360 likes | 503 Vues
Preventing P-Card Abuse: . Automated Monitoring & Resolution of Card Misuse July 2014. Meeting Agenda. Introduction CaseWare Profile Current State in Higher Ed. Purchasing Card Process Monitoring P-Cards Case Studies Q&A. CaseWare International. Founded in 1988
E N D
Preventing P-Card Abuse: Automated Monitoring & Resolution of Card Misuse July 2014
Meeting Agenda • Introduction • CaseWare Profile • Current State in Higher Ed. • Purchasing Card Process • Monitoring P-Cards • Case Studies • Q&A
CaseWare International • Founded in 1988 • An industry leader in providing technology solutions for finance, accounting, governance, risk and audit professionals • Over 400,000 users of our technologies across 130 countries and 16 languages • Customers include Fortune 500 and Global 500 companies • Microsoft Gold Certified Partner
Industry Trends • *ACFE 2012 Fraud Survey
Industry Trends • *ACFE 2012 Fraud Survey
Industry Trends • *ACFE 2012 Fraud Survey
P-Card Misuse in Higher Ed. • P-Card Fraud in the news
Purchasing Card Process 1. Assign Card End-User Organization 4. Submit Reconciliation Cardholder 2. Place Order / Make Purchase 5. Settlement / Post to GL 3. Receive Goods/Services General Ledger Supplier/Merchant
Why Continuously Monitor P-Card Controls? • One View: Complete overview of P-Card Activities • Control: Apply detailed spending & usage policies • Prevention: Visibility helps stop fraudulent activity before it affects your bottom line • Accuracy: Validate all transactions prior to payment • Efficiency: Ensure all appropriate discounts, rebates and refunds are properly applied • Assurance: Reputational risk is minimized
Areas of Risk • Card Issuance • Inactive/Terminated/On Leave employee using Card • Employee in any state except ‘full time active’ is currently using the company card. • Elevated liability • Create Employee transaction and spending profile to gauge unnecessary exposure for the company. • Profile factors (employee transactions, spending, card time of use, avg. balance compared to credit limit, etc.)
Areas of Risk • P-Card Administration & Analysis • P-Card Limits • Employee(s) use the Purchasing Card to spend over their weekly, monthly or transaction limit. • Duplicate Payment through Accounts Payable • Vendor has been paid through Accounts Payable as well as employee processing the payment with Purchasing Card.
Areas of Risk • Program Performance • Non-Preferred Vendor Spend (Vendor Rebates not maximized) • Multiple Vendors used for office supplies instead of single vendor to receive appropriate rebates. • Vendor is not giving you the appropriate Rebate as per contractual agreement. • Decline Transactions • Review and analyze decline transactions to assess potential misuse or employee(s) with insufficient credit card limits.
Areas of Risk • Spending Patterns • Excessive Even Dollar Transactions • Even dollar transactions are normally rare and are typically used in the purchasing of gift cards, gift certificates. • Split Transactions (Single or Multiple Cards) • Employee(s) complete(s) two transactions at same merchant to circumvent their maximum purchase amount threshold.
Areas of Risk • Transaction Policy Violations • Cardholder – Merchant Match • Employee has registered himself or been registered as a Vendor and being paid for additional services outside of job responsibilities. • Keyword Search • Verify employee are not making non-compliant purchases such as jewelry, groceries, tobacco, electronics, Apple store, etc. • Cash Advance/Financial Services • Employee may be using card for cash advances or financial services (mortgage, loan, line of credit, etc.).
CaseWare Project Approach STAYING AHEAD Move to a more proactive approach that reduces potential business impact of control failures. ACCESS DATA Your organization’s data is accessed from the relevant sources and consolidated PROACTIVE REACTIVE DATABASES FLAT FILES Audit Go beyond financial processes and assess the design and operations of controls for the entire business. LOGS CONTROLS MONITORING PREPARE FOR ANALYTICS Your data from multiple sources is then cleaned and organized to ensure it is accurate, consistent and ready to be analyzed. INVESTIGATIONS GOALS & PLANNING Work with key stakeholders to understand the business processes to be analyzed and their monitoring requirements. SOURCE DATA Governance Ensure that sound governance structures are in place to ensure the right information about the right issues is available at the right time. INTERNALASSURANCE POST-ACQUISITION ASSESSMENT Core Processes Embed monitoring best practices to ensure that business owners and operators are accountable . RISK ASSESSMENT INPUT RISK ASSESSMENT FOLLOW-THROUGH OPTIMIZE WORKFLOW AND REMEDIATION The workflow for results are designed including assignment, escalation, investigation and closure. RISK & CONTROLS Drill into the details of current risks and controls. This determines the data analytics needed, the strength of your existing controls and policies as well as what controls need to be improved to mitigate risks. DATA ANALYTICS The correlations and relationships are made identifying, trends, field statistics, and patterns and anomalies are isolated. REPORTING RESULTS The details of how the results are to be communicated along with any relevant reporting are determined. RESULTS VALIDATION Key stakeholders validate the results of the analytics and results are fine tuned.
