Credit card management in Local Government

Media release

The Auditor-General for New South Wales, Margaret Crawford, released a report today examining credit card management in Local Government.

The audit was in response to a letter from the then Minister for Local Government in November 2018. The audit assessed the effectiveness of credit card management practices in six councils, including in the areas of policies, procedures, compliance and monitoring.

The audit found that all six councils had gaps in their credit card policies and procedures. The Auditor-General recommended that the Department of Planning, Industry and Environment publish guidelines on credit card management for the Local Government sector. The report also generated insights for the Local Government sector with respect to credit card management.

Read full report (PDF)

Executive summary

In 2018–19, all councils responding to an Audit Office survey (representing over 90 per cent of the sector) indicated they issued credit cards to staff members to make work-related purchases. As there are no sector-wide requirements or policies for credit card use and management in Local Government, councils have developed their credit card management frameworks to suit their own needs. The quality of credit card policies and procedures may therefore vary across the sector.

Credit cards are an efficient means of payment, especially for low-value purchases. Compared to the use of petty cash, credit card transactions provide better transparency and accountability for expenditure. By using credit cards, councils only need to make one payment each month, which can reduce the time spent on paying separate vendors, as in the case of purchase orders.

This audit assessed the effectiveness of credit card management practices in six councils: Dubbo Regional Council, Junee Shire Council, Lane Cove Council, Nambucca Valley Council, Penrith City Council and Shellharbour City Council. The councils selected represent a mix of rural, regional and metropolitan councils. They were also among the top ten users of credit cards within their geographical classification, in terms of the number of credit cards issued or the number of transactions per credit card.

This audit referenced the NSW Treasury's Policy and Guidelines Paper TPP17–09 'Use and Management of NSW Government Purchasing Cards', as its principles and recommendations for NSW Government agencies are relevant for councils.

The Audit Office of New South Wales Report on Local Government 2019 provided a high-level overview of credit card management across the sector. While over 90 per cent of councils reported that they had a credit card policy and a credit card acquittal process, the quality of these policies and procedures may vary across the sector as there is no standardised or recommended approach to credit card management for Local Government. This audit complements the Report on Local Government 2019 by providing a detailed discussion of the effectiveness of credit card management practices in councils.

Audit conclusion

All six audited councils had important gaps in their credit card policies and procedures. Their reconciliation of credit card transactions needs to be enhanced to enable detection of potential misuse or fraud.
 
The audit found important gaps in each of the six audited councils' credit card management practices. Their policies and procedures covered the essential aspects of credit card use and management, but a lack of coverage or clarity in some areas could lead to inconsistent and inappropriate use of credit cards. These areas included: eligibility to hold a credit card, aligning credit card limits with financial delegations, and the reconciliation procedures.
 
While all six councils conducted reconciliations of credit card transactions, the processes need to be enhanced to enable detection of potential misuse or fraud. Reconciliations had focused solely on verifying receipts, and did not require evidence of business-related purposes, even for transactions such as alcohol purchases or spending at entertainment venues. Five of the six councils also did not include compliance checks in their reconciliation process, such as checking that purchases were not for restricted items.
 
The level of senior management involvement in monitoring credit card use varied across the six councils. Three of the six councils did not generate regular reports for management oversight. Five of the six councils had no plans for internal audits or targeted reviews of credit card management and use.

1. Key findings from the six audited councils

All six councils had important gaps in their credit card policies and procedures

All six councils had policies and procedures covering a range of essential components such as eligibility to hold a credit card, credit limits, restrictions on use, reconciliation processes, and roles and responsibilities. However, the audit found that the policies and procedures lacked clarity or detail in different aspects, which may raise transparency and consistency concerns. Gaps identified in more than one council included:

  • a lack of criteria for eligibility assessment
  • a lack of explicit alignment between credit card limits and financial delegations
  • a lack of documented procedures for the reconciliation of the general manager's credit card transactions1
  • a lack of policy and procedures for all types of cards used by the council.
Reconciliation processes need to be enhanced to enable detection of potential misuse or fraud in all six councils

Across all six councils, reconciliation had focused on checking the receipts of the items purchased and the descriptions of the items provided by cardholders. The audit found that none of the six councils included the verification of business-related purposes as part of their reconciliation of credit card transactions. The reconciliation processes at the time of the audit were therefore not sufficient to identify potential misuse or fraud.

Five of the six councils (Dubbo Regional Council, Lane Cove Council, Nambucca Valley Council, Penrith City Council and Shellharbour City Council) also did not check compliance of credit card transactions against policy. This included: a lack of verification of travel expenses against the pre-approved amounts and a lack of justification provided by staff when they had used their credit card in restricted categories (e.g. fuel purchases and fine payments).

Three of the six councils lacked senior management oversight of credit card use

Management reporting is a detective control in terms of identifying credit card misuse or fraud. While none of the six councils had management reporting on credit card use at the time of the audit, three of them (Junee Shire Council, Nambucca Valley Council and Shellharbour City Council) had alternative arrangements that provided sufficient senior management oversight. For instance, Junee Shire Council and Shellharbour City Council involved their general manager in the monthly review of credit card transactions, while Nambucca Valley Council had monthly reports generated for one department and was in the process of expanding the scope of the report for monitoring by the CFO.

