Purchasing Card Audits
P-Card audits can be categorized into two primary types—transaction audits and process audits (sometimes called performance audits). Following are suggestions for both. Transaction audits often draw the most attention because they are aimed at detecting fraudulent activity. However, do not overlook process audits, which are important for testing the effectiveness of P-Card controls, such as training, and measuring the level of compliance.
Audit-related Resources
In addition to the content below, other audit-related resources include the following:
P-Card Help
Does your organization need help with its Purchasing Card auditing strategies? Contact Recharged Education today. Also, subscribe to the educational blog (no charge).
Transaction Audits
Who, How, When
Transaction audits:
could be conducted by the P-Card program administrator or manager (PA/PM), an internal audit department or other department
can be accomplished through technology; for example, several companies offer auditing technology solutions to streamline the process and minimize reliance on human efforts
should occur a minimum of monthly
What to Avoid
Manually auditing all P-Card transactions every month, which is tedious and costly; learn more
Exclusively conducting random, percentage-based audits (e.g., 10% of transactions), which can result in some cardholders slipping through the cracks
Strategic P-Card Audits
Your strategy should include auditing transactions that have certain attributes, such as those:
at or above a certain dollar threshold
with certain merchant category codes (MCCs) and/or suppliers (e.g., Amazon)
containing key words that could indicate a prohibited purchase per your policies and procedures
occurring during non-business hours
Also look for suppliers used by only one cardholder; this might indicate an issue or something fishy.
In addition, audit all transactions by certain cardholders, such as those who:
are new to the cardholder role
have a new manager/approver
exceed a certain number of transactions during the month
These are just some examples. In addition, do not exclude C-suite cardholders just because of their job level.
Process Audits
P-Card process audits are usually conducted at least annually by internal and/or external auditors. Because the same tired, old audit can become ineffective, take the time to prepare a customized audit.
Auditor Preparation
The keys are:
reviewing past audit results, which may indicate areas worthy of more scrutiny
researching industry trends to identify new things to look for, such as card misuse within other organizations (how it happened, what controls were missing) and new scams by external fraudsters (e.g., new phishing tactics)
understanding changes to the program since the last audit to ensure controls were established for any new card uses
What to Use
Obtain a copy of the:
most current P-Card risk assessment
last audit results, as noted above
program policies and procedures
Audit against all of these. For example, determine whether any control gaps (per the risk assessment) have been resolved. Evaluate the level of compliance with P-Card policies and procedures; include cardholders, managers/approvers and the PA/PM.
What to Do with Audit Results
Compare to past audit results to identify what has changed
Develop action items that will improve the program
Ensure action items are assigned and make plans to follow up
Share with the appropriate parties, such as the PA/PM and his or her management