Recommendations Here are a few general recommendations: • Direct cardholders to document purchase requests and approvals, budget approvals, and bona fide company/government/corporation needs for P-card transactions. • Strengthen the monthly P-card reconciliation process. • Ensure that purchases are equitably distributed among qualified vendors and that you determine the most efficient and effective method of obtaining services (i.e., insourcing versus outsourcing, purchase cards versus other procurement tool). • Develop policies and procedures to ensure that purchase card files are retained when cardholders or approving officials end employment with the department or discontinue their functions as cardholders or approving officials. • Improve training — as well as its tracking and monitoring — for cardholders and approving officials on regulations over the use of P-cards.
Customer Value Chain Enabled by Expert Content Business Process Modelling Data Management Training, Consulting and Certification Certified Enterprise Platform Global Partner Network
Customer Value Chain • Upload the company’s risk and controls library across: • Business Processes • Subsidiaries • Locations • Design analytics to monitor the controls • Generate alerts when controls are failing • Trigger a collaborative remediation workflow • Take the necessary actions • Measure performance and track root causes • Optimize business processes
Generate Insights • Indicators of controls performance • Tracking root causes • Measuring ROI
Collaborate • Alerts are triggered by system events • For example: • An inactive employee is currently using their purchase card • An employee has left the company but the card was never recovered. • Alerts delivered in the browser, e-mail or Text Messaging. • Triggers a collaborative workflow for teams to take action
Remediation Workflow • Create work items for users to take action • Designed according to business requirements • Time limits, escalation, team assignments, metrics capture all configurable.
Actions • Users are engaged by the system to action items • Exception details are provided along with: • Research info • Remediation guidelines and links • History of the item • Relevant Indicators/Metrics
Taking Action • Users are provided with guidelines for resolution • They take action according to the workflow design • This include capturing the metrics
Measure & Optimize • Based on the indicators the business gain insights how to improve operations • For example: • Card Misuse may be consistently happening in a particular department or location • Which may be occurring because of a lack of training in that sub-process or location. • Address the training issue and the control environment is restored
Monitor: Value Added Solution • Give customers the ability to: • Determine the state of any control in the business • Resolve identified breaches before impact • Provide an unparalleled ROI All of this in a simple, yet sophisticated solution.
Success Story – Georgia Tech Expanding P-Card Program • 2,400 cards and growing… • 180,000+ transactions per year • $70+ million spend
Success Story – Georgia Tech Challenges • Card abuse by employees • Reputational Risk • Money Leakage
Success Story – Georgia Tech CaseWare Monitor Solution • Automated Transaction Monitoring • Use Level III data to independently verify the integrity of transactions • Customizable Workflow management to facilitate analysis and investigations • Notifications (via dashboard, e-mail, SMS, etc.) equipped with Resolution Guidelines
Success Story – Georgia Tech Results • Detected millions in fraudulent purchases • Uncovered $350K during initial phase • Automated and scheduled analysis of transactions • Fast resolution of control breakdowns “The real value of using data analytics is that it allows you to see fraud schemes that would be impossible to detect manually.” Phil Hurd, CISSP, CISA Georgia Institute of Technology
Success Story – Georgia Tech Video Reference
Q & A Andrew Simpson, COO andrew.simpson@caseware.com Michel Caluori, Professional Services michel.caluori@caseware.com For Complimentary Risk & Control Assessment Contact: rcminfo@caseware.com
Save the Date!Upcoming PDG Conference! 18th National P-Cards on Campus Conference February 8-11, 2015 - Wyndham San Antonio Riverwalk - San Antonio, TX For details, be sure to visit www.prodev.com