Corporate credit cards are not new. They have been widely used for decades to cover day-to-day business expenditure by employees. You may expect controls to be robust and well established but, surprisingly, we are seeing a significant increase in frauds perpetrated through these cards.
We have recently advised on four separate matters, of which one particularly stands out – a major fraud in a large, well-established organisation, which went undetected for over a year and was only detected when a new team member took over the approval role.
The reason for the fraud was threefold: weak internal controls in relation to credit cards (weak policy, concentration of credit card information), weak accounting controls (no segregation of duties, lack of reconciliation), and a culture of not taking policies and procedures seriously. Frankly, it is easier to fix the first two but they amount to nothing until ‘culture’ is addressed.
We set out below five common control failures that led to these frauds.
Control over credit card details
Often one central person or team has complete information on credit cards, such as cardholder name, card number, expiry date and verification code. The availability of such detailed information in the hands of a few significantly increases the risk of fraud.
Lack of segregation of duties
The person who has the information is often the same person who administers the system for submitting expense claims. This often allows the administrator to use a credit card for personal expenditure and then “suppress” that transaction, meaning that the cardholder does not even know that an expense was incurred on his card.
Lack of reconciliation
Often employees fail to submit supporting documents on a timely basis, with delays of six months not uncommon. However, payments are made monthly to the card issuing bank without any reconciliation between the payment amount and expenses incurred. This lack of reconciliation combined with a lack of segregation of duties presents a significant fraud risk and control failure.
Approval of credit card expenditure
Most organisations have policies on allowable business expenditure and limits. A common theme, particularly when a doubtful expense is incurred for two or more persons, is that the junior member picks up the tab and the senior person approves the expense. As a matter of policy, the tab should always be picked up by the most senior person.
Policies should prohibit personal expenses. Purchase of gift cards, use in PayPal accounts, buying other financial products/services, mobile app purchases, etc., should be restricted. Purchases of items available on credit should be restricted (e.g. payment of telephone bills should not be allowed).
The increase in fraud using corporate cards means that organisations should perform holistic reviews across the four pillars of the internal control environment:
- Governance – Reviewing and tightening policies and procedures;
- Process – Ensuring segregation of duties, information and necessary checks and balances;
- Systems – Reviewing system features and access controls; and
- People – Addressing cultural issues.
Rapidly evolving payment methods, new payment platforms and access to products on different channels place a huge burden on CFOs and other professionals to evaluate and refresh internal control frameworks. An excellent first step is to ensure that existing internal controls relating to ‘older’ payment methods such as corporate credit cards are working efficiently and effectively.