CO M M E R C I A L C A R D

Auditing and Compliance Strategies for a Solid Purchasing Card Program

Industry Leaders Share Real-World Best Practices to Better Control Procurement Spending

Best Practices Shared by Surveyed Participants

1 Secure senior management support while involving key players

10
pg. 1 pg. 2 pg. 3 pg. 4 pg. 5 pg. 6 pg. 7 pg. 7 pg. 8 pg. 9

A university employee in Georgia was recently indicted for ringing up more than $300,000 in personal charges on a state-issued purchasing card. Items acquired included foosball tables, season tickets to football games and a $1900 frozen drink machine. A state audit report blamed the university for its lax supervision of the card program. In Tennessee, county employees resigned amid a purchasing card scandal that included close to $50,000 in undocumented or inadequately documented expenses; reports of fabricated receipts; purchases of cruises, alcohol, lobster dinners and family members plane tickets; and gas purchases for private cars. Though such cases of flagrant misuse are fairly isolated, hearing such stories causes treasurers and purchasing card administrators to pause and question. No matter the industry, market segment or program size, concerns regarding out-of-policy spending, fraud detection and card misuse remain the same. Does my corporate, university or government purchasing card program have the proper compliance and auditing controls in place? What steps can my organization take to improve its procurement program? JPMorgan surveyed dozens of its purchasing card customers to gather some of the industrys best practices for building and maintaining a solid card program. Among those surveyed include Arizona State University, Chevron Corporation, ConocoPhillips, George Washington University, International Paper, Monsanto Company, Sears Holdings Corporation, ServiceMaster, Starbucks, University of Illinois, University of Maine System, University of North Texas, University of Pennsylvania and Yale University.

2 Establish checks and balances 3 Establish consistent policies across the organization 4 Mandate training for cardholders and card managers before a card is issued 5 Establish protective controls upfront 6 Use technology to streamline back-end auditing 7 Audit beyond the traditional 8 Foster positive relationships with cardholders 9 Conduct periodic peer reviews before official audits occur 10 Network to gain new ideas

Partner with key players throughout the organization to gather input, foster a spirit of team ownership, and ensure full corporate buy-in.

Secure senior management support while involving key players

Support for your purchasing card compliance program must come from the top. Identify members from senior management who will champion the program and give it a backbone while providing focus and priority in the company. Senior management should play a key role in establishing or approving card policies and procedures and enforcing violations when needed. Also partner with key players throughout the organization to gather input, foster a spirit of team ownership and ensure full corporate buy-in. According to Visas Practical Guide to Control and Compliance in Commercial Card Programs, regardless of the ownership structure, the Program Manager and Program Administrator should work closely with other departments within the company, including Finance, Accounts Payable, Procurement, Human Resources and other business units to ensure that card purchases are made in compliance with company policies and procedures.

Monsanto Company, a leading global provider of technology-based solutions and agricultural products that improve farm productivity and food quality, is in the process of moving its 7,000 U.S.-based cardholders to a One Card, an all-in-one payment solution that consolidates purchasing, travel and entertainment expenses. According to Staci Leap, Monsantos Team Lead for Expense Management Production Support, Senior sponsorship is empowering as such support demonstrates to employees that card controls and enforcement are not taken lightly. In addition, as we continue to enhance our U.S.-based card program and expand internationally, our alliance with senior management and other key divisions has resulted in stronger controls and more streamlined implementations. Involving audit and treasury experts from the onset when developing processes and procedures has helped us identify tax, deductibility, governmental and legal issues that may have otherwise been overlooked. We always include a representative from Audit when establishing new policies. Each month Ms. Leaps organization also creates a dashboard with key metrics, statuses and issues for senior management review, giving her team and the card program significant exposure with the CFO, Controller and other hierarchy.

Arizona State Universitys program logged more than 120,000 transactions in 2007. ASU created a purchasing card advisory board comprised of fifteen influential users from across the university, including representatives from the services, education, athletics and research departments. According to John Riley, Director of Purchasing and Business Services for ASU, the team meets on a quarterly basis with a representative from its card issuer to provide feedback and strategize on how to strengthen the program. Regular face-to-face involvement with its top end-users has provided the university with another avenue to communicate and educate program or policy changes and improvements, resulting in decreased misuse of the card. Changes to the University of Maine Systems purchasing card manual and policies require approval by the CFO. According to procurement administrator Paula Taylor, The CFO has the ultimate responsibility for monitoring and controlling the use of purchasing cards, including making decisions as to which persons will be provided with a purchasing card.

2
No matter how clearly roles and responsibilities are documented, they will prove ineffective in mitigating risk unless there is logical segregation of duties.

