Purchasing Card Audits

P-Card audits can be categorized into two primary types—transaction audits and process audits (sometimes called performance audits). Following are suggestions for both. Transaction audits often draw the most attention because they are aimed at detecting fraudulent activity. However, do not overlook process audits, which are important for testing the effectiveness of P-Card controls, such as training, and measuring the level of compliance.

Audit-related Resources

In addition to the content below, other audit-related resources include the following:

• Rethink the audit process—an interview with Card Integrity

• Build a foundation for successful audits

• Why your P-Card auditing stance could be risky

• Are auditors friends or foes?

• The gift card scam and what your audits should include

• Disruption in risk management for P-Cards

• Auditing the program manager or administrator (PM/PA)

• P-Card controls and fraud cases

P-Card Help

Does your organization need help with its Purchasing Card auditing strategies? Contact Recharged Education today. Also, subscribe to the educational blog (no charge).

Transaction Audits

Who, How, When

Transaction audits:

• could be conducted by the P-Card program administrator or manager (PA/PM), an internal audit department or other department

• can be accomplished through technology; for example, several companies offer auditing technology solutions to streamline the process and minimize reliance on human efforts

• should occur a minimum of monthly

What to Avoid

• Manually auditing all P-Card transactions every month, which is tedious and costly; learn more

• Exclusively conducting random, percentage-based audits (e.g., 10% of transactions), which can result in some cardholders slipping through the cracks

Strategic P-Card Audits

Your strategy should include auditing transactions that have certain attributes, such as those:

• at or above a certain dollar threshold

• with certain merchant category codes (MCCs) and/or suppliers (e.g., Amazon)

• containing key words that could indicate a prohibited purchase per your policies and procedures

• occurring during non-business hours

Also look for suppliers used by only one cardholder; this might indicate an issue or something fishy.

In addition, audit all transactions by certain cardholders, such as those who: 

• are new to the cardholder role

• have a new manager/approver

• exceed a certain number of transactions during the month

These are just some examples. In addition, do not exclude C-suite cardholders just because of their job level. 

Process Audits

P-Card process audits are usually conducted at least annually by internal and/or external auditors. Because the same tired, old audit can become ineffective, take the time to prepare a customized audit.

Auditor Preparation

The keys are:

• reviewing past audit results, which may indicate areas worthy of more scrutiny

• researching industry trends to identify new things to look for, such as card misuse within other organizations (how it happened, what controls were missing) and new scams by external fraudsters (e.g., new phishing tactics)

• understanding changes to the program since the last audit to ensure controls were established for any new card uses

What to Use

Obtain a copy of the:

• most current P-Card risk assessment

• last audit results, as noted above

• program policies and procedures

Audit against all of these. For example, determine whether any control gaps (per the risk assessment) have been resolved. Evaluate the level of compliance with P-Card policies and procedures; include cardholders, managers/approvers and the PA/PM.

What to Do with Audit Results

• Compare to past audit results to identify what has changed

• Develop action items that will improve the program

• Ensure action items are assigned and make plans to follow up

• Share with the appropriate parties, such as the PA/PM and his or her management