Cardholders from all six councils advised that they had shared their credit cards with other staff members for work-related purchases

Dubbo Regional Council's credit card policy allowed card sharing. This practice was a breach of the council's agreement with its card issuer. This practice also complicated credit card management, as additional steps were needed to identify the correct manager to approve transactions during reconciliation. This could make it difficult to identify the purchaser if an unauthorised purchase was made. This also raised the risk that purchasers could exceed their financial delegations if the cardholder had a higher credit card limit.

Nambucca Valley Council, Penrith City Council and Shellharbour City Council prohibited credit card sharing in their policies and procedures. However, during our interviews, cardholders from all six councils described situations when they had shared their credit cards with other staff members. This raises concerns about cardholders' understanding of responsible credit card use and their liability for the transactions. In the case of Nambucca Valley Council, Penrith City Council and Shellharbour City Council, this raises concerns about cardholders' compliance with their council's credit card policies and procedures.

All six councils provided cardholders with guidance on credit card use and four provided approvers with targeted instructions

Guidance and training serve as preventative controls, as they ensure staff members are aware of their obligations and the council's policies and procedures. While none of the six councils provided mandatory credit card training, they all required each cardholder to sign a statement of responsibility to acknowledge their understanding and acceptance of the terms and conditions associated with using the council credit card. They also provided guidance to cardholders on reconciliation. However, only Dubbo Regional Council, Nambucca Valley Council, Penrith City Council and Shellharbour City Council provided approvers with targeted guidance.

Five of the six councils were unable to provide all transaction records requested

Only Nambucca Valley Council was able to provide the records for all transactions requested for review by the audit, but its credit card register was incomplete. The reasons that the other five councils gave for not providing all transaction records included:

  • records were lost during system migration
  • documentation had been misplaced
  • the correct receipts, or other supporting evidence, were not collected from cardholders.

These issues raise concerns regarding the completeness and accuracy of records for monitoring and review purposes.

Five of the six councils had incomplete and inaccurate credit card registers

Only Junee Shire Council had a complete credit card register for the audited period. For the other five councils, the audit found discrepancies between the credit card register and the credit cards identified in our transaction data analysis. Two of these councils (Lane Cove Council and Shellharbour City Council) were unable to explain some of the card numbers identified. For others, reasons included:

  • incorrect card numbers recorded
  • card numbers replaced with new card numbers
  • cancelled cards missing from the record.

This raises concerns regarding the monitoring of credit cards issued to staff members.

All six councils used credit cards primarily for low-value purchases

Credit card use provides operational efficiency when councils have to pay for a high volume of low-value routine purchases. The audit found that all six councils had used credit cards mostly for transactions valued at up to $100, and the highest volume of transactions was in retail stores across all six councils.

Insights for the Local Government sector

In November 2018, the then-Minister for Local Government wrote to the Auditor-General requesting an audit of credit card management in the Local Government sector. The audit aims to identify trends, good practice and performance improvement opportunities for all councils in New South Wales.

Policies and procedures

A documented approach to managing credit cards ensures transparency and consistency of use within the council. A typical credit card management framework comprises policies and procedures, guidance for staff, monitoring and reporting arrangements, periodic reviews, and record keeping requirements. An effective framework also contains preventative and detective controls that can minimise risks of fraud and misuse.

'Credit cards' come in different forms, all of which have risks that need to be addressed. While the term 'credit cards' is commonly associated with corporate cards, charge cards and purchasing cards, products such as fuel cards, vendor cards and Cabcharge (FASTCARDs or eTickets) also provide cardholders access to council funds. As such, councils need to have a documented management policy and procedures for these products.

Credit card sharing between staff (including delegating the use of a card to another staff member) is a breach of agreement with the credit card issuer. It is a practice that complicates credit card management, especially in terms of ensuring accountability for purchases. Councils need to ensure that credit cards are used only by the approved cardholder.

Reconciliation and compliance

Effective credit card management requires both a clear management framework and efforts to ensure compliance. Regular compliance checks are essential to ensure staff members routinely adhere to the council's policy and procedures for every component of the credit card management framework. Good record keeping, which includes maintaining an accurate and up-to-date credit card register, supports effective credit card management practices.

Reconciliation of credit card transactions is a process that should extend beyond checking that each transaction is supported by a relevant receipt. As credit cards provide access to council funds, which should be spent only in the public interest, reconciliation of credit card transactions should involve a verification of the business-related purpose for each transaction. This is particularly important for transactions in categories that may not have an obvious business-related purpose. Reconciliation processes need to also include compliance checks against the council's credit card use policy.

Monitoring, reporting and review To ensure accountability and transparency, councils need to have monitoring and reporting arrangements in place. Such arrangements may include tracking the level of credit card use, ensuring compliance against credit card use policy, and detecting potential misuse and fraud. As credit card products evolve and new risks emerge over time, councils need to also assess the ongoing relevance and effectiveness of controls.

1 Note: The General Manager of Nambucca Valley Council did not hold a credit card during the audited period.

2. Recommendation

By June 2021, the Department of Planning, Industry and Environment should publish guidelines on credit card management for the Local Government sector.

1. Introduction

1.1 Background

In 2018–19, all councils responding to an Audit Office survey (representing over 90 per cent of the sector) indicated they issued credit cards to staff members to make work-related purchases. Such purchases include general consumables, minor plant and equipment, hospitality and travel. If used as intended, credit cards can be a more efficient method of processing routine and low-value transactions. For instance, by making credit card payments on a monthly cycle, councils can reduce the time spent on paying separate vendors every month, thereby reducing administrative costs.

