preventing p-card abuse:
DESCRIPTION
Preventing P-Card Abuse: . Automated Monitoring & Resolution of Card Misuse July 2014. Meeting Agenda. Introduction CaseWare Profile Current State in Higher Ed. Purchasing Card Process Monitoring P-Cards Case Studies Q&A. CaseWare International. Founded in 1988 - PowerPoint PPT PresentationTRANSCRIPT
Preventing P-Card Abuse: Automated Monitoring & Resolution of Card Misuse July 2014
• Introduction• CaseWare Profile• Current State in Higher Ed.• Purchasing Card Process• Monitoring P-Cards• Case Studies• Q&A
Meeting Agenda
• Founded in 1988• An industry leader in providing technology solutions for
finance, accounting, governance, risk and audit professionals• Over 400,000 users of our technologies across 130 countries
and 16 languages• Customers include Fortune 500 and Global 500 companies• Microsoft Gold Certified Partner
CaseWare International
International Acceptance
2009
2011
2012
2014
2016
0 50 100 150 200 250 300
Annual Purchasing Card Spending
$ in billions
*ACFE 2012 Fraud Survey
Industry Trends
Monthly Spend Per Organization
2.1 Million
Transaction Size
$343
Monthly Spend Per Card
$2,393
Number of Transactions Per Card Per Month
7
Benchmark Averages
*ACFE 2012 Fraud Survey
Industry Trends
Fraud Reported for 2012
3.5 Trillion
Percent of Fraud not Recovered
49%
Average Loss per Fraud Case
$140,000
Median time before detected
18 Months
The Impact
*ACFE 2012 Fraud Survey
Industry Trends
• P-Card Fraud in the news
P-Card Misuse in Higher Ed.
End-User OrganizationCardholder
General Ledger
Supplier/Merchant
5. Settlement / Post to GL
4. Submit Reconciliation
1. Assign Card
2. Place Order / Make Purchase
3. Receive Goods/Services
Purchasing Card Process
• One View: Complete overview of P-Card Activities• Control: Apply detailed spending & usage policies• Prevention: Visibility helps stop fraudulent activity
before it affects your bottom line• Accuracy: Validate all transactions prior to payment• Efficiency: Ensure all appropriate discounts, rebates
and refunds are properly applied• Assurance: Reputational risk is minimized
Why Continuously Monitor P-Card Controls?
Purchasing Card Controls & Activities
Card Issuance
Inactive/On Leave Employee using
card
Elevated Liability
Card Administration & Analysis
Duplicate Payment through
AP & Card
Employee Card Limits
Program Performance
Non-Preferred Vendor Spend
Often Used Vendors – Convert
to PO
Decline Transaction
Report
Spending Patterns
Excessive Even Or Small Dollar Transactions
Split Purchases
Unusual Spending Patterns
Employee Spend Profile
Transaction Policy Violations
Cardholder – Merchant Match
Keyword Search for non-compliant
purchases
Cash Advance/Financial
Services
Card Issuance• Inactive/Terminated/On Leave employee using Card
‒ Employee in any state except ‘full time active’ is currently using the company card.
• Elevated liability‒ Create Employee transaction and spending profile to gauge unnecessary exposure
for the company. Profile factors (employee transactions, spending, card time of use, avg.
balance compared to credit limit, etc.)
Areas of Risk
Areas of RiskP-Card Administration & Analysis• P-Card Limits
‒ Employee(s) use the Purchasing Card to spend over their weekly, monthly or transaction limit.
• Duplicate Payment through Accounts Payable‒ Vendor has been paid through Accounts Payable as well as employee processing
the payment with Purchasing Card.
Areas of RiskProgram Performance• Non-Preferred Vendor Spend (Vendor Rebates not maximized)
‒ Multiple Vendors used for office supplies instead of single vendor to receive appropriate rebates.
‒ Vendor is not giving you the appropriate Rebate as per contractual agreement.
• Decline Transactions‒ Review and analyze decline transactions to assess potential misuse or
employee(s) with insufficient credit card limits.
Areas of RiskSpending Patterns• Excessive Even Dollar Transactions
‒ Even dollar transactions are normally rare and are typically used in the purchasing of gift cards, gift certificates.
• Split Transactions (Single or Multiple Cards)‒ Employee(s) complete(s) two transactions at same merchant to
circumvent their maximum purchase amount threshold.
Areas of RiskTransaction Policy Violations• Cardholder – Merchant Match
‒ Employee has registered himself or been registered as a Vendor and being paid for additional services outside of job responsibilities.
• Keyword Search‒ Verify employee are not making non-compliant purchases such as jewelry,
groceries, tobacco, electronics, Apple store, etc.
• Cash Advance/Financial Services‒ Employee may be using card for cash advances or financial services
(mortgage, loan, line of credit, etc.).
Data Type Level - 1 Level - 2 Level - 3Merchant Name ü ü üTransaction Amount (Total) ü ü üDate ü ü üTax Amount ü üCustomer Code ü üMerchant Postal Code ü üTax Identification ü üMerchant Minority Code ü üMerchant State Code ü üItem Product Code üItem Description üItem Quantity üItem Unit of Measure üItem Extended Amount üItem Net / Gross Indicator üItem Tax Amount üItem Tax Rate üItem Discount Indicator üShip from Postal Code üFreight Amount üDuty Amount üDestination Postal Code üDestination Country Code ü
Level 3 Data – Purchase & Service Details
CaseWare Project Approach STAYING AHEAD
Move to a more proactive approach that reduces potential business impact of control failures.
