When you look at instances of corporate card fraud that make the news, some interesting recurring points start to stand out. The first one is that there are way too many of these instances, and they happen in all sorts of industries and organizations – from universities and school districts to large private companies and healthcare institutions. But when you dig deeper you notice that many of these fraud instances have a similar calling card: someone had too much power.
How it happens
It’s a tale as old as corporate cards are. Someone uses the card improperly, and often quite brazenly, and they have no fear of repercussions because there is nobody to catch them doing it.
Organizations typically establish a chain of command for approving corporate card transactions. There are cardholders, and then there are approvers. You may be surprised to learn that fraud often happens because the approver is approving their own expenses.
Alternatively, they could be working with a conspirator. It’s easy to imagine how this could happen: someone with an approver status is incentivized to look the other way when they see something they shouldn’t from one of the cardholders whose expenses they are “approving”, and it flies under the organization’s radar.
No procurement department wants to be on the news
The instances you hear about on the news are just the ones where the people involved were sloppy enough, or stole enough, to be noticed anyway. Maybe the organization conducted an audit that found the fraud months, or years, after the fact. The Association of Certified Fraud Examiners (ACFE) publishes statistics regarding occupational fraud on a yearly basis. In 2024, they found that the average time it takes to detect occupational fraud is 12 months.
In short, you must have a contingency plan in place for those who would abuse their approver status. Otherwise, they have too much power in the process. The line from a certain famous fictional uncle applies quite well here… “with great power comes great responsibility”. When you can’t guarantee great responsibility – and you never can – checks and balances are the way to go. The easiest way to do this is to introduce a separation of duties to the process.
Introduce a separation of duties
When introducing a solid chain of command with sufficient checks and balances, there are a few key things to keep in mind:
- The purchaser and expense approver should never be the same person. When they are, you get the situation we described earlier, where someone can abuse their approver status and purchase whatever they want with no oversight.
- Rotate approver status. This ensures that no person has approver status for too long, and lightens their workload in turn. It also keeps you more protected if somebody leaves the company suddenly.
- Introduce a third-party service. Having a trusted third party looking at the expenses outside the company is the strongest thing you can do. This takes the onus off of the approver even further (which they may welcome in many cases, since it is often a lot of busywork!). With a third party reviewing your corporate cards, you can also receive analytics and regular reporting on spend along with fraud alerts. These reports can come in handy when it’s time to share data and information with the rest of the department as well as leaders in the company. With more accountability, timely and accurate reporting, and a firm separation of duties, it will be much harder for internal expense fraud to exist and thrive.
Fraud hides in other ways too – learn how to fight against it
Introducing a separation of duties isn’t the only thing you should do to bolster your card program’s internal controls. It’s only the easiest. There are several types of fraud, misuse, and abuse that require more complicated methods to reveal. For example:
- Using fake LLCs and shell companies as a means to pay oneself with a corporate card, disguising the transaction as legitimate.
- Submitting fake receipts
- Double dipping, by submitting reimbursement requests for transactions made via corporate card
A separation of duties alone would not uncover fraud in the above scenarios. You need data-driven, actionable reporting that compares what employees submit to actual data from the bank.
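As an added illustration (not Card Integrity's tooling or code from this article), the sketch below runs two of the checks described above over constructed records: the rule that purchaser and approver are never the same person, and the double-dipping comparison of submitted reimbursement claims against the bank's card feed. The record fields, the sample data and the three-day matching window are assumptions made for the example.

```python
from collections import namedtuple
from datetime import date

# Constructed sample records. Field names are assumptions for this example,
# not a real bank-feed or expense-system schema. Amounts are integer cents.
CardTxn = namedtuple("CardTxn", "txn_id cardholder approver merchant cents posted")
Claim = namedtuple("Claim", "claim_id employee merchant cents incurred")

CARD_FEED = [
    CardTxn("T1", "alice", "bob", "Office Depot", 21450, date(2024, 3, 4)),
    CardTxn("T2", "carol", "Carol", "Best Buy", 129900, date(2024, 3, 6)),
    CardTxn("T3", "dave", "bob", "Delta Air Lines", 48020, date(2024, 3, 9)),
]
CLAIMS = [
    Claim("R1", "dave", "DELTA AIR LINES ", 48020, date(2024, 3, 8)),
    Claim("R2", "alice", "Uber", 3210, date(2024, 3, 5)),
]


def norm(text):
    """Normalise names and merchants so case and stray spaces do not hide a match."""
    return " ".join(text.lower().split())


def self_approved(txns):
    """Card transactions whose approver is the cardholder (no separation of duties)."""
    return [t.txn_id for t in txns if norm(t.cardholder) == norm(t.approver)]


def double_dips(txns, claims, window_days=3):
    """Reimbursement claims that duplicate a card charge: same employee, same
    merchant, same amount, and dates within window_days of each other."""
    hits = []
    for c in claims:
        for t in txns:
            if (norm(c.employee) == norm(t.cardholder)
                    and norm(c.merchant) == norm(t.merchant)
                    and c.cents == t.cents
                    and abs((c.incurred - t.posted).days) <= window_days):
                hits.append((c.claim_id, t.txn_id))
    return hits


if __name__ == "__main__":
    print("self-approved transactions:", self_approved(CARD_FEED))
    print("possible double dips:", double_dips(CARD_FEED, CLAIMS))
```

Exact matching like this only surfaces candidates for review; fake receipts and shell-company merchants from the list above need other evidence, such as vendor verification, which this sketch does not attempt.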
Check out Card Integrity’s free P-Card Best Practices eGuide for more on the type of internal controls you need and how you can get started.