The NSW Treasury's Policy and Guidelines Paper TPP17–09 'Use and Management of NSW Government Purchasing Cards' (TPP17–09) notes that the benefits of using credit cards include significant savings over traditional purchase-to-pay processes and enhanced capability to track and monitor expenditure. In particular, credit cards can serve as an alternative to petty cash transactions, and the audit trail provided by credit cards helps to improve transparency and accountability for expenditure.

Credit cards come in various forms such as corporate cards, charge cards and purchasing cards; they are all referred to as 'credit cards' in this report. The scope of this audit also includes vendor cards (e.g. store cards, fuel cards and Cabcharge FASTCARDs) and credit vouchers (e.g. Cabcharge eTickets).

1.2 Importance of effective credit card management

Credit cards provide access to council funds, hence they must be used and monitored in the public interest. While the use of credit cards provides a clearer audit trail than cash transactions, it is nevertheless subject to risks of misuse and fraud, which may be committed by cardholders, merchants or fraudsters. It is important that councils effectively manage credit card use, minimise the risk of misuse and fraud, and ensure the intended benefits are realised.

Councils in New South Wales must comply with the Local Government Act 1993 (the Act) and the Local Government (General) Regulation 2005 (the Regulation). The following provisions of the Act and Regulation are relevant for the use and management of credit cards:

  • Section 8A (2)(e) of the Act requires councils' decision-making to be transparent and decision-makers to be accountable for decisions and omissions.
  • Section 8B of the Act requires councils to apply principles of sound financial management.
  • Section 202(a) of the Regulation requires responsible accounting officers to establish and maintain a system of budgetary control that will enable the council’s actual income and expenditure to be monitored each month and to be compared with the estimate of the council’s income and expenditure.
  • Section 207(2) of the Regulation requires responsible accounting officers to ensure that the accounting records are kept up-to-date and in an accessible form.
  • Section 207(3)(e) of the Regulation requires responsible accounting officers to take all reasonable measures to ensure that appropriate budgeting and accounting systems (including internal control systems) are established and maintained for the purposes of the council.
  • Section 209(b) of the Regulation requires general managers to ensure that effective measures are taken to secure the effective, efficient and economical management of financial operations within each division of the council administration.
  • Section 209(c) of the Regulation requires general managers to ensure that authorising and recording procedures are established to provide effective control over the council’s expenditure and ensure the accuracy of accounting records, including a proper division of accounting responsibilities among the council's staff.

Effective credit card management is underpinned by an understanding of the risks involved in the use of credit cards. Exhibit 1 shows the common risks of misuse and fraud, how controls can mitigate such risks, and that a credit card management system involves different areas of a council.

Infographic showing risks and controls
Exhibit 1: Risks and controls
Source: Audit Office of New South Wales research 2020 (adapted from the Australian National Audit Office's report 'Control of Credit Card Use', 2013).

Referring to Exhibit 1, an effective credit card management framework would help to ensure:

  • risks related to credit card use are identified
  • appropriate controls are in place to prevent and detect misuse or fraud
  • roles and responsibilities are clear.

1.3 Overview of credit card management in councils

The Audit Office of New South Wales Report on Local Government 2019 reported that most councils had credit card policies and processes in place. The sector-level summary of credit card management is provided in Exhibit 2.

Exhibit 2: Councils' credit card management in 2018–19
Credit card management %
Council has a periodic credit card acquittal process, which requires cardholders to provide receipts or other supporting documentation 98
Credit card reconciliations are reviewed by an appropriate delegated authority 94
Credit card reconciliations are reviewed in a timely manner 93
Council has a corporate credit card policy 92
New cardholder is required to sign the agreement of terms of use 87
Corporate credit card policy is current 82
Source: Audit Office of New South Wales Report on Local Government 2019.

All councils must maintain effective internal control systems in accordance with the Regulation. While 92 per cent of councils reported that they had a credit card policy and 98 per cent had a periodic credit card acquittal process, the quality of these policies and procedures may vary across the sector as there is no standardised or recommended approach to credit card management for Local Government.

1.4 About the audit

This audit assessed the effectiveness of credit card management practices in six councils. A mix of councils from metropolitan, regional and rural areas enabled the audit to examine a range of credit card management practices that also reflect different council sizes, structures, priorities and levels of resources. The audit covered the period 1 July 2016 to 30 June 2019.

The selected councils for this audit were: Dubbo Regional Council, Junee Shire Council, Lane Cove Council, Nambucca Valley Council, Penrith City Council and Shellharbour City Council. They were among the top ten users of credit cards within their geographical classification during the audited period, based on the number of credit cards issued or the number of transactions per credit card.

The audit assessed the audit objective against the following criteria:

  1. Do councils have an effective governance framework for credit cards including but not limited to the following:
    • clear criteria for eligibility to hold a credit card
    • clearly defined roles and responsibilities relating to credit card use and management
    • defined delegation limits and restrictions on use
    • clear requirements for approval, acquittal, authorisation of expenditure, reconciliation of transactions and segregation of duties?
  2. Do councils have effective controls to prevent and detect misuse within its credit card management framework?
  3. Do councils effectively educate their staff on credit card use and management?
  4. Do councils have effective record keeping?

In the absence of a recognised credit card management framework for Local Government, the audit used the framework applicable to NSW Government agencies: TPP17–09 'Use and Management of NSW Government Purchasing Cards' (PCards). The principles and recommendations in TPP17–09 are applicable to Local Government, including the core requirements that:

  • the agency head is ultimately responsible for the proper management and administration of PCards within the agency
  • cardholders understand and are accountable for the responsible use of PCards.

