ACG 4651

SPRING 2016
The Case of Procurement Cards
Background
The Dilemma
A midsize university in the Midwest (hereafter, the University) recently adopted a PCard
Program. The procurement supervisor, Paul Cardswell, spearheaded the Program, convincing
University administrators that PCards would streamline purchases and save the University
lots of money. Paul first researched PCard Programs at other universities and created a
university PCard Manual by taking what he believed to be the best parts of the other policy
manuals and using a cut-and-paste technique (see the University Purchasing Card Manual).
The manual and PCards were then provided to designated employees and departments in
December 2009. No formal employee training has been provided yet. To date, the only
review that has been done has been simply to verify adequate documentation at the
departmental level.
The University President has recently contacted Paul. The President has just returned from a
meeting of university administrators at which one of the topics of conversation was PCard
abuse. Apparently, some administrators, staff, and professors at other universities use
PCards inappropriately to enjoy free meals, supplies, and travel. The President is sure that
the same thing is not happening here at his University, because human resources conducts
a thorough background check on all employees prior to hiring. However, given tight
university budgets and the fact that University-issued PCards have charged almost $20
million in transactions, he wants to be sure. Therefore, he asks Paul his opinion. Paul tells the
President that he will investigate the situation and get back to him.
First, Paul does some research. He discovers that the most likely way an employee can
misuse organizational assets is via asset misappropriation, such as submitting an invalid or
inflated expense reimbursement (ACFE 2012). He also learns that 85 percent of employees
misusing organizational assets have never done that before (ACFE 2012). These newly
learned facts make Paul more concerned about compliance with University PCard Program
policies.
Unfortunately, Paul does not have time to investigate the situation himself. Therefore, he
hires you as an intern to perform an independent, risk-based internal audit of the PCard
Program. To help get you started, Paul provides you with the following background
information on PCards and PCard audits that he gathered when he started the Program.
Reengineering the Expenditure Cycle with PCards
The Expenditure Cycle may involve processing purchase requisitions and purchase orders,
matching internal documents with vendor documents, preparing checks, stuffing and mailing
payments, and posting entries into a variety of journals and ledgers. This makes the
traditional processing of the Expenditure Cycle labor-intensive, long, and costly. In fact, the
average administrative cost for a purchase order is $91, and the average time to complete
transactions is 32 days (Palmer and Gupta 2007). Given that most vendor invoices are for
small dollar amounts (less than $1,000) (IOMA 2009b), the cost and associated transaction
time seem excessive and can be significantly reduced. One way to reengineer both the
procurement and cash disbursement activities of the Expenditure Cycle is through the use of

ACG 4651
SPRING 2016
procurement credit cards (also known as corporate purchasing cards, PCards, or P-Cards),
which streamline much of the process.
The PCard is an alternative to the existing procurement and cash disbursement processes,
and provides an efficient method of purchasing and paying for small-dollar, routine
purchases. Rather than purchase using the cumbersome, traditional purchase requisitions,
purchase orders, invoices, and checks, a PCard Program that issues PCards to employees
can streamline the process. A typical PCard Program enables employees to conveniently
purchase low-dollar goods and services directly from any vendor that accepts a credit card.
Individual spending limits are established for each PCard based on the employees needs.
The direct buying by employees eliminates the need for purchase requisitions, purchase
orders, and vendor invoices, as well as the upfront review and preapprovals built into the
traditional Expenditure Cycle, thereby significantly reducing processing costs and time. In
fact, the cost of a PCard transaction is usually less than $10 (versus the traditional $91) with
only 20 days to complete the transaction (versus the traditional 32 days) (IOMA 2009b).
Therefore, a PCard Program saves considerable money, time, and effort. Many organizations
are taking advantage of these savings as evidenced by more than 70 percent of
organizations having a PCard Program by 2008 (Palmer and Gupta 2007). The potential
benefits of the PCard are significant for both the cardholder and the organization, as is
described below.
Benefits to the Card Holder/Employee
Eliminates the need to use personal funds for purchases and then obtain
reimbursements.
Provides convenience, flexibility, and security.
Allows the employee/organization to obtain goods faster than through the traditional
procurement process.
Benefits to the Organization
Reduces the number of purchase orders, vendor invoices, checks, reviews, and
preapprovals.
The typical procurement/payables function has 80 percent of its purchase
transactions accounting for less than 20 percent of total purchase dollars (Schaeffer
2002). Thus, the procurement function traditionally spends much of its time on small
purchase transactions. The use of the PCard allows the procurement function to focus
its efforts on large dollar transactions.
Capitalizes on the worldwide acceptance of credit cards.
Implementing a PCard Program
Procurement, which is often responsible for administering the PCard Program, selects a
financial institution (usually American Express, MasterCard, or Visa) to provide program
services to the organization. The organization sets predetermined limits on PCards and then
issues the PCards to employees in the Program. When an employee makes a purchase (in
person, by phone, or over the Internet), the vendor requests a purchase authorization at the
point of sale. As with any credit card, the PCard system validates the transaction against the
preset limits. Unique internal controls can also be established within a PCard Program. For
example, transactions are instantaneously approved or declined based on PCard
authorization criteria such as:

