Report 17: 2019-20

Controls Over Purchasing Cards

What we found

All entities had up to date and approved policies and procedures for the use of purchasing cards, however some aspects were not included

Good policies and procedures provide essential guidance for staff to manage purchasing cards in accordance with management’s expectations. They should cover matters such as controls over issuing and cancelling cards as well as approving and acquitting purchases.

In 5 of the entities sampled, there was no policy or clarification regarding the return of cards while on extended leave. The policy should state what length of time represents extended leave and the need for the cardholder to return the card to the finance area while they are on leave.

Four of the entities also did not have a policy regarding the use of Paypal. Paypal can be an effective method of payment for certain purchases. However, its use creates an increased risk as the purchasing card is required to be linked to a Paypal account, which could result in the officer’s personal expenses being recorded with the entity’s transactions. If an entity uses Paypal, then it should have a more detailed policy on what can be purchased, and the type of evidence required for these purchases.

In 4 of the entities tested, the policy around hospitality and entertainment expenses needed to be clearer. Our data analytics testing noted a number of purchases in relation to food, gifts and alcohol. The policy at these entities is not clear on what is acceptable expenditure for hospitality, and delegated limits for these types of expenditure have not been set.

Most entities need to apply better controls over the use of cards

We tested a sample of 100 purchasing card transactions per entity and noted that a large number of them were supported by appropriate documentation, acquitted and approved in a timely manner, and were for business purposes. However, we still found a number of poor practices that had not been identified by the entities.

At 2 of the entities sampled, we noted instances where grocery store rewards program cards had been used when purchasing groceries. Public sector guidelines on gifts, benefits and hospitality require that purchasing cards should not be used to gain private advantage through the transaction. When rewards programs are used in conjunction with government purchasing cards, there is an increased risk of individuals making purchases through a particular supplier to gain a private advantage. 

As part of our data analytics, we reviewed the purchasing card transactions to identify if expenditure on the card had occurred while the cardholder was on leave. Our testing identified that purchasing cards were being shared between staff at 5 of the entities sampled while the cardholder was on leave. One low value transaction was made when the cardholder was on leave, which was an allegedly fraudulent transaction that had not been reported. The risk of sharing a card is that an entity cannot hold a cardholder accountable for all of the transactions paid for using that card.

Our data analytics further identified instances of splitting payments at 3 entities. This occurs where the cardholder splits the payment of a transaction into 2 or more instances to circumvent the transaction limit set on the purchasing card. The risk of splitting a payment is that the cardholder is making a purchase at a value that they are not delegated to make.

We also found instances of personal use on purchasing cards in 3 of the entities where the cardholder did not notify the appropriate authority in a timely manner. We also noted a number of instances at these 3 entities where the money had not been repaid within 5 days of notification, as required by Treasurer’s Instruction 321 Credits Cards – Authorised Use. If personal use of a government purchasing card is not tightly controlled, it is possible that amounts may not be reimbursed.

Five entities had purchases that were not acquitted and approved in a timely manner

Of 600 transactions tested at 6 entities, 155 were not acquitted and approved in a timely manner (within 30 days). When transactions are not acquitted and approved in a timely manner, there is an increased risk that unauthorised transactions are not identified and resolved promptly.

We also noted that transaction limits were not applied to purchasing cards in 7 of the 9 entities sampled. The purchasing card system is set up to implement a transaction limit on cards, but these entities are not implementing or enforcing these limits. Not implementing a transaction limit increases the risk of a large monetary loss, as large inappropriate transactions can be processed in 1 transaction. For example, if a purchasing card has a $100,000 limit with no transaction limit, the card holder could use the entire purchasing card limit in the 1 transaction.

None of the entities sampled had a formal review process to identify any shortcomings

Most of the entities sampled stated that they performed a periodic review of their purchasing cards, but none had formal records to evidence this.

From our review of the activity on purchasing cards across the 9 entities, we noted 475 cardholders who had used their purchasing card less than 12 times in the last 12 months, suggesting that they may not have a need for a purchasing card.

We also noted instances where business items were bought on the purchasing card that were outside the entity’s purchasing card policy, for example, the purchase of IT equipment and fuel.

Regular formal reviews would identify similar issues in a timely manner, and enable an entity to take appropriate corrective action, including training for card users.

 
Page last updated: March 27, 2020

Back to Top