The following table shows control principles on which our audit focused. They are not intended to be an exhaustive list.

Controls over purchasing cards	Focus area	What we expected to see
Policy	Policies and procedures	Entities should have a purchasing card policy that is up to date and accessible to all staff. The policy should include items such as: processes and controls for the issue, management and cancellation of a credit card, including credit card limits, validation and acquittal of expenditure purposes for which a card may, or may not, be used cardholder’s obligations (including during leave periods) processes for discharging any debt for personal expenditure on a credit card process for online purchases, including Paypal.
	Delegations	There are appropriate delegations in place for monetary limits on cards, monitoring the use of purchasing cards and approval of expenditure. Where appropriate, delegations should also be set for certain types of expenditure.
Use of purchasing cards	Managing and monitoring the use of cards	All purchasing card transactions should be valid, properly incurred, certified and accounted for in accordance with the entity’s purchasing card policies. New cards should be properly authorised before use. Cancelled cards should be cancelled on a timely basis to ensure unauthorised transactions do not occur. When employees go on leave, purchasing cards should be returned to the Card Administrator or another approved officer, and not shared with other employees. All transactions should be within the delegated transaction limits and transactions should not be split to circumvent these limits.
Monitoring of purchasing cards	Appointment of a reviewer	The entity should have an appointed reviewer as required by TI 321. A review of purchasing cards should be carried out on a regular basis and evidence of the review should be retained. Management should periodically review credit card activity to identify inactive or under-used cards that may warrant cancellation.