Protect Your Purchasing Cards with Data Analytics
Practical advice to help organizations tackle fraud, waste and abuse
By Steve Biskie, CPA, CITP, CISA
Corporate purchasing cards have been steadily gaining popularity over the past several years – and with good reason. Purchasing cards (p-cards) can automate supplier payments, eliminate unnecessary paperwork and trim costs. But p-cards also come with inherent risks for organizations large and small. Employees can be tempted to abuse p-card program controls and, in extreme cases, commit sophisticated, high-level fraud.
Whether you have 50 employees with p-card privileges or 5,000, data analytics offer a powerful way to minimize your organization’s risk exposure and validate internal controls. Analytics support business assurance by providing:
- Independent control testing
- 100% data review with cross-platform analysis
- Prompt notification of key exceptions
- Quantified exposure
- Both pre-defined and tailored pain-point analysis
Analytics really hit their sweet spot when Audit and business process owners work together to coordinate their efforts – achieving compliance, recovering costs, preventing loss, mitigating critical risk areas and providing assurance. And when it comes to p-card programs, analytics are typically designed to cover each of the four major components of the p-card process: managing cards, managing merchants, managing transactions and conducting review and analysis.
Effective analytics might test for invalid employees and duplicate purchase cards using name and address matches, for example. Other key analyses include validating card limit changes, pinpointing blocked merchant categories and key words (such as alcohol, clothing, and casinos), and looking for unusual behavior patterns (such as using cards during weekends and holidays for employees not known to travel). The opportunities are endless, but first, let’s look at data analytics in action.
Streamlined efforts produce big results
Global security and technology firm Lockheed Martin offers a terrific example of developing a coordinated p-card monitoring process. The company recently created a Commercial Card Operations division to maximize its commercial card value proposition and minimize risk. The p-card program covers:
- 90,000 cardholders across multiple continents
- 2.5 million transactions per year
- 4 primary cards – travel, meeting, fleet and purchasing
The Commercial Card Operations division implemented ACL data analytics to create an early warning system that flags suspicious transactions on a near-real-time basis. When unusual transactions occur, cardholders receive a message requesting additional details on a fixed timeline. The analytics achieved full ROI within months and have made a powerful impression on cardholders. As auditors know first-hand, people are far more likely to follow the rules when they know someone is watching.
High-performance, custom analytics
California’s Lawrence Livermore National Laboratory (LLNL) established its p-card program in 1992 to simplify the purchase of low-value goods and services. In 2009, the LLNL had 120 p-card holders who spent $70 million and issued over 50,000 purchase orders. As a federally funded organization, LLNL is subject to federal acquisition regulations and ongoing internal and external audits.
The p-card program is a high-risk business area for LLNL because it involves significant dollar amounts, includes orders placed by people working outside the supply chain management department, and has the highest likelihood of fraud, waste and abuse. The potential for negative publicity is also a top concern.
According to Christa Ormonde, one of two p-card auditors for LLNL, the organization needed a more efficient way to review transactions and validate the effectiveness of the p-card program. Auditors were using judgment-based transaction samples and manually scanning thousands of lines of data. They also lacked a way to identify split orders, suspect suppliers and prohibited purchase items. Review processes were slow, and the team was struggling under a backlog of outstanding audits.
To automate the manual processes, the audit team implemented ACL analytics, which were integrated with the LLNS card management system. The ACL continuous controls monitoring (CCM) solution performs weekly audits of approximately 1,200 posted transactions. The solution also generates a list of transactions flagged for follow-up, based on a series of analytics that target the LLNL’s highest risk areas. All transactions are tested to find:
- Vendor / p-card holder name matches
- GSA name and GSA address matches
- Split orders
- Even-dollar orders (which often indicate gift card purchases)
- Reconciliation summaries (to flag inconsistent order and transaction totals)
- Suspect suppliers (including prohibited categories and providers)
- Controlled items (using key words such as alcohol, clothing, food)
- On-site / off-site service guideline violations
- P-card holder also named as the purchase requester
Boosting efficiency, oversight and internal controls
Just prior to implementing the CCM solution, the LLNL p-card audit team was downsized from four auditors to two, but the automation has enabled them to keep up with their full workload and even outperform previous benchmarks.
With tailored analytics, LLNL auditors have trimmed their complete transaction review time from an average of 24 days down to 19 – and they can immediately target potential problems for further investigation. They can quickly identify problematic cardholders and communicate any issues to the p-card program manager.
With 100 percent data coverage, the auditors are free to focus on higher-risk areas and have the flexibility to create new analytics that address specific pain points. Perhaps the most revealing moment came when LLNL Internal Audit reviewed the p-card program and produced no findings whatsoever. The internal auditors even reduced their sample plan by 80 percent over prior years, thanks to the strength of the p-card analytics.
“The constant oversight we’ve implemented with data analytics keeps p-card holders in check,” says Ormonde. “We’re now able to do more ad-hoc reviews, targeted audits and we’ve eliminated the backlog of outstanding work.”
The case for customization
The nature and type of tests used for p-card analytics can be endless, but the following three issues are common targets during the early stages of program rollout:
1. Transactions made with restricted (or unexpected) merchants
2. Duplicate purchases
3. Suspicious transaction timing or purchase amounts
While each of these issues may initially seem straightforward, the reality is that a one-size-fits-all approach can lead to a false sense of security. This is where the weaknesses faced by packaged solutions with a standard set of “plug-and-play” tests quickly become apparent. In fact, the notion of “plug-and-play” with analytics is truly misleading, and can come with serious consequences. In some cases, the generic nature of these tests leads to so many false positives that follow-up becomes a chore and legitimate findings become lost in the forest of information. In other cases, the tests are designed in such a specific manner that “false negatives,” where problems that should have been detected are not, become a concern. In fact, when recently reviewing the tests conducted by three large organizations, we found that in all three cases the test logic being used was so basic that some of the most common scenarios resulting in duplicate payments were being missed.
P-card data analytics should be detailed, robust and highly specific. Customization is key. Focusing on quick, easy tests is a great way to grab that low-hanging fruit, but some of the most valuable tests you can perform are also the most creative.
Take a simple duplicate test, for example. The idea of finding matching totals can be extended to a full range of possibilities, including:
- same vendor, same amount, same day
- same vendor, same amount, within a range of days
- same vendor, similar amount
- different vendor, same amount
- same vendor, same reference number
- different vendor, same reference number
The goal is to continuously refine and expand the scope of your transaction testing. Let’s take splitting transactions as another example. If employees are trying to circumvent a single purchase limit of $1,500, they might make two $1,000 transactions on the same day to purchase a $2,000 item. Or, they might split the $2,000 into one purchase for $1,195 and a second purchase for $805. They could also split the total into two or more transactions with varying amounts over several days – and do it often.
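The duplicate and split-order tests described above, sketched in Python as an added example (not code from the article or from ACL). The field names, sample transactions and 3-day window are constructed assumptions; the $1,500 single purchase limit is the one used in the text.

```python
from collections import defaultdict, namedtuple
from datetime import date

SINGLE_LIMIT = 1500.00  # single purchase limit from the article's example
Txn = namedtuple("Txn", "id holder vendor amount day ref")

# Constructed sample transactions (not real data)
TXNS = [
    Txn("T1", "ALEE", "Acme Tools", 1000.00, date(2024, 3, 4), "INV-881"),
    Txn("T2", "ALEE", "Acme Tools", 1000.00, date(2024, 3, 4), "INV-882"),
    Txn("T3", "BKIM", "Delta Supply", 1195.00, date(2024, 3, 5), "Q-17"),
    Txn("T4", "BKIM", "Delta Supply", 805.00, date(2024, 3, 7), "Q-18"),
    Txn("T5", "CRAO", "Office Hub", 240.10, date(2024, 3, 6), "PO-5"),
    Txn("T6", "CRAO", "Office Hub", 240.10, date(2024, 3, 20), "PO-9"),
    Txn("T7", "DMOR", "Nova Print", 412.50, date(2024, 3, 8), "N-300"),
    Txn("T8", "DMOR", "Print Nova LLC", 399.00, date(2024, 3, 9), "N-300"),
]

def find_duplicates(txns, day_window=3):
    """Pairs matching on vendor+amount within a day window, or on reference number."""
    hits = []
    for i, a in enumerate(txns):
        for b in txns[i + 1:]:
            close = abs((a.day - b.day).days) <= day_window
            if a.vendor == b.vendor and a.amount == b.amount and close:
                hits.append((a.id, b.id, "same vendor, same amount"))
            elif a.ref == b.ref:  # catches different vendor, same reference
                hits.append((a.id, b.id, "same reference number"))
    return hits

def find_splits(txns, limit=SINGLE_LIMIT, day_window=3):
    """Cardholder+vendor groups whose under-limit purchases sum past the limit."""
    groups = defaultdict(list)
    for t in txns:
        if t.amount <= limit:  # each piece must pass the limit on its own
            groups[(t.holder, t.vendor)].append(t)
    flagged = []
    for (holder, vendor), rows in groups.items():
        rows.sort(key=lambda t: t.day)
        for i, first in enumerate(rows):
            window = [t for t in rows[i:] if (t.day - first.day).days <= day_window]
            total = round(sum(t.amount for t in window), 2)
            if len(window) > 1 and total > limit:
                flagged.append((holder, vendor, [t.id for t in window], total))
                break  # one flag per group is enough to trigger follow-up
    return flagged

if __name__ == "__main__":
    print(find_duplicates(TXNS), find_splits(TXNS), sep="\n")
```

Widening `day_window` trades false negatives for false positives: at 14 days the T5/T6 pair is also reported as a duplicate, while at 1 day the $1,195 + $805 split is missed.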
Start small and keep sharpening your analytics
Automating p-card control validations is clearly an effective audit strategy, but a well-designed monitoring program, driven by analytic technology, can provide significant value when applied to business processes across the organization. Analytics can help you find money, increase efficiencies, reduce risk and identify problems before they snowball into crises. Smart data analytics can also provide evidence and support for internal and external audits, while reducing fees.
If you’re eying your p-card program and looking for a concrete plan, the key is to start with simple tests that you can continue optimizing for long-term value. Identify just a handful of areas and launch simple, specific analytics – based on pain points, risk areas and top opportunities for improving processes.
Next, be sure to leverage other people’s expertise to get your plan up and running. There are terrific industry associations and user groups out there that can offer a helping hand. ACL Services also has standardized analytics and thousands of tests that can jump-start your efforts (with the expertise and know-how to customize them to your specific situation to maximize value).
Finally, it’s critical to benchmark your work against past experiences. Look at the time it takes to audit transactions, the number and quality of issues you identify, and the risks mitigated. I’ve found that detailed anecdotes will also make it easier to get buy-in from senior management. At the LLNL, the audit team was cut from four people to two, yet the auditors used data analytics to review all the p-card transactions in less time and actually improved their audit performance. Now that’s a compelling story.
What story will you tell?
Steve Biskie, CPA, CITP, CISA
Director of Services Product Management
ACL Services, Ltd.
Steve Biskie has over 15 years of experience in information technology audit for public accounting (as a former Deloitte manager), private industry, and with specialized risk management consulting firms. His role at ACL is focused on designing services that enable organizations to achieve best practices in the use of audit analytics. Biskie is an accomplished public speaker on the topics of audit, risks, and controls, with a focus on technology. He is an IIA All-Star speaker and a much in-demand thought leader and facilitator throughout industry events.
The opinions, beliefs and viewpoints expressed by the various authors and forum participants on this web site do not necessarily reflect the opinions, beliefs and viewpoints of AuditNet®