PROACTIVE REACTIVE
CONTROLS MONITORING
INVESTIGATIONS
INTERNAL ASSURANCE
POST-ACQUISITION ASSESSMENT
RISK ASSESSMENT INPUT
RISK ASSESSMENT FOLLOW-THROUGH
OPTIMIZE
AuditGo beyond financial processes and assess the design and operations of controls for the entire business.
GovernanceEnsure that sound governance structures are in place to ensure the right information about the right issues is available at the right time.
Core ProcessesEmbed monitoring best practices to ensure that business owners and operators are accountable .
GOALS & PLANNINGWork with key stakeholders to understand the business processes to be analyzed and their monitoring requirements.
DATA ANALYTICSThe correlations and relationships are made identifying, trends, field statistics, and patterns and anomalies are isolated.
RESULTS VALIDATIONKey stakeholders validate the results of the analytics and results are fine tuned.
ACCESS DATAYour organization’s data is accessed from the relevant sources and consolidated
PREPARE FOR ANALYTICSYour data from multiple sources is then cleaned and organized to ensure it is accurate, consistent and ready to be analyzed.
LOGS
FLAT FILES
SOURCE DATA
WORKFLOW AND REMEDIATIONThe workflow for results are designed including assignment, escalation, investigation and closure.
RISK & CONTROLSDrill into the details of current risks and controls. This determines the data analytics needed, the strength of your existing controls and policies as well as what controls need to be improved to mitigate risks.
DATABASES
REPORTING RESULTSThe details of how the results are to be communicated along with any relevant reporting are determined.
RecommendationsHere are a few general recommendations:
1. Direct cardholders to document purchase requests and approvals, budget approvals, and bona fide company/government/corporation needs for P-card transactions.
2. Strengthen the monthly P-card reconciliation process.
3. Ensure that purchases are equitably distributed among qualified vendors and that you determine the most efficient and effective method of obtaining services (i.e., insourcing versus outsourcing, purchase cards versus other procurement tool).
4. Develop policies and procedures to ensure that purchase card files are retained when cardholders or approving officials end employment with the department or discontinue their functions as cardholders or approving officials.
5. Improve training — as well as its tracking and monitoring — for cardholders and approving officials on regulations over the use of P-cards.
Driven by:
Analytics
ControlsInsight
Collaborate
Actions
Measure and
Optimize
Expert Content
Business Process Modelling
Data Management
Training, Consulting and Certification
Certified Enterprise Platform
Global Partner Network
Enabled by
Customer Value Chain
• Upload the company’s risk and controls library across:– Business Processes– Subsidiaries – Locations
• Design analytics to monitor the controls• Generate alerts when controls are failing• Trigger a collaborative remediation workflow• Take the necessary actions• Measure performance and track root causes• Optimize business processes
Customer Value Chain
Generate Insights• Indicators of controls performance• Tracking root causes• Measuring ROI
• Alerts are triggered by system events– For example:
• An inactive employee is currently using their purchase card
• An employee has left the company but the card was never recovered.
• Alerts delivered in the browser, e-mail or Text Messaging.
• Triggers a collaborative workflow for teams to take action
Collaborate
Remediation Workflow• Create work items for users to take action• Designed according to business requirements• Time limits, escalation, team assignments,
metrics capture all configurable.
• Users are engaged by the system to action items• Exception details are provided along with:– Research info– Remediation guidelines and links– History of the item– Relevant Indicators/Metrics
Actions
Taking Action• Users are provided with guidelines for
resolution• They take action according to the workflow
design• This include capturing the metrics
• Based on the indicators the business gain insights how to improve operations
• For example:– Card Misuse may be consistently happening in a particular
department or location– Which may be occurring because of a lack of training in
that sub-process or location.– Address the training issue and the control environment is
restored
Measure & Optimize
• Give customers the ability to:– Determine the state of any control in the business– Resolve identified breaches before impact– Provide an unparalleled ROI
All of this in a simple, yet sophisticated solution.
Monitor: Value Added Solution
Expanding P-Card Program• 2,400 cards and growing…• 180,000+ transactions per year• $70+ million spend
Success Story – Georgia Tech
Challenges• Card abuse by employees • Reputational Risk• Money Leakage
Success Story – Georgia Tech
CaseWare Monitor Solution• Automated Transaction Monitoring• Use Level III data to independently verify the
integrity of transactions • Customizable Workflow management to facilitate
analysis and investigations• Notifications (via dashboard, e-mail, SMS, etc.)
equipped with Resolution Guidelines
Success Story – Georgia Tech
Results• Detected millions in fraudulent purchases• Uncovered $350K during initial phase• Automated and scheduled analysis of transactions• Fast resolution of control breakdowns
“The real value of using data analytics is that it allows you to see fraud schemes that would be impossible to detect manually.”
Phil Hurd, CISSP, CISA Georgia Institute of Technology
Success Story – Georgia Tech
Video Reference
Success Story – Georgia Tech
Andrew Simpson, [email protected]
Michel Caluori, Professional [email protected]
For Complimentary Risk & Control Assessment Contact: [email protected]
Q & A
Save the Date!Upcoming PDG Conference!
18th National P-Cards on Campus ConferenceFebruary 8-11, 2015 - Wyndham San Antonio Riverwalk - San Antonio,
TX
For details, be sure to visit www.prodev.com