The purpose of this audit was not to specifically detect fraud or seek to exclude the possibility of any fraud in the councils examined. Rather, the audit examined the effectiveness of policy, systems and processes to manage credit cards in the selected councils.

More information about the audit is provided in Appendix two.

2. Credit card use

Council staff provided with a credit card can purchase from a wide range of businesses, including online transactions with overseas vendors. However, councils may limit the types of purchases that staff can make through their policies and procedures or by setting controls that block certain transaction types such as cash advances. To examine credit card usage, the audit obtained credit card transaction data from 1 July 2016 to 30 June 2019 for the six councils in this review. The data included:

  • transaction date
  • amount
  • merchant category code (MCC)
  • merchant name.

The audit analysed the number and value of transactions by each council, and the types of purchases made using credit cards.

2.1 Level of credit card use

Councils had different levels of credit card use and the variation between councils reflects differences in council characteristics, number of cards issued and their intended use. For example, Junee Shire Council had no more than two credit cards issued at a time, while Penrith City Council had 164 credit cards issued at the time of the audit (see Chapter 3 for details of the differences).

A relatively lower level of credit card use does not necessarily mean lower expenditure by a council, as there are other means of payment available such as purchase orders and petty cash. The purpose of examining the number of transactions and total spend is to provide context for the subsequent assessment of councils' credit card management practices.

Credit card transactions increased in both number and value across all six councils

Despite the differences in number of transactions and total spend, credit card use across the six councils followed a similar trend; that is, an increase on both measures from 2016–17 to 2018–19. Exhibits 3 and 4 show each of the six audited councils' annual number of credit card transactions and total spend, respectively.

Bar chart showing number of credit card transactions 2016-17 to 2018-19
Exhibit 3: Number of credit card transactions 2016–17 to 2018–19
Note: Data include bank fees and refunds.
Source: Audit Office of New South Wales analysis of council credit card data 2020.
Bar chart showing total credit card spend 2016-17 to 2018-19
Exhibit 4: Total credit card spend 2016–17 to 2018–19
Note: Data include bank fees and refunds.
Source: Audit Office of New South Wales analysis of council credit card data 2020. 
 
Average spend per transaction either decreased or held steady over the three years

Average spend per transaction either decreased or held steady in the six councils over the period. Exhibit 5 shows the average spend per transaction in each of the three years examined. 

Bar chart showing average spend per transaction 2016-17 to 2018-19
Exhibit 5: Average spend per transaction 2016–17 to 2018–19
Note: Data include bank fees and refunds.
Source: Audit Office of New South Wales analysis of council credit card data 2020.
 
Transactions valued at up to $100 accounted for over half of the total number of transactions

Council staff used credit cards most frequently for low-value purchases. Transactions valued at up to $100 accounted for over 50 per cent of the total number of transactions for all six councils. In contrast, transactions valued at $1,000 and over made up less than five per cent of the total number of transactions for each of the six councils. Exhibit 6 provides an overview of low-value and high-value transactions in the three years combined.

Exhibit 6: Low-value and high-value transactions 1 July 2016 to 30 June 2019
  Dubbo Junee Lane Cove Nambucca Penrith Shellharbour
Number of transactions up to $100 4,604 390 1,323 1,395 12,810 3,983
Percentage of total transactions 55.73% 58.91% 53.69% 59.19% 53.78% 55.64%
Number of transactions $1,000 and over 402 10 86 82 296 243
Percentage of total transactions 4.87% 1.51% 3.49% 3.48% 1.24% 3.39%
Lowest transaction value $0.01 $0.07 $0.46 $0.52 $0.09 $0.10
Highest transaction value* $13,076 $2,693 $7,585 $4,184 $19,298 $37,976
* Values are rounded to the nearest dollar.
Note: Data exclude bank fees and refunds.
Source: Audit Office of New South Wales analysis of council credit card data 2020.
 
Council staff used credit cards throughout the week including weekends

Council staff members used their credit cards mostly on weekdays. The number of credit card transactions on weekdays was spread evenly from Monday to Friday for each of the six councils. Some transactions took place on Saturdays and Sundays. While these weekend transactions likely supported council operations, they may raise questions concerning their business-related purpose as they were incurred outside of the standard working week. As such, it is particularly important that cardholders provide evidence of the business-related purposes and their supervisors closely scrutinise such transactions. This is discussed in more detail in Chapter 4.

To illustrate the pattern of credit card use, Exhibit 7 shows the distribution of transactions (in terms of percentage of total number of transactions) by day of the week.

Bar chart showing distribution of transactions by day of week 1 July 2016 to 30 June 2019
Exhibit 7: Distribution of transactions by day of week 1 July 2016 to 30 June 2019
Note: Transactions on public holidays and refunds are included. Bank fees are excluded.
Source: Audit Office of New South Wales analysis of council credit card data 2020.

2.2 Types of credit card purchases

The merchant category code (MCC) is a four-digit number that identifies a vendor's primary line of business. In this context it should be noted that some vendors have multiple lines of business, and the MCC only refers to what the vendor has registered as its primary line of business.

This audit has grouped several thousand MCCs into the following eight categories:

  • MCC 0001–1499 Agricultural services
  • MCC 1500–2999 Contracted services
  • MCC 3000–3999 Travel
  • MCC 4000–4999 Transportation and utility services
  • MCC 5000–7299 Retail and other stores
  • MCC 7300–7999 Business services
  • MCC 8000–8999 Professional services and membership organisations
  • MCC 9000–9999 Government services.

