Preventing P-Card Abuse: Automated Monitoring & Resolution of Card Misuse July 2014

Upload: magnar

Post on 13-Feb-2016


TRANSCRIPT

Page 1: Preventing P-Card  Abuse:

Preventing P-Card Abuse: Automated Monitoring & Resolution of Card Misuse July 2014

Page 2: Preventing P-Card  Abuse:

Meeting Agenda

• Introduction
• CaseWare Profile
• Current State in Higher Ed.
• Purchasing Card Process
• Monitoring P-Cards
• Case Studies
• Q&A

Page 3: Preventing P-Card  Abuse:

CaseWare International

• Founded in 1988
• An industry leader in providing technology solutions for finance, accounting, governance, risk and audit professionals
• Over 400,000 users of our technologies across 130 countries and 16 languages
• Customers include Fortune 500 and Global 500 companies
• Microsoft Gold Certified Partner

Page 5: Preventing P-Card  Abuse:

Industry Trends

[Chart: Annual Purchasing Card Spending, $ in billions, for 2009, 2011, 2012, 2014 and 2016; axis from 0 to 300]

*ACFE 2012 Fraud Survey

Page 6: Preventing P-Card  Abuse:

Industry Trends: Benchmark Averages

• Monthly Spend Per Organization: 2.1 Million
• Transaction Size: $343
• Monthly Spend Per Card: $2,393
• Number of Transactions Per Card Per Month: 7

*ACFE 2012 Fraud Survey

Page 7: Preventing P-Card  Abuse:

Industry Trends: The Impact

• Fraud Reported for 2012: 3.5 Trillion
• Percent of Fraud not Recovered: 49%
• Average Loss per Fraud Case: $140,000
• Median time before detected: 18 Months

*ACFE 2012 Fraud Survey

Page 8: Preventing P-Card  Abuse:

• P-Card Fraud in the news

P-Card Misuse in Higher Ed.

Page 9: Preventing P-Card  Abuse:
Page 10: Preventing P-Card  Abuse:

Purchasing Card Process

Parties: End-User Organization, Cardholder, Supplier/Merchant, General Ledger

1. Assign Card
2. Place Order / Make Purchase
3. Receive Goods/Services
4. Submit Reconciliation
5. Settlement / Post to GL

Page 11: Preventing P-Card  Abuse:

Why Continuously Monitor P-Card Controls?

• One View: Complete overview of P-Card Activities
• Control: Apply detailed spending & usage policies
• Prevention: Visibility helps stop fraudulent activity before it affects your bottom line
• Accuracy: Validate all transactions prior to payment
• Efficiency: Ensure all appropriate discounts, rebates and refunds are properly applied
• Assurance: Reputational risk is minimized

Page 12: Preventing P-Card  Abuse:

Purchasing Card Controls & Activities

Card Issuance
• Inactive/On Leave Employee using card
• Elevated Liability

Card Administration & Analysis
• Duplicate Payment through AP & Card
• Employee Card Limits

Program Performance
• Non-Preferred Vendor Spend
• Often Used Vendors – Convert to PO
• Decline Transaction Report

Spending Patterns
• Excessive Even Or Small Dollar Transactions
• Split Purchases
• Unusual Spending Patterns
• Employee Spend Profile

Transaction Policy Violations
• Cardholder – Merchant Match
• Keyword Search for non-compliant purchases
• Cash Advance/Financial Services

Page 13: Preventing P-Card  Abuse:

Areas of Risk

Card Issuance
• Inactive/Terminated/On Leave employee using Card
  ‒ Employee in any state except ‘full time active’ is currently using the company card.
• Elevated liability
  ‒ Create Employee transaction and spending profile to gauge unnecessary exposure for the company. Profile factors (employee transactions, spending, card time of use, avg. balance compared to credit limit, etc.)

Page 14: Preventing P-Card  Abuse:

Areas of Risk

P-Card Administration & Analysis
• P-Card Limits
  ‒ Employee(s) use the Purchasing Card to spend over their weekly, monthly or transaction limit.
• Duplicate Payment through Accounts Payable
  ‒ Vendor has been paid through Accounts Payable as well as employee processing the payment with Purchasing Card.

Page 15: Preventing P-Card  Abuse:

Areas of Risk

Program Performance
• Non-Preferred Vendor Spend (Vendor Rebates not maximized)
  ‒ Multiple Vendors used for office supplies instead of single vendor to receive appropriate rebates.
  ‒ Vendor is not giving you the appropriate Rebate as per contractual agreement.
• Decline Transactions
  ‒ Review and analyze decline transactions to assess potential misuse or employee(s) with insufficient credit card limits.

Page 16: Preventing P-Card  Abuse:

Areas of Risk

Spending Patterns
• Excessive Even Dollar Transactions
  ‒ Even dollar transactions are normally rare and are typically used in the purchasing of gift cards, gift certificates.
• Split Transactions (Single or Multiple Cards)
  ‒ Employee(s) complete(s) two transactions at same merchant to circumvent their maximum purchase amount threshold.
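
The two spending-pattern checks on this slide, written out as an added Python example (not part of the original presentation or of CaseWare's product). The transaction records, the 2,500 single-purchase limit and the two-day window are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta
from decimal import Decimal

# Constructed sample data: (txn_id, card_id, merchant, date, amount).
TXNS = [
    ("T1", "C100", "OFFICE DEPOT", date(2014, 7, 1), Decimal("2400.00")),
    ("T2", "C100", "OFFICE DEPOT", date(2014, 7, 1), Decimal("2350.50")),
    ("T3", "C100", "GROCERY MART", date(2014, 7, 2), Decimal("100.00")),
    ("T4", "C200", "OFFICE DEPOT", date(2014, 7, 9), Decimal("812.37")),
    ("T5", "C300", "LAB SUPPLY CO", date(2014, 7, 3), Decimal("1900.00")),
    ("T6", "C301", "LAB SUPPLY CO", date(2014, 7, 4), Decimal("1800.25")),
]
# Assumed policy values, not taken from the presentation.
SINGLE_LIMIT = Decimal("2500.00")
WINDOW = timedelta(days=2)


def even_dollar(txns):
    """Return ids of transactions with no cents (typical of gift cards)."""
    return [t[0] for t in txns if t[4] == t[4].to_integral_value()]


def split_purchases(txns, limit=SINGLE_LIMIT, window=WINDOW, by_card=True):
    """Group purchases at one merchant within `window`; flag groups where
    every item is within the limit but the combined total exceeds it.
    by_card=False also catches splits spread across multiple cards."""
    buckets = defaultdict(list)
    for t in txns:
        key = (t[1], t[2]) if by_card else t[2]
        buckets[key].append(t)
    flagged = []
    for group in buckets.values():
        group.sort(key=lambda t: t[3])
        start = 0
        for end in range(1, len(group)):
            # Advance the window start until it spans at most `window` days.
            while group[end][3] - group[start][3] > window:
                start += 1
            run = group[start:end + 1]
            if len(run) > 1 and all(t[4] <= limit for t in run) \
                    and sum(t[4] for t in run) > limit:
                flagged.append(tuple(t[0] for t in run))
    return flagged
```

Running the split check with by_card=False is what surfaces the multiple-card case: T5 and T6 are on different cards and pass the per-card check.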

Page 17: Preventing P-Card  Abuse:

Areas of Risk

Transaction Policy Violations
• Cardholder – Merchant Match
  ‒ Employee has registered himself or been registered as a Vendor and is being paid for additional services outside of job responsibilities.
• Keyword Search
  ‒ Verify employees are not making non-compliant purchases such as jewelry, groceries, tobacco, electronics, Apple store, etc.
• Cash Advance/Financial Services
  ‒ Employee may be using card for cash advances or financial services (mortgage, loan, line of credit, etc.).

Page 18: Preventing P-Card  Abuse:

Level 3 Data – Purchase & Service Details

Data Type | Level 1 | Level 2 | Level 3
Merchant Name | ✓ | ✓ | ✓
Transaction Amount (Total) | ✓ | ✓ | ✓
Date | ✓ | ✓ | ✓
Tax Amount | - | ✓ | ✓
Customer Code | - | ✓ | ✓
Merchant Postal Code | - | ✓ | ✓
Tax Identification | - | ✓ | ✓
Merchant Minority Code | - | ✓ | ✓
Merchant State Code | - | ✓ | ✓
Item Product Code | - | - | ✓
Item Description | - | - | ✓
Item Quantity | - | - | ✓
Item Unit of Measure | - | - | ✓
Item Extended Amount | - | - | ✓
Item Net / Gross Indicator | - | - | ✓
Item Tax Amount | - | - | ✓
Item Tax Rate | - | - | ✓
Item Discount Indicator | - | - | ✓
Ship from Postal Code | - | - | ✓
Freight Amount | - | - | ✓
Duty Amount | - | - | ✓
Destination Postal Code | - | - | ✓
Destination Country Code | - | - | ✓

Page 19: Preventing P-Card  Abuse:

CaseWare Project Approach: STAYING AHEAD

Move to a more proactive approach that reduces potential business impact of control failures.

[Diagram labels: PROACTIVE, REACTIVE, CONTROLS MONITORING, INVESTIGATIONS, INTERNAL ASSURANCE, POST-ACQUISITION ASSESSMENT, RISK ASSESSMENT INPUT, RISK ASSESSMENT FOLLOW-THROUGH, OPTIMIZE]

Audit: Go beyond financial processes and assess the design and operations of controls for the entire business.

Governance: Ensure that sound governance structures are in place to ensure the right information about the right issues is available at the right time.

Core Processes: Embed monitoring best practices to ensure that business owners and operators are accountable.

GOALS & PLANNING: Work with key stakeholders to understand the business processes to be analyzed and their monitoring requirements.

DATA ANALYTICS: Correlations and relationships are made, identifying trends and field statistics, and patterns and anomalies are isolated.

RESULTS VALIDATION: Key stakeholders validate the results of the analytics and results are fine-tuned.

ACCESS DATA: Your organization’s data is accessed from the relevant sources and consolidated.

PREPARE FOR ANALYTICS: Your data from multiple sources is then cleaned and organized to ensure it is accurate, consistent and ready to be analyzed.

SOURCE DATA: LOGS, FLAT FILES, DATABASES

WORKFLOW AND REMEDIATION: The workflow for results is designed, including assignment, escalation, investigation and closure.

RISK & CONTROLS: Drill into the details of current risks and controls. This determines the data analytics needed, the strength of your existing controls and policies as well as what controls need to be improved to mitigate risks.

REPORTING RESULTS: The details of how the results are to be communicated along with any relevant reporting are determined.

Page 20: Preventing P-Card  Abuse:

Recommendations

Here are a few general recommendations:

1. Direct cardholders to document purchase requests and approvals, budget approvals, and bona fide company/government/corporation needs for P-card transactions.

2. Strengthen the monthly P-card reconciliation process.

3. Ensure that purchases are equitably distributed among qualified vendors and that you determine the most efficient and effective method of obtaining services (i.e., insourcing versus outsourcing, purchase cards versus other procurement tools).

4. Develop policies and procedures to ensure that purchase card files are retained when cardholders or approving officials end employment with the department or discontinue their functions as cardholders or approving officials.

5. Improve training — as well as its tracking and monitoring — for cardholders and approving officials on regulations over the use of P-cards.

Page 21: Preventing P-Card  Abuse:

Customer Value Chain

Driven by:
• Analytics
• Controls
• Insight
• Collaborate
• Actions
• Measure and Optimize

Enabled by:
• Expert Content
• Business Process Modelling
• Data Management
• Training, Consulting and Certification
• Certified Enterprise Platform
• Global Partner Network

Page 22: Preventing P-Card  Abuse:

Customer Value Chain

• Upload the company’s risk and controls library across:
  – Business Processes
  – Subsidiaries
  – Locations
• Design analytics to monitor the controls
• Generate alerts when controls are failing
• Trigger a collaborative remediation workflow
• Take the necessary actions
• Measure performance and track root causes
• Optimize business processes

Page 23: Preventing P-Card  Abuse:

Generate Insights

• Indicators of controls performance
• Tracking root causes
• Measuring ROI

Page 24: Preventing P-Card  Abuse:

Collaborate

• Alerts are triggered by system events
  – For example:
    • An inactive employee is currently using their purchase card
    • An employee has left the company but the card was never recovered.
• Alerts delivered in the browser, e-mail or Text Messaging.
• Triggers a collaborative workflow for teams to take action

Page 25: Preventing P-Card  Abuse:

Remediation Workflow

• Create work items for users to take action
• Designed according to business requirements
• Time limits, escalation, team assignments, metrics capture all configurable.

Page 26: Preventing P-Card  Abuse:

Actions

• Users are engaged by the system to action items
• Exception details are provided along with:
  – Research info
  – Remediation guidelines and links
  – History of the item
  – Relevant Indicators/Metrics

Page 27: Preventing P-Card  Abuse:

Taking Action

• Users are provided with guidelines for resolution
• They take action according to the workflow design
• This includes capturing the metrics

Page 28: Preventing P-Card  Abuse:

Measure & Optimize

• Based on the indicators, the business gains insights into how to improve operations
• For example:
  – Card Misuse may be consistently happening in a particular department or location
  – Which may be occurring because of a lack of training in that sub-process or location.
  – Address the training issue and the control environment is restored

Page 29: Preventing P-Card  Abuse:

Monitor: Value Added Solution

• Give customers the ability to:
  – Determine the state of any control in the business
  – Resolve identified breaches before impact
  – Provide an unparalleled ROI

All of this in a simple, yet sophisticated solution.

Page 30: Preventing P-Card  Abuse:

Success Story – Georgia Tech

Expanding P-Card Program
• 2,400 cards and growing…
• 180,000+ transactions per year
• $70+ million spend

Page 31: Preventing P-Card  Abuse:

Success Story – Georgia Tech

Challenges
• Card abuse by employees
• Reputational Risk
• Money Leakage

Page 32: Preventing P-Card  Abuse:

Success Story – Georgia Tech

CaseWare Monitor Solution
• Automated Transaction Monitoring
• Use Level III data to independently verify the integrity of transactions
• Customizable Workflow management to facilitate analysis and investigations
• Notifications (via dashboard, e-mail, SMS, etc.) equipped with Resolution Guidelines

Page 33: Preventing P-Card  Abuse:

Success Story – Georgia Tech

Results
• Detected millions in fraudulent purchases
• Uncovered $350K during initial phase
• Automated and scheduled analysis of transactions
• Fast resolution of control breakdowns

“The real value of using data analytics is that it allows you to see fraud schemes that would be impossible to detect manually.”

Phil Hurd, CISSP, CISA, Georgia Institute of Technology

Page 34: Preventing P-Card  Abuse:

Video Reference

Success Story – Georgia Tech

Page 35: Preventing P-Card  Abuse:

Andrew Simpson, [email protected]

Michel Caluori, Professional [email protected]

For Complimentary Risk & Control Assessment Contact: [email protected]

Q & A

Page 36: Preventing P-Card  Abuse:

Save the Date! Upcoming PDG Conference!

18th National P-Cards on Campus Conference
February 8-11, 2015 - Wyndham San Antonio Riverwalk - San Antonio, TX

For details, be sure to visit www.prodev.com