Published in College & University Auditor – Fall 2015
Purchasing card (P-Card) spending is on the rise, particularly among colleges and universities. The use of P-Cards is expected to increase 62 percent by 2018 reaching $377 billion, according to the 2014 RPMG Purchasing Card Benchmark Survey. The expansion of P-Card programs and use is expected to continue given the myriad of benefits P-Cards offer including streamlining the procurement-to-pay process lowering operational costs and taking advantage of supplier discounts. Originally, P-Cards were used for small dollar transactions to help reduce or eliminate the need for petty cash. However, while P-Card use has grown, it has become increasingly challenging to maintain compliance as organizations struggle to gain insights into their program. Analyzing high transaction volumes using spreadsheets and manually reviewing receipts becomes labor-intensive and inefficient.
From the standpoint of internal audit, the objective of a P-Card system is to rid the organization; of fraud, waste and abuse. While there are a variety of ways to search for fraud, most are not foolproof. Sampling is unreliable for detecting and preventing misuse, and card issuer applications provide limited data. Spreadsheets have capacity limitations and are prone to errors.
Many auditors have found success in using purpose-built data analytics tools to extract and analyze data from different sources and file types to detect instances of fraud, waste, and abuse. These tools provide the ability to examine 100 percent of the P-Card program data. More than ever, auditors are embracing technology to stay ahead of risks and exposures that may lead to revenue losses.
From a business standpoint, the objectives are slightly different. While detection of misuse is important, stakeholders within the organization not only need to know that something went awry; they want to dive deeper into specific risk areas to identify underlying causes. Data analytics can help auditors look through high volumes of transactional data to identify anomalies, but it is often a reactionary approach. Infractions are seldom caught in time to recover funds. In fact, it takes an average of 24 months to detect procurement fraud at which time 89 percent of all proceeds are unrecoverable. The business goal is to stay well ahead of the problem.
Continuous monitoring is about creating a sustainable internal control environment, not creating more work. It goes beyond identifying a single set of problems to providing actionable insights to the business. Organizations can create a collaborative environment where everyone works to strengthen controls while expanding the P-Card program.
The tolerance threshold varies for every organization. If a $300 million P-Card program incurs $20,000 in annual misuse, the convenience and administrative cost savings may offset the loss. However, inappropriate spend involving large sums of money could quickly become newsworthy and damaging to the organization’s reputation. Stakeholders need assurance that preventative measures are in place and working properly. Transactional data can be analyzed, but misuse goes unnoticed without information from other sources such as accounts payables and human resources. For example, if John uses his P-Card to purchase gasoline while on vacation, the misuse is typically not found using traditional auditing techniques because fuel is a normal expense for John since his position requires business travel. John shares his clever cost-saving tactic with a close coworker, who begins to take advantage of similar weaknesses in the system for personal gain. The culture of misuse perpetuates and continues to go undetected.
When looking at exceptions, can you determine whether it was an isolated incident where clarification of policies and procedures need further explanation or a habitual problem? How many times has each employee violated the policies? Was one person in violation while the majority followed policy? Is there a department that tends to have multiple violations on a regular basis? Is misuse related to specific spending areas? These questions can only be addressed if the analysis includes data from different sources, such as employee data, category of spend, etc.
Running data analytics to test P-Card data provides some valuable details about exceptions, especially
when you incorporate multiple data sources including:
Additionally, if the organization uses an expense management system such as Concur, data can be automatically extracted and analyzed on a regular basis to ensure compliance. Expense management systems allow employees to submit expenses for approval and/or reimbursements.
Broadening the scope of data being examined helps bridge gaps and allows you to see fraud schemes that would be impossible to detect otherwise.
To gain an understanding of the unique ways P-Cards are being used within the organization, and whether policies and procedures are being followed, perform a risk and control assessment. By testing historical data, you can establish a benchmark to gauge the severity of issues and identify problem areas. Begin by comparing current data with the year prior to detect patterns for normal or abnormal spending trends. Calculate the average spends by department to look for outliers and unusual spend patterns. Historical data is useful for assessing the entire data population year to year.
Examples of Analytics Tests/Queries:
Next, break the queries down into sub-processes to pinpoint problem areas such as:
When an exception is detected, how is it dealt with, or is it dealt with at all? Traditional remediation, usually involving emails, is time consuming, unreliable and error-prone. Multiple follow-ups are necessary between several parties to ensure resolution, and managers are not always updated about whether or not the issue has been resolved. Continuous monitoring also automates remediation follow-ups until a resolution is achieved; including escalation if the issue is not addressed within a set timeframe. This process can be customized to align with business processes and structure.
Continuous monitoring tools offer dashboards that present information graphically on key program metrics such as the amount of spend across a period of time and the level of exceptions. Dashboards can be configured based on what the end-users want to see or what information is beneficial to department leaders.
Reviewing trend and patterns can help gauge the performance of controls and policies, and identify any potential gaps that need addressing. Visualization helps the end-user consume data and insights by looking at patterns, not just rows, and columns of numbers. Trends become more apparent, and the data becomes more useful to everyone participating in the review process.
P-Card programs often lose the support of top management if there are repeated cases of misuse, especially if they are discovered too late to take corrective action and recover losses. The administrative cost savings, convenience and efficiency gains associated with using P-Cards benefit the organization, but only if exposure and risk are managed properly. Management needs assurance that policies and procedures are being followed, and the audit is staying ahead of misuse.
The University of Miami, which includes academics, hospitals and research facilities, is growing at a rapid pace. Their growth will undoubtedly lead to an increase in P-Card use. The university’s internal audit department has already taken steps to move from periodically reviewing random samples of P-Card transactions to continuously monitoring 100 percent through the use of data analytics technology. Exceptions are shared with department managers to provide a comfort level about how P-Cards are being used within the organization, and whether policies and procedures are being followed.
“As our corporate cards program grows, we provide assurance at both the department and management levels that we have sufficient policies and procedures in place to review transactions,” said Hiram Sem, Executive Director of Treasury Operations and Cash Management, University of Miami. “Cardholders must understand they are responsible and accountable, but we must also carefully monitor expenditures to identify unauthorized charges early. Technology has helped us refine our review process and handle larger data volumes that come with expansion.”
The value of continuous monitoring reaches well beyond exception detection. There are three advantages to driving the trend towards continuous monitoring:
When an organization is working towards a problem-free environment, it provides a sustainable process to proactively look for and address issues. When employees know every transaction is being monitored, it creates a catalyst for behavioral changes within the organization.