Establish checks and balances

A set of checks and balances and a segregation of duties must be established between the various individuals involved in card program management. No matter how clearly roles and responsibilities are documented, they will prove ineffective in mitigating risk unless there is logical segregation of duties. At a minimum, cardholders should not be their own approving manager or approving executive. Separate individuals must be identified for card program responsibilities related to request, authorization and execution. Pam Henton, director of accounts payable and card services for energy company ConocoPhillips, manages about 13,500 cardholders and 120,000 expense reports per year. All expense reports and associated receipts must be reviewed and approved by the

cardholders direct manager. By placing some burden on the manager, expense reports have already been through one review cycle. Monsantos Staci Leap and her auditing counterpart Tamara Khan have divided program responsibilities to create a Center of Excellence. Ms. Leap mainly focuses on the overall card program and expense reporting system while Ms. Khan focuses on compliance and control. Every other week they meet to review their red list of potential user violations and other program spending trends. This model creates a balanced system of checks and balances and is being replicated in other countries as they roll out their global program.

Establish consistent policies across the organization

The development of policies should support various aspects of card program control, including establishing card issuance guidelines, transaction controls, and rules for card usage, documentation and record retention. No matter how the management of your card program is structured, the same policies and processes should apply to all cardholders. Whether your company is acquiring an established business or if you have oversight of a single program based in one location or multiple programs spread across a number of business units, be consistent when establishing parameters. Only then can rules be enforced without confusion. According to Sears card manager Wayne Randall: When Sears Holdings Corporation acquired Kmart and Lands End, we realized from the onset that our purchasing card policies and procedures differed in a number of ways. Some of the initial goals were to gain buy-in to the program, establish consensus with a companywide policy, and roll out the cards to leverage the already established spending practices.

We audited 100% of all new cardholders for the first few months to inform, educate and enforce compliance during their transition to a new corporate culture. If out-of-policy spending occurred, an email was sent to the cardholder outlining existing policies. New cardholders quickly adapted. As Monsanto rolls out programs in new countries, the same set of delinquency controls are implemented that led to a reduction in delinquencies from 30 to 5 percent. According to Staci Leap, there was some initial doubt that the new global programs would be able to achieve the same delinquency standards as those established in the U.S. program, but history has proven this to be a realistic expectation.

No matter how the management of your card program is structured, the same policies and processes should apply to all cardholders.

ThOugh ThE PROgRAMS bELOw ARE MAnAgED DIffEREnTLy, EACh buSInESS hAS ESTAbLIShED An EnvIROnMEnT whERE COnTROLS ARE unIfORM, ThuS CREATIng A MORE COMPLIAnT EnvIROnMEnT fOR OvERALL COMPAny SPEnD: International Paper: The program is managed at the companys shared service center in Memphis, TN. However the day-to-day operations are performed by the companys outsourcing partner with support from four specialists based in Poland. Two additional specialists in the U.S. support customer service, priority inquiries and paper-based applications. The team oversees approximately 3,500 cardholders and $70 million in spend. Sears holdings Corporation: The card program is managed by a Shared Services operation that oversees purchasing activity for more than 20,000 cardholders in multiple business units, including Lands End, Kmart and Sears. university of Maine System: A lead purchasing card manager oversees seven program administrators. The administrators manage seven separate programs at seven geographically dispersed campuses with 1,700 cardholders and $18 million in spend.

