
Transforming Corporate Card Audits

Several robust technologies can provide greater efficiency and insights on card transaction audits.


​One of the most significant changes in auditing corporate card expenses over the past decade has been the conversion of supporting documentation from paper receipts to electronic form. Although an internal auditor's core duties of ensuring completeness and accuracy in record-keeping remain the same, the electronic form has altered the dynamics of those duties significantly.

Not so long ago, people mailed paper receipts to a central location for processing. Today, by contrast, a simple receipt photo, screenshot, or email confirmation uploaded via a website or mobile app often suffices. The convenience and efficiency of electronic files, as well as enabling technologies such as cloud storage, data visualization, and automation, have created both new opportunities and challenges in auditing corporate card transactions.

Cloud Storage

Cloud storage is an on-demand, self-service model where data or software as a service is stored remotely on virtual servers hosted by third parties.

Opportunities: Cloud storage removes the storage limitation challenge presented by retaining physical copies of paper receipts or using on-site servers, as it is easily scalable to accommodate any data storage needs. Additionally, it reduces pre-installation costs and maintenance charges associated with on-site servers.

Duplicate backup copies of data can be stored in multiple locations worldwide, making data less vulnerable to natural disasters. Cloud storage also makes it easier to implement a document retention period for physical receipts. Corporate card data that requires long-term storage could be archived or automatically purged after a defined period.

Limitations: Digital documentation is susceptible to malicious software, such as ransomware, that encrypts data into an unusable form and holds it hostage unless payment is made. Focusing on data security may protect transaction information from hacking, which could otherwise result in negative publicity from a data breach or give competitors insight into prospective projects.

Use, transfer, and purge of stored personally identifiable information attached to employees' expenses is limited by regulations such as the European Union's General Data Protection Regulation and the California Consumer Privacy Act. If the data is backed up or stored in international locations, there is the added complexity of the local regulations around the data's use.

Depending on how the information is housed and structured in a third party's platform, organizations may have to pay extra to fully access their data the way they want. For instance, application programming interface (API) software, which allows two applications to talk to each other, often is an extra cost. An API, for example, allows the expense repository system and audit software to talk to each other and is used to access features or data of a service application.

Data Visualization

Data visualization distills large datasets into visual graphics to allow for easy understanding of complex relationships within the data.

Opportunities: Combined with data analytics, data visualization allows the data to be dissected in more ways than before. For example, a dashboard template could track multiple key performance indicators linked to a database that would allow users to slice the data in real time and filter down to focus on any variable for specified business areas.

Beyond simply graphing or pivoting data in Excel, data visualization can simultaneously overlay multiple variables, such as transaction types, on a geographic map while highlighting the magnitude of the transactions in different sizes and colors. This could be used, for example, to target potential fraud indicators where there may be misalignment between travel plans and expense transaction locations.

Auditors can use data visualization to add value in addition to investigating noncompliance. It could highlight frequent exception trends and indicate broader implications, such as the need for additional employee training for specific parts of the corporate card policy or the need to amend the policy. For example, the corporate card policy may have a standard flat threshold for specific expense types, such as lodging or business meals. If the policy does not consider that guideline amounts are not realistic for high-cost-of-living areas, such as New York or San Francisco, frequent exceptions there may indicate that the policy needs to be amended to allow for fluctuations. Data visualization could help draw attention to these types of trends.

The data also could highlight opportunities to reduce costs and negotiate group rates if, for example, it finds that cross-departmental employees frequently attend the same conferences or events. On the other hand, it could flag individuals who did not use the prenegotiated group rate, and management could use it as an opportunity to educate those employees on ways to maximize their budget. 

Limitations: Despite these benefits, there is a risk of overreliance on data visualization. The insights gleaned from it are limited by the accuracy and completeness of the data inputs, and it can produce false positives or misleading trends if used incorrectly.


Automation

Processes that can drive efficiency and cost savings in corporate card audits include robotic process automation (RPA), a software robot that mimics human actions; machine learning (ML), a subset of artificial intelligence (AI) that allows systems to learn new things from data; and AI, the simulation of human intelligence by machines.

Opportunities: The combination of RPA, ML, and AI creates a system that mimics human judgment in defined circumstances and could reduce time spent on repetitive and low-value tasks. With the advent of these technologies, the audit concept of reasonable assurance due to limited available audit hours and resources could move much closer to absolute assurance. In the past, internal auditors have focused on rigid criteria: a specific time period, an individual's or group's transactions, keywords, or transactions that exceed a defined threshold. Many potential noncompliant transactions that fall outside the hard-line criteria would be missed, and without software with AI capabilities, it would be impossible for auditors to review the entire volume of transactions.

Expense tracking software could incorporate a company corporate card policy so that RPA could continuously monitor and flag noncompliant transactions for additional approval or auditor review. This would ensure that auditors focus on transactions that are more likely to be exceptions and perform more meaningful work.

Optical character recognition (OCR) image-reading software could save not only the submitter's time, but also the approver's and auditor's time, by automatically pulling and matching the amounts from the uploaded receipt to the reported expense transaction. For international receipts in foreign languages, the software can translate the language, look up the local tax rates, and calculate currency exchange rates. More advanced expense-tracking software could cross-reference publicly available data, such as online menus or historical hotel rates, to determine the reasonable range for specific expenses. This would allow for variation due to seasonal or location-based fluctuations for the reasonable expense threshold range. 

AI with OCR could detect split transactions where a larger receipt is paid through multiple transactions or using multiple corporate cards. Another instance of a split transaction could occur if a deposit was paid in advance and the remainder of the balance was paid at a later date. Image-reading software could easily detect this, while it is much harder for an auditor to find with paper receipts. The use of OCR software could reduce excessive payment for the same expenses submitted multiple times or circumvention of the policy expense guideline amount.
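The split-transaction check described above can be sketched as follows. This is an added example, not code from the article or from any expense product; the record fields, the 500.00 policy limit, the seven-day window, and the sample transactions are all assumptions constructed for illustration.

```python
from collections import defaultdict, namedtuple
from datetime import date
from decimal import Decimal as D

Txn = namedtuple("Txn", "id employee card merchant day amount receipt_total")

# Constructed sample records; receipt_total is the total OCR read from the receipt image.
TXNS = [
    Txn("T1", "E100", "C-1", "Harbor Hotel", date(2020, 9, 1), D("300.00"), D("900.00")),
    Txn("T2", "E100", "C-2", "Harbor Hotel", date(2020, 9, 3), D("600.00"), D("900.00")),
    Txn("T3", "E100", "C-1", "City Diner", date(2020, 9, 2), D("45.00"), D("45.00")),
    Txn("T4", "E200", "C-3", "City Diner", date(2020, 9, 2), D("38.50"), D("38.50")),
    Txn("T5", "E300", "C-4", "Expo Supplies", date(2020, 9, 10), D("480.00"), D("480.00")),
    Txn("T6", "E300", "C-4", "Expo Supplies", date(2020, 9, 11), D("470.00"), D("470.00")),
]

def find_split_candidates(txns, limit=D("500.00"), window_days=7):
    """Return (ids, reason) for groups of charges that look like one split purchase."""
    by_key = defaultdict(list)
    for t in txns:
        by_key[(t.employee, t.merchant)].append(t)
    findings = []
    for group in by_key.values():
        group.sort(key=lambda t: t.day)
        cluster = []
        for t in group + [None]:  # None sentinel flushes the last cluster
            if cluster and (t is None or (t.day - cluster[-1].day).days > window_days):
                findings.extend(_assess(cluster, limit))
                cluster = []
            if t is not None:
                cluster.append(t)
    return findings

def _assess(cluster, limit):
    if len(cluster) < 2:
        return []
    ids = tuple(t.id for t in cluster)
    total = sum(t.amount for t in cluster)
    # Deposit plus balance, or one receipt spread over cards: parts add up to the receipt total.
    if any(t.receipt_total == total for t in cluster):
        return [(ids, "parts sum to one receipt total")]
    # Each charge is within the policy limit, but together they exceed it.
    if total > limit and all(t.amount <= limit for t in cluster):
        return [(ids, "combined amount exceeds limit")]
    return []
```

Flagged groups are candidates for auditor review, not conclusions: a legitimate deposit followed by a balance payment produces the same pattern as a deliberate split.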

Another AI capability is systematic risk profiling. Low-risk recurring transactions could be auto-approved and bypass the need for manager review, saving hours of administrative time and increasing the time available for more productive tasks. This time could focus on high-risk individuals or departments more likely to be noncompliant, leading to increased policy education or behavior change. 

Limitations: AI, ML, and RPA are relatively new and often expensive technologies. The software is only as good as the training data set inputs and what it is being programmed to do. AI involves a learning process, where users must "train" the software. Moreover, the AI tools may produce a high number of false positives, which could create more work than traditional methods. If these technologies do not detect pervasive noncompliance in the training data set, the model may never catch it — but a person could.

ML and AI are susceptible to biases and skewed results because of bad data inputs. For instance, the technology might determine that a certain gender or race is a higher risk for noncompliance, leading auditors to focus on those individuals' transactions and possibly resulting in legal issues or consequences.

Beyond Compliance

Auditing purchase card expenses goes far beyond reviewing for policy compliance. By using the cloud, data visualization, and automation in corporate card audits, auditors can drive better stewardship of company resources. While these technologies provide tremendous benefits, it's important for internal auditors to be aware of their downsides to adjust accordingly. By building on this foundation, internal audit also can use these technologies to transform the audits of other business areas and processes.

Bonnie Tse

About the Author



Bonnie Tse, CIA, CISA, CPA, PMP, is a senior internal auditor at T-Mobile in Bellevue, Wash.

