The Sarbanes-Oxley Act and Its Impact on Purchasing Card Programs

© Copyright 2005 NAPCP. All Rights Reserved.


THE SARBANES-OXLEY ACT AND P-CARD

TABLE OF CONTENTS

Acknowledgement ........ 3
Introduction ........ 3
Sarbanes-Oxley Act Overview ........ 3
The P-Card Connection ........ 5
The P-Card Control Environment ........ 7
    Roles and Responsibilities ........ 7
    P-Card Accounting Process ........ 8
    Company P-Card Policies and Procedures ........ 8
    Training ........ 9
    Process for Opening an Account ........ 9
    Process for Closing an Account ........ 10
    Process for Changing Card/Account Limits ........ 10
    Transaction Documentation ........ 11
    Review, Approval, and Audit Processes ........ 11
    Preventing Duplicate Payments ........ 11
    Program Reporting ........ 12
    Role of the Card Provider in Fraud Detection ........ 12
    Lost/Stolen Cards ........ 12
    Liability Waiver Insurance ........ 12
    Program Technology ........ 13
Testing Effectiveness of Controls and Compliance-Monitoring ........ 13
Conclusion ........ 13
The NAPCP SOX/P-Card Survey ........ 14
About the National Association of Purchasing Card Professionals ........ 22
About Accounts Payable Now & Tomorrow ........ 22
Other Resources ........ 23
Appendix ........ 24


Acknowledgement

Mary Schaeffer, Accounts Payable Now & Tomorrow, contributed to this document and partnered with the National Association of Purchasing Card Professionals (NAPCP) on its 2005 survey concerning how the Sarbanes-Oxley Act has affected P-Card operations. For more information about Ms. Schaeffer and Accounts Payable Now & Tomorrow, refer to the “About” section at the end of this report. The author of this report is Lynn Larson, Manager of Industry Information and Research, NAPCP. More information about the NAPCP is included within the “About” section of this report.

Introduction

The business community has been flooded with news and information about the Sarbanes-Oxley Act (“SOX”). Nevertheless, the NAPCP recognized the need for material specifically focused on how the Act impacts the Purchasing Card (P-Card) industry. Some P-Card professionals are well-versed on the subject of SOX, while others are still searching for answers or possibly do not yet have a basic understanding of the Act.

This document is focused on educating P-Card professionals about SOX in general, with particular emphasis on its significance to Purchasing Cards and the control environment that is crucial for both overall program success and success with SOX. The provided information is not intended as professional advice of any kind, nor is it a complete examination of the Act. Rather, it is an effort to show how certain sections of SOX relate to Purchasing Card programs. In addition, the NAPCP surveyed its membership and other business contacts in July and August of 2005 to determine the Act’s effect on P-Card programs to date. Results of the survey are included within this report to help P-Card professionals understand what other organizations have experienced in regard to SOX compliance. However, to determine exactly how SOX affects your Purchasing Card program, consult with a qualified professional, such as your organization’s internal and external auditors.

Sarbanes-Oxley Act Overview

What is it?

Much could be said about what SOX is and why it was created. In brief, the Sarbanes-Oxley Act of 2002 is legislation that directly resulted from numerous well-publicized corporate accounting scandals or, as some would say, frauds, which occurred after the turn of the current century (think Enron, WorldCom, and others).


The Act was initiated by U.S. Senator Paul Sarbanes (D-Maryland) and Representative Michael Oxley (R-Ohio).

The intent of the Act was not only to close the loopholes that made the scandals possible, but to also boost investor confidence and hold management at the very highest levels responsible for what occurs within their companies. This may sound simple enough, but the Act impacts many facets of an organization and includes strict penalties for non-compliance. Besides potential lawsuits and bad publicity, non-compliance can result in large fines and even jail time for company executives. Therefore, many people consider SOX the most significant legislation to affect the business world since the original Securities Act of the 1930s. Information about where to find the complete Act is provided within the “Other Resources” section of this report.

Who is affected?

SOX primarily affects publicly traded American companies [1]. However, some organizations that are not required to comply have chosen to do so in response to customers’ requirements and/or in an effort to strengthen their overall controls, especially in the areas of audit and finance.

What are the provisions of the Act?

The Act has 11 main parts called titles, which are sub-divided into sections. There are 66 sections total. The major provisions of the Act include criminal and civil penalties for securities violations; auditor independence and certification of internal audit work by external auditors; and increased disclosure regarding executive compensation, insider trading and financial statements. Also included are whistleblower protection and document destruction provisions.

When did the Act take effect?

Despite being signed into law in 2002, affected companies were granted time to prepare for and meet the Act’s various requirements. The reality was that many companies needed the delay in order to comply. While there have been several delays on some of the reporting requirements, the sections that affect Purchasing Card operations are currently in effect. Therefore, 2005 is a year in which companies already have experience with SOX compliance preparations.

It should be noted that there continues to be debate within the political and business arenas about the effectiveness of the Act and whether or not modifications should be made to it. Regardless of the ongoing debate, P-Card professionals should be aware of what is currently required and how it affects them.

[1] Including wholly-owned subsidiaries and also publicly-traded non-U.S. companies doing business in the U.S. Non-profit organizations are also affected by some provisions of the Act.

The P-Card Connection

Unless Purchasing Card professionals have already experienced the impact of SOX within their companies, they may wonder how SOX pertains to them. First, P-Card professionals should consult with relevant staff internally to determine if their company is required to comply with SOX or if it chooses to comply. If either situation applies, it is worthwhile to dig deeper into SOX. The impact to these Purchasing Card professionals, however, depends on how a company approaches SOX compliance in regard to its P-Card operations.

The Act does not come with step-by-step instructions for how to establish a P-Card control environment nor does it address other typical P-Card program components. It does not even explicitly refer to Purchasing Cards. Not surprisingly, companies and their auditors may formulate their own interpretations about SOX when developing or revising the processes and procedures associated with Purchasing Cards. Therefore, P-Card professionals should work with applicable internal staff to prepare for, and ensure, SOX compliance according to their company’s guidelines and standards. Despite variances in approaches by different companies, there are basic key controls that all P-Card programs should address.

Relevant SOX Sections

Before reviewing key P-Card program controls, it is important to understand the sections of the Act that relate to Purchasing Cards. Because P-Card is typically involved with the entire procure-to-pay cycle, it could receive increased scrutiny during SOX audits. From least relevant to most relevant, SOX sections that impact P-Card are as follows.

Section 409: Real Time Issuer Disclosures

One of the goals of the Act is to get accurate financial information into the hands of investors as quickly as possible. While “real time” is not quite possible, the time frames for releasing financial statements have been reduced. In addition, companies affected by SOX are required to inform their investors of any event that will “materially” affect their financial statements. Within a P-Card program, a very large fraud case could fall under the material event disclosure guidelines if the company’s finances are significantly affected as a result of the fraud. Fortunately, this is not likely to occur in well-controlled programs that include financial protection for fraud.


Section 302: Corporate Responsibility for Financial Reports

A company’s CEO and CFO are directly responsible for the accuracy, documentation, and submission of all financial reports to the Securities and Exchange Commission (SEC), as well as the company’s internal control structure. P-Cards tie in to both. This type of high accountability is also assigned within Section 404 of the Act.

Section 404: Management Assessment of Internal Controls

Section 404 has received the most attention in the business community. It is also the one most relevant to P-Cards. This small, but important, section instructs that all annual financial reports must include 1) an “Internal Control Report” stating that management is responsible for an “adequate” internal control structure and 2) an assessment by management of the effectiveness of the control structure. Any shortcomings in these controls must also be reported. In addition, registered external auditors must attest to the accuracy of the company management’s assertion that internal accounting controls are operational and effective. For P-Card professionals, Section 404 translates into ensuring that the overall P-Card control environment is effective – especially controls concerning:

• The recording, processing, and reconciling of account balances for accurate financial reporting
• The prevention, identification, and detection of fraud [2]

Even prior to SOX, organizations’ P-Card control environments have been typically geared toward these two points. The difference is that now these things are covered by law, so even more importance may be placed on program controls.

Sub-certifications

Fearing the potential consequences for SOX non-compliance, top executives have trickled down the accountability for financial reports and internal controls into middle management and to others responsible for daily operations. P-Card professionals could potentially feel this effect. Few officers will willingly sign financial statements and an internal control assessment without requiring some sort of a guarantee from the employees who closely work with the processes. Thus, “sub-certifications” came into existence. These documents are also known as cascading certifications or upstream certifications and are now found at many companies required to comply with SOX. This type of document could be introduced to P-Card professionals, depending on how deep a company reaches to obtain the desired guarantee of report accuracy. The NAPCP SOX survey results within this report reveal whether or not respondents have experienced sub-certifications at their level. It is not likely that these sub-certifications will bind the signers in the same way that the CEO and CFO are bound if they certify fraudulent statements. However, the end result will not be positive if there are errors or other serious problems. Even if P-Card professionals are not asked to sign a sub-certification document, everything should be done within their means to ensure an effective control environment.

[2] Within the NAPCP Best Practices Task Force white paper, “Fraud Prevention and Detection,” from January 2004, the term “fraud” is distinguished from “misuse” and “abuse.” However, within the Act, the term “fraud” is used to imply a number of offenses and could mean any unauthorized P-Card activity.

The P-Card Control Environment

Since controls are what SOX, especially Section 404, focuses on, the essential P-Card program controls to establish are listed below. P-Card professionals can use this as a guide when working with company resources on SOX compliance. Because organizations may differ on the specifics of each P-Card program control, this section is not intended as a “how to” guide; rather, it identifies the critical items for which established processes and procedures are needed. Remember that the overall SOX strategy is to have controls pertaining to the recording, processing, and reconciling of account balances and the prevention, identification, and detection of fraud. Do not assume that past positive audits in the pre-SOX era translate into SOX compliance today. Although they may provide the foundation for SOX success, P-Card professionals must work with their management and auditors to address SOX specifics within their organizations.

An instrumental source for the following information was the NAPCP’s January 2004 white paper, “Fraud Prevention and Detection: Establishing and Maintaining a Purchasing Card Program with Adequate Management Controls to Prevent Fraud, Misuse, and Abuse,” developed by the Best Practices Task Force chaired by Tom Wissel, UPS Capital Corporation. This white paper expands on various P-Card program controls more thoroughly than this SOX report. The complete white paper is available to NAPCP members at www.napcp.org.

Roles and Responsibilities

The first noteworthy topic associated with SOX compliance may be roles and responsibilities within the P-Card program. Organizations need to ensure that this is not overlooked. For optimal accountability, roles must be defined and responsibilities established with thought given to whether or not the assigned staff has the skills and qualifications to meet those responsibilities. Ensuring separation of duties for relevant P-Card processes should be part of this process as well. For every P-Card task, an appropriate role should be assigned to the task, with a separate oversight role assigned where needed. Accountability is necessary for SOX compliance.

P-Card Accounting Process

Since sound financial reporting is an integral part of SOX, organizations should have documented procedures pertaining to how P-Card fits into the accounting process. If P-Card administration does not reside within Accounting, it is even more important for Program Administrators to work with the Accounting department on these controls. For example:

• The appropriate accounting and/or general ledger (GL) entries associated with P-Card transactions. What is the process for getting the reconciled P-Card transactions into the organization’s accounting or GL system accurately and timely? Automated methods are more efficient than manual processes.

• The appropriate accounting and/or GL entries associated with payments to the P-Card provider. Who will ensure that the payments are timely and accurate?

• Are payments to the card provider dependent on transaction reconciliation or are the two processes separate? If separate, how are the two processes “reconciled”?

• Who tracks P-Card related entries and how (i.e., use of a subsidiary ledger or other)?

Company P-Card Policies and Procedures (P&P)

Perhaps at the top of the company P-Card control structure would be policies and program procedures (P&P). This could be the starting point of a SOX audit. Are P-Card policies and procedures clearly articulated and are they being followed? Are they designed to prevent and detect fraud? P&P must be kept current and accessible to the applicable employees. Test and ensure that actual practices reflect the documented P&P. Policies and procedures encompass two primary things:

1. Program administration

• An administration policy establishes a set of minimum controls, intended for the department that manages the P-Card program. It acts as a control framework by specifying what must be done and provides the basis for developing supporting procedures. Topics that it could address include requirements for opening an account, closing accounts, who can be a cardholder, who reviews cardholders’ statements, the audit process, the role of the program administrator, etc.


• Administrative procedures, most likely compiled as a program administrator manual, would then provide the details concerning how to carry out the policy.

2. Program participants

• A policy concerning P-Card use, such as what it should and should not be used for; prohibited practices; possible consequences for misuse; etc. should be communicated company-wide to all employees involved with the program.

• A user manual for program participants should provide specific instructions for completing various P-Card activities, such as applying for an account, reconciling transactions, compiling supporting documentation, etc. Retaining a user manual on the company Intranet will eliminate the hassle of updating paper versions and reduce the risk of users following outdated procedures.

P-Card language could also be incorporated into an organization’s overall policy structure. For example, within an “acquisitions and payments” policy, specify P-Card’s position with the organization’s procurement strategies. This helps ensure that even employees not associated with the program, but who may have a role in purchasing decisions, have an awareness of P-Card’s existence within the organization.

Training

Effective training for program participants, including management and others besides cardholders, can be a key control for preventing and detecting fraud. Keep SOX compliance in mind when designing a training program. There are various tools and methods used for training purposes. Regardless of the approach, organizations need to address the following:

• Who will be trained – cardholders, managers, others?
• Will training be required for some or all program participants?
• When will training take place? Will it be required before card issuance?
• How will training be conducted? Will trainees be offered more than one option?
• Who will develop the training? Who will conduct the training?
• Will refresher training be offered or required?
• When will the training program be updated?
• How will trainee satisfaction be measured?
• How will the effectiveness of the training be measured?

Process for Opening an Account and Card Issuance


Organizations should have documented procedures pertaining to opening an account (and related approval) and card issuance. Overall, the process should be designed to prevent fraud. For example:

• Prevent unauthorized account setup, including a way to detect if a breach has occurred.
• Ensure secure card handling – even during transit and card delivery, including a method to detect if expected cards fail to arrive.
• Define any pre-requisites or requirements for the employee obtaining an account/card. For example, specific training could be required prior to account setup. Use of a cardholder “agreement” is a best practice for the purpose of outlining the cardholder role, responsibilities, possible consequences for misuse, etc. Companies may also require a similar agreement for the cardholder’s manager. Signed agreements would be retained by the program administrator or perhaps become part of the individual’s employee file.

• Determine who sets and approves account limits and other restrictions/allowances.

Process for Closing an Account and Card Collection/Destruction

As with opening accounts, organizations need controls and procedures for closing accounts and card collection. Overall, the process should:

• Ensure that those responsible for account closure are notified about employee separations and transfers.
• Include method(s) to ensure that accounts are closed properly with the card provider.
• Address how any late or post-closure transactions will be caught and handled.
• Specify what to do with the actual plastic credit cards for safe disposal.
• Include the steps necessary to remove an employee’s access to applicable technology.

Process for Changing Account/Card Limits and Other Restrictions

There should be a documented process for how changes (whether temporary or permanent) are made to the various account/card parameters like dollar limits (daily, single transaction, cycle), transaction number limits, and Merchant Category Code (MCC) restrictions or allowances.

• Who can make the changes?
• Is there an approval and/or notification process?
• How are changes made?
• What kind of documentation is needed and retained?


• For temporary changes, who ensures that the changes “expire” on time and how is this done?
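The questions in the list above can be turned into a recurring check over the log of limit changes: was each change made by an authorized administrator, is an approval recorded, is the approver someone other than the person who made the change, and has every temporary change been reverted once its expiry date passed. The following is an added example, not code from the NAPCP report or from any card provider; the record layout, the field names, the authorized-administrator list and the sample records are all constructed assumptions for the illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Constructed record layout for one account/card parameter change.
# Field names are assumptions; a real card-provider export will differ.
@dataclass(frozen=True)
class LimitChange:
    change_id: str
    account: str
    parameter: str              # e.g. "single_txn", "cycle", "mcc_group"
    old_value: str
    new_value: str
    changed_by: str             # user who made the change in the card system
    approved_by: Optional[str]  # approver on record; None if no approval documented
    effective: date
    expires: Optional[date]     # None for a permanent change
    reverted: bool              # True once the old value has been restored

# Assumed list of staff authorized to change limits (would come from the program's P&P).
AUTHORIZED_ADMINS = {"admin.alice", "admin.bob"}

# Assumed "as of" date for the review run.
AS_OF = date(2005, 9, 1)

def audit_limit_changes(changes: List[LimitChange], today: date) -> List[Tuple[str, str]]:
    """Return (change_id, finding) pairs for changes that fail a control.

    The checks map to the report's questions: who can make changes (authorized
    users only), whether an approval exists and is independent of the person who
    made the change, and whether temporary changes expired on time.
    """
    findings = []
    for c in changes:
        if c.changed_by not in AUTHORIZED_ADMINS:
            findings.append((c.change_id, "change made by a user not authorized to change limits"))
        if c.approved_by is None:
            findings.append((c.change_id, "no approval recorded"))
        elif c.approved_by == c.changed_by:
            findings.append((c.change_id, "approver is the same person who made the change"))
        if c.expires is not None and c.expires < today and not c.reverted:
            findings.append((c.change_id, "temporary change past its expiry date but not reverted"))
    return findings

# Constructed sample log (not real data).
SAMPLE_CHANGES = [
    LimitChange("C1", "4111-0001", "single_txn", "2500", "5000", "admin.alice", "mgr.carol",
                date(2005, 7, 1), None, False),                 # permanent and approved: clean
    LimitChange("C2", "4111-0002", "cycle", "10000", "25000", "admin.bob", "mgr.carol",
                date(2005, 8, 1), date(2005, 8, 15), False),    # temporary, expired, never reverted
    LimitChange("C3", "4111-0003", "mcc_group", "office", "travel", "user.dave", None,
                date(2005, 8, 20), None, False),                # unauthorized user, no approval
    LimitChange("C4", "4111-0004", "single_txn", "2500", "7500", "admin.bob", "admin.bob",
                date(2005, 8, 25), date(2005, 9, 10), False),   # self-approved, still within expiry
]

if __name__ == "__main__":
    for change_id, finding in audit_limit_changes(SAMPLE_CHANGES, AS_OF):
        print(f"{change_id}: {finding}")
```

Run against the sample log as of 1 September 2005, the audit reports one finding for C2, two for C3, one for C4 and nothing for C1. Each finding is a documentation or separation-of-duties gap for the program administrator to close; the script only surfaces them.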

Transaction Documentation

Related to the review and approval process described below are the documentation requirements to support P-Card transactions. Organizations must define and communicate the requirements to program participants, including records retention issues such as location, duration, format (paper or imaged), etc.

Review, Approval, and Audit Processes

The review, approval, and audit processes for P-Card transactions (and the supporting documentation) may be the most significant controls for detecting fraud – a focus of SOX. At a minimum, organizations should have a monthly process, but some organizations may elect to do so more frequently. The degree to which P-Card transactions are reviewed and audited often depends on an organization’s risk tolerance and how P-Cards are used. The process typically involves:

• Transaction review (often called “reconciliation”) by the cardholders or an assigned delegate. Cardholders are the key control in exposing fraud by parties outside of the organization.

• Subsequent review (often referred to as “approval”) by someone independent of the cardholder. This is often the cardholder’s supervisor or manager, who is the key control in detecting cardholder fraud.

• Periodic independent reviews by an audit team and possibly by other departments, such as the one that administers the P-Card program. This is a key factor for ensuring that the established controls are being followed.

Automated reconciliation, review, and audit tools are usually more efficient than manual processes. Plus, they can help uncover fraud more quickly, including uncovering internal fraud that previously went undetected before P-Card implementation.

Preventing Duplicate Payments

Organizations need controls to prevent and detect duplicate payments. For example:

• Avoid multiple payment methods for the same vendor.
• Do not set up P-Card accepting vendors in the A/P system.
• Strive for original documentation to support payments.
• Payment approvers need to be trained to be wary of approving the same invoice more than once.


• Periodic audits to specifically look for this problem.

Program Reporting

There are many types of program reports that can enhance the control environment and assist with compliance monitoring. Reports may come from the card provider, through the P-Card technology used, through the organization’s internal resources, etc. As with the review-related processes noted above, automation can greatly enhance an organization’s capabilities to detect fraud. Organizations need to determine:

• The types of reports that will benefit program management, especially SOX compliance.
• Who should generate and review the reports.
• Report frequency and retention.
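One report that serves both the duplicate-payment controls listed above (one payment method per vendor, no P-Card-accepting vendors in the A/P system, periodic audits for duplicates) and the program reporting discussed in this section is a cross-check of P-Card transactions against A/P disbursements. The code below is an added example, not code from the NAPCP or any card provider; the record layout, the vendor-name normalization, the 30-day matching window and the sample payments are assumptions constructed for the illustration.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed record layout: one row per disbursement, whether paid by P-Card or
# through Accounts Payable. Field names are assumptions for this example.
@dataclass(frozen=True)
class Payment:
    source: str             # "pcard" or "ap"
    ref: str                # card transaction id or A/P check/payment number
    vendor: str             # vendor name exactly as recorded in that system
    amount_cents: int       # integer cents avoids float rounding when matching
    paid_on: date
    invoice: Optional[str]  # invoice number if the system recorded one

_SUFFIXES = re.compile(r"\b(inc|corp|corporation|co|llc|ltd)\b")

def normalize_vendor(name: str) -> str:
    """Lower-case, strip punctuation and common corporate suffixes so that
    'ACME Corp.' and 'Acme Corporation' compare equal across the two systems."""
    cleaned = re.sub(r"[^a-z0-9 ]", "", name.lower())
    return " ".join(_SUFFIXES.sub("", cleaned).split())

def find_duplicate_payments(payments: List[Payment], window_days: int = 30) -> List[Tuple[str, str, str]]:
    """Return (ref_a, ref_b, reason) for payment pairs that look like duplicates:
    same normalized vendor and amount within the window, across or within systems.
    A shared invoice number is the strongest signal and is reported separately."""
    groups: Dict[Tuple[str, int], List[Payment]] = {}
    for p in payments:
        groups.setdefault((normalize_vendor(p.vendor), p.amount_cents), []).append(p)
    window = timedelta(days=window_days)
    suspects = []
    for items in groups.values():
        items.sort(key=lambda p: p.paid_on)   # sorted so the inner loop can stop early
        for i, a in enumerate(items):
            for b in items[i + 1:]:
                if b.paid_on - a.paid_on > window:
                    break
                if a.invoice and a.invoice == b.invoice:
                    reason = "same invoice number paid twice"
                else:
                    reason = f"same vendor and amount within {window_days} days"
                suspects.append((a.ref, b.ref, reason))
    return suspects

def vendors_with_both_methods(payments: List[Payment]) -> Set[str]:
    """Vendors paid both by P-Card and through A/P, contradicting the
    one-payment-method-per-vendor control."""
    methods: Dict[str, Set[str]] = {}
    for p in payments:
        methods.setdefault(normalize_vendor(p.vendor), set()).add(p.source)
    return {v for v, s in methods.items() if {"pcard", "ap"} <= s}

# Constructed sample data (not real transactions).
SAMPLE_PAYMENTS = [
    Payment("pcard", "P1", "ACME Corp.", 12500, date(2005, 7, 5), "INV-100"),
    Payment("ap", "A1", "Acme Corporation", 12500, date(2005, 7, 20), "INV-100"),  # same invoice via A/P
    Payment("pcard", "P2", "Office Depot", 4999, date(2005, 7, 6), None),
    Payment("pcard", "P3", "Office Depot", 4999, date(2005, 7, 6), None),         # two identical card charges
    Payment("ap", "A2", "Office Depot Inc", 4999, date(2005, 9, 30), None),        # outside the window
    Payment("ap", "A3", "Staples", 30000, date(2005, 7, 10), "INV-200"),
    Payment("pcard", "P4", "Staples", 30001, date(2005, 7, 11), None),             # different amount
]

if __name__ == "__main__":
    for ref_a, ref_b, reason in find_duplicate_payments(SAMPLE_PAYMENTS):
        print(f"review {ref_a} vs {ref_b}: {reason}")
    print("vendors paid by both methods:", sorted(vendors_with_both_methods(SAMPLE_PAYMENTS)))
```

On the sample data the report flags the ACME invoice paid once by card and once through A/P, and the two identical Office Depot charges on the same day; the Office Depot A/P payment falls outside the window and the two Staples amounts differ, so neither pair is flagged. All three vendors appear in both systems, which is exactly the vendor-setup condition the control above says to avoid. Flagged pairs are candidates for the periodic audit, not proof of a duplicate: two genuine purchases of the same item on the same day look identical to this report.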

Role of the Card Provider in Fraud Detection

Organizations should be aware of the detective controls used by their card provider and how the provider will communicate possible fraud to your organization. Card providers employ a number of tactics to help protect both the provider and your organization. For example, cardholder activity is monitored and typical spending patterns may be noted. For transactions falling outside of the typical spending behaviors, the card provider may conduct additional research. This could include contacting the cardholder to validate questionable transactions. Work with your card provider to develop a consistent approach for communications to cardholders. Then instruct the cardholders on what to expect, so that they can differentiate between legitimate communications by the card provider and potential credit card scams.

Lost/Stolen Cards

Organizations need procedures for how cardholders should report lost/stolen cards. Both the card provider and program administrator need to be included in the communication chain. As with many processes, partnering with the card provider is recommended to understand how to handle lost/stolen cards and what kind of impact this may have on the program, especially any financial impact.

Liability Waiver Insurance

As a result of various program controls, fraud can be uncovered by a number of sources – the card provider, a cardholder, program administrator, auditor, etc. Once uncovered, what is the process for handling fraud, or more importantly, who pays for it? The answer depends on the contract between an organization and its card provider. Most organizations have contract clauses to limit fraud liability, such as to $50, or to even incur no liability. It is important for organizations to know the specifics regarding liability waiver insurance. Liability could also depend on whether the fraud is internal or external. For example, with internal fraud, as long as the organization terminates the offending employee, it likely will not incur the cost. Terminating the employee also sets a standard to deter other cardholders from engaging in prohibited card practices.

Program Technology

In the preceding paragraphs, many references were made to automation, reporting, and/or technology. This report would be lacking if it did not also include a cautionary word about technology. Employees’ access to any technology used in conjunction with a P-Card program must be appropriate to maintain data integrity and security. Without it, accurate financial reporting could be at risk and the potential for fraud could increase. SOX compliance could be compromised.

• Regularly review who has access to program technology and what type of access it is.
• Are there security gaps that could result in unauthorized use of the technology?
• What controls does the technology have to protect data and sensitive information?
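The access review in the first bullet above, together with the account-closure step of removing a separated employee's technology access, can be made routine by reconciling the P-Card system's user list against the HR roster. The script below is an added example and not code from the NAPCP report or any P-Card product; it goes slightly beyond the report's questions by also flagging dormant accounts, since an account nobody uses is a common path to unauthorized use. The record layouts, role names, authorized-administrator list, 90-day dormancy threshold and sample data are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Constructed HR roster record (assumed layout).
@dataclass(frozen=True)
class Employee:
    emp_id: str
    status: str                 # "active" or "separated"
    department: str

# Constructed P-Card system user record (assumed layout and role names).
@dataclass(frozen=True)
class SystemUser:
    username: str
    emp_id: Optional[str]       # None for shared/generic accounts
    role: str                   # "cardholder", "approver" or "administrator"
    last_login: Optional[date]  # None if the account has never logged in

# Assumed list of employees approved to hold the administrator role.
AUTHORIZED_ADMIN_EMP_IDS = {"E100"}

# Assumed "as of" date for the review run.
AS_OF = date(2005, 9, 1)

def review_access(users: List[SystemUser], employees: List[Employee],
                  today: date, dormant_days: int = 90) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for accounts that fail the access review."""
    roster = {e.emp_id: e for e in employees}
    findings = []
    for u in users:
        if u.emp_id is None:
            # No individual behind the account: no accountability for what it does.
            findings.append((u.username, "shared or generic account; no individual accountability"))
            continue
        emp = roster.get(u.emp_id)
        if emp is None or emp.status != "active":
            findings.append((u.username, "account belongs to a separated or unknown employee"))
        if u.role == "administrator" and u.emp_id not in AUTHORIZED_ADMIN_EMP_IDS:
            findings.append((u.username, "administrator role not on the approved administrator list"))
        if u.last_login is None or (today - u.last_login).days > dormant_days:
            findings.append((u.username, f"no login in the last {dormant_days} days"))
    return findings

# Constructed sample data (not real people or accounts).
SAMPLE_EMPLOYEES = [
    Employee("E100", "active", "Procurement"),
    Employee("E101", "active", "Facilities"),
    Employee("E102", "separated", "Marketing"),
    Employee("E103", "active", "Finance"),
    Employee("E104", "active", "IT"),
]
SAMPLE_USERS = [
    SystemUser("alice", "E100", "administrator", date(2005, 8, 30)),   # approved admin: clean
    SystemUser("bob", "E101", "cardholder", date(2005, 8, 28)),        # clean
    SystemUser("carol", "E102", "approver", date(2005, 8, 29)),        # separated but still has access
    SystemUser("shared.ap", None, "approver", date(2005, 8, 31)),      # generic account
    SystemUser("erin", "E103", "administrator", date(2005, 8, 31)),    # admin role not approved
    SystemUser("dave", "E104", "cardholder", date(2005, 3, 1)),        # dormant
]

if __name__ == "__main__":
    for username, finding in review_access(SAMPLE_USERS, SAMPLE_EMPLOYEES, AS_OF):
        print(f"{username}: {finding}")
```

On the sample data the review produces four findings: a separated employee who still has approver access, a shared account with no owner, an administrator role held by someone outside the approved list, and a dormant cardholder account. Running this after every separation notice, and on a fixed schedule, is one way to evidence the "regularly review" control to an auditor.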

Testing Effectiveness of Controls and Compliance-Monitoring

As P-Card programs evolve and mature, the control environment needs to keep pace as well. The needed controls may change as a program changes. Ongoing monitoring is necessary to ensure that the controls are effective and to determine what is still lacking. Internal and external audits, monitoring by the Program Administrator, and regular risk assessments are all possible methods for testing the control environment. How often these and other methods are applied may vary, but annual compliance monitoring is common. However, any time notable program changes occur, an audit or updated program risk assessment is a good practice. SOX compliance needs to be sustainable going forward.

Conclusion

The bottom line is that, for SOX compliance and P-Card program success, organizations should ensure that they have addressed various P-Card elements from a control standpoint. Automation and robust program technology, when used properly, can play significant roles in achieving the desired outcome. If an organization has already developed, implemented, documented, and tested controls for its P-Card program, which is a best – if not necessary – practice, then SOX compliance should not be a huge issue. SOX compliance can simply be a result of the work that an organization has already invested in its P-Card program. Nevertheless, even with well-designed programs, some organizations have required minor program changes for SOX compliance and others have required extensive changes. P-Card professionals must understand what their companies require for SOX compliance and then act accordingly. The following NAPCP SOX survey results reveal what organizations have actually experienced concerning P-Card operations and SOX compliance.

The NAPCP SOX/P-Card Survey

Survey Overview

The purpose of the survey was to determine what kind of impact SOX has had on P-Card operations. The NAPCP conducted the SOX survey in July and August of 2005. It was offered to NAPCP members, subscribers to Accounts Payable Now & Tomorrow, and other NAPCP contacts in the P-Card community. All P-Card end users³ were encouraged to respond to the survey regardless of whether or not their organization is required to comply with SOX. The NAPCP received 267 complete responses.

The Respondents

Respondents’ organizations are of various sizes and types including, but not limited to, education, manufacturing, government, medical/pharmaceutical, utilities, finance/insurance, other professional services, etc. The largest percent of respondents (41%) are program administrators, coordinators, or managers. The remaining respondents are accounting professionals (16%); procurement professionals (16%); management within unidentified departments (10%); controllers, finance, and treasury personnel (6%); and other (10%), such as analysts and specialists. Over half of the 267 respondents (62%) stated either that their organization is required to comply with SOX (54%) or it chooses to comply (8%). Interestingly, 14% of respondents were not sure if their organization was required to comply.

³ Individuals/organizations that use Purchasing Cards as opposed to the providers of P-Card products and services.

Respondents by SOX Requirement (number of respondents)

Yes, SOX is required ........................... 144
No, but choose to comply ....................... 22
No, but use different process .................. 36
No, and do not have other process .............. 27
Unsure ......................................... 38

Respondents by Organization Category

Public ......................................... 58%
Private ........................................ 29%
Other .......................................... 13%

The “Other” organization category included non-profit organizations, universities, municipalities, government, etc. Exhibits 1 - 3 in the Appendix provide a graphical depiction of the survey respondents.

Profile of Purchasing Card Programs

The majority of all respondents’ organizations (59%) have an established P-Card program of five years or more. Annual dollar volume, annual number of P-Card transactions, and total number of open accounts varied among the survey respondents. It is most relevant to review the P-Card program profiles of those required to comply with SOX. The largest majority of these programs:

• Are five years old or more (65%)
• Have annual P-Card volume over $20 million (46%)
• Have over 100,000 transactions annually (almost 40%)

Surprisingly, even though the majority of programs at organizations required to comply with SOX have significant volume, only 3% of these organizations have over 10,000 open accounts. Only 13% have over 5,000 open accounts. The majority (32%) have only 50 to 500 accounts to manage. Exhibits 4 - 7 in the Appendix provide a graphical depiction of the survey respondents’ P-Card programs.

SOX and P-Card Operations: Time and Resources

Again, the focus of the survey was the impact of SOX specifically on P-Card operations. Prior to conducting the survey, the NAPCP informally questioned Purchasing Card professionals about SOX compliance and their P-Card programs from a time and resource perspective. Feedback varied from “SOX has been a nightmare to prepare for” to “SOX was no big deal.” The results of the survey indeed reflected this kind of wide range. The following tables reflect the response rate only for those required to comply with SOX (144 of the 267 respondents).

Time Spent on SOX-related Planning and Implementation Activities

None (no need to do additional activities) ..................... 8%
Minimal amount (did not interfere with daily routine) .......... 29%
Moderate amount (was or has been a key project) ................ 37%
Significant amount (was or has been the top priority) .......... 24%
Extremely high amount (was or has been the sole focus) ......... 2%

Several respondents on the low end for time spent commented that they were only in the early stages of SOX planning. This demonstrates that not all organizations have tracked SOX requirements in a timely manner. In contrast, another respondent stated that adhering to SOX consumed a great deal of his or her time and that the extra documentation steps added a lot to his or her workload. Somewhere in between the extremes were respondents who indicated that their already established P-Card controls provided the basis for SOX compliance – alleviating much of the pressure.

Resources Used for SOX-related Planning and Implementation Activities
*Respondents checked all options that applied.

Consultants and/or other outside professional services ................................. 36%
Hired additional staff ................................................................. 8%
Reassigned existing staff to focus exclusively on SOX and P-Card ....................... 15%
Existing staff incorporated SOX-related activities for P-Card into their current jobs .. 60%
A special team/committee was developed specifically for SOX activities ................. 29%
Not applicable ......................................................................... 14%
Other .................................................................................. 6%

Respondents’ comments indicated that resources for SOX were not specifically required for their P-Card programs. Overall, resources were primarily utilized for their organizations’ SOX initiatives and not just SOX as it pertains to P-Card. Overwhelmingly, the outside professional services used were those pertaining to external auditors. Some respondents that selected “Other” clarified that personnel outside of their department, such as Finance and Internal Audit, handled SOX as it pertains to P-Card and the organization as a whole.

The Impact of SOX on P-Card Operations

Even more important than the time spent and resources used for SOX compliance within P-Card programs is the actual SOX impact. What has been the overall impact of SOX on P-Card? Have P-Card operations changed as a result? Again, 62% of respondents’ organizations are required to comply with SOX or choose to comply. Therefore, 38% fall outside of SOX compliance, so we would expect that the same percent did not feel any SOX impact. However, 48% actually stated that SOX has not had an impact on their P-Card operations overall. This indicates a small portion (10%) of organizations that are under the SOX law (including voluntary participants) have not felt any effects yet. Perhaps these organizations already audited their programs for SOX compliance and did not uncover the need for any changes. In contrast, it is also possible that these organizations have not yet addressed the P-Card program as it pertains to SOX. Of those confessing to a SOX impact on P-Card (52%), a variety of outcomes were reported, as shown in the table below.

The Overall Impact of SOX on P-Card
*Respondents checked all options that applied.

SOX helped prove that existing controls are effective ............................................... 26%
Controls and/or procedures were added, but the benefit of such action was not apparent .............. 8%
Controls and/or procedures that benefited the program were added .................................... 23%
The P-Card program is more restrictive due to SOX ................................................... 5%
New P-Card opportunities were created and the program is less restrictive ........................... 1%
Organizations were forced to document policies and procedures that were not previously documented ... 12%
Other ............................................................................................... 6%

There are obviously some mixed results. Several survey comments revealed that it was too soon to determine the SOX impact. To dig further into SOX and P-Card, the survey specifically asked if P-Card operations have changed due to SOX and what the changes have been.

Has SOX Changed P-Card Operations?

[Bar chart: response rate (0% to 60%) by answer: Yes (significantly); Somewhat (moderately changed); Hardly (minimally changed); No. Series: All Respondents (267) and Only Those Required to Comply w/ SOX (144).]

Of those required to comply with SOX, a surprising 29% have not made any changes to their P-Card programs. For the entire respondent pool (62% required or choosing to comply; 38% falling outside of SOX), 48% reported some type of change to P-Card operations, whether minimal, moderate, or significant. At the other end of the spectrum, 52% reported that nothing has changed.

So, why make any changes to P-Card operations if SOX does not apply to you? It’s possible that organizations are taking the opportunity to confirm their Purchasing Card programs are appropriately controlled and are tweaking their internal controls as needed. Perhaps some changes were made because outside parties (customers, financial institutions, and/or suppliers) asked an organization about its SOX compliance. We asked this very question within the survey and 33% stated that their organization had been asked about SOX. Another 38% replied “no” and 28% were unsure.

What Changed as a Result of SOX?

For the organizations that made P-Card program changes as a result of SOX, the types of changes varied. The survey presented a long list of possibilities and respondents were asked to check all answers that applied.

Type of Change ................................................. Response
Internal audit program ......................................... 22%
Business strategy and/or policy for P-Card use ................. 19%
Documentation requirements for P-Card transactions ............. 19%
Review/approval process ........................................ 16%
Process and/or requirements for opening an account ............. 15%
Responsibilities of program administrator/manager .............. 14%
Records retention .............................................. 11%
Cardholder training ............................................ 11%
Unsure (of specific changes) ................................... 10%
Spend and/or transaction limits ................................ 10%
Cardholder reconciliation process .............................. 10%
Management training ............................................ 9%
Process for changing account limits and/or other changes ....... 9%
Who can and/or cannot be a cardholder .......................... 7%
Process for closing accounts ................................... 7%
Other .......................................................... 6%
MCC restrictions/allowances .................................... 6%
External audit program ......................................... 5%
Access to P-Card technology .................................... 4%
Accounting practices ........................................... 3%
Relationship and/or contract with card provider ................ 1%

Respondents’ comments did not explain what “Other” could mean. However, a notable comment pertained to P-Card program technology. SOX was one factor out of several that supported an organization’s decision to change the online program used for managing transactions. As with other questions, several people noted that it was too soon to determine changes that would be made.

The survey also asked if SOX was the key in obtaining organization support to make certain P-Card changes that the organization previously resisted. In other words, did it take an act of Congress to make specific changes? Only 7% of all respondents stated “yes,” but the number increased slightly when responses were limited to those required to comply with SOX. For these 144 respondents, 12.5% stated that SOX was the key for getting needed changes accomplished. Sometimes an act of Congress is needed to sway an organization to your way of thinking.

SOX Compliance

The last survey question concerning P-Card operations dealt with SOX compliance success. Of those required or choosing to comply with SOX, the results are:

To date, P-Card program has not been officially audited for SOX ..... 43%
Favorable audit result .............................................. 35%
Mixed results – audit revealed both successes and issues ............ 11%
Audit revealed much work is still needed for SOX compliance ......... 1%
Other ............................................................... 6%

Of those that answered “Other,” comments ranged from “unsure” to statements indicating that the audit results were not yet complete or results were unknown. Surprisingly, 4% of those required or choosing to comply with SOX answered “Not applicable.” These respondents gave no explanation for their contradictory answers. It’s possible that their P-Card programs just have not been audited for SOX compliance yet and they failed to answer accordingly.

Sub-certifications

Earlier within this report, the concept of sub-certifications was described as a way for upper management to obtain from its employees a written guarantee that presented data (for SOX compliance) is accurate. To determine if this concept had trickled down to Purchasing Card professionals, the survey asked about it. Specifically, the survey questioned if the P-Card Administrator/Manager/Other was required to sign a sub-certification letter to the Disclosure Committee for his or her organization. Of those required to comply with SOX:

• 9% stated that a sub-certification was required.
• 8% said it was optional.
• 54% reported that it was not applicable (no one is asked or required to sign anything pertaining to SOX and P-Card).
• 27% were unsure, which indicates that sub-certifications may not be widely discussed.
• Another 2% indicated “other” with some comments noting that someone outside of P-Card administration signed a sub-certification letter pertaining to P-Card operations.

For companies requiring a sub-certification letter, nearly all respondents gave the same answer regarding what the signer is certifying. Signers certify that controls have been reviewed and there is no knowledge of significant control weaknesses unless specifically reported. What if a person is required to sign a sub-certification letter, but refuses? Only a couple of respondents stated that disciplinary action is certain. The majority of this small group (sub-certification letters required) indicated either that disciplinary action is possible or that an employee’s career would be negatively impacted. Still others just did not know what the ramifications would be for refusing to sign a required letter. Overall, things like sub-certification letters could become more common as time progresses. For now, most P-Card professionals are not burdened by this facet of SOX.

Other Comments on SOX and P-Card Operations

Survey respondents were given many opportunities to add comments on particular points and on SOX overall. These comments give further insight into P-Card professionals’ experience with SOX.

“Overkill. It stymies innovation…not to mention common sense.”

“The controls inherent to our P-Card program went a long way towards complying with SOX. We only had to make a few modifications to be fully compliant.”

“Our P-Card program was mostly SOX compliant and only needed to be documented.”

“Our organization’s processes were already well-documented. SOX brought renewed interest and clarification to our controls and oversight.”

“Since P-Card spend is small…not a lot of emphasis was placed on SOX and P-Card.”

“P-Card is an integral part of the procurement stream…and thus required full documentation, review of controls, testing, etc.”

Conclusion

Overall, experience with SOX among Purchasing Card professionals reflects two extremes (positive and negative) and everything in between. Despite SOX being in effect this year, organizations vary widely in their responses to it. The survey results show that a significant educational opportunity for SOX remains within the Purchasing Card community. Other survey results show that many organizations still seem to be getting their feet wet with SOX compliance. Still others have completed SOX preparations and are now facing the task of sustaining compliance. Organizations approach SOX differently when it comes to P-Cards. Nevertheless, there is a consistent element throughout the industry. A strong P-Card control environment is a must for SOX compliance.

About the National Association of Purchasing Card Professionals

The National Association of Purchasing Card Professionals (NAPCP) is a non-profit professional trade association committed to the advancement of Purchasing Card professionals and practices. The NAPCP is a resource for Purchasing Card professionals at all levels – from novice to expert. It provides the Purchasing Card industry with a broad and in-depth forum for news and information, networking, and professional education for end users, card associations, card issuers, and solution providers.

10520 Wayzata Blvd., Minnetonka, MN 55305
Phone: (952) 546-1880
Internet: www.napcp.org

About Accounts Payable Now & Tomorrow

Accounts Payable Now & Tomorrow is a fee-based monthly newsletter for professionals interested in payment issues. It is written by Mary Schaeffer, a nationally recognized payment expert, and a revolving complement of experts who provide commentary on specialty topics such as P-Cards, 1099s, sales and use tax, unclaimed property, fraud, accounting, etc. Ms. Schaeffer is the author of 10 business books, including four on accounts payable; hundreds of articles; and e-News from the AP Front, a complimentary news alert delivered weekly via e-mail to the payment community.

Internet: www.ap-now.com

Other Resources

Deloitte. Taking Control: A Guide to Compliance with Section 404 of the Sarbanes-Oxley Act of 2002.

• Available through www.deloitte.com or, specifically, at: http://www.deloitte.com/dtt/whitepaper/0,1017,sid%253D36513%2526cid%253D54135,00.html

NAPCP Best Practices Task Force Report. Fraud Prevention and Detection: Establishing and Maintaining a Purchasing Card Program with Adequate Management Controls to Prevent Fraud, Misuse, and Abuse. January 2004.

• Available to NAPCP members only through www.napcp.org.

Sarbanes-Oxley Act of 2002.

• The entire Act can be accessed through the Web site of the U.S. Government Printing Office (GPO) at: http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_reports&docid=f:hr610.107.pdf

Schaeffer, Mary S. Accounts Payable & Sarbanes Oxley: Strengthening Your Internal Controls. John Wiley & Sons, 2006.

• Purchase directly from the publisher at www.wiley.com or from your local bookseller.

Sheth, Prasant C. Sarbanes Oxley Section 404 Compliance – Implications on Corporate Purchasing Card Programs. Joseph C. Sansone Company (JCSCo). May 2005.

• Visit www.jcsco.com.

Appendix

The following graphs portray additional information about the SOX survey respondents.

Exhibit 1: Respondents by Organization Annual Sales

[Bar chart: number of responses (0 to 110) by annual sales: Less than $100 million; $100 to $499 million; $500 to $999 million; Over $1 billion; Not applicable; Unsure. Series: All Respondents (267) and Only Those Required to Comply w/ SOX (144).]

Exhibit 2: Respondents by Organization Employee Count

[Bar chart: number of responses (0 to 140) by employee count: Less than 500; 500 to 999; 1000 to 4999; 5000 and over; Unsure. Series: All Respondents (267) and Only Those Required to Comply w/ SOX (144).]

Exhibit 3: Respondents by Title (number of respondents)

Program administrators, coordinators, managers ...... 108
Accounting Professionals ........................... 42
Procurement Professionals .......................... 46
Controller/Finance/Treasury ........................ 17
Management (unidentified dept.) .................... 28
Other, such as analysts and specialists ............ 26

Exhibit 4: Age of P-Card Programs

[Bar chart: response rate (0% to 70%) by program age: Less than one year; One to two years; More than two years, but less than five; Five years or more. Series: All Respondents (267) and Only Those Required to Comply w/ SOX (144).]

Exhibit 5: Annual P-Card Dollar Volume

[Bar chart: response rate (0% to 35%) by annual dollar volume: Over $100,000,000; $20,000,001 - $100,000,000; $10,000,001 - $20,000,000; $3,000,001 - $10,000,000; $1,200,000 - $3,000,000; Less than $1,200,000; Don't know. Series: Only Those Required to Comply w/ SOX (144) and All Respondents (267).]

Exhibit 6: Annual Number of P-Card Transactions

[Bar chart: response rate (0% to 30%) by annual transaction count: Over 500,000; 100,001 - 500,000; 50,001 - 100,000; 15,001 - 50,000; 6,000 - 15,000; Less than 6,000; Don't know. Series: Only Those Required to Comply w/ SOX (144) and All Respondents (267).]

Exhibit 7: Number of Open Accounts

[Bar chart: response rate (0% to 45%) by number of open accounts: Greater than 10,000; 5,001 - 10,000; 1,001 - 5,000; 501 - 1,000; 50 - 500; Less than 50; Don't know. Series: All Respondents (267) and Only Those Required to Comply w/ SOX (144).]