The investigations identified a series of common themes (red flags). While red flags do not always mean that a fraud is being perpetrated, they are an indication that a person's actions should be monitored more diligently. Some of the red flags identified during investigations included:
- Monthly reconciliations were always late or not performed. The person may be attempting to avoid any review of the purchases made. Certain receipts were not included in the monthly reconciliation.
- The individual had been placed on probation for performance issues. The person may believe he or she is about to be terminated and has nothing to lose by misusing the p-card.
- The employee presented several reconciliations at a time or stated that the reconciliations needed to be signed quickly due to a deadline. This technique reduces the amount of time for review, thus allowing unauthorized transactions to be hidden.
- The employee submitted receipts with a long list of purchase items. Personal items can be hidden within lengthy lists.
- Purchases were made after business hours from restaurants, gas stations or other merchants. The person can use the excuse that it was a mistake and used the wrong card.
- Supervisors were not taking the time to examine the monthly reconciliation. The supervisor trusts the person or has too many more-important tasks to perform.
There are two types of controls — preventive and detective — that may be used to reduce the likelihood of p-card abuse.
The following preventive controls should be in place for any p-card program:
- Background checks: All cardholders should undergo a background check. Giving an employee a p-card is tantamount to providing the cardholder access to one of the organization's most liquid assets: cash.
- Dollar limits: An individual's p-card should have a reasonable monetary limit based on both daily and monthly use. Some organizations set limits at a standard level for all cardholders or for employees with similar jobs. By tailoring the limits to each cardholder, the total dollars at risk can be reduced. If a special situation arises in which a dollar limit is too low and a higher dollar amount is required, the p-card limit can be increased for the specific transaction and then returned to the original level.
- Merchant Classification Codes: MCC should be used to prohibit transactions at various establishments, such as cash advances, liquor stores, big box stores and movie theaters. This can be somewhat of an issue, especially when the p-card is used at a big box store where non-business-related items can be interspersed with legitimate items.
- Probation: If an employee is placed on probation for a performance issue, place the p-card on hold status until the person is off probation.
- Education: Educate all p-card holders, administrators and supervisors on their card-related roles and responsibilities on an annual basis. This training should include a clear definition of roles, timing, type of documentation required, approvals and specific consequences if not performed in a timely manner. At the conclusion of the education, all p-card holders must sign an updated cardholder acceptance form that reiterates the appropriate uses of a p-card.
Detective controls are retrospective actions to identify questionable transactions. As implied, these controls identify potential issues after the transactions have occurred, but they cannot stop a fraudulent transaction from occurring. However, detective measures can assist in quickly identifying potential issues. Some of the more common detection controls associated with p-cards usage are:
- Reconciliation review: Perform reviews of transactions, explanations and receipts in a timely manner. The receipts should be reviewed with a specific focus on each receipt's date and time, items purchased and the reasonableness of the expenses.
- Placing p-card on hold status: If the reconciliation is not completed by the due date or there are missing receipts, place the p-card on hold status (not allowed to make purchases) until the reconciliation has been completed, reviewed and approved by the appropriate supervisor. The approver should send an email requesting the card be reactivated only after all processes are completed. Track the number of times a person is late or has an incomplete reconciliation (missing receipts).
- Three-strike rule: If a person repeatedly abuses the p-card (for example, routine tardiness in reconciliation or charging personal items), cancel the p-card and do not allow the person to get it reinstated.
- Monthly reports: The overall p-card administrator should generate a monthly report and forward it to the appropriate manager. The report should include spending trends, potential split transactions and dollars by merchant. This will provide additional oversight regarding appropriate use.
- Strong policy: The policy should state clearly what the p-card can and cannot be used to purchase. The policy also should identify the disciplinary action for accidental misuse versus intentional misuse.
- Anonymous tip line: As outlined in the ACFE's 2010 Report to the Nations, most frauds are discovered as the result of a tip. A tip line allows employees to report suspected p-card misuse.
P-CARD FRAUD INVESTIGATION
Great care must be taken when investigating suspected improprieties or irregularities to avoid wrongful accusations or alerting suspected individuals that an investigation is under way.
A strong fraud policy is essential. The policy should indicate who (for example, internal audit) will investigate a suspected fraud. The policy also should affirm that if a fraud is identified, the company will prosecute the cardholder.
Below are three steps that can help during a fraud examination:
STEP 1: Identify who will conduct the investigation.
In most organizations, internal audit has the primary responsibility for investigating fraud. Whoever is conducting the investigations should coordinate with the legal, risk management and corporate responsibility departments within the organization.
STEP 2: Ensure the investigative team has the right skills.
The investigative team, whether one person or many, should possess the following skill sets:
- Data extraction and mining.
- Data analytics.
- Documentation of the investigation process (standard process developed for all investigations).
- Interviewing skills.
- Identification of control breakdowns.
- Common sense.
- Ability to communicate internally and externally to various stakeholders (including management, law enforcement and attorneys).
STEP 3: Work closely with management to control the investigation.
During the investigation, management and staff must clearly understand their roles and responsibilities so they do not hinder the investigation. These actions will help:
- Work with management and staff to ensure that they do not contact the suspected individual in an effort to determine facts or demand restitution.
- Inform management not to discuss the case, facts, suspicions and/or allegations with anyone unless the legal affairs or internal audit departments specifically asks them to.
- Ensure the suspect is not terminated before the investigation is completed. If threat of loss is high, work with human resources, legal affairs and management to place the suspected individual on administrative leave.
- If the plan is to prosecute, work with public relations to make sure that a statement is available for release to any reporter who may contact the organization. The statement should simply state that an investigation is under way and no further comment is available.
The team that conducts the investigation should assist local management in determining the best course of action in the following areas:
1. Protecting evidence:
- Limiting logical and physical access.
- Securing computers and documents.
- Storing documents in a safe place.
- (Internal) Keeping information on a need-to-know basis.
- (External) Assisting local management in working with public relations and the communications department to develop necessary releases.
3. Law Enforcement:
- Working with local management and legal affairs in contacting the appropriate law enforcement agency once the investigation has proven fraud has occurred. Factors to consider include which agency has jurisdiction in the case, the dollar amount of the loss and the agency's ability to prosecute the case.
SOMEONE WILL TAKE ADVANTAGE OF P-CARDS
P-cards can be a valuable addition to any organization by reducing the number of transactions your accounts payable staff must process and by expediting urgent repairs and purchases. However, if your company uses p-cards, it is extremely important to have adequate controls, both preventive and detective, in place. Even with the best controls in place, you can be sure that someone will try to take advantage of the privilege and use the p-card for his or her personal gain. Therefore, when a misuse occurs, you need to be prepared to investigate it professionally by having the right team and policies in place to facilitate the investigation.
Jerry E. Diley, CFE, CIA, CISA, CRISC, is the senior IS audit manager of Bon Secours Health System in Marriottsville, MD.