Play your cards right

Building solid purchasing card programs requires careful planning. JPMorgan’s Eduardo Vergara reveals the best practices of several leading companies.

“No matter the industry, market segment, or program size, concerns regarding out-of-policy spending, fraud detection and card misuse remain the same”
-Eduardo Vergara, JPMorgan

Organizations are increasingly taking steps to cut costs and bring greater control over spending. In today’s highly regulated environment where the main focus is on compliance and auditing controls, a purchasing card program provides the foundation and visibility tools to better manage corporate spending.

By following the best practices and innovative strategies shared by some of JPMorgan’s purchasing card customers, corporations are better positioned to launch an effective card program, improve compliance and auditing processes and practices, and further accelerate efficiency.

The risks of inefficiency are significant. A university employee in Georgia was recently indicted for ringing up more than $300,000 in personal charges on a state-issued purchasing card. Items acquired included foosball tables, season tickets to football games and a $1900 frozen drink machine. A state audit report blamed the university for its lax supervision of the card program.

In Tennessee, county employees resigned amid a purchasing card scandal that included close to $50,000 in undocumented or inadequately documented expenses; reports of fabricated receipts; purchases of cruises, alcohol, lobster dinners and family members' plane tickets; as well as gas purchases for private cars.

Though such cases of flagrant misuse are fairly isolated, hearing such stories causes treasurers and purchasing card administrators to pause and question. No matter the industry, market segment or program size, concerns regarding out-of-policy spending, fraud detection and card misuse remain the same.

Here are some key steps to take to ensure that your program is up to par:

Establish checks and balances
A set of checks and balances and a segregation of duties must be established between the various individuals involved in card program management. No matter how clearly roles and responsibilities are documented, they will prove ineffective in mitigating risk unless there is logical segregation of duties. At a minimum, cardholders should not be their own approving manager or approving executive. Separate individuals must be identified for card program responsibilities related to request, authorization and execution.

Pam Henton, director of accounts payable and card services for energy company ConocoPhillips, manages about 13,500 cardholders and 120,000 expense reports per year. All expense reports and associated receipts must be reviewed and approved by the cardholder’s direct manager. By placing some burden on the manager, expense reports have already been through one review cycle.

Establish consistent policies across the organization
The development of policies should support various aspects of card program control, including establishing card issuance guidelines, transaction controls, and rules for card usage, documentation and record retention. No matter how the management of your card program is structured, the same policies and processes should apply to all cardholders. Whether your company is acquiring an established business or if you have oversight of a single program based in one location or multiple programs spread across a number of business units, be consistent when establishing parameters. Only then can rules be enforced without confusion.

According to Sears card manager Wayne Randall: “When Sears Holdings Corporation acquired Kmart and Land’s End, we realized from the onset that our purchasing card policies and procedures differed in a number of ways. Some of the initial goals were to gain buy-in to the program, establish consensus with a companywide policy, and roll out the cards to leverage the already established spending practices. We audited 100 percent of all new cardholders for the first few months to inform, educate and enforce compliance during their transition to a new corporate culture. If out-of-policy spending occurred, an email was sent to the cardholder outlining existing policies. New cardholders quickly adapted.”  

Mandate training for cardholders and card managers before a card is issued
Education and a clear understanding of cardholder roles and responsibilities are vital to any program. Once an application is received, companies should consider having card applicants participate in some form of training course before they receive their card. While training in-person or via conference call could be offered every month or so, companies may want to consider establishing a brief online course or quiz. A record of those who took the course or passed the quiz can be maintained to further support your company’s Sarbanes-Oxley initiatives.

Chevron Corporation employees are required to take a training course every two years to continue using the card. Monsanto Company requires that its cardholders take a computer-based training course and receive a score of 100 percent in order to apply for their card. Upon completion of the course, users receive a ‘digital diploma’ or certificate that then must be submitted along with their application. Cardholders who are on a watch list as a result of multiple audits are required to take the course again.
 
Establish protective controls upfront
All successful purchasing card programs are safeguarded with a combination of upfront controls and back-end auditing practices. In addition to required training, some common upfront measures include the establishment of cardholder transaction limits, monthly spending limits, and the blocking of unauthorized Merchant Category Codes (MCCs). An increasing number of companies have deployed single-use or limited-use account technology to bring greater control over spending.

ServiceMaster, the parent company of pest control business Terminix, has implemented single-use account technology to bring greater spend control and efficiency to its payment processes. The company is using the technology throughout its network of Terminix branches as a means to make one time payments to its subcontractors. Once a Terminix subcontractor’s work is complete and the associated claim has been approved by ServiceMaster, a limited-use account number is issued to securely pay the subcontractor’s approved claim.

In the past, ServiceMaster would pay its Terminix subcontractors by giving them a credit card number and expiration date. ServiceMaster would have no control over how often the subcontractor could charge the card or how much they charged. According to Mike Gaffney, ServiceMaster’s Director of Card Services: “We were running into situations where subcontractors would double charge us or they would charge us before the work was complete. The control is now very tight.”

Use technology to streamline back-end auditing
Technology is key to helping card administrators more effectively pinpoint potential card misuse and guide the back-end auditing process. Corporations should seek to partner with an issuer that provides Web-based payment management tools designed to support all areas of card program administration, including enhanced reporting and real-time visibility into spending.

