James Leisner, CPA, is director of corporate services for Stonebridge Business Partners, a Rochester, N.Y., company providing a variety of compliance and forensic investigative services to institutions, government organizations, nonprofits, and businesses.
Replacement Contractor: How would you suggest a business owner make employees aware of the fact that company credit card use is being monitored?
Jim Leisner: Have them sign a statement explaining, among other things, that the card is for business use only, not for personal use. That statement should also say that they're responsible for the safekeeping of the card and that they will alert you immediately of its loss or theft. It should state that unauthorized use or abuse could result in termination.
RC: Who should be responsible for card use?
JL: I would make employees responsible for individual cards and numbers. In other words, no card sharing. You can't hand your card to another employee and ask them to do a task for you. This keeps everyone responsible for his or her own card and card activity.
RC: How often should a business owner be looking at the card activity of employees with company credit cards?
JL: I would communicate to employees that you are reviewing their card activity each month. Employee review and sign-off sends the message that employees are responsible for the safekeeping of those cards. Make it a process/procedure that each month they are asked to review card activity and sign off on it or speak up to any issues or problems. Make them responsible for obtaining and turning in receipts. Facilitate a convenient way to submit receipts when employees are assigned cards.
RC: Are there any other controls you would suggest?
JL: Have appropriate credit levels for the cards. Not every employee needs the same credit limit. Five hundred dollars might suit one employee fine. Another might need $5,000. Also, subscribe to e-mail and phone alerts that the credit company offers that report when activity thresholds are approached or exceeded. You can also monitor activity online as often as necessary.
RC: What should the accounting department look for when examining card activity?
JL: Management and accounting should be reviewing account statements and detailed receipts. Receipt details should be viewed closely. It's not enough that a purchase is made from The Home Depot and that the purchase seems to make sense. I would look at: what are they buying, how much are they buying, what job are they buying it for, and does what they're buying make sense? For example, I am involved in a recent matter where an employee was using a company credit card to buy merchandise that seemed appropriate. But while some items seemed appropriate, the quantities and frequency didn't make sense. That person also began buying gift cards with the credit card. So someone in your company buying needed items at The Home Depot could be tempted to buy gift cards as well as household items for their own use or business items that they're buying for a business they're conducting on the side.
RC: How about the receipts themselves?
JL: Examine receipts closely for alterations of items, dates, quantities, and prices. Internal accounting should be matching receipts provided by the employee to statement activity. Otherwise a dishonest employee could submit a date-altered receipt multiple times, or submit his own credit card for reimbursement.
RC: How common is theft of cards by individuals outside the organization or misuse (fraud) of company credit cards by people inside the organization?
JL: In my experience, internal abuse is a bigger problem. If the employee is responsible for reviewing statement activity or the company subscribes to fraud/threshold alerts, that will protect you from outside fraud or theft. Typically, though, abusers are internal. They start small and escalate if they sense that no one is watching or that their abuses are not being detected. They escalate and conceal.
RC: How complicated do controls need to be?
JL: I don't think it is that complicated or takes much time. It's also important that those individuals within the company who are supposed to be reviewing this activity understand what they are doing, why they are doing it, what they are looking for, and what they should do — or who they should contact — if they find suspect activity. Again, in a recent incident, the accounts payable clerk was not aware exactly what they were supposed to be doing and ended up scrutinizing some activity but not other types of activity. The individual in question was trusted too much. He was smooth and had been there a long time. Generally, the supervisor should review a subordinate's activity. In addition, ask internal audit and an outside accountant to review credit card activity, as a supervisor could be in collusion with a subordinate. Having an unrelated employee or outside accountant review card account activity — statements and receipts — would be an excellent safeguard.
RC: How often should a business owner be reviewing card use?
JL: At least annually review what credit cards you are using, who is using them, and whether or not they're still needed. Adjust as necessary. When people leave the company, they must surrender their card and I would suggest you close that "sub account" so it can no longer be used. Otherwise the information could be retained by the former employee and used at a later date. Even if the card expires, that former employee could, with some guesswork, figure out the new expiration date.
—Jim Cory, editor, REPLACEMENT CONTRACTOR.