchasing controls
- Items that are purchased are often not recorded in any corporate system – this includes computers and other expensive and attractive items
- Cards are lost, stolen, misplaced and often not reported
- Financial coding is often “general office supplies” even though many different items can be purchased and it is difficult to reconcile transactions.
ACL Commands: FILTERS, CLASSIFY, CROSSTAB, EXTRACT, and RELATE
Lessons Learned: the implementation of an improved system of controls (p-card versus accounts payable invoices) can still have serious weaknesses and must be assessed. Also, when you are relying on managers to perform (manual) reviews of thousands of transactions, the likelihood of this being a good control is small.
In addition, control weaknesses in one company or one portion of a company likely exist elsewhere. When performing a fraud risk assessment, be sure to look at what is happening in your own company and others. Fraud schemes are often repeated whenever and wherever similar control weaknesses exist.
Lastly, despite close to 30 years of using ACL, I can and do ask for help. Some of the users on the Peer Community have analytical skills that put mine to shame; and they offer them freely to those of us who ask for help.