Best-in-class systems enable administrators to block unauthorized purchase categories, monitor corporate compliance, modify spending limits and cancel cards. Administrators should have access to a variety of standard reports that provide the transaction detail needed, including vendor analysis, unusual activity analysis, and delinquency reports. Cardholders can assist with compliance efforts by viewing their statement information in real-time.

Raymond Williams, accounts payable manager at coffee giant Starbucks, oversees a program with 4300 cardholders and approximately 45,000 expense reports per year. Williams and his team use an online reporting tool on a daily basis to oversee spending in real-time. A specialist identifies transactions that fall under certain restricted Merchant Category Codes (MCCs), as well as merchant names that have been placed on Starbuck’s high-risk transaction list or ‘Hot List’. Four or five emails are sent out each day asking cardholders for additional information on questionable transactions. The cardholder’s manager is copied on these messages. According to Williams, “It is an effective control if employees sense that their spending is being monitored. The card is for business purposes only, not for personal use.”

Audit beyond the traditional
Best-in-class organizations enhance their traditional auditing practices by looking beyond spend limit and MCC violations. Additional controls also may need to be established depending on your industry. Some companies conduct audits on purchases that are made in the evening or on weekends. Purchases that are shipped to an individual’s home as opposed to campus are also investigated. Other items that are red-flagged: personal technology purchases such as computers, cell phones or PDAs, and items acquired through PayPal. Many companies focus on retail spending by auditing statements that include purchases from Amazon.com, Best Buy, eBay, Target or Wal-Mart. Audits are also conducted on purchases made outside of its published list of preferred suppliers. 

Sears Holdings Corporation focuses on the travel-related practices of its OneCard users. When renting an automobile, cardholders should not sign up for the rental agency’s fueling option. In order for meals to be reimbursed, cardholders must be on overnight status. Cardholders must provide supporting documentation to demonstrate that an overnight trip occurred.

Foster positive relationships with cardholders
While monitoring and enforcement are vital to success, it is important that card program administrators not be viewed as the enemy. In order for your program to grow and succeed, positive, interactive relationships must be established with your cardholder base. Take a consultative approach. Create an environment where cardholders feel comfortable reaching out to you with questions and issues. Sometimes spend limits or other restrictions need to be loosened in order for cardholders to be more effective in their job.

The purchasing card manager at a major U.S. airline reviews decline reports daily and proactively investigates why such declines occurred. Perhaps MCCs should be unblocked for certain buyers or spending limits need to be raised. Perhaps a cardholder needs to be further educated on policies. The company also reviews its spending reports daily. If a cardholder has accidentally used the company card to buy a personal item, they should self-report immediately to demonstrate that they are operating within the spirit of the program and not engaged in suspicious activity.

According to the airline’s purchasing card manager: “We are very parental in a number of ways. If you have used the card in a non-compliant manner, we can work out the issue if you are honest upfront. Everyone is human and mistakes can occur. But we will monitor your reports more closely over the coming months to make sure that your behavior has improved. Like baseball, we have a ‘three strikes and you’re out’ approach. After the third strike, you lose card privileges and disciplinary action will be taken. But if you have received one strike and proven over the following months that you are following policies correctly, that one strike may be removed from your record.”

Conduct periodic peer reviews before official audits occur
To mitigate improper card use and help support Sarbanes-Oxley requirements, best-in-class organizations also perform ongoing peer reviews of purchasing practices well in advance of regularly scheduled audits. Sarbanes-Oxley Section 404 requires management to report on the adequacy of their company’s internal control over financial reporting. Informal, periodic peer reviews can help determine any program weaknesses while promoting efficiencies, ongoing training, and limiting overall risk.

International Paper’s purchasing card practices are audited every other year by internal audit. These audits take place at each of International Paper’s seven divisions. In anticipation of these audits, cursory peer reviews are conducted annually at each location. Divisions also perform monthly transactional reviews.
 
The purchasing card program at Monsanto is audited at least twice a year, once by an internal team and once by an external firm. Card administrators prepare for these audits by conducting approximately eight random audits per month and reviewing at least 40 percent of spend.

Card program policies should be reviewed and updated periodically to reflect any changes in the company that affect the use of the card. Despite the existence of written policies in the majority of companies surveyed by the Association of Financial Professionals, only 38 percent of those companies update their policies annually. At a minimum, it is recommended that reviews of the card program policies should be scheduled on an annual basis.

Eduardo Vergara is a Managing Director in Treasury Services and Global Commercial Card Executive. He is responsible for the day-to-day management of the global commercial card business and for setting and implementing Treasury Services' strategic vision for its card products. He also provides industry leadership and helps grow the business by expanding its international card platform and Order-To-Pay and emerging Procure-To-Pay product capabilities.

Vergara joined the firm in 2008, from American Express, where he was the global head of Product Management & Marketing for the Global Commercial Card business. Prior to American Express, Mr. Vergara worked for Bank of America, where his roles included head of international Business Development, Latin America, and Canada, global Treasury Services, head of Prepaid Cards and head of International Remittances.