Expertise Beyond the Numbers

Strengthening Your Organization’s Credit Card Program: Three Key P-Card Controls to Consider

Organizations implement corporate credit card (also known as “purchasing card”, or “p-card”) programs to help reduce internal administrative costs and expedite payments to vendors. While corporate credit cards are typically granted to Management level positions, the volume of issued cards may vary based on the size of your organization.

An effective purchasing program enables employees to efficiently and reliably make authorized and necessary purchases for goods, services, and travel.  But, as your program grows, and more cards are distributed, it may become challenging to implement a scalable, controllable program that doesn’t disrupt operations.

As a best practice, it is vital for organizations to design formal, manageable purchasing policies with effective internal controls in place to help reduce the risk of card misuse and abuse. Further, a periodic assessment or review of the process design and internal control effectiveness should be performed. Our team highlights three suggested internal controls that your organization can adopt and implement to minimize fraud risk and promote compliance.

Control #1:  Use of Merchant Code Restrictions

An effective and practical policy is critical for communicating rules and restrictions that align with the organization’s culture and risk tolerance.  While every corporate credit card policy should clearly state unacceptable or inappropriate credit card purchases, this ultimately will not prevent the transactions from occurring. A control to mitigate this risk is the use of merchant category code (MCC) restrictions.

An MCC is a four-digit number used to classify the merchant business by the type of goods or services it provides.  Business credit card providers will allow organizations to review the list of available MCCs to exclude or disable unwanted merchant types (e.g. department stores, boat dealers, landscaping services).  By implementing this control configuration, organizations can help prevent the likelihood and impact of inappropriate charges, fraud, misuse, or abuse.

The level and types of restrictions should be aligned with your policy, but also be based on business need.  The business need for each cardholder may vary.  To accommodate variable needs, organizations can create credit card classes or groups with different merchant code restrictions.  When a new cardholder is approved, the card should be assigned to the applicable restricted group based on the communicated business need.

Control #2:  Determine and Implement Meaningful and Effective Credit Limits

Effective corporate credit card limits should align with anticipated spend to control costs and safeguard against fraud or abuse. Organizations should consider two types of credit limits −a single, per purchase limit and a monthly aggregate limit.

A single, per purchase limit may include multiple items within a single purchase/transaction.  However, no single transaction may exceed the single purchase limit established for the cardholder. With the use of single purchase limits, Management should ensure formal procedures are in place to monitor and identify any split purchase attempt to bypass the single purchase limit.

The monthly aggregate limit is the maximum amount the cardholder is allowed to spend in a billing cycle.  Arbitrarily assigning high or irrelevant limits will not control, prevent, or detect unwanted behavior.  Credit limits should be based on anticipated need and be ample enough to perform the cardholder’s daily responsibilities.  The goal of the limit is not to make it difficult for the cardholder to perform his/her job, but to facilitate fiscal responsibility.

Control #3:  Monitor Cardholder Activity for Circumvention of the Purchasing Department

A benefit to corporate credit cards is the capability of cardholders to perform their job responsibilities more freely through less upfront administrative hurdles.  However, convenience can subsequently lead to avoiding necessary purchasing workflows.

For example, organizations may require that certain technology items be obtained through the purchasing department and not through corporate credit cards.  The intent is to ensure the proper parties (e.g. Information Technology) are involved in the approval and receiving process for these types of purchases.

It is important with any credit card program to monitor and control spending activity to detect these types of purchases.  Once identified, the credit card program administrator or the cardholder’s approver should re-train the cardholder to prevent the behavior from happening in the future and document the discussion.  In the event the behavior is repeated, Management should determine whether credit card privileges should be suspended or revoked.


SC&H Group’s Risk Management team can help organizations develop or review corporate credit card program policies.  Further, SC&H can perform corporate credit card audits to assess the effectiveness of internal controls, evaluate the process design for ease, alignment to business needs, and identify opportunities for improvement.  Contact us today to learn more about best practices that could strengthen your organization’s program, and how we can assist you in meeting your organizational goals.