Travel is distinguished from transportation, as travel expenses tend to require prior approvals. 'Travel' includes airlines, car rental and lodging. 'Transportation' covers a range of items such as local transport, road tolls and travel agencies.

'Retail and other stores' is a broad category that captures a wide range of businesses. Examples include: hardware stores, supermarkets, dining and catering, motor vehicle suppliers and parts, speciality and safety clothing, electronics and computer software, books and office supplies.

Retail and other stores accounted for the highest number of transactions for all six councils

For the period 1 July 2016 to 30 June 2019, retail and other stores made up over three-quarters of all transactions by staff members of Nambucca Valley Council and Penrith City Council. This category also accounted for over half of all transactions by staff members of Dubbo Regional Council, Junee Shire Council and Shellharbour City Council.

Exhibit 8 shows the breakdown of the number of credit card transactions by MCC category for each of the six councils.

Graph showing distribution of number of transactions by MCC category 1 July 2016 to 30 June 2019
Exhibit 8: Distribution of number of transactions by MCC category 1 July 2016 to 30 June 2019
Note: Data exclude bank fees but include refunds. The category 'Retail and other stores' includes hardware and computer suppliers.
Source: Audit Office of New South Wales analysis of council credit card data 2020.
 
All six councils had transactions that may raise questions concerning their business-related purpose

The audit considered a number of MCCs to be types of transactions that may raise questions concerning their business-related purpose, although they may not be contrary to council policies. There may also be perceived personal gains through such transactions. As such, it is especially important that cardholders provide evidence of the business-related purposes of these transactions. This is discussed in more detail in Chapter 4.

Exhibit 9 shows the number and amount each council spent on the following types of transactions during the audited period:

  • dining and catering
  • alcohol (liquor stores)
  • entertainment
  • government fines (of all kinds).
Infographic showing value and number of transactions by selected type 1 July 2016 to 30 June 2019
Exhibit 9: Value and number of transactions by selected type 1 July 2016 to 30 June 2019
Note: Numbers in brackets denote the corresponding number of transactions. Data exclude refunds. Refer to Exhibits 3 and 4 for the number and value of all transactions for each council. The category 'Entertainment' may include conference registration platforms and library supplies such as DVDs.
Source: Audit Office of New South Wales analysis of council credit card data 2020.

3. Credit card management frameworks

The existence of a documented approach to managing credit cards ensures transparency and consistency of use within the council. A credit card management framework that contains preventative and detective controls can also minimise risks of fraud, misuse and wastage.

There is no prescribed credit card management framework for Local Government, but typical components of a credit card management framework include:

  • policies and procedures
  • guidance for staff
  • monitoring and reporting.

With no detailed guidance notes similar to those in TPP17–09 for NSW Government, councils have developed their own credit card management framework based on their size, structure, resources and intended credit card usage. For instance, the size of a council has implications for the number of credit cards issued, which in turn influences the arrangements for training and guidance provided to cardholders and approvers.

The intended level of credit card usage may determine whether a council adopts a manual or electronic credit card management system and councils should identify the system that best meets their needs. For instance, a council with few credit cards may not be able to justify investment in an electronic system. On the other hand, a manual system may only be viable for councils with a low number of credit cards and a low number of transactions.

Among the six councils audited, the three councils with fewer cards and a lower number of transactions had a manual credit card management system, while the three councils with more cards and a higher number of transactions used an electronic system.

Exhibit 10 summarises the six councils' policies on use of credit cards.

Exhibit 10: Overview of the six councils' policies on credit card use
Council Audit Office classification Number of staff (full-time equivalent) Number of credit cards issued (current at August 2019) Policy on credit card use
Dubbo Regional Council Regional 453 77 Purchase cards are used for official council business up to $5,000 and the policy allows cardholders to delegate the use of their purchase cards to other staff members.
Junee Shire Council Rural 71 1 Corporate credit cards are for council business activities and minor purchases where a purchase order is not accepted. Items that can be purchased via a purchase order should not be purchased on a corporate credit card.
Lane Cove Council Metropolitan 192 6 Corporate credit cards are for official council business, but should not be used when there is an alternative form of payment that aligns with the council's purchasing process.
Nambucca Valley Council Rural 110 37 Purchase cards are used for the payment of goods and services associated with council businesses.
Penrith City Council Metropolitan 1,031 167 Purchase cards are used for ‘low value and low risk procurement of goods and services’, while corporate cards are held by senior staff for ‘non-routine low value work related purchases’.
Shellharbour City Council Regional 372 65 Credit cards are for purchases up to $9,999 and the preferred payment method for transactions under $1,000.
Source: Audit Office of New South Wales analysis of council credit card registers, policies and procedures 2020; staff numbers from Office of Local Government's 'Your Council' website, except for Junee Shire Council which comes from their Workforce Plan 2020–24.

3.1 Policies and procedures

For the purposes of this audit, we expected an effective credit card management framework would include clear policies and procedures about the council's approach to credit card management and provide guidance to its staff. Policies and procedures can serve as preventative controls, as they standardise practice within a council and in turn prevent errors, inconsistency and inappropriate use. Councils should also proactively ensure policies and procedures are up-to-date in terms of capturing the changing features of credit card products, addressing emerging risks, ensuring controls remain relevant and effective, and promoting compliance.

With no official guidelines or templates for the Local Government sector, councils develop their own credit card policies and procedures. Minimum requirements for NSW Government agencies are stipulated in TPP17–09.

