control, and governance
AN AILING CORPORATE CREDIT CARD PROGRAM
A former executive assistant at the University of Washington Medical Center has been charged with 19 counts of theft after being accused of embezzling more than US $250,000 from the hospital, according to an article published in The Seattle Times. A university detective began investigating the case last year after being tipped off by the university’s internal audit department. The former executive assistant was suspected of misusing his corporate credit card — which no one was assigned to oversee — as well as other university funds. Because of the alleged misuse, the university detective said systemwide changes have been implemented regarding how corporate cards are handled.
Systemwide changes made after a fraud has occurred is like closing the barn door after the horse has escaped. Management and internal auditors should be assessing fraud risk up front. Corporate credit and travel cards are always high-risk areas. Most companies conduct regular — at least annual — travel and entertainment and corporate credit card audits. If your company issues corporate and travel cards, you should be ascertaining whether a fraud risk assessment has been performed and when the last audit was completed.
In this case, a basic control over credit card spending was missing — no one was overseeing the former executive assistant’s credit card expenses. This control weakness may have contributed to the former assistant’s ability to allegedly embezzle more than US $250,000 in three years.
At an organization’s request, banks can restrict transactions for corporate credit cards to specific merchant category codes to prevent personal purchases. Furthermore, internal auditing can use data analysis to highlight potential personal purchases made on the corporate credit card by screening transactions by merchant category code. Given that the former assistant allegedly was stealing more than US $84,000 a year, trend analysis would have shown unusually high spending amounts by month and drawn attention to the fraud.
Fraud prevention and detection programs should be in place to identify fraud risk and to monitor high-risk areas for possible frauds. The university indicates that it made systemwide changes. These types of changes should be based on a solid fraud risk assessment rather than on fixing known weaknesses.
COMMENT ON THIS ARTICLE
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.