Card Abuse Runs Rampant

Auditors can recommend steps to ensure the organization's employees use credit cards appropriately.


Some of Australia's largest government agencies are plagued by credit card fraud and abuse, The Sydney Morning Herald reports. According to analysis by Fairfax Media, the Australian Bureau of Statistics, Health Department, and Bureau of Meteorology had the highest rates of misspending with government-issued credit cards last year — each topped 20 percent of charges. Fairfax found staff members had used credit cards to pay for accounting courses, personal bills, and private travel.

Lessons Learned

The Association of Certified Fraud Examiners' (ACFE's) 2016 Report to the Nations on Occupational Fraud and Abuse estimates organizations around the world lose 5 percent of revenues to occupational fraud. Employee credit card fraud is one part of this problem. Internal Auditor magazine and InternalAuditor.org have featured numerous articles on this subject, most recently "On the Hook for Fraud" and "The Tech Know-how for Fraud." These stories, the persistence of employee credit card fraud activity, and recent trends in online credit use are reminders to auditors of what comprises an effective approach to preventing employee credit card fraud. Recommendations auditors can make to address gaps they find during their audit work include:

  • Establish an employee credit card use policy. The policy should spell out appropriate and inappropriate card uses, how uses will be monitored, and consequences of policy noncompliance, including fraud. Policies should hold employees responsible for the activity on their card and for reviewing the statement for activity during each period. Those who violate the policy — especially fraudsters — should face zero tolerance consequences such as termination and prosecution. Moreover, there must be regular monitoring and auditing of policy compliance and uses, including surprise audits.
     
  • Encourage a culture of trust, honesty, and awareness among employees. This should include "open door" measures that facilitate employees coming forward with their concerns about suspicious behaviors. The most recent ACFE report notes that organizations most often detect fraud through tips (43.5 percent in large organizations). Internal audits (18.6 percent in large organizations) are a distant second.
    Employees should know the organization's fraud prevention procedures. One of the biggest deterrents to employee credit card fraud is simply knowing that people are watching, are aware, and will report fraudulent activity, if necessary.
    Organizations also should train employees on how to recognize signs of credit card fraud, such as how to tell whether a credit card terminal, ATM, or gas pump has been tampered with. Employees should know how to recognize a stolen card. The major credit card companies all have procedures for handling such situations, and these should be learned. Similarly, organizations should work with their suppliers and customers to ensure they are familiar with both legitimate and illegitimate kinds of purchases made by employees. Subscribe to credit card company alerts of significant or unusual transactions and investigate them immediately.
     
  • Establish multiple controls over credit card use and authorizations. That includes obvious controls such as a limit to the number of credit cards and authorized card users, as well as using as few providers and cards as possible. Establish credit limits to reduce the organization's risk exposure. Establish low or no ability to obtain cash advances. All authorized users should have their own unique cards that they are responsible for, and cards should not be loaned or be available to others. Establish procedures for reimbursements, including measures to prevent double dipping — employees can submit expense receipts for reimbursement, or they can use the company card, but not both. Collect and cancel cards when employees leave the organization. Also, have the capacity to quickly report loss, theft, or unauthorized use. Maintain in a secure area a list of credit cards by issuers, account numbers, authorized users, and issuer phone numbers so that contact can be made quickly. Prompt notification can reduce or eliminate responsibility for fraudulent charges.
     
  • Monitor credit card activity closely — and let employees know the organization is watching. Receive and review credit card statements intact because these can be altered, revised, or edited. Establish a credit card statement cut-off date for all cards that facilitates the organization's ability to obtain, review, and post credit card activity once a month and before month-end to facilitate accounting. Review credit card activity for the type of expenditure, the vendor, and the reasonableness of the amount. As the credit card is used, insist that original receipts be obtained as part of the documentation for the expenditure. Do not let the invoice, the credit card receipt, or the credit card statement be the only supporting piece of documentation. Review expense reimbursement claims and compare the expense report activity to the organization's credit card statement, scrutinizing for the same vendor and amounts. Be alert to altered amounts and claims, as well as expense report claims made months after the original charge was made. Analyze expenses, compare them to budget, and investigate variances.
     
  • Keep up to date with technological advances, such as online payments, and the fraudulent activity that is occurring with them. There has been a massive increase in online credit card fraud, with transactions made using stolen card details estimated to have more than doubled since 2011. Card skimming, including via ghost terminals, is a particular example. Many organizations are now using chip technology that protects them from incurring liability resulting from counterfeit fraud that occurs at their point of sale. Also, password protection (including regular changes to passwords) of accounting and point-of-sale software, and administrative controls that assign specific functions only to the employees who need them, are common. Biometrics (Apple's iPhone X Face ID is a recent example), geolocation, and social media all are either being used or researched in the roll-out of risk-based customer authentication. Organizations need to learn and implement these technologies as they evolve.
Art Stewart

About the Author

 

 

Art Stewart is an independent management consultant with more than 35 years of experience in internal audit, financial management, performance measurement, governance, and strategic policy planning.

https://iaonline.theiia.org/authors/Pages/Art-Stewart.aspx

 
