Preventing, Detecting and Investigating Procurement Card Abuse


 Average 4 out of 5

jerry-diley80x80.jpg   FraudBasics
A $3 billion, American company with facilities in several eastern states and approximately 20,000 employees has taken a strong stand to prevent, detect and investigate procurement card abuse. A few years ago, the organization centralized the accounts payable function to tighten controls over disbursements. The centralized accounts payable function handles thousand of transactions monthly. To increase the department's efficiency, the company introduced procurement cards (p-cards), a tool to help manage high volumes of small transactions that otherwise would overwhelm the accounts payable processes.

With a p-card, each cardholder has at his or her disposal the equivalent of a petty cash fund with various dollar limits that can be used for work-related items. The organization issued nearly 800 p-cards to employees and consultants. While p-cards can expedite purchasing for urgent repairs and other items needed immediately, they also can be misused to purchase unapproved items.

To deter or detect misuse the following controls were instituted:  


  • Dollar limits on daily and monthly transactions.  
  • Restriction by Merchant Classification Codes (MCC). 
  • Monthly reviews and approval of purchases by immediate supervisor. 
  • Purchase reviews by a second person, the p-card coordinator. 
  • Software monitoring to identify potential questionable transactions. 

While these controls reduced the possibility of misuse, employees still found methods to circumvent the controls and use the p-cards for personal gain.  


The internal audit department was asked to investigate several p-card misuses in the past year. In each of these situations, the p-card holder had purchased personal items — most commonly gas for a personal car, household items, beauty services, gift cards and groceries. Losses from p-card misuse ranged from less than $2,500 to almost $30,000.  



The investigations identified a series of common themes (red flags). While red flags do not always mean that a fraud is being perpetrated, they are an indication that a person's actions should be monitored more diligently. Some of the red flags identified during investigations included:
  • Monthly reconciliations were always late or not performed. The person may be attempting to avoid any review of the purchases made. Certain receipts were not included in the monthly reconciliation.
  • The individual had been placed on probation for performance issues. The person may believe he or she is about to be terminated and has nothing to lose by misusing the p-card.
  • The employee presented several reconciliations at a time or stated that the reconciliations needed to be signed quickly due to a deadline. This technique reduces the amount of time for review, thus allowing unauthorized transactions to be hidden.
  • The employee submitted receipts with a long list of purchase items. Personal items can be hidden within lengthy lists.
  • Purchases were made after business hours from restaurants, gas stations or other merchants. The person can use the excuse that it was a mistake and used the wrong card.
  • Supervisors were not taking the time to examine the monthly reconciliation. The supervisor trusts the person or has too many more-important tasks to perform.



There are two types of controls — preventive and detective — that may be used to reduce the likelihood of p-card abuse.

The following preventive controls should be in place for any p-card program:

  • Background checks: All cardholders should undergo a background check. Giving an employee a p-card is tantamount to providing the cardholder access to one of the organization's most liquid assets: cash.
  • Dollar limits: An individual's p-card should have a reasonable monetary limit based on both daily and monthly use. Some organizations set limits at a standard level for all cardholders or for employees with similar jobs. By tailoring the limits to each cardholder, the total dollars at risk can be reduced. If a special situation arises in which a dollar limit is too low and a higher dollar amount is required, the p-card limit can be increased for the specific transaction and then returned to the original level.
  • Merchant Classification Codes: MCC should be used to prohibit transactions at various establishments, such as cash advances, liquor stores, big box stores and movie theaters. This can be somewhat of an issue, especially when the p-card is used at a big box store where non-business-related items can be interspersed with legitimate items.
  • Probation: If an employee is placed on probation for a performance issue, place the p-card on hold status until the person is off probation.
  • Education: Educate all p-card holders, administrators and supervisors on their card-related roles and responsibilities on an annual basis. This training should include a clear definition of roles, timing, type of documentation required, approvals and specific consequences if not performed in a timely manner. At the conclusion of the education, all p-card holders must sign an updated cardholder acceptance form that reiterates the appropriate uses of a p-card.

