P-Card Internal Audit *
* Adapted from: Dow, K. E., M. W. Watson, & V. J. Shea. 2013. Understanding the Links
Between Audit Risks and Audit Steps: The Case of Procurement Cards. Issues in Accounting
Education 28 (4): 913-927.
The Dilemma
A midsize university in the Southwest (hereafter, the University) recently adopted a PCard
Program. The procurement supervisor, Paul Cardswell, spearheaded the Program, convincing
University administrators that PCards would streamline purchases and save the University lots of
money. Paul first researched PCard Programs at other universities and created a university PCard
Program Manual by taking what he believed to be the best parts of the other policy manuals and
using a cut-and-paste technique (see the attached University PCard Program Manual). The
manual and PCards were then provided to designated employees and departments in December
2020. No formal employee training has been provided yet. To date, the only review that has been
done has been simply to verify adequate documentation at the departmental level.
The University President has recently contacted Paul. The President has just returned from a
meeting of university administrators at which one of the topics of conversation was PCard abuse.
Apparently, some administrators, staff, and professors at other universities use PCards
inappropriately to enjoy free meals, supplies, and travel. The President is sure that the same thing
is not happening here at his University, because human resources conduct a thorough background
check on all employees prior to hiring. However, given tight university budgets and the fact that
University-issued PCards have charged almost $20 million in transactions, he wants to be sure.
Therefore, he asks Paul his opinion. Paul tells the President that he will investigate the situation
and get back to him.
First, Paul does some research. He discovers that the most likely way an employee can misuse
organizational assets is via asset misappropriation, such as submitting an invalid or inflated
expense reimbursement. He also learns that 85 percent of employees misusing organizational
assets have never done that before. These newly learned facts make Paul more concerned about
compliance with University PCard Program policies.
Unfortunately, Paul does not have time to investigate the situation himself. Therefore, he hires
you as an intern to perform an independent, risk-based internal audit of the PCard Program. To
help get you started, Paul provides you with the following background information on PCards
and PCard audits that he gathered when he started the Program.
Reengineering the Expenditure Cycle with PCards
The Expenditure Cycle may involve processing purchase requisitions and purchase orders,
matching internal documents with vendor documents, preparing checks, stuffing and mailing
payments, and posting entries into a variety of journals and ledgers. This makes the traditional
processing of the Expenditure Cycle labor-intensive, long, and costly. In fact, the average
administrative cost for a purchase order is $91, and the average time to complete transactions is
32 days. Given that most vendor invoices are for small dollar amounts (less than $1,000), the
cost and associated transaction time seem excessive and can be significantly reduced. One way
to reengineer both the procurement and cash disbursement activities of the Expenditure Cycle is
using procurement credit cards (also known as corporate purchasing cards, PCards, or P-Cards),
which streamline much of the process.
The PCard is an alternative to the existing procurement and cash disbursement processes and
provides an efficient method of purchasing and paying for small-dollar, routine purchases. Rather
than purchase using the cumbersome, traditional purchase requisitions, purchase orders, invoices,
and checks, a PCard Program that issues PCards to employees can streamline the process. A
typical PCard Program enables employees to conveniently purchase low-dollar goods and
services directly from any vendor that accepts a credit card. Individual spending limits are
established for each PCard based on the employee’s needs. The direct buying by employees
eliminates the need for purchase requisitions, purchase orders, and vendor invoices, as well as
the upfront review and preapprovals built into the traditional Expenditure Cycle, thereby
significantly reducing processing costs and time. In fact, the cost of a PCard transaction is usually
less than $10 (versus the traditional $91) with only 20 days to complete the transaction (versus
the traditional 32 days). Therefore, a PCard Program saves considerable money, time, and effort.
Many organizations are taking advantage of these savings as evidenced by more than 70 percent
of organizations having a PCard Program by 2020. The potential benefits of the PCard are
significant for both the card holder and the organization, as is described below.
Benefits to the Card Holder/Employee
● Eliminates the need to use personal funds for purchases and then obtain reimbursements.
● Provides convenience, flexibility, and security.
● Allows the employee/organization to obtain goods faster than through the traditional
procurement process.
Benefits to the Organization
● Reduces the number of purchase orders, vendor invoices, checks, reviews, and
preapprovals.
● The typical procurement/payables function has 80 percent of its purchase transactions
accounting for less than 20 percent of total purchase dollars. Thus, the procurement
function traditionally spends much of its time on small purchase transactions. The use of
the PCard allows the procurement function to focus its efforts on large dollar transactions.
● Capitalizes on the worldwide acceptance of credit cards.
Implementing a PCard Program
Procurement, which is often responsible for administering the PCard Program, selects a
financial institution (usually American Express, MasterCard, or Visa) to provide program
services to the organization. The organization sets predetermined limits on PCards and then issues
the PCards to employees in the Program. When an employee makes a purchase (in person, by
phone, or over the Internet), the vendor requests a purchase authorization at the point of sale. As
with any credit card, the PCard system validates the transaction against the preset limits. Unique
internal controls can also be established within a PCard Program. For example, transactions are
instantaneously approved or declined based on PCard authorization criteria such as:
● Number of transactions allowed per month and per day.
● Single-purchase limit, including shipping costs, not to exceed preset limits.
● Monthly spending limits, and
● Approved commodity types (for example, office supplies are allowed, while travel expenses
are not allowed) using Merchant Category Codes (MCCs). MCCs are four-digit numbers used
by the bank card industry to classify vendors/industries into market segments. There are
approximately 600 MCCs, which denote various types of businesses (e.g., 4215, Courier
Services; 5111, Office Supplies; and 5722, Household Appliance Stores).
Each unit (or department) often has a designated PCard administrator, who is responsible for
the coordination and administration of the PCard Program. The PCard administrators also serve
as reviewers, who are responsible for the coordination and administration of a designated group
of PCard holders within their unit (or department). Reviewers make sure that all transactions for
which they are responsible are reviewed in the settlement system prior to being moved from the
settlement database into the general ledger to update account balances. Reviewers also maintain
PCard receipts for these transactions. All receipts are kept on file locally in accordance with
record retention policy (often for four or five years).
The PCard Program should provide clear communication of policies via a PCard policy
manual that contains the following items:
● Card issuance: Which employees are eligible for a PCard?
● Card usage: How should the PCard be used?
● Allowable and restricted transactions: What items can be purchased?
● Adjustments and disputed purchases: What will happen if adjustments to the purchase price
need to be made (e.g., sales tax incorrectly incurred, alcohol purchased, wrong amount
charged by vendor)?
● Recordkeeping requirements: What receipts should be submitted? How long should receipts
be kept?
● Account reconciliation and maintenance: Who oversees account reconciliation? Who
maintains PCard limits and restrictions?
● Penalties for abuse and fraud: What happens if a PCard is misused?
● Lost cards: What to do if a PCard is lost?
● Internal controls: What internal controls are in place to help ensure compliance?
● PCard audits: What type of PCard audits will be performed, how frequently, and by whom?
In addition to having a clear policy manual, best-in-class PCard Programs typically also have
the following characteristics:
● Top management support with good communication.
● Traditional expenditure cycle activities are first studied, reengineered, and streamlined to
create the PCard Program.
● Employee training on PCard usage.
● Established benchmarks and metrics (such as targets in the reduction in total purchasing
costs).
● Mandated card uses for certain types of employee spending, specified suppliers, and
transaction amounts.
● Enforcement policies for violations of PCard policies (e.g., charge back to department or
employee, termination, criminal charges, and legal action).
● Integration with enterprise resource planning (ERP) systems and/or e-procurement
software.
● Combination of credit cards and supplier/ghost cards. (A supplier/ghost card is a high-limit
charge account with a vendor that consolidates all charges on a single statement, like a
monthly credit card statement.)
● Audit processes.
PCard Audits
As highlighted above, best-in-class PCard Programs include an audit process. PCard audits
should consider both compliance with the Program’s regulations and the effectiveness of the
Program’s processes. Thus, PCard audits should look for errors and irregularities, misuse, fraud,
and ways to improve the efficiency of the PCard Program. Potential PCard errors and
irregularities include incorrect foreign currency translations or the incurring of sales tax on non-
taxable transactions. Potential PCard misuse includes not providing required documents, use of
the card by the wrong person, and pyramiding (i.e., splitting transactions into multiple purchases
to circumvent transaction limits). Potential PCard fraud includes purchasing prohibited or
personal items via the PCard.
To detect these anomalies, the internal audit function periodically performs audits to verify that
items purchased are received and that organizational policies and procedures are followed. A
PCard audit may be performed as a separate audit or as part of a Sarbanes-Oxley Section 404
audit on internal controls. PCard audits should “use risk-based auditing to identify PCard risk
and evaluate how effective the risks are being managed with existing PCard control.” A risk-
based internal audit identifies key controls that are “required to provide reasonable assurance
that risks are effectively managed.” Key controls are the combination of manual and automated
internal controls that work together to mitigate business risks within an acceptable level for the
organization. Key controls need to be properly designed and fully functioning to mitigate risks.
Thus, the audit should examine whether (1) the PCard Program has appropriately designed
internal controls to mitigate organizational risks efficiently and effectively; (2) all employees and
information technology systems follow the prescribed controls; and, ultimately, (3) only valid
transactions are in the system (i.e., the controls are effective).
To assess the design of PCard controls, internal auditors will often first examine the policies
and procedures of the PCard Program Manual. A Risk-Control Matrix of organizational
objectives and identified risks should be mapped to the internal control policies to ensure that all
risks are mitigated so that organizational objectives can be achieved. To assess whether designed
controls are in place, the internal auditor will conduct control tests, which may include (1)
interviewing the Program director, Program administrators (reviewers), and employees about
their PCard activities; (2) observing the participants as they conduct their PCard activities; (3)
performing a basic analysis to gain an understanding of the data and client; and (4) examining
controls defined in information technology systems. Finally, to assess the effectiveness of the
PCard controls, the internal auditor will conduct substantive tests of transactions by using
generalized audit software (GAS) to data mine (i.e., examine) the PCard transactions for
anomalies.
CASE REQUIREMENTS
Assignment
You have been hired to perform a risk-based internal audit of the PCard Program for the first
four months of 2021. Prior to the formal assignments of this case, you are required to gain an
understanding of the data and the client by performing some basic analysis. As part of your
preliminary fact gathering, you learn that card holders have the following limits: $2,500
maximum per transaction, a $2,500 daily maximum, and a monthly maximum of $10,000. With
this information in hand, you now request the PCard Program files.
1. First, review all provided information. Verify that you have the PCard Transactions Excel
data file, the PCard Program Manual Word file, and the Risk-Control Matrix Excel file.
2. Determine the validity of data file:
● Verify that all fields are in the proper format (DATE is a Date Field, etc.).
● Verify that all fields needed for analysis are included.
3. Completeness of data file: Procurement has provided control totals (see Figure 1). Recalculate
the dataset totals to confirm that they match the totals provided by Procurement. Note any
exceptions.
4. Clean the data so that only January through April transactions are included in your audit
procedures.
5. Data analysis: Refer to the instructional guide example in Bb for assistance. Conduct some
preliminary analysis on the dataset (this analysis may be done using Excel, ActiveData (Windows
only), Tableau (Mac or Windows), ACL, or IDEA (Windows only)). Such analyses must
include but should not be limited to:
● Perform a Benford’s Law Analysis (first digit and first- and second-digit analysis).
● Determine how many card holders used their cards during the audit period.
● Determine who are the top five users of/spenders with the PCard for:
● total purchases during the audit period
● monthly purchases (for each month)
● daily purchases
● Determine which card holders (if any) have multiple cards.
● Determine whether card holders have duplicate transactions.
You continue your internal audit on the PCard activity.
(1) Review the risk-control matrix and complete the Manual Review Test Results and
Analytical Review Test Results columns (columns G and H) of the Risk-Control Matrix by
performing the following tests:
● Transactions exceeding the limit per transaction
● Transactions by a cardholder exceeding the daily limit
● Transactions by cardholder exceeding the monthly limit
● Transactions with prohibited vendors (see Prohibited Vendor MCC)
● Identify sets of transactions that are possible pyramiding transactions. (A pyramiding
transaction is a single purchase that has been split into two or more separate transactions
across one or more cardholders with the intent to circumvent individual transaction
limits.)
● Identify transactions that take place on weekends and holidays
6. Deliverables. Submit your work product (e.g., Excel spreadsheet) and write a
memo (using Microsoft Word; not to exceed four pages excluding tables and charts in
an appendix to the written narrative in the memo) to Dr. Keith Newell, President of the
University Board of Regents, highlighting each of the tests performed and the results
of each test. Refer to the writing resources in this manual for instructions and tips
on preparing the memo. Use appropriate grammar, spelling, formatting (i.e., single-
spaced, 12-point Times Roman font, headers, footers, titles/descriptions of tests), and
subtotals to summarize detailed records. Attach any tables, charts, figures, or
illustrations in an appendix (not within the text of the memo).
FIGURE 1
Control Totals
Re: Data control totals
To: Internal Audit Department
From: Procurement
Per your request, here are the control totals and other pertinent information for the procurement
card (PCARD) data covering the first four (4) months of 2021.
Total Dollar Value of Transactions $876,732.52
Total Number of Transactions 4,075
Total Number of PCARDS Issued 227
Overall Guidance
The Procurement Department has provided you with the necessary files containing
all the PCard transactions and related information required for your analysis. The three
files consist of: (1) the PCard Transactions file; (2) the PCard Program Manual for the
University; and (3) a Risk- Control Matrix. The PCard Transactions file consists of
approximately four months of purchasing records for the University from January 1,
2021, through April 30, 2021. Table 1 provides the record layout for this file. The PCard
Program Manual lists the policies governing the PCard Program. Any deviation from
those policies is considered an internal control violation. The third file, the Risk-
Control Matrix, identifies one example of a risk applying to the PCard Program.
Finally, Table 2 provides a list of Prohibited MCCs, which helps determine whether a
purchase is in violation of university (and PCard Program) policy.
TABLE 1
Transaction Excel File Layout
Field Name                 Description                                                         Data Type
Card Holder                Card Holder Name                                                    Character
Card Number                Card Holder Number                                                  Numeric
Posted Date                Date transaction was submitted by vendor to financial institution   Date
Transaction Date           Date of transaction                                                 Date
Transaction Description    Description of transaction (vendor name)                            Character
Vendor MCC                 Vendor primary MCC                                                  Numeric
Amount                     Transaction amount in U.S. dollars                                  Numeric
Source                     Transaction type: Purchase, debit, credit                           Character
TABLE 2
Prohibited Merchant Category Codes (MCCs)
3000–3299 All Airlines
3351–3440 All Rental Car Agencies
3501–3744 All Hotels
4121 Taxicabs and Limousines
4131 Bus Lines
4411 Cruise Lines
4722 Travel Agencies
5541–5542 Service Stations, Fuel Dispensers
5813 Bars, Cocktail Lounges, Discotheques
5921 Package Stores, Beer, Wine, Liquor
6010–6300 Financial Institutions and Cash Disbursements
7011 Lodging Hotels, Motels, Resorts
7012 Timeshares
7261 Funeral Services and Crematories
7273 Dating and Escort Services
7276 Tax Preparation Services
7297 Massage Parlors
7298 Health and Beauty Spas
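
The analytical tests listed in the assignment (per-transaction, daily and monthly limits, prohibited MCCs from Table 2, pyramiding, weekend/holiday activity) can be run as in the sketch below, which is an added example and not part of the original case materials. It assumes rows keyed by the Table 1 field names, treats "same vendor, same day" as the pyramiding heuristic, takes the holiday calendar from the caller, and uses constructed sample rows.

```python
from collections import defaultdict
from datetime import date

SINGLE, DAILY, MONTHLY = 2500.00, 2500.00, 10000.00   # limits from the case
PERIOD = (date(2021, 1, 1), date(2021, 4, 30))        # audit period
# Inclusive MCC ranges from Table 2 (adjacent codes merged).
PROHIBITED = [(3000, 3299), (3351, 3440), (3501, 3744), (4121, 4121),
              (4131, 4131), (4411, 4411), (4722, 4722), (5541, 5542),
              (5813, 5813), (5921, 5921), (6010, 6300), (7011, 7012),
              (7261, 7261), (7273, 7273), (7276, 7276), (7297, 7298)]

def row(holder, d, vendor, mcc, amount, source="Purchase"):
    return {"Card Holder": holder, "Transaction Date": d,
            "Transaction Description": vendor, "Vendor MCC": mcc,
            "Amount": amount, "Source": source}

def audit(rows, holidays=frozenset()):
    """Run the limit, MCC, split-purchase and weekend/holiday tests."""
    out = defaultdict(list)
    daily, monthly, vendor_day = defaultdict(float), defaultdict(float), defaultdict(list)
    for r in rows:
        d, amt, who = r["Transaction Date"], r["Amount"], r["Card Holder"]
        if r["Source"] != "Purchase" or not PERIOD[0] <= d <= PERIOD[1]:
            continue                      # assumption: test purchases only
        if amt > SINGLE:
            out["over_single"].append((who, d, amt))
        if any(lo <= r["Vendor MCC"] <= hi for lo, hi in PROHIBITED):
            out["prohibited_mcc"].append((who, d, r["Vendor MCC"]))
        if d.weekday() >= 5 or d in holidays:
            out["weekend_holiday"].append((who, d))
        daily[(who, d)] += amt
        monthly[(who, d.year, d.month)] += amt
        vendor_day[(r["Transaction Description"], d)].append((who, amt))
    out["over_daily"] = sorted(k for k, v in daily.items() if v > DAILY)
    out["over_monthly"] = sorted(k for k, v in monthly.items() if v > MONTHLY)
    # Pyramiding heuristic (assumption): same vendor and day, two or more
    # purchases each within the single limit whose combined total exceeds it.
    for key, txns in sorted(vendor_day.items()):
        small = [t for t in txns if t[1] <= SINGLE]
        if len(small) > 1 and sum(a for _, a in small) > SINGLE:
            out["pyramiding"].append((key, small))
    return dict(out)

# Constructed sample rows; every name and amount is invented for the example.
SAMPLE = [
    row("Holder A", date(2021, 1, 5), "OFFICE SUPPLY CO", 5111, 2600.00),
    row("Holder B", date(2021, 2, 10), "COURIER EXPRESS", 4215, 1500.00),
    row("Holder C", date(2021, 2, 10), "COURIER EXPRESS", 4215, 1400.00),
    row("Holder C", date(2021, 3, 6), "CITY TAXI", 4121, 40.00),
    row("Holder C", date(2021, 5, 3), "OFFICE SUPPLY CO", 5111, 100.00),
] + [row("Holder D", date(2021, 4, day), f"VENDOR {day}", 5111, 2100.00)
     for day in (5, 6, 7, 8, 9)]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The Holder B / Holder C pair stays under the per-holder daily limit and is caught only by the vendor-level grouping, which is why the pyramiding test is run separately from the limit tests.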