Exhibit 11 shows the criteria used in this audit when assessing councils' credit card policies and procedures.

Exhibit 11: Criteria used in the assessment of credit card policies and procedures
Audit assessment criteria Examples of key elements
Clear criteria for eligibility to hold a credit card
  • Nature of role and duties
  • Approved financial delegation
  • Handling of card cancellation.
Clearly defined roles and responsibilities relating to credit card use and management
  • Roles and responsibilities of cardholders, their supervisors, the finance team, senior management and the council.
Defined delegation limits and restrictions on use
  • Alignment of transaction/credit limits and financial delegations
  • When to use credit cards
  • When not to use credit cards
  • Specific restrictions on use.
Clear requirements for approval, acquittal, authorisation of expenditure, reconciliation of transactions and segregation of duties
  • Application and approval process
  • Steps involved in approval and reconciliation processes
  • Segregation of duties in approvals and reconciliations
  • Record keeping requirements.
Source: Audit Office of New South Wales.

Councils should also ensure that their policies and procedures address the different types of cards used in the council, such as fuel cards, vendor cards, Cabcharge FASTCARDs and Cabcharge eTickets. This practice ensures the different processes and associated risks are captured, and relevant monitoring and controls are implemented.

All six councils had gaps in their credit card policies and procedures

All six councils had credit card policies and procedures in place, but there were gaps in addressing the key elements. The common gaps were:

  • while the general manager (or senior staff) had delegation to authorise the issue of credit cards, the policy did not explicitly state the eligibility criteria to ensure consistency (Dubbo Regional Council, Lane Cove Council, Nambucca Valley Council and Shellharbour City Council)
  • the general manager (or mayor) was authorised to determine credit limits, but there was no stated requirement to align credit limits with financial delegations (Junee Shire Council, Lane Cove Council, Nambucca Valley Council and Shellharbour City Council)
  • policies and procedures did not cover the reconciliation process of the general manager and mayor's credit cards (Dubbo Regional Council, Lane Cove Council, Nambucca Valley Council, Penrith City Council and Shellharbour City Council)2.

The audit identified two effective approaches to setting clear criteria for eligibility to hold a credit card and they are shown in Exhibit 12.

Exhibit 12: Examples of two effective approaches to defining credit card eligibility

Junee Shire Council

  • The council's credit card policy specified the positions that were eligible to be issued a corporate credit card. These positions were: the mayor, general manager and directors. This approach avoids ambiguity regarding eligibility.

Penrith City Council

  • The council's credit card policy stated that, to be eligible for a credit card, the staff member must have a delegation as per the council's delegations register. This condition ensures credit cards are only given to staff who have the authority to purchase.
  • The credit card application form also required staff members to provide a reason for getting a credit card.
Source: Audit Office of New South Wales analysis 2020.
 
Two of the six councils did not follow the review schedule of their credit card policies and procedures

While all six councils reported to have a regular review schedule for their credit card policies and procedures, the audit found that two councils did not follow their review schedules. Junee Shire Council's latest Corporate Credit Card Policy was adopted in June 2015 and was scheduled to be reviewed every two years, but no such review has taken place. Shellharbour City Council's Corporate Credit Cards Operational Policy was due for review in August 2014, but the review did not take place until February 2018 when it was replaced by the Procurement Policy. While policy reviews do not always result in substantial changes, it is important that councils undertake regular reviews to ensure their policies and procedures are up-to-date and reflect the needs of the council.

Four of the six councils had no policies or procedures for fuel card use

In the audited councils, fuel cards were issued for leaseback, novated lease, council-owned or Rural Fire Services vehicles. In the case of leaseback and novated lease vehicles, the use of fuel cards can be linked to remuneration packages or allow varying degrees of personal use. Regardless of the agreement on fuel use, each council should have documented policies and procedures for the management of fuel cards. Exhibit 13 provides an overview of the six audited councils' fuel card management frameworks.

Exhibit 13: Fuel card management
Council Number of fuel cards Fuel card register Policy for fuel card use Fuel card procedures
Dubbo Regional Council 191 Yes Yes Yes
Junee Shire Council 15 Yes No No
Lane Cove Council 64 Yes No No
Nambucca Valley Council 85 Yes No No
Penrith City Council 204 Yes Yes Yes
Shellharbour City Council 215 Yes No* No*
* Shellharbour City Council's use of fuel cards was mentioned in the council's Vehicle Management Operational Policy and Driver's Kit, but there were insufficient details as guidance for staff on the use of fuel cards.
Source: Audit Office of New South Wales analysis of councils' fuel card information 2020.

All six councils maintained a fuel card register that listed the cards issued. However, only two councils (Dubbo Regional Council and Penrith City Council) had fuel card policies and procedures that provided guidance to staff on their use. While Shellharbour City Council's policies and procedures lacked detail, three other councils (Junee Shire Council, Lane Cove Council and Nambucca Valley Council) did not have such documents in place.

As in the case for credit cards, there are no specific guidelines on fuel card management for Local Government. Councils should develop policies and procedures that reflect their needs, with the objective of minimising the risk of fraud and misuse. Exhibit 14 provides a case study of Dubbo Regional Council's approach to fuel card management which was distinct from the other five councils audited. 

