Transylvania Blood Bank Procurement Card (PCard) Audit Case Study

Background

Transylvania Blood Bank (TBB), a non-profit organization, recently adopted a PCard Program. The procurement manager, Diana Prince, spearheaded the Program, convincing top management that PCards would streamline purchases, provide more control over assets, and save the company money. Diana first researched PCard Programs at other companies and created a PCard Program Manual by using a cut-and-paste technique, taking what she believed to be the best parts of the other policy manuals (see TBB PCard Manual). The manual and PCards were then provided to designated employees and departments in January 2016. No formal employee training has been provided yet. To date, the only review that has been done has been to verify adequate documentation at the departmental level.

The company President has recently contacted Diana. She has just returned from a meeting of charity administrators at which one topic of conversation was PCard abuse: some administrators and staff at other charities use PCards inappropriately to enjoy free meals, supplies, and travel. The President is confident that the same thing is not happening at TBB, because human resources conducts a thorough background check on all employees prior to hiring. However, given tight budgets and the fact that company-issued PCards have already charged almost $20 million in transactions, she wants to be sure. Therefore, she asks Diana to investigate the situation and report back to her.

First, Diana does some research. She discovers that the most common way an employee misuses organizational assets is asset misappropriation, such as submitting an invalid or inflated expense reimbursement (ACFE 2016). She also learns that 85 percent of employees caught misusing organizational assets had never been caught doing so before (ACFE 2016). These facts make Diana more concerned about compliance with the TBB PCard Program policies.

Unfortunately, Diana does not have time to investigate the situation more thoroughly. So, she hires you as an intern to perform an independent, risk-based internal audit of the PCard Program.

To help get you started, Diana provides you with the following background information on PCards and PCard audits that she gathered when she started the Program.

Reengineering the Expenditure Cycle with PCards

The Expenditure Cycle involves processing purchase requisitions and purchase orders, matching internal documents with vendor documents, preparing checks, stuffing and mailing payments, and posting entries into a variety of journals and ledgers. This makes the traditional processing of the Expenditure Cycle labor-intensive, long, and costly. In fact, the average administrative cost for a purchase order is $91, and the average time to complete transactions is 32 days (Palmer and Gupta 2007). Given that most vendor invoices are for small dollar amounts (less than $1,000) (IOMA 2009b), the cost and associated transaction time seem excessive and can be significantly reduced. One way to reengineer both the procurement and cash disbursement activities of the Expenditure Cycle is through the use of procurement credit cards (also known as corporate purchasing cards, PCards, or P-Cards), which streamline much of the process.

The PCard is an alternative to the existing procurement and cash disbursement processes, and provides an efficient, streamlined method of purchasing and paying for small-dollar, routine purchases. A typical PCard Program enables employees to conveniently purchase low-dollar goods and services directly from any vendor that accepts a credit card. Individual spending limits are established for each PCard based on the employee's needs. Direct buying by employees eliminates the need for purchase requisitions, purchase orders, and vendor invoices, as well as the upfront review and preapprovals built into the traditional Expenditure Cycle, thereby significantly reducing processing costs and time. In fact, the cost of a PCard transaction is usually less than $10 (versus the traditional $91), with only 20 days to complete the transaction (versus the traditional 32 days) (IOMA 2009b). Therefore, a PCard Program saves considerable money, time, and effort. Many organizations are taking advantage of these savings, as evidenced by more than 70 percent of organizations having a PCard Program by 2008 (Palmer and Gupta 2007). The potential benefits of the PCard are significant for both the card holder and the organization, as described below.

Benefits to the Card Holder/Employee

  • Eliminates the need to use personal funds for purchases and then obtain reimbursements.
  • Provides convenience, flexibility, and security.
  • Allows the employee/organization to obtain goods faster than through the traditional procurement process.

Benefits to the Organization

  • Reduces the number of purchase orders, vendor invoices, checks, reviews, and preapprovals.
  • The typical procurement/payables function has 80 percent of its purchase transactions accounting for less than 20 percent of total purchase dollars (Schaeffer 2002). Thus, the procurement function traditionally spends much of its time on small purchase transactions. The use of the PCard allows the procurement function to focus its efforts on large dollar transactions.
  • Capitalizes on the worldwide acceptance of credit cards.

Implementing a PCard Program

Procurement, which is often responsible for administering the PCard Program, selects a card issuer and network (usually American Express, MasterCard, or Visa) to provide program services to the organization. The organization sets predetermined limits on the PCards and then issues them to the employees in the Program. When an employee makes a purchase (in person, by phone, or over the Internet), the vendor requests a purchase authorization at the point of sale. As with any credit card, the card system validates the transaction against the preset limits. Internal controls specific to the organization can also be established within a PCard Program. For example, transactions are instantaneously approved or declined based on PCard authorization criteria such as:

  • Number of transactions allowed per month and per day;
  • Single-purchase limit, including shipping costs, not to exceed preset limits;
  • Monthly spending limits; and
  • Approved commodity types (for example, office supplies are allowed, while travel expenses are not allowed) using Merchant Category Codes (MCCs). MCCs are four-digit numbers used by the bank card industry to classify vendors/industries into market segments. There are approximately 600 MCCs, which denote various types of businesses (e.g., 4215, Courier Services; 5111, Office Supplies; and 5722, Household Appliance Stores).

Each unit (or department) often has a designated PCard administrator, who coordinates and administers the Program for a designated group of PCard holders within that unit and also serves as their reviewer. Reviewers make sure that every transaction for which they are responsible is reviewed in the settlement system before it is moved from the settlement database into the general ledger to update account balances. Reviewers also maintain the PCard receipts for these transactions; all receipts are kept on file locally in accordance with the record retention policy (often four or five years). The PCard Program should communicate its policies clearly via a PCard policy manual that covers the following items (IOMA 2007, 2009b):

  • Card issuance: Which employees are eligible for a PCard?
  • Card usage: How should the PCard be used?
  • Allowable and restricted transactions: What items can be purchased?
  • Adjustments and disputed purchases: What happens if adjustments to the purchase price need to be made (e.g., sales tax incorrectly incurred, alcohol purchased, wrong amount charged by vendor)?
  • Recordkeeping requirements: What receipts should be submitted? How long should receipts be kept?
  • Account reconciliation and maintenance: Who is in charge of account reconciliation? Who maintains PCard limits and restrictions?
  • Penalties for abuse and fraud: What happens if a PCard is misused?
  • Lost cards: What to do if a PCard is lost?
  • Internal controls: What internal controls are in place to help ensure compliance?
  • PCard audits: What type of PCard audits will be performed, how frequently, and by whom?

In addition to having a clear policy manual, best-in-class PCard Programs typically also have the following characteristics (IOMA 2007, 8; Anonymous 2008):

  • Top management support with good communication;
  • Traditional expenditure cycle activities are first studied, reengineered, and streamlined to create the PCard Program;
  • Employee training on PCard usage;
  • Established benchmarks and metrics (such as targets in the reduction in total purchasing costs);
  • Mandated card use for certain types of employee spending, specified suppliers, and transaction amounts;
  • Enforcement policies for violations of PCard policies (e.g., charge back to department or employee, termination, criminal charges, and legal action);
  • Integration with enterprise resource planning (ERP) systems and/or e-procurement software;
  • An audit process.

PCard Audits

As highlighted above, best-in-class PCard Programs include an audit process. PCard audits should consider both compliance with the Program’s regulations and the effectiveness of the Program’s processes. Thus, PCard audits should look for errors and irregularities, misuse, fraud, and ways to improve the efficiency of the PCard Program. Potential PCard errors and irregularities include incorrect foreign currency translations or the incurring of sales tax on non-taxable transactions. Potential PCard misuse includes not providing required documents, use of the card by the wrong person, and pyramiding (i.e., splitting transactions into multiple purchases to circumvent transaction limits). Potential PCard fraud includes purchasing prohibited or personal items via the PCard. To detect these anomalies, the internal audit function periodically performs audits to verify that items purchased are received and that organizational policies and procedures are followed.

A PCard audit may be performed as a separate audit or as part of a Sarbanes-Oxley Section 404 audit on internal controls. PCard audits should "use risk-based auditing to identify PCard risk and evaluate how effective the risks are being managed with existing PCard controls" (IOMA 2003, 10). A risk-based internal audit identifies key controls that are "required to provide reasonable assurance that risks are effectively managed" (IIA 2010, part 5). Key controls are the combination of manual and automated internal controls that work together to keep business risks within a level acceptable to the organization. Key controls must be properly designed and fully functioning to mitigate risks. Thus, the audit should examine whether (1) the PCard Program has appropriately designed internal controls that mitigate organizational risks efficiently and effectively; (2) all employees and information technology systems actually follow the prescribed controls; and, ultimately, (3) only valid transactions are in the system (i.e., the controls are effective).

To assess the design of PCard controls, internal auditors will often first examine the policies and procedures of the PCard Program Manual. A Risk-Control Matrix of organizational objectives and identified risks should be mapped to the internal control policies to ensure that all risks are mitigated so that organizational objectives can be achieved. To assess whether designed controls are in place, the internal auditor will conduct control tests, which may include:

  • Interviewing the Program director, Program administrators (reviewers), and employees about their PCard activities;
  • Observing the participants as they conduct their PCard activities;
  • Performing a basic analysis to gain an understanding of the data and client;
  • Examining controls defined in information technology systems; and
  • Conducting substantive tests of transactions by using generalized audit software (GAS) to data mine (i.e., examine) the PCard transactions for anomalies.
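The following is a worked example added here; it is not part of the case materials, the TBB PCard Manual, or any issuer's software. It models in Python the two sides described above: the point-of-sale authorization criteria listed under "Implementing a PCard Program" (daily and monthly transaction counts, a single-purchase limit that includes shipping, a monthly spending limit, and an MCC allow-list), and the substantive data-mining tests an auditor would run with GAS over the settled transactions (pyramiding and missing receipts). The card profile, limits, merchants, MCC allow-list, transactions, and all function names are constructed for illustration; MCC 3000 is used only as a code that falls outside the constructed allow-list.

```python
"""Constructed PCard authorization rules and audit analytics (example only).

Everything here is invented for illustration: the card profile, limits,
MCC allow-list, merchants and transactions are not from TBB or any real
program, and the function names are this example's own.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class CardProfile:
    """Hypothetical per-card limits an issuer enforces at authorization time."""
    cardholder: str
    single_purchase_limit: float   # applies to goods plus shipping
    monthly_limit: float
    max_txns_per_day: int
    max_txns_per_month: int
    allowed_mccs: frozenset        # approved Merchant Category Codes


@dataclass(frozen=True)
class Txn:
    txn_id: str
    cardholder: str
    when: date
    merchant: str
    mcc: int
    amount: float
    shipping: float = 0.0
    receipt_on_file: bool = True   # recorded later by the departmental reviewer

    @property
    def total(self) -> float:
        return round(self.amount + self.shipping, 2)


def authorize(txn: Txn, profile: CardProfile, prior: list) -> tuple:
    """Point-of-sale decision. `prior` holds this card's already-approved
    transactions, which supply the day/month counts and month-to-date spend."""
    if txn.mcc not in profile.allowed_mccs:
        return False, f"MCC {txn.mcc} not approved"
    if txn.total > profile.single_purchase_limit:
        return False, "single-purchase limit exceeded (incl. shipping)"
    same_day = [t for t in prior if t.when == txn.when]
    same_month = [t for t in prior
                  if (t.when.year, t.when.month) == (txn.when.year, txn.when.month)]
    if len(same_day) >= profile.max_txns_per_day:
        return False, "daily transaction count exceeded"
    if len(same_month) >= profile.max_txns_per_month:
        return False, "monthly transaction count exceeded"
    if sum(t.total for t in same_month) + txn.total > profile.monthly_limit:
        return False, "monthly spending limit exceeded"
    return True, "approved"


def find_pyramiding(txns: list, profiles: dict) -> dict:
    """Audit test: approved purchases by one cardholder at one merchant on one
    day that each clear the single-purchase limit but together exceed it. The
    issuer's per-transaction check cannot see this; only post-settlement
    analysis can. Returns {"cardholder/merchant/YYYY-MM-DD": [txn_ids]}."""
    groups = defaultdict(list)
    for t in txns:
        groups[f"{t.cardholder}/{t.merchant}/{t.when.isoformat()}"].append(t)
    hits = {}
    for key, group in groups.items():
        limit = profiles[group[0].cardholder].single_purchase_limit
        if len(group) > 1 and sum(t.total for t in group) > limit:
            hits[key] = sorted(t.txn_id for t in group)
    return hits


def find_missing_receipts(txns: list) -> list:
    """Audit test: settled transactions with no receipt retained by the reviewer."""
    return sorted(t.txn_id for t in txns if not t.receipt_on_file)


def run_example() -> dict:
    """Feed constructed transactions through authorization, then audit the approved set."""
    profile = CardProfile("buyer1", single_purchase_limit=1000.0, monthly_limit=5000.0,
                          max_txns_per_day=5, max_txns_per_month=30,
                          allowed_mccs=frozenset({5111, 4215}))  # office supplies, couriers
    profiles = {profile.cardholder: profile}
    feed = [  # constructed sample data
        Txn("T1", "buyer1", date(2016, 2, 1), "OfficeMart", 5111, 600.0),
        Txn("T2", "buyer1", date(2016, 2, 1), "OfficeMart", 5111, 550.0),   # split purchase
        Txn("T3", "buyer1", date(2016, 2, 2), "AirTravelCo", 3000, 420.0),  # MCC outside allow-list
        Txn("T4", "buyer1", date(2016, 2, 3), "OfficeMart", 5111, 980.0, shipping=40.0),
        Txn("T5", "buyer1", date(2016, 2, 5), "QuickCourier", 4215, 200.0, receipt_on_file=False),
    ]
    approved, declined = [], {}
    for txn in feed:
        prior = [t for t in approved if t.cardholder == txn.cardholder]
        ok, reason = authorize(txn, profiles[txn.cardholder], prior)
        if ok:
            approved.append(txn)
        else:
            declined[txn.txn_id] = reason
    return {
        "approved": [t.txn_id for t in approved],
        "declined": declined,
        "pyramiding": find_pyramiding(approved, profiles),
        "missing_receipts": find_missing_receipts(approved),
    }


if __name__ == "__main__":
    for name, result in run_example().items():
        print(f"{name}: {result}")
```

The point the example makes is the division of labour between the two control layers: the issuer's authorization rules decline T3 (restricted MCC) and T4 (over the single-purchase limit once shipping is counted), but they approve T1 and T2 individually even though together they exceed the limit at the same merchant on the same day. Only the post-settlement test, run over the whole transaction population, surfaces that pyramiding, and the missing-receipt check depends entirely on what the departmental reviewer recorded.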

Requirements

In this case, your group will evaluate the design effectiveness of controls for the PCard Program at the Transylvania Blood Bank. Read the background material to obtain an understanding of the Program, then perform a risk and control assessment using the techniques an auditor would use when evaluating a process for internal control weaknesses.

Part 1. Critically evaluate the PCard Program Manual design of controls by completing the Risk-Control Matrix (on Moodle).

  1. Review the audit reports of PCard programs at other companies (on Moodle) to gain an understanding of a PCard audit.
  2. Obtain the TBB PCard Manual (on Moodle); review it and note the policies on transaction limits.
  3. After obtaining an understanding of the current policies surrounding the PCard Program at TBB, identify and list the potential risks of using PCards.
  4. Map the internal controls outlined in the PCard Program Manual to the risks you identified in the Risk-Control Matrix, and identify the person (or area) who performs each control.
  5. Evaluate the design of each control: is the control designed to address the risk?
  6. Not all risks necessarily have a corresponding internal control (hint: these are internal control weaknesses). If a risk does not have a corresponding control, note "missing" in the current control column of the Risk-Control Matrix file. If the control is missing or not designed appropriately to address the risk, recommend a control or recommend how to strengthen the existing control, and determine who should perform the control.

Part 2: Write a summary memo in Microsoft Word (not to exceed 2 pages, single-spaced, 12-point font) to Diana Prince highlighting your procedures, primary findings, and recommendations.

Deliverables

Memo – Word doc (include Task Summary on page 3)

Risk-Control Matrix – Excel File