Mandate training for cardholders and card managers before a card is issued

Education and a clear understanding of cardholder roles and responsibilities are vital to any program. Once an application is received, companies should consider having card applicants participate in some form of training course before they receive their card. While training in-person or via conference call could be offered every month or so, companies may want to consider establishing a brief online course or quiz. A record of those who took the course or passed the quiz can be maintained to further support your companys Sarbanes-Oxley initiatives. Best-in-class companies keep education at the forefront and train early and often. Regularly published newsletters, e-mail announcements and continually updated Intranet sites can be used to announce policy changes or bring greater clarity. At George Washington University, card applicants do not receive their card until they participate in a faceto-face one-hour training class with the universitys Assistant Director of Supply Chain. At Yale University, training also is mandatory. While one-on-one training is offered to the universitys deans and other seniorlevel staffers, the universitys Learning Center offers in-class training twice a month to cardholders. Online training also is available (http://www.yale.edu/ procurement/training.html). Chevron Corporation employees are required to take a training course every two years to continue using the card. Monsanto requires that its cardholders take a computer-based training course and receive a score of at least 100 percent in order to apply for their card. Upon completion of the course, users receive a digital diploma or certificate that then must be submitted along with their application. Cardholders who are on a watch list as a result of multiple audits are required to take the course again. Though Monsantos card policies are required reading and made available online, administrators also developed a simplified version of the policies to help cardholders learn more easily. The companys How to Handbook includes indexes and tabs to separate and highlight key sections of travel, expense and compliance policies. Arizona State University has been producing a monthly newsletter since 1993 titled P-CUTS Purchasing Card User Tips. Examples of topics addressed in the publication include updated policies and procedures, FAQs, lists of restricted items, tips on fraud prevention, training class schedules and other reminders (http://www.asu. edu/purchasing/pdf/currentissue. pdf). Purchasing card news is often included in The Bottom Line, a monthly newsletter published by the University of Pennsylvanias Financial Training Department (http://www. finance.upenn.edu/ftd/Bottom_Line/ Sep06.pdf). Penns Purchasing Services department also issues a monthly Purchasing Card News e-mail to all purchasing cardholders to keep them apprised of card program related news. In addition to printed and emailed training materials, University of North Texas also has a program guide online (http://pps.unt.edu/images/ stories/pcard_32008.pdf). Their program philosophy is to empower the cardholder and decentralize controls. In order to succeed, they also need to educate the cardholders and offer them easy access to program materials.

Establish protective controls upfront

In 2007 the University of Illinois implemented a compliance improvement initiative that incorporated a number of upfront controls, including mandated training, an ancillary Web-based training program, compliance-tracking software and a revised policy document in which cardholder responsibilities and consequences for inappropriate use were further clarified. These were some of the factors that lead to a 60 percent improvement in audit findings within a year. ServiceMaster, the parent company of pest control business Terminix, has implemented single-use account technology to bring greater spend control and efficiency to its payment processes. The company is using the technology throughout its network of Terminix branches as a means to make one-time payments to its subcontractors. Once a Terminix subcontractors work is complete and the associated claim has been approved by ServiceMaster, a limited-use account number is issued to securely pay the subcontractors approved claim. In the past, ServiceMaster would pay its Terminix subcontractors by giving them a credit card number and expiration date. ServiceMaster would have no control over how often the subcontractor could charge the card or how much they charged. According to Mike Gaffney, ServiceMasters Director of Card Services: We were running into situations where subcontractors would double charge us or they would charge us before the work was complete. The control is now very tight.

All successful purchasing card programs are safeguarded with a combination of upfront controls and back-end auditing practices. In addition to required training, some common upfront measures include the establishment of cardholder transaction limits, monthly spending limits, and the blocking of unauthorized Merchant Category Codes. An increasing number of companies have deployed single-use or limited-use account technology to bring greater control over spending. At George Washington University, card applicants must first receive signed approval from two senior-level executives before an enrollment form is submitted. The University of North Texas has established an exception process where only certain cardholders are able to make certain purchases. For example, only the campus police department is able to purchase ammunition. To be considered for such exceptions, cardholders must fill out an exception request and receive approval by the director of the purchasing department. All exception forms are kept on file for back-up. Texas Womans University blocks certain types of vendors from purchasing card use. Examples of prohibited Merchant Category Codes include 4121 taxicabs and limos; 4722 travel agencies; 7298 health and beauty spas; and 7011 lodging hotels, motels and resorts. Restricted purchases include memberships, temporary personnel, utilities, telephone services and equipment, tips and gratuities.

Some common upfront controls include the establishment of cardholder transaction limits, monthly spending limits, and the blocking of unauthorized Merchant Category Codes.

6
Corporations should seek to partner with an issuer that provides Web-based payment management tools designed to support all areas of card program administration, including enhanced reporting and real-time visibility into spending.

use technology to streamline back-end auditing

Technology is key to helping card administrators more effectively pinpoint potential card misuse and guide the back-end auditing process. Corporations should seek to partner with an issuer that provides Web-based payment management tools designed to support all areas of card program administration, including enhanced reporting and real-time visibility into spending. Best-in-class systems enable administrators to block unauthorized purchase categories, monitor corporate compliance, modify spending limits and cancel cards. Administrators should have access to a variety of standard reports that provide the transaction detail needed, including vendor analysis, unusual activity analysis and delinquency reports. Cardholders can assist with compliance efforts by viewing their statement information in real-time. Raymond Williams, accounts payable manager at coffee giant Starbucks, oversees a program with 4,300 cardholders and approximately 45,000

expense reports per year. Williams and his team use an online reporting tool on a daily basis to oversee spending in real-time. A specialist identifies transactions that fall under certain restricted Merchant Category Codes, as well as merchant names that have been placed on Starbucks high-risk transaction list or Hot List. Approximately 4 to 5 emails are sent out each day asking cardholders for additional information on questionable transactions. The cardholders manager is copied on these messages. According to Williams, It is an effective control if employees sense that their spending is being monitored. The card is for business purposes only, not for personal use. International Paper uses a central data warehouse and data mining tools to store and access transaction information electronically. The company worked with their issuer to set up the data feeds to populate the system, thus enabling card administrators to create reports and make on-the-fly inquiries for all of their program needs.

