Many governmental agencies are still writing significant numbers of checks without having sound controls in place. Purchase cards (P-Cards) could be a cost effective way for certain organizations to improve and streamline the payment process and get out of the check writing business, while improving the payment processing time.
If an organization is utilizing P-cards or is thinking about utilizing P-cards, internal controls need to be top of mind. P-cards alone are probably not sufficient for an organization but can provide substantial benefit when there are many smaller dollar, non-recurring payments. ACH wires generally are a more secure way of making larger or more frequent payments.
P-Cards = buying power = opportunity, which is one of the three corners of the fraud triangle
Basics for P-Cards
Documented policies and procedures related to the authorization and use of P-Cards is a must. This should include a training element which should also involve a testing component.
Organizations should adopt and mandate a cardholder agreement that all users must sign which clearly indicates that the P-Card is not for personal use. This agreement should outline the discipline/termination for misuse, the mandate for reconciling statements in a timely manner and a mechanism for self-reporting unauthorized transactions. Another tool available is the GFOA Best Practices over P-cards.
There are three R’s of internal control related to P-cards: Responsibility, Review and Revise Procedures.
Responsibility and Review
Both individual card holders and their supervisors are responsible for safeguarding the use of the card. The cardholder has to understand the ramifications for misuse and also understand the importance of timely statement reconciliation. The supervisor has the responsibility of reviewing the reconciliation and statements and comparing the two. The supervisor has other controls available as well including:
- Access to the Data Exchange File (DEF) which contains 50 fields of information at the point of sale (accessible from credit cards/banks)
- MCC blocks can be added so that the cardholder cannot go to a liquor store and buy liquor. However, this in and of itself would not catch them going into a gas station and buying liquor/beer
- Set single transaction limits
- Set daily transaction limits
- Set time of day limits (card only active from 8 a.m. to 5 p.m. for example)
- Segregation of duties (cardholder also received the order for example)
- Require documentation for management override
As the process evolves, organizations will have to be cognizant of the changing environment and revise the policy and procedures as deemed necessary to allow cardholders and supervisors the tools to comply without overburdening them.
Purchase cards can be an asset to an organization and can greatly improve and streamline the payment process. Abuse and fraudulent activity is possible but can be reduced/eliminated through proper internal controls. Having well designed controls is only half the battle. The key is making sure those controls are working effectively to address the associated risks. Ongoing monitoring is a great way to keep a pulse on the process. Attribute testing should focus on proper approvals and segregation of duties. If sampling is done on a statistical basis, the results of the testing can be extrapolated against the population. Transactional testing should be focused on lower dollar value items and focus on riskier types of purchases such as meals and incidentals.
To learn more about P-cards and other accounting best practices for local governmental entities, visit our Government page or contact Mark S. Zettlemoyer, CPA, CFE, Partner and Government Industry Group Leader, at 717.394.5666 or email@example.com.
Contributed by Hunter Mink, CPA (firstname.lastname@example.org), a manager in RKL’s Auditing and Accounting Services Group. Hunter has extensive experience working with governmental and non-profit entities.