ACG 4651
SPRING 2016

Number of transactions allowed per month and per day;

Single-purchase limit, including shipping costs, not to exceed preset limits;
Monthly spending limits; and
Approved commodity types (for example, office supplies are allowed, while travel
expenses are not allowed) using Merchant Category Codes (MCCs). MCCs are fourdigit numbers used by the bankcard industry to classify vendors/industries into
market segments. There are approximately 600 MCCs, which denote various types of
businesses (e.g., 4215, Courier Services; 5111, Office Supplies; and 5722, Household
Appliance Stores).

Each unit (or department) often has a designated PCard administrator, who is responsible for
the coordination and administration of the PCard Program. The PCard administrators also
serve as reviewers, who are responsible for the coordination and administration of a
designated group of PCard holders within their unit (or department). Reviewers make sure
that all transactions for which they are responsible are reviewed in the settlement system
prior to being moved from the settlement database into the general ledger to update
account balances. Reviewers also maintain PCard receipts for these transactions. All receipts
are kept on file locally in accordance with record retention policy (often for four or five
years).
The PCard Program should provide clear communication of policies via a PCard policy
manual that contains the following items (IOMA 2007, 2009b):
Card issuance: Which employees are eligible for a PCard?
Card usage: How should the PCard be used?
Allowable and restricted transactions: What items can be purchased?
Adjustments and disputed purchases: What happens if adjustments to the purchase
price need to be made (e.g., sales tax incorrectly incurred, alcohol purchased, wrong
amount charged by vendor)?
Recordkeeping requirements: What receipts should be submitted? How long should
receipts be kept?
Account reconciliation and maintenance: Who is in charge of account reconciliation?
Who maintains PCard limits and restrictions?
Penalties for abuse and fraud: What happens if a PCard is misused?
Lost cards: What to do if a PCard is lost?
Internal controls: What internal controls are in place to help ensure compliance?
PCard audits: What type of PCard audits will be performed, how frequently, and by
whom?
In addition to having a clear policy manual, best-in-class PCard Programs typically also have
the following characteristics (IOMA 2007, 8; Anonymous 2008):
Top management support with good communication;
Traditional expenditure cycle activities are first studied, reengineered, and
streamlined to create the PCard Program;
Employee training on PCard usage;
Established benchmarks and metrics (such as targets in the reduction in total
purchasing costs);

ACG 4651
SPRING 2016

Mandated card use for certain types of employee spending, specified suppliers, and
transaction amounts;
Enforcement policies for violations of PCard policies (e.g., charge back to department
or employee, termination, criminal charges, and legal action);
Integration with enterprise resource planning (ERP) systems and/or e-procurement
software;
Combination of credit cards and supplier/ghost cards;1 and
An audit process.

