P-Card Administration & Analysis

Preventing P-Card Abuse: Automated Monitoring & Resolution of Card Misuse
July 2014
Meeting Agenda
• Introduction
• CaseWare Profile
• Current State in Higher Ed.
• Purchasing Card Process
• Monitoring P-Cards
• Case Studies
• Q&A
CaseWare International
• Founded in 1988
• An industry leader in providing technology solutions for
finance, accounting, governance, risk and audit professionals
• Over 400,000 users of our technologies across 130 countries
and 16 languages
• Customers include Fortune 500 and Global 500 companies
• Microsoft Gold Certified Partner
International Acceptance
Industry Trends
[Chart: Annual Purchasing Card Spending for 2009, 2011, 2012, 2014 and 2016, $ in billions]
*ACFE 2012 Fraud Survey
Industry Trends
Benchmark Averages
• Monthly Spend Per Organization: 2.1 Million
• Transaction Size: $343
• Monthly Spend Per Card: $2,393
• Number of Transactions Per Card Per Month: 7
*ACFE 2012 Fraud Survey
Industry Trends
• Fraud Reported for 2012: 3.5 Trillion
• Percent of Fraud not Recovered: 49%
The Impact
• Average Loss per Fraud Case: $140,000
• Median time before detected: 18 Months
*ACFE 2012 Fraud Survey
P-Card Misuse in Higher Ed.
• P-Card Fraud in the news
Purchasing Card Process
1. Assign Card
2. Place Order / Make Purchase
3. Receive Goods/Services
4. Submit Reconciliation
5. Settlement / Post to GL
Parties shown in the diagram: Cardholder, End-User Organization, Supplier/Merchant, General Ledger
Why Continuously Monitor P-Card Controls?
• One View: Complete overview of P-Card Activities
• Control: Apply detailed spending & usage policies
• Prevention: Visibility helps stop fraudulent activity
before it affects your bottom line
• Accuracy: Validate all transactions prior to payment
• Efficiency: Ensure all appropriate discounts, rebates
and refunds are properly applied
• Assurance: Reputational risk is minimized
Purchasing Card Controls & Activities
Categories: Card Issuance; Card Administration & Analysis; Program Performance; Spending Patterns; Transaction Policy Violations
Activities:
• Inactive/On Leave Employee using card
• Duplicate Payment through AP & Card
• Non-Preferred Vendor Spend
• Elevated Liability
• Employee Card Limits
• Often Used Vendors – Convert to PO
• Decline Transaction Report
• Excessive Even Or Small Dollar Transactions
• Split Purchases
• Unusual Spending Patterns
• Employee Spend Profile
• Cardholder – Merchant Match
• Keyword Search for non-compliant purchases
• Cash Advance/Financial Services
Areas of Risk
Card Issuance
• Inactive/Terminated/On Leave employee using Card
‒ Employee in any state except ‘full time active’ is currently using the company card.
• Elevated liability
‒ Create Employee transaction and spending profile to gauge unnecessary exposure for the company.
‒ Profile factors (employee transactions, spending, card time of use, avg. balance compared to credit limit, etc.)
Areas of Risk
P-Card Administration & Analysis
• P-Card Limits
‒ Employee(s) use the Purchasing Card to spend over their weekly, monthly or transaction limit.
• Duplicate Payment through Accounts Payable
‒ Vendor has been paid through Accounts Payable as well as employee processing the payment with Purchasing Card.
Areas of Risk
Program Performance
• Non-Preferred Vendor Spend (Vendor Rebates not maximized)
‒ Multiple Vendors used for office supplies instead of single vendor to receive appropriate rebates.
‒ Vendor is not giving you the appropriate Rebate as per contractual agreement.
• Decline Transactions
‒ Review and analyze decline transactions to assess potential misuse or employee(s) with insufficient credit card limits.
Areas of Risk
Spending Patterns
• Excessive Even Dollar Transactions
‒ Even dollar transactions are normally rare and are typically used in the purchasing of gift cards and gift certificates.
• Split Transactions (Single or Multiple Cards)
‒ Employee(s) complete(s) two transactions at same merchant to circumvent their maximum purchase amount threshold.
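A sketch of the split-transaction and even-dollar checks described above, added here as an example (it is not CaseWare's code). The record layout, the 5,000 single-purchase limit, the one-day window and the 50% even-dollar threshold are assumptions, and the sample transactions are constructed.

```python
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Constructed sample data: (employee, card, merchant, date, amount).
TXNS = [
    ("e100", "c1", "ACME SUPPLY", date(2014, 7, 1), Decimal("2400.50")),
    ("e100", "c2", "ACME SUPPLY", date(2014, 7, 2), Decimal("2700.25")),
    ("e200", "c3", "ACME SUPPLY", date(2014, 7, 1), Decimal("1199.99")),
    ("e200", "c3", "ACME SUPPLY", date(2014, 7, 9), Decimal("1300.40")),
    ("e300", "c4", "GIFTCO", date(2014, 7, 3), Decimal("100.00")),
    ("e300", "c4", "GIFTCO", date(2014, 7, 10), Decimal("250.00")),
    ("e300", "c4", "GIFTCO", date(2014, 7, 17), Decimal("500.00")),
    ("e300", "c4", "CAFE 12", date(2014, 7, 18), Decimal("23.17")),
]

def find_split_purchases(txns, limit, window_days=1):
    """Flag employee/merchant pairs whose under-limit charges, made within
    window_days of each other on any of the employee's cards, exceed limit."""
    groups = defaultdict(list)
    for emp, card, merchant, day, amt in txns:
        if amt <= limit:  # a single over-limit charge is a card-limit issue
            groups[(emp, merchant)].append((day, amt, card))
    alerts = []
    for (emp, merchant), rows in sorted(groups.items()):
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans <= window_days.
            while (rows[end][0] - rows[start][0]).days > window_days:
                start += 1
            window = rows[start:end + 1]
            total = sum(r[1] for r in window)
            if len(window) > 1 and total > limit:
                cards = sorted({r[2] for r in window})
                alerts.append((emp, merchant, rows[start][0], total, cards))
                break  # one alert per employee/merchant pair is enough
    return alerts

def even_dollar_outliers(txns, min_count=3, max_share=Decimal("0.5")):
    """Return {employee: share} where the share of whole-dollar amounts
    exceeds max_share over at least min_count transactions."""
    counts = defaultdict(lambda: [0, 0])  # employee -> [even, total]
    for emp, _card, _merchant, _day, amt in txns:
        counts[emp][0] += amt == amt.to_integral_value()
        counts[emp][1] += 1
    return {emp: Decimal(even) / total
            for emp, (even, total) in counts.items()
            if total >= min_count and Decimal(even) / total > max_share}
```

Grouping by employee rather than by card number is what lets the split check cover the "Multiple Cards" case; a flagged pair is a lead for review, not proof of misuse.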
Areas of Risk
Transaction Policy Violations
• Cardholder – Merchant Match
‒ Employee has registered himself or been registered as a Vendor and is being paid for additional services outside of job responsibilities.
• Keyword Search
‒ Verify employees are not making non-compliant purchases such as jewelry, groceries, tobacco, electronics, Apple store, etc.
• Cash Advance/Financial Services
‒ Employee may be using card for cash advances or financial services (mortgage, loan, line of credit, etc.).
Level 3 Data – Purchase & Service Details
Data types provided at Level 1, Level 2 and Level 3:
• Merchant Name
• Transaction Amount (Total)
• Date
Additional data types provided at Level 2 and Level 3:
• Tax Amount
• Customer Code
• Merchant Postal Code
• Tax Identification
• Merchant Minority Code
• Merchant State Code
Additional data types provided at Level 3 only:
• Item Product Code
• Item Description
• Item Quantity
• Item Unit of Measure
• Item Extended Amount
• Item Net / Gross Indicator
• Item Tax Amount
• Item Tax Rate
• Item Discount Indicator
• Ship from Postal Code
• Freight Amount
• Duty Amount
• Destination Postal Code
• Destination Country Code
CaseWare Project Approach
• STAYING AHEAD: Move to a more proactive approach that reduces potential business impact of control failures.
• GOALS & PLANNING: Work with key stakeholders to understand the business processes to be analyzed and their monitoring requirements.
• RISK & CONTROLS: Drill into the details of current risks and controls. This determines the data analytics needed, the strength of your existing controls and policies as well as what controls need to be improved to mitigate risks.
• ACCESS DATA: Your organization’s data is accessed from the relevant sources and consolidated.
• PREPARE FOR ANALYTICS: Your data from multiple sources is then cleaned and organized to ensure it is accurate, consistent and ready to be analyzed.
• DATA ANALYTICS: Correlations and relationships are made, identifying trends and field statistics, and patterns and anomalies are isolated.
• RESULTS VALIDATION: Key stakeholders validate the results of the analytics and results are fine tuned.
• REPORTING RESULTS: The details of how the results are to be communicated along with any relevant reporting are determined.
• WORKFLOW AND REMEDIATION: The workflow for results is designed, including assignment, escalation, investigation and closure.
• Audit: Go beyond financial processes and assess the design and operations of controls for the entire business.
• Governance: Ensure that sound governance structures are in place to ensure the right information about the right issues is available at the right time.
• Core Processes: Embed monitoring best practices to ensure that business owners and operators are accountable.
[Diagram labels: Source Data (Databases, Flat Files, Logs); Input; Follow-Through; Reactive; Proactive; Optimize; Controls Monitoring; Investigations; Internal Assurance; Post-Acquisition Assessment; Risk Assessment]
Recommendations
Here are a few general recommendations:
1. Direct cardholders to document purchase requests and approvals, budget approvals,
and bona fide company/government/corporation needs for P-card transactions.
2. Strengthen the monthly P-card reconciliation process.
3. Ensure that purchases are equitably distributed among qualified vendors and that you
determine the most efficient and effective method of obtaining services (i.e.,
insourcing versus outsourcing, purchase cards versus other procurement tool).
4. Develop policies and procedures to ensure that purchase card files are retained when
cardholders or approving officials end employment with the department or discontinue
their functions as cardholders or approving officials.
5. Improve training — as well as its tracking and monitoring — for cardholders and
approving officials on regulations over the use of P-cards.
Customer Value Chain
[Diagram: Controls, Analytics, Collaborate, Actions, Insight, Measure and Optimize. Labels under "Enabled by" / "Driven by:": Expert Content; Business Process Modelling; Data Management; Training, Consulting and Certification; Certified Enterprise Platform; Global Partner Network]
Customer Value Chain
• Upload the company’s risk and controls library across:
– Business Processes
– Subsidiaries
– Locations
• Design analytics to monitor the controls
• Generate alerts when controls are failing
• Trigger a collaborative remediation workflow
• Take the necessary actions
• Measure performance and track root causes
• Optimize business processes
Generate Insights
• Indicators of controls performance
• Tracking root causes
• Measuring ROI
Collaborate
• Alerts are triggered by system events
– For example:
• An inactive employee is currently using their purchase card
• An employee has left the company but the card was never
recovered.
• Alerts delivered in the browser, e-mail or Text
Messaging.
• Triggers a collaborative workflow for teams to take
action
Remediation Workflow
• Create work items for users to take action
• Designed according to business requirements
• Time limits, escalation, team assignments and metrics capture are all configurable.
Actions
• Users are engaged by the system to action items
• Exception details are provided along with:
– Research info
– Remediation guidelines and links
– History of the item
– Relevant Indicators/Metrics
Taking Action
• Users are provided with guidelines for resolution
• They take action according to the workflow design
• This includes capturing the metrics
Measure & Optimize
• Based on the indicators, the business gains insights into how to improve operations
• For example:
– Card Misuse may be consistently happening in a particular department or location
– Which may be occurring because of a lack of training in that sub-process or location.
– Address the training issue and the control environment is restored
Monitor: Value Added Solution
• Give customers the ability to:
– Determine the state of any control in the business
– Resolve identified breaches before impact
– Provide an unparalleled ROI
All of this in a simple, yet sophisticated solution.
Success Story – Georgia Tech
Expanding P-Card Program
• 2,400 cards and growing…
• 180,000+ transactions per year
• $70+ million spend
Success Story – Georgia Tech
Challenges
• Card abuse by employees
• Reputational Risk
• Money Leakage
Success Story – Georgia Tech
CaseWare Monitor Solution
• Automated Transaction Monitoring
• Use Level III data to independently verify the
integrity of transactions
• Customizable Workflow management to facilitate
analysis and investigations
• Notifications (via dashboard, e-mail, SMS, etc.)
equipped with Resolution Guidelines
Success Story – Georgia Tech
Results
• Detected millions in fraudulent purchases
• Uncovered $350K during initial phase
• Automated and scheduled analysis of transactions
• Fast resolution of control breakdowns
“The real value of using data analytics is that it allows you to see
fraud schemes that would be impossible to detect manually.”
Phil Hurd, CISSP, CISA
Georgia Institute of Technology
Success Story – Georgia Tech
Video Reference
Q&A
Andrew Simpson, COO
andrew.simpson@caseware.com
Michel Caluori, Professional Services
michel.caluori@caseware.com
For Complimentary Risk & Control Assessment
Contact: rcminfo@caseware.com
Save the Date!
Upcoming PDG Conference!
18th National P-Cards on Campus Conference
February 8-11, 2015 - Wyndham San Antonio Riverwalk - San Antonio, TX
For details, be sure to visit www.prodev.com