Update on external audit for purchasing cards

21 July 2020 | From Kgethi

Dear colleagues

I wrote to you previously about the responsibility that comes with the use of the University of Cape Town (UCT) resources, including the purchasing card (PCard). The PCard is a VISA product issued by Nedbank to authorised UCT staff members. It provides a convenient and cost-effective purchasing tool for low-value items, online purchases and frequent reimbursements of university-approved business expenditure.

UCT has over 1 700 PCards currently in use, with most being used by staff to facilitate efficient payments for approved university business. However, over the years, we’ve had a number of instances where there has been inappropriate use of the PCard by a relatively small number of PCard holders. In these instances, necessary disciplinary action followed, and where evidence of misconduct was found, including the use of the PCard for personal expenses, staff were dismissed and there was a full recovery of funds from the staff members concerned.

External review of PCards

In 2019 UCT management appointed an external service provider, Nexus Forensic Services (Nexus), to undertake a review based on a randomly selected sample of PCards. The purpose of the review was to provide management with the assurance that spending was aligned with the PCard policy. Nexus, using their own methodology, selected 20 PCards and analysed the expenses incurred for an 18-month period, starting 1 January 2018 and ending 30 June 2019. An additional PCard was included by management following allegations of improper use.

A finance task team, made up of senior members of the finance department and led by Executive Director: Finance, Mr Ashley Francis, was established to ensure Nexus had all the data required. The team also provided assistance where necessary. Members of the Internal Audit division were invited as observers in this process so as not to compromise the independence of our Internal Audit office.

The Nexus team completed its report and presented it to the executive management at the beginning of May 2020. The findings were also presented to the Risk Management Executive Committee and the university Audit and Risk Committee. A summary of the findings shows that 18 of the 21 PCards had not fully adhered to the PCard policy. These included, among others, expense reports not prepared by card processors or signed by the line managers responsible.

The executive mandated representatives of the departments of finance and human resources to review each PCard finding and recommend the most appropriate course of action. The chief operating officer, Dr Reno Morar, oversaw this process and reviewed the recommendations made by the team regarding ‘consequence management’.

As most of the transgressions of the PCard policy did not constitute misconduct or misappropriation of resources, the most appropriate intervention in these instances required greater awareness about adherence to the PCard policy. Improving internal communication and a greater commitment to policy adherence were the recommended course of action. However, where there were serious transgressions, disciplinary action was initiated.

Mr Francis will communicate the findings and ‘consequence management’ to staff where there has been no misconduct or misappropriation of resources.

The PCard policy explicitly states which procedure to follow in cases where personal expenses are made in error. If this happens, the expense must be reported and repaid within the time periods stated. This process will be actively managed. Re-occurrences and staff members who are ‘repeat offenders’ will have their cards withdrawn and may face disciplinary action.

New improvements on internal controls

Over the past few months, several new improvements have been implemented which are aimed at making compliance and accountability easier. These improvements include a new electronic form for submission and storage of supporting documentation which has been rolled out across campus. This will facilitate the submission, workflow to the card processor, central storage and retrieval of supporting documentation.

In addition, weekly Business Objects (BOBJ) reports detailing unposted transactions are emailed to PCard holders for follow-up. PCards with unposted transactions in excess of two months are blocked, with any exceptions requiring approval by the Executive Director: Finance. Monthly BOBJ PCard expense line item reports are emailed to all line managers for review. Once reviewed, these must be returned to the relevant finance manager as proof of the review. In addition, the cardholders and line managers receive a monthly BOBJ dashboard report indicating spend trends, card limits and unposted transactions.

Management has also introduced further training for all key role players involved. Targeted regular messages and training will be implemented for all PCard holders, card processors and line managers. Management will undertake periodic reviews of selected cards. Also, Internal Audit will be requested to conduct a follow-up review on selected PCards.

As part of ensuring adherence to internal controls and that finance managers were empowered to play a leading role, a training workshop was arranged. The Nexus team, Risk Office, Internal Audit and senior finance officials made a number of presentations. Similar workshops are planned for all stakeholders, including further training for PCard holders. Finance managers are an important part of this process and will ensure adherence to the policy by undertaking regular reviews of the reports. Staff with PCards who require training can contact Ms Natalie Pitcher, Manager: Card Payments Solutions (natalie.pitcher@uct.ac.za).

Internal audit

A PCard audit is included in the 2020 Internal Audit Plan review. The scope includes, but is not limited to:

  • policies and procedures
  • eligibility and profile control
  • card management
  • expenditure control and authorisation
  • oversight, monitoring and reporting.

As part of the review, based on sampling methodology, a selected number of cards will be tested. This Internal Audit review is particularly important as it will test the adherence to, and effectiveness of, the new controls implemented by management.

UCT must lead by example

UCT is a public university that will always adhere to the highest corporate governance standards in a manner that serves as a good example for other institutions. Our 2019 unqualified audit shows that most of our internal controls are able to detect and prevent misuse and abuse of resources. As a result, a risk-based approach will be adopted and all PCards, where there are instances of potential abuse, including unapproved transactions, will be flagged for management review.

It is expected that by accepting a PCard, all users must understand the responsibilities that come with having a PCard. Continuous and targeted communication will be used to reinforce a culture of responsibility and accountability.

Failure to follow policy may hold consequences.

The executive believes that changes implemented over the last year will in future reduce or eliminate most of the findings relating to policy and/or procedural gaps.

Kind Regards

Professor Mamokgethi Phakeng

This work is licensed under a Creative Commons Attribution-NoDerivatives 4.0 International License.