PCard Audits
As highlighted above, best-in-class PCard Programs include an audit process. PCard audits
should consider both compliance with the Programs regulations and the effectiveness of the
Programs processes. Thus, PCard audits should look for errors and irregularities, misuse,
fraud, and ways to improve the efficiency of the PCard Program. Potential PCard errors and
irregularities include incorrect foreign currency translations or the incurring of sales tax on
non-taxable transactions. Potential PCard misuse includes not providing required documents,
use of the card by the wrong person, and pyramiding (i.e., splitting transactions into multiple
purchases to circumvent transaction limits). Potential PCard fraud includes purchasing
prohibited or personal items via the PCard.
To detect these anomalies, the internal audit function periodically performs audits to verify
that items purchased are received and that organizational policies and procedures are
followed. A PCard audit may be performed as a separate audit or as part of a SarbanesOxley Section 404 audit on internal controls. PCard audits should use risk-based auditing to
identify PCard risk and evaluate how effective the risks are being managed with existing
PCard controls (IOMA 2003, 10). A risk based internal audit identifies key controls that are
required to provide reasonable assurance that risks are effectively managed (IIA 2010,
part 5). Key controls are the combination of manual and automated internal controls that
work together to mitigate business risks within an acceptable level for the organization. Key
controls need to be properly designed and fully functioning to mitigate risks. Thus, the audit
should examine whether (1) the PCard Program has appropriately designed internal controls
to mitigate organizational risks efficiently and effectively; (2) all employees and information
technology systems actually follow the prescribed controls; and, ultimately, (3) only valid
transactions are in the system (i.e., the controls are effective).
To assess the design of PCard controls, internal auditors will often first examine the policies
and procedures of the PCard Manual. A Risk-Control Matrix of organizational objectives and
identified risks should be mapped to the internal control policies to ensure that all risks are
mitigated so that organizational objectives can be achieved. To assess whether designed
controls are in place, the internal auditor will conduct control tests, which may include (1)
interviewing the Program director, Program administrators (reviewers), and employees about
their PCard activities; (2) observing the participants as they conduct their PCard activities;
(3) performing a basic analysis to gain an understanding of the data and client; and (4)
examining controls defined in information technology systems. Finally, to assess the
effectiveness of the PCard controls, the internal auditor will conduct substantive tests of
transactions by using generalized audit software (GAS) to data mine (i.e., examine) the
PCard transactions for anomalies.

ACG 4651
SPRING 2016
Overall Guidance
The Procurement Department has provided you with the necessary files containing all of the
PCard transactions and related information required for your analysis. The three files consist
of: (1) the PCard Transactions file; (2) the PCard Manual for the University; and (3) a RiskControl Matrix. The PCard Transactions file consists of one month of purchasing records for
the University from February 2010. Table 1 provides the record layout for this file. The PCard
Manual lists the policies governing the PCard Program. Any deviation from those policies is
considered an internal control violation. The third file, the Risk-Control Matrix, identifies one
example of a risk applying to the PCard Program. Finally, Table 2 provides a list of Prohibited
MCCs, which helps determine whether a purchase is in violation of University (and PCard
Program) policy.

ACG 4651
SPRING 2016
FIGURE 1
Control Totals Provided by Telecommunications
To: Internal Audit Department
From: Procurement
RE: Data control totals
Per your request, here are the control totals and other pertinent information for the
procurement card data covering the first four months of 2010.
Total Dollar Value of Transactions
Total Number of Transactions
Total Number of Cards Issued

$159,000.18
831
174

ACG 4651
SPRING 2016
TABLE 1
Transaction Table Layout
Field Name
Card Holder
Card Number
Posted Date
Transaction Date
Transaction Description
Vender MCC
Exchange
Document Amount U.S
Source Amount Foreign
Source Currency
Source

Description
Card Holder Name
Card Holder Number
Date transaction submitted
Date of transaction
Description of transaction
Vendor primary MCC
Conversion rate to U.S. dollar
Transaction amount in U.S. dollar
Transaction amount in local currency
Currency used for source amount
Transaction type: Purchase, debit,
credit

Data Type
Character
Numeric
Date
Date
Character
Numeric
Numeric
Numeric
Numeric
Character
Character

ACG 4651
SPRING 2016
TABLE 2
Prohibited Merchant Category Codes
3000-3299
All Airlines
3351-3440
All Rental Car Agencies
3501-3744
All Hotels
4121
Taxicabs and Limousines
4131
Bus Lines
4411
Cruise Lines
4722
Travel Agencies
5541-5542
Service Stations, Fuel Dispensers
5813
Bars, Cocktail Lounges
5921
Package Stores, Beer, Wine, Liquor
6010-6300
Financial
Institution
and
Disbursements
7011
Lodging Hotels, Motels, Resorts
7012
Timeshares
7261
Funeral Services and Crematories
7273
Dating and Escort Services
7276
Tax Preparation Services
7297
Massage Parlors
7298
Health and Beauty Spas

Cash