1. Setting Controls for Purchasing Card Programs Marty Newman Tammy Yanulevich University of Maryland 2014 NAEP District II

2. Controls Card Assignment Background Checks AgreementsApproversLimitsRestrictionsTrainingReviews Separation of Employment Upper Management Support

3. Card Assignment CardholdersApprovers

4. Background Checks Check with Legal and HR Contract Established? Who Pays? What is Expected Gain?

5. Cardholder Agreements Requires Signatures –Department Head –Cardholder –Approver Includes Responsibilities and Consequences Form approved by Legal and HR Cover Memo with Instructions Password Protect Your Forms

10. Approvers Supervisor Business Manager Detail Oriented Accepts Responsibilities Approver Form requires Signatures and cites Responsibilities and Consequences Documented Review Completion

11. Card Limits Single Transaction Limit (tied to non- compete limit) Monthly Credit Limit (reasonably assigned and reviewed) Daily # of Transactions Expiration

12. Restrictions MCCPolicy

13. Training Mandatory Training with Test Reviewer Training Refresher Training

14. Reviews 100% Percentage of Transactions On Site RemoteCyclical

15. Separation of Employment Immediate Cancellation of Card Responsibility Suspend Cards for Extended Absence

16. Upper Management Support

17. Red Flags Avoiding Review Late Record Submittal Lost/Missing Receipts Accidental Personal Transactions Cardholder Placed on Probation

18. What’s the Difference Between Fraud, Misuse and Negligence?

19. Fraud A deception deliberately practiced in order to secure unfair or unlawful personal gain

20. Misuse Restricted purchases - not for personal gain Examples of misuse include: –Purchasing gift cards or other cash equivalents –Intentionally splitting a purchase to circumvent delegated authority (by one or more cardholders) –Sharing cards

21. Negligence Sloppy recordkeeping - not for personal gain Unsecured record retention Lack of receipts Unsigned documents Missing statements Lack of additionally required documentation

22. Consequences of Fraud Restitution Termination of Employment Imprisonment

23. Consequences of Misuse and Negligence Make the punishment fit the crime Institute the “3 strikes, you’re out” rule Suspend card until cardholder attends another training Cancel the card (coordinate with department)

24. Deter Fraud, Misuse and Negligence

25. Ingredients in Pcard Fraud OpportunityMotivationRationalization

26. Why Does Fraud Occur? Premeditated, calculated act to defraud institution Crime of necessity (personal financial need) Crime of passion (desperation) Incident of bad judgment Inattentive Approvers

27. How Does Fraud Occur? Services paid for, but not received (usually involves two individuals) Personal purchases made, and removed from institution’s property or shipped to another location Personal purchases made in combination with authorized goods/services Program weaknesses

28. Program Weaknesses Program has too many cardholders Reviewers responsible for too many cardholders Insufficient training Faltering Reviewer (very dangerous as this is the first line of defense) Lack of/or insufficient program oversight We must have proper mechanisms installed to detect and halt fraud

29. You Found Fraud/Abuse, Now What? Create a Plan of Action and get it approved

30. Plan of Action Components Confirm fraud occurred Review each transaction with cardholder’s supervisor Prepare detailed list of suspected transactions Investigate

31. Plan of Action Components Create Log of Events –Date when made aware of questionable or suspected transactions with details –Investigation techniques and discoveries –Record facts only – no dialogue –Copy of signed cardholder agreement and training sign-in sheet –Review transactions as far back as when card was initially issued –Update log regularly

32. Plan of Action Components Inform your supervisor/department head Contact Institution’s Legal Office Contact Institution’s Human Resources Office or Office of Provost Get cardholder’s department head on board Contact issuing bank to report potential cardholder fraud

33. Plan of Action Components Cardholder’s department head confronts cardholder (personnel action) Cancel card Obtain duplicate receipts if needed (vendor will contact cardholder) Know your deadlines (filing of fraud insurance, HR deadlines) Based on the situation, discuss restitution and employment termination of cardholder

34. Plan of Action Components Identify which control failed Implement changes to program Announce to campus

35. Sharing Some Lessons Learned

36. Lessons Learned Instruct Approvers to conduct an exit review of departing cardholder’s transactions Ensure sensitive equipment (computers, digital cameras, etc.) are tagged in inventory Document attendance at training sessions Know that California vendors uphold privacy act; they require legal action to obtain receipts Cell phone vendors similar to California vendors

37. Lessons Learned Watch for altered receipts Receive notification that the reviews have been completed Obtain a copy of the Liability Waiver in advance; know requirements and time constraints Inform all cardholders and reviewers of what, when and why fraud occurred Trust everyone – audit anyway

38. Questions and Answers