ACCORDIng TO vISA, CARD PROgRAM DATA ALLOwS COMPAnIES TO IDEnTIfy SPECIfIC InDICATORS ThAT MAy hIghLIghT AnOMALIES In ThE CARD PuRChASES. ThESE InDICATORS MAy InCLuDE: Split transactions (i.e. two or more transactions which show the following similarities: same date, same supplier, same cardholder and same amounts) Unusual increase in the cardholders average spend and/or highest spend amount Purchase amounts over transaction limits Purchase amounts within one 1 to 3 percent below purchase limits Purchases with unauthorized suppliers Purchases from suppliers with un-blocked MCCs on a watch list

SOME AuDITIng COnTROLS ARE unIquE TO CERTAIn InDuSTRy SEgMEnTS: Many companies in the healthcare industry audit spending to ensure that it is compliant with government pharmaceutical regulations. Sales representatives, for example, must follow strict state and federal guidelines in terms of the amount of dollars that can be spent entertaining their medical clients. State colleges are exempt from paying sales tax on the purchase of products and services that support the universitys educational and research mission. Card program administrators from institutions like the University of Maine System and The University of North Texas perform audits to ensure that vendors are not applying sales tax to cardholder purchases. If sales tax, finance charges, or fees have been incurred, supporting documentation must demonstrate that these were warranted. University card administrators also perform audits to ensure that purchases acquired by grant accounts are allowable, allocable and reasonable, and not prohibited by the sponsor or federal guidelines. Some government contractors have unique controls, such as performing environment health and safety reviews to ensure that cardholders are compliant with environmental practices and are hiring sanctioned vendors to perform functions such as the disposal of waste, paint or batteries.

Audit beyond the traditional

Best-in-class organizations enhance their traditional auditing practices by looking beyond spend limit and MCC violations. Additional controls also may need to be established depending on your industry. According to Joey Saxon, the University of North Texas Director of Purchasing and Payment Services, audits are conducted on purchases that are made in the evening or on weekends. Purchases that are shipped to an individuals home as opposed to campus are also investigated. Other items that are red-flagged: personal technology purchases such as computers, cell phones or PDAs and items acquired through PayPal.TM

Sears Holdings Corporation focuses on the travel-related practices of its OneCard users. When renting an automobile, cardholders should not sign up for the rental agencys fueling option. In order for meals to be reimbursed, cardholders must be on overnight status. Cardholders must provide supporting documentation to demonstrate that an overnight trip occurred. Many companies focus on retail spending by auditing statements that include purchases from Amazon.com, Best Buy, eBay, Target or Wal-Mart. Audits are also conducted on purchases made outside of its published list of preferred suppliers.

foster positive relationships with cardholders

While monitoring and enforcement are vital to success, it is important that card program administrators not be viewed as the enemy. In order for your program to grow and succeed, positive, interactive relationships must be established with your cardholder base. Take a consultative approach. Create an environment where cardholders feel comfortable reaching out to you with questions and issues. Sometimes spend limits or other restrictions need to be loosened in order for cardholders to be more effective in their job. The purchasing card manager at a major U.S. airline reviews decline reports daily and proactively investigates why such declines occurred. Perhaps MCCs should be unblocked for certain buyers or spending limits need to be raised. Perhaps a cardholder needs to be further educated on policies. The company also reviews its spending

reports daily. If a cardholder has accidentally used the company card to buy a personal item, they should self-report immediately to demonstrate that they are operating within the spirit of the program and not engaged in suspicious activity. According to the airlines purchasing card manager: We are very parental in a number of ways. If you have used the card in a non-compliant manner, we can work out the issue if you are honest upfront. Everyone is human and mistakes can occur. But we will monitor your reports more closely over the coming months to make sure that your behavior has improved. Like baseball, we have a three strikes and youre out approach. After the third strike, you lose card privileges and disciplinary action will be taken. But if you have received one strike and proven over the following months that you are following policies correctly, that one strike may be removed from your record.

