UT Dallas

Procurement Credit Card AuditJennifer Terry • Dariel Dato-on

Audit Objective

To test for compliance with the UTD PCC polices related to transactions limits and user access.

Cardholders have a transaction limit and monthly limit.

Terminated users should no longer have access.

Scope

Because IDEA limited us to 10,000 records, we could only test a selection of the data.

Jennifer• Tested first three months

of FY-2011• 09/01/2010 – 11/31/2010

Dariel• Tested last three months

of FY-2011• 06/01/2011 – 08/31/2011

PCC Process

The UTD PCC data is handled by UTD Procurement.

The purchasing card is a MasterCard which gives cardholders the freedom and authority to make small-dollar purchases without the assistance of Procurement Management.

The department is responsible for reconciling the transactions monthly.

Audit Procedures

Cardholder Listing• List of all cardholders• Active/terminated status• Cardholders’ transaction limit• Cardholders’ monthly limit

Transactions Listing• List of all transactions• Monetary amount and

date

• Tested for transactions over the cardholders’ transaction limit• Tested for transactions over the cardholders’ monthly limit• Tested for transactions by inactive/terminated users

Combine

Observations

Observation #1: Missing Users

Condition: User performing transactions are not listed in the master cardholder listing file.

Criteria: The organization should have a comprehensive master list of all cardholders.

Cause: The cardholder file is out of date and (due to the new PeopleSoft system) the users do not know how to generate a new listing. Also, names are not always entered in a consistent manner.

Effect: The university does not know all the users that have procurement cards.

Recommendation: PeopleSoft training to obtain a comprehensive cardholder listing. Use unique identifier (e.g. NetID or numeric ID) to identify users instead of name.

?

Observation #2: Transaction Limit

Condition: 508 transactions were over the user’s transaction limit.

Criteria: As per the cardholder policy, each user should remain under their transaction limit.

Cause: Lack of proper monitoring of transaction amounts per user.

Effect: $122,504.60 was spent over the transaction limit.

Recommendation: Establish preventable control through the bank that would prevent transactions that exceed limit from being authorized without special approval.

Observation #3: Monthly Limit

Condition: Seven instances in which users exceeded their monthly limit.

Criteria: As per the cardholder policy, each user should remain under their monthly limit.

Cause: Lack of proper monitoring of monthly transactions per user.

Effect: $32,668.90 was spent over the monthly limit.

Recommendation: Implement system to warn user as they approach the monthly limit.

Observation #4: Terminated Access

Condition: Eleven active users who should have been terminated.

Criteria: Terminated users should no longer have access.

Cause: As per discussion with Ali Subhani, cardholder listing is not complete or incorrect.

Effect: Inactive user still have access to make monetary transactions.

Recommendation: Obtain a more up-to-date listing of cardholders, and ensure that all terminated users are denied access.

Problems &

Lessons Learned

Problems and Lessons

Problems Encountered

• As noted earlier, the Cardholder Listing was not up to date, which prevented complete testing of data

• Difficulty determining how to accumulate monthly transactions by account name

• Difficulty in identifying unallowable expenses

Lessons Learned

• The best way to learn a new software is through experimenting.

• We learned how to use IDEA more efficiently.

• We learned how to document the audit process.

• We gained an understanding of UTD’s purchasing card processes.

Acknowledgement

• We would like to thank Ali Subhani, IT Audit Supervisor, and Toni Messer, Director of Internal Audit, for their time and support during this project.

• We look forward to our discussions this coming week!