Risk Assessments
It’s a classic battle: P-Card supporters versus P-Card resisters. How do you overcome management concerns about P-Card controls? Begin with a current risk assessment (also called a risk analysis).
When was the last time you conducted such an analysis of your Purchase Card program? Some organizations have never completed this activity, but it is critical for documenting program risks and the mitigating controls.
There are various ways to approach a risk assessment. The ORCA framework is one:
Identify your organization’s program objectives
Determine the potential risks
Document existing controls
Specify the necessary actions to address areas that are lacking controls
If your organization has a risk assessment template, you could start with that or consider purchasing the P-Card specific template from Recharged Education.
Program Overview
To begin a P-Card risk assessment, document general facts about the program, such as:
Date of the last risk assessment
Program changes since then
Year of program implementation
Department/business unit responsible for program management
Current card issuer
Current number of cardholders/accounts
Targeted dollar threshold for P-Card purchases
Program metrics and benefits (to highlight the value of P-Cards)
Information about internal card fraud cases (to put fraud into perspective)
This helps everyone who might review the assessment become more familiar with the program.
Eight Broad Topical Areas to Assess
Following the overview, break the P-Card program down into manageable chunks for assessment purposes; for example:
Program policies and procedures (P&P)
Card issuance processes
Card controls
Card usage/activity
Card cancellation
Accounting processes (see an example)
Information security
Program management aspects
Within each topical area, determine baseline controls and whether your program meets these standards. For example, you could format the risk assessment as a series of related yes/no questions with an accompanying space for explaining the existing control. Designate additional space to note if action is needed to improve the control and, if so, who is responsible for each action item.
A Card Issuance Example
Risk assessment question: Is an employee’s manager required to provide documented approval before the card application is submitted to the issuer?
The answer might be “yes,” but you can take it further by evaluating the process. Are applications in paper form? If so, perhaps the existing control is that the applicant’s manager, in addition to the employee, must sign the application, but the residual risk is a forged signature. If your organization thinks a good answer is for accounts payable (AP) to retain a copy of each manager’s signature to compare against applications (yes, at least one organization has done this), this presents other issues. Besides being tedious to execute, the challenge would be keeping the file of manager signatures both secure and current.
The action item to strengthen the control and improve the process could be changing to an electronic application and approval (e.g., email or system workflow approval).
The Balancing Act
More controls do not necessarily make a program better. The challenge is striking the right balance. As indicated above, conducting a risk assessment should help you avoid two broad risks:
a lack of effective controls, which increases the likelihood of fraud, misuse and abuse
applying too many controls, which are costly and impact the process savings inherent to P-Cards
Once you have completed a robust risk assessment, you do not have to start from scratch again each year. Make a copy of the previous version and then edit accordingly. It is possible that little will change from one year to the next, but reviewing annually supports a healthy control environment and successful program.