Conduct periodic peer reviews before official audits occur

To mitigate improper card use and help support Sarbanes-Oxley requirements, best-in-class organizations also perform ongoing peer reviews of purchasing practices well in advance of regularly scheduled audits. Sarbanes-Oxley Section 404 requires management to report on the adequacy of their companys internal control over financial reporting. Informal, periodic peer reviews can help determine any program weaknesses while promoting efficiencies, ongoing training and limiting overall risk.

International Papers purchasing card practices are audited every other year by internal audit. These audits take place at each of International Papers seven divisions. In anticipation of these audits, cursory peer reviews are conducted annually at each location. Divisions also perform monthly transactional reviews. The purchasing card program at Monsanto is audited at least twice a year, once by an internal team and once by an external firm. Card administrators prepare for these audits by conducting approximately 8 random audits per month and reviewing at least 40 percent of spend.

The seven college campuses that comprise The University of Maine System perform periodic mini-reviews of cardholder and record-keeper documentation and processes in anticipation of formal scheduled audits that take place. The review program (http://www.maine.edu/ system/stratProcure/PCardReview. php) was piloted in Fall 2007 to promote program policy compliance, continue cardholder education, heighten program exposure, recognize departmental training opportunities and ensure successful campus internal audits. The review program also helps to identify structural weaknesses in the card program and offers an opportunity to recommend changes in a less formal way. Using peer-led reviews offers a more manageable alternative to the traditional audit and has been embraced by university staff. Card administrators control the process and can fine-tune their program with self-identified modifications instead of being forced to implement an auditors plan. Card program policies should be reviewed and updated periodically to reflect any changes in the company that affect the use of the card. Despite the existence of written policies in the majority of companies surveyed by the Association of Financial Professionals, only 38 percent of those companies update their policies annually. At a minimum, it is recommended that reviews of the card program policies should be scheduled on an annual basis.

There is a clear value in taking a look at what other people are doing and not falling into the trap of thinking that only your ideas are the best that would work. Networking helps validate business direction and pholisophy.

In todays highly regulated environment where the main focus is on compliance and auditing controls, a purchasing card program provides the foundation and visibility tools to better manage corporate spending. By following the best practices and innovative strategies shared by some of JPMorgans purchasing card customers, corporations are better positioned to launch an effective card program, improve compliance and auditing processes and practices, and further accelerate efficiency.

10

network to gain new ideas

Many professionals with purchasing card oversight participate in peer-based networking in order share compliance challenges and successes; learn valuable lessons from other program administrators; and discuss industry best practices. Such involvement also helps organizations validate and improve their own compliance practices. In addition to attending conferences sponsored by such groups as the Association for Financial Professionals, International Accounts Payables Professionals, the National Association of Educational Procurement, the National Association of Purchasing and Payables and the National Association of Purchasing Card Professionals, many purchasing professionals are finding valuable connections in their own backyard. For example, 14 universities in Pennsylvania, including Drexel University and the University of Pennsylvania, meet regularly as part of the Philadelphia Area Collegiate Cooperative (http://www.purchasing. upenn.edu/pacc/index.php), a cooperative purchasing organization comprised of representatives of local higher education purchasing officers to utilize cooperative purchasing best practices to leverage combined buying power for its member institutions. Perhaps such an organization exists in your state.

Some card issuers also host regional meetings in which compliance and auditing tips are shared. Seek to partner with a provider that hosts regular networking opportunities, whether they are annual user conferences or user groups that meet on a regular basis. Purchasing card providers want your input and feedback as they develop new offerings or strengthen existing solutions. According to Ralph Maier, Director of Purchasing Services, University of Pennsylvania: While we take great pride in our own work, we realize that we are not alone in the challenges we face. Our philosophy is to take a look at strategies, processes and techniques that other organizations have used. While we try to develop as many homegrown ideas and concepts as possible, we also complement what we have done with the best of what others are doing, thus making our deliverables much more valuable to management and customers. There is clear value in taking a look at what other people are doing and not falling into a trap of thinking that only your ideas are the best ideas that would work. Networking helps validate business direction and philosophy and helps validate business decisions one way or another. Its always interesting to see how other organizations have approached similar opportunities or challenges. At the end of the day, we are evaluated for how successful we are in what weve been able to deliver.

For information on JPMorgan Commercial Card Solutions, visit jpmorgan.com/commercialcard or send an e-mail to: commercialcardinfo@jpmchase.com

JPMorgan Treasury Services jpmorgan.com/ts

2008 JPMorgan Chase & Co. All Rights Reserved. JPMorgan Chase Bank, N.A. Member FDIC Printed on paper using 15% post consumer fiber.

Produced by TSS Global Marketing