Exhibit 14: An effective approach to fuel card management

Dubbo Regional Council's fuel card management

  • The council's fuel card policy stipulated that fuel card holders would be fully liable for fuel card expenses unless they provide evidence to prove business-related use.
  • When fuel card holders received their monthly statements, it was their responsibility to go through all transactions and identify business-related use.
  • For business-related transactions, fuel card holders must provide evidence to receive a rebate.
  • Failure to provide evidence for business-related use would result in the amount being deducted from salary as in the case of personal use.
Source: Audit Office of New South Wales analysis 2020.
 
Three councils used Cabcharge without documented policies or procedures

During the period 1 July 2016 to 30 June 2019, Dubbo Regional Council had 238 Cabcharge transactions, Penrith City Council had 163 and Nambucca Valley Council had 19. Penrith City Council and Nambucca Valley Council explained their Cabcharge management practices to the Audit Office via email, but they did not have such information in the form of documented policies and procedures. Junee Shire Council, Lane Cove Council and Shellharbour City Council reported no Cabcharge use during the audited period.

Three councils used store cards without documented policies and procedures

Lane Cove Council reported eight Bunnings store cards, while Junee Shire Council reported three Bunnings store cards and Nambucca Valley Council reported three Nambucca Co-op Green Cards. None of these three councils had documented policies or procedures for the management of store cards, and also none of them maintained store card registers.

Junee Shire Council advised that their credit card policy would be amended to cover store cards. Nambucca Valley Council advised that usage of their Green Cards was shared among staff members and managed by their Creditor Clerk, but these arrangements were not documented at the time of the audit.

Dubbo Regional Council, Penrith City Council and Shellharbour City Council reported no store card use during the audited period.


2 Note: Both the mayor and the general manager of Nambucca Valley Council did not hold a credit card during the audited period.

3.2 Guidance for staff

Guidance for staff is an important component of any credit card management framework. It serves as a preventative control, as it ensures staff members are aware of the council's policies and procedures, thereby standardising practices and preventing misuse. One of the key objectives is to ensure all cardholders have a clear understanding that they are accountable for the credit card issued for their use.

Guidance may be provided through a combination of policies, procedures and training. In some cases, policies and procedures alone may be sufficient as guidance for staff. Where training is offered, contents should be consistent with the council's relevant policies and procedures. At a state government level, TPP17–09 includes the requirement that cardholders sign a statement of responsibility to acknowledge their responsibilities with respect to the use and management of their PCards.

Reconciliation is a process that involves cardholders, designated approvers and the finance team. Councils should ensure sufficient guidance is provided not just to cardholders but also to their approvers whose roles include:

  • ensuring correct receipts are provided by cardholders
  • verifying receipts against the amounts incurred
  • verifying purchases against business needs
  • ensuring the timeliness of reconciliation reviews
  • being familiar with the systems
  • escalating issues in the case of inconsistencies, potential misuse or fraud.
All six councils provided cardholders with guidance on terms and conditions, and reconciliation procedures

While none of the six councils provided mandatory credit card training, they all required each cardholder to sign a statement of responsibility to acknowledge their understanding and acceptance of the terms and conditions associated with using the council credit card.

In credit card management, reconciliation is an important detective control that can identify potential misuse and fraud. Hence, it is critical that councils ensure reconciliations are regularly and consistently performed in line with policies and procedures. All six councils provided such guidance, but in different forms:

  • Dubbo Regional Council had a manual explaining the electronic reconciliation system.
  • Junee Shire Council had a reconciliation template as an attachment to the credit card policy.
  • Lane Cove Council had a reconciliation template with instructions.
  • Nambucca Valley Council had a Purchasing Card Reconciliation and Approval Manual.
  • Penrith City Council had a Cardholder Guide with details of its electronic reconciliation system. The council also conducted training on reconciliation, with separate presentations for corporate cards and purchase cards.
  • Shellharbour City Council had training material (including coverage of reconciliation) but it was dated May 2014 and the council had since revised its credit card management policy and procedures.
Four of the six councils provided approvers with targeted instructions

Providing approvers with targeted instructions may improve reconciliation timeliness and strengthen the function of reconciliation as a detective control. Such guidance is important even for approvers who themselves have credit cards, as there are differences between the roles of cardholders and approvers. The audit found that four of the six councils provided approvers with targeted guidance:

  • Dubbo Regional Council had a manual explaining the electronic reconciliation system.
  • Nambucca Valley Council had a Purchasing Card Reconciliation and Approval Manual.
  • Penrith City Council had an Approver Guide with details of its electronic reconciliation system.
  • Shellharbour City Council has a Procedure Manual explaining the electronic reconciliation system.

3.3 Monitoring, reporting and review

After a staff member is issued with a credit card, the council should continue to monitor their ongoing needs. For example, if there is an extended period where the cardholder has performed no transactions, the council may reassess whether this staff member has a justified need to hold a credit card in order to minimise any unnecessary costs such as credit card annual fees and administrative work related to credit card management.

Councils need monitoring and reporting arrangements in place in order to:

  • track the level of credit card use
  • ensure compliance against credit card use policy
  • detect potential misuse and fraud
  • assess the ongoing relevance and effectiveness of controls.

The latter is particularly important as credit card products evolve and new risks emerge over time. Different types of monitoring, reporting and review should be conducted at different intervals – some ongoing and some less frequent. Exhibit 15 shows some examples of monitoring, reporting and review.

Infographic showing examples of monitoring, reporting and review
Exhibit 15: Examples of monitoring, reporting and review
Source: Audit Office of New South Wales research 2020.
 
