Disruption in Risk Management for P-Cards

What does your organization rely on to catch inappropriate P-Card spend and potential fraud by cardholders? Does your confidence rest with the manager approval process? What about your auditing approach? In the article below, Paul Newton explores drawbacks concerning approval processes and the positive impact of analytics. His insights could lead your organization to rethink its detective P-Card controls.

Disruption in Risk Management for Purchase Cards

by Paul Newton

In a recent conversation with a partner at a mid-market CPA firm, it occurred to me that, because analytics makes the detection of purchase card fraud far easier, the risk management business may well be facing considerable disruption as a result.

Control with a Low Likelihood of Detection

For purchase card spend, testing methods have largely been manual/sporadic. The credible threat of post-approval detection was low and the strength of implemented processes (e.g., workflow, governance, systems and policies) were the primary deterrent to inappropriate spending. Unfortunately, transaction approval processes have two insurmountable weaknesses:

  1. the human element (e.g., managers approve all because they don’t have time to review each line item)

  2. the focus on overt policy violations despite employees “gaming” the system with inappropriate spend that is not technically a policy violation (“It doesn’t say I can’t use Venmo”)

Despite best efforts, fraud and wasteful spend do get past implemented processes, with very little chance of subsequently being detected. Indeed, most fraud cases are stumbled upon rather than arising from a systematic detection approach. The illustration below depicts the control framework as it has been historically—with a low likelihood of post-approval detection.

newton1.JPG

Some readers may feel that their processes do a more thorough job of preventing fraud and waste, but it has been my experience from creating comprehensive testing regimes that a shockingly large amount of problematic spend still occurs. Nevertheless, the point is that, historically, the process is the main form of control.

Control with a High Likelihood of Detection

Today’s analytics tools make it possible to create a large library of complex tests which can be re-run with little incremental effort. A rule that identifies split meals, for example, will identify every split meal, every single time, while machine learning methods identify outliers based on patterns that humans could never detect. Thus, very little gets past post-approval detection methods.

newton2.JPG

Upon first glance at the illustration above, one may conclude that analytics simply detects more things, which is no surprise. However, it also implies that implemented processes are of less importance when you have a high likelihood of detection. Even for firms with rudimentary process frameworks, fraud and waste will still be detected. This has a profound impact. Focusing on a [much cheaper] analytics component that provides a high likelihood of detection results in less fraud/waste than implementing extensive processes.

Furthermore, because the volume and complexity of tests make detection methods opaque, the probability of detection is high, but unknowable—and our risk-averse nature fosters self-regulation. After all, you can’t game the system if you don’t know the rules. Now the detection methods are the main form of control.

Conclusion

Our perspective of fraud prevention has been from a world where the likelihood of detection is low, so we build extensive processes to prevent abuse. However, when we can easily identify overt process violations, clever schemes and behavior outliers, we should reconsider the most effective way to prevent fraud and waste.

Process frameworks are still the default control point today, but inexpensive analytics tools are presently available to easily identify problematic transactions. I encourage readers to consider evaluating the new technologies in a pilot—if nothing else than to understand the extent to which their processes are insufficient. 

It is too early in the adoption cycle to tell what the optimal balance of process and analytics will be. Machine-driven disruption is happening everywhere. The exciting thing is that it not only allows us to do things better, it also allows us to do things differently. 

About the Author

Paul Newton is the founder of Northern Virginia based Barque Labs, whose mission is to leverage analytics to solve common problems. Barque’s Card Analytics Engine generates Targeted Review Sets with one click. Previously, Paul was Head of Analytics at a CPA firm where he pioneered analytics solutions for purchase cards, expense reports, freight, shipping delays and supplier management. Paul also founded Zimtoti Analytics where he led a $100M business turnaround, and was the EVP of Operations at Spring Global, the CFO/COO at Themis Analytics and VP of Services at webMethods.


Available Products & Services from Recharged Education

Submit a contact form to request a quote for what your organization needs.

In 2014, Lynn Larson, CPCP, founded Recharged Education. With 20 years of Commercial Card experience, her mission is to make industry education readily accessible to all. 

Subscribe to the Blog

Receive notice of new blog posts published by Recharged Education.