Detective controls are retrospective actions to identify questionable transactions. As implied, these controls identify potential issues after the transactions have occurred, but they cannot stop a fraudulent transaction from occurring. However, detective measures can assist in quickly identifying potential issues. Some of the more common detection controls associated with p-cards usage are:

  • Reconciliation review: Perform reviews of transactions, explanations and receipts in a timely manner. The receipts should be reviewed with a specific focus on each receipt's date and time, items purchased and the reasonableness of the expenses.
  • Placing p-card on hold status: If the reconciliation is not completed by the due date or there are missing receipts, place the p-card on hold status (not allowed to make purchases) until the reconciliation has been completed, reviewed and approved by the appropriate supervisor. The approver should send an email requesting the card be reactivated only after all processes are completed. Track the number of times a person is late or has an incomplete reconciliation (missing receipts).
  • Three-strike rule: If a person repeatedly abuses the p-card (for example, routine tardiness in reconciliation or charging personal items), cancel the p-card and do not allow the person to get it reinstated.
  • Monthly reports: The overall p-card administrator should generate a monthly report and forward it to the appropriate manager. The report should include spending trends, potential split transactions and dollars by merchant. This will provide additional oversight regarding appropriate use.
  • Strong policy: The policy should state clearly what the p-card can and cannot be used to purchase. The policy also should identify the disciplinary action for accidental misuse versus intentional misuse.
  • Anonymous tip line: As outlined in the ACFE's 2010 Report to the Nations, most frauds are discovered as the result of a tip. A tip line allows employees to report suspected p-card misuse.



Great care must be taken when investigating suspected improprieties or irregularities to avoid wrongful accusations or alerting suspected individuals that an investigation is under way.
A strong fraud policy is essential. The policy should indicate who (for example, internal audit) will investigate a suspected fraud. The policy also should affirm that if a fraud is identified, the company will prosecute the cardholder.

Below are three steps that can help during a fraud examination:

STEP 1: Identify who will conduct the investigation.

In most organizations, internal audit has the primary responsibility for investigating fraud. Whoever is conducting the investigations should coordinate with the legal, risk management and corporate responsibility departments within the organization.

STEP 2: Ensure the investigative team has the right skills.

The investigative team, whether one person or many, should possess the following skill sets:

  • Data extraction and mining.
  • Data analytics.
  • Documentation of the investigation process (standard process developed for all investigations).
  • Interviewing skills.
  • Identification of control breakdowns.
  • Common sense.
  • Ability to communicate internally and externally to various stakeholders (including management, law enforcement and attorneys).


STEP 3: Work closely with management to control the investigation.

During the investigation, management and staff must clearly understand their roles and responsibilities so they do not hinder the investigation. These actions will help:

  • Work with management and staff to ensure that they do not contact the suspected individual in an effort to determine facts or demand restitution.
  • Inform management not to discuss the case, facts, suspicions and/or allegations with anyone unless the legal affairs or internal audit departments specifically asks them to.
  • Ensure the suspect is not terminated before the investigation is completed. If threat of loss is high, work with human resources, legal affairs and management to place the suspected individual on administrative leave.
  • If the plan is to prosecute, work with public relations to make sure that a statement is available for release to any reporter who may contact the organization. The statement should simply state that an investigation is under way and no further comment is available.

The team that conducts the investigation should assist local management in determining the best course of action in the following areas:

1. Protecting evidence:

  • Limiting logical and physical access.
  • Securing computers and documents.
  • Storing documents in a safe place.

2. Communications:

  • (Internal) Keeping information on a need-to-know basis.
  • (External) Assisting local management in working with public relations and the communications department to develop necessary releases.

3. Law Enforcement:

  • Working with local management and legal affairs in contacting the appropriate law enforcement agency once the investigation has proven fraud has occurred. Factors to consider include which agency has jurisdiction in the case, the dollar amount of the loss and the agency's ability to prosecute the case.



P-cards can be a valuable addition to any organization by reducing the number of transactions your accounts payable staff must process and by expediting urgent repairs and purchases. However, if your company uses p-cards, it is extremely important to have adequate controls, both preventive and detective, in place. Even with the best controls in place, you can be sure that someone will try to take advantage of the privilege and use the p-card for his or her personal gain. Therefore, when a misuse occurs, you need to be prepared to investigate it professionally by having the right team and policies in place to facilitate the investigation.

Jerry E. Diley, CFE, CIA, CISA, CRISC, is the senior IS audit manager of Bon Secours Health System in Marriottsville, MD.   


The Association of Certified Fraud Examiners assumes sole copyright of any article published on or ACFE follows a policy of exclusive publication. Permission of the publisher is required before an article can be copied or reproduced. Requests for reprinting an article in any form must be emailed to