The following table shows control principles on which our audit focused. They are not intended to be an exhaustive list.
|Controls over purchasing cards
||What we expected to see
||Policies and procedures
- Entities should have a purchasing card policy that is up to date and accessible to all staff. The policy should include items such as:
- processes and controls for the issue, management and cancellation of a credit card, including credit card limits, validation and acquittal of expenditure
- purposes for which a card may, or may not, be used
- cardholder’s obligations (including during leave periods)
- processes for discharging any debt for personal expenditure on a credit card
- process for online purchases, including Paypal.
- There are appropriate delegations in place for monetary limits on cards, monitoring the use of purchasing cards and approval of expenditure.
- Where appropriate, delegations should also be set for certain types of expenditure.
|Use of purchasing cards
||Managing and monitoring the use of cards
- All purchasing card transactions should be valid, properly incurred, certified and accounted for in accordance with the entity’s purchasing card policies.
- New cards should be properly authorised before use.
- Cancelled cards should be cancelled on a timely basis to ensure unauthorised transactions do not occur.
- When employees go on leave, purchasing cards should be returned to the Card Administrator or another approved officer, and not shared with other employees.
- All transactions should be within the delegated transaction limits and transactions should not be split to circumvent these limits.
|Monitoring of purchasing cards
||Appointment of a reviewer
- The entity should have an appointed reviewer as required by TI 321.
- A review of purchasing cards should be carried out on a regular basis and evidence of the review should be retained.
- Management should periodically review credit card activity to identify inactive or under-used cards that may warrant cancellation.