Senior management in the six councils had varied involvement in monitoring credit card use

The involvement of senior management in monitoring credit card use varied across the six councils. In Junee Shire Council, the general manager was involved in the reconciliation process by reviewing all transactions and signing off as cardholder. In Shellharbour City Council, the executive leadership team reviewed and discussed the council's credit card transactions at its monthly meetings. In Nambucca Valley Council, credit card reports had been generated for a manager of a specific business area, and at the time of the audit, the council was implementing regular council-wide credit card reports for its chief financial officer. Dubbo Regional Council, Lane Cove Council and Penrith City Council did not generate specific credit card reports during the audited period.

Five of the six councils did not have credit card management in their forward program of internal audits

Councils should ensure controls remain effective over time, especially in light of emerging risks associated with financial products. Regular internal audits help to monitor and test existing controls and identify areas of improvement. Credit card management was last audited in February 2016 for Lane Cove Council and in April 2009 for Penrith City Council.

Dubbo Regional Council was the only council to have credit card management in their forward program of internal audits. The council's credit card policy described its internal auditor as having a key role in ‘ensuring the integrity of the systems, policies, processes and procedures in place', which also included 'an audit on Purchase Card controls as part of a regular pattern of review.’ However, there was no evidence that the internal auditor had undertaken such monitoring activities.

4. Credit card management practices

While it is important for councils to have an established credit card management framework, it is equally important that they ensure compliance in practice. This chapter examines councils' credit card management practices – how well staff members were complying with policies and procedures, and how effective their credit card controls were. The chapter is structured to cover:

  • preventative controls (embedded in the issuance, use and cancellation of cards) that prevent fraud and misuse
  • detective controls (embedded in reconciliation and record keeping) that assist in detecting fraud and misuse.

Where ineffective credit card management practices are identified, councils should reflect on whether they need to more closely monitor compliance, or whether there are fundamental deficiencies in their policies and procedures that need to be refined.

4.1 Issuance and cancellation of credit cards

When a staff member is deemed eligible to hold a credit card as per the council's policy, the council – usually the finance team – will place an order with their card issuer. As part of this process (e.g. when filling in the application form), the council has the opportunity to implement several credit card controls to mitigate the risk of misuse and fraud. These controls include:

  • setting a credit card limit to restrict how much in total the cardholder can spend within the cycle (usually monthly)
  • setting a transaction limit to restrict how much the cardholder can spend for an individual transaction
  • setting credit card blocks on some types of transactions (such as cash withdrawals) and certain types of merchants, geographical restrictions and time restrictions.

At the end of staff members' tenure, councils should promptly collect their credit cards and ensure all reconciliations are completed prior to their departures. This would prevent fraud and misuse committed by departing staff.

Credit card limits were not explicitly linked to financial delegations in five of the six councils

A council's delegation policy specifies the purchase limits for different staff, while credit card limits relate to the cap on credit card use. Credit card transaction limits should not exceed purchase limits. Shellharbour City Council was the only audited council to have set transaction limits on credit cards, but the council was one of five audited councils to not have explicitly monitored credit card transaction limits in line with financial delegations. The lack of direct linkages between credit card transaction limits and financial delegations in practice (despite being a requirement in credit card policies) increases the risk of staff members exceeding their financial delegations and remaining undetected. Penrith City Council was the only council to have aligned credit card limits with financial delegations, which is a stricter measure.

Credit card blocks were used in two of the six audited councils

Credit card blocks are a useful control to prevent credit card misuse. Nambucca Valley Council and Shellharbour City Council were the only two councils that set credit card blocks. Nambucca Valley Council had cash advance blocks in place, while Shellharbour City Council assigned one of three blocking codes to its credit cards, thereby restricting cash withdrawals along with certain types of merchants, depending on the cardholder's role. All councils should consider the use of credit card blocks, taking into account their needs and circumstances.

4.2 Controls on credit card sharing

Councils are bound by the terms and conditions set by the card issuers. Each credit card should be used only by the cardholder. Card issuers allow multiple cards to be issued under the same account, and councils should order separate cards for staff with purchasing needs.

Cardholders from all six councils advised that they had shared their credit cards with other staff members

Dubbo Regional Council's credit card policy allowed cardholders to lend their credit card to other staff members. It also allowed credit card sharing between different teams. This practice was in breach of the terms and conditions set by their credit card issuer, which stated that 'any card issued to the customer or any cardholder is for the respective cardholder's use only'. This practice also complicated credit card management, as additional steps were needed to identify the relevant manager to approve transactions during reconciliation.

Nambucca Valley Council, Penrith City Council and Shellharbour City Council prohibited credit card sharing in their policies and procedures. However, during our interviews, cardholders from all six councils described situations when they had shared their credit cards with other staff members. This raises concerns about cardholders' understanding of responsible credit card use and their liability for the transactions. In the case of Nambucca Valley Council, Penrith City Council and Shellharbour City Council, this raises concerns about cardholders' compliance with their council's credit card policies and procedures.

With credit card sharing, transaction values could exceed a purchaser's delegation if the cardholder had a higher limit

Credit card sharing enables staff members to breach their delegation if they perform transactions using a credit card with a limit higher than their own delegation. Such breaches would be difficult to identify as credit card sharing also complicates the reconciliation process. As staff members are provided with a platform to exceed their purchase limits and potentially stay undetected, credit card sharing is a risk to expenditure management.

With credit card sharing, approval lines became misaligned

If credit cards are shared outside of the cardholder's team, the reconciliation process may become flawed. First, the cardholder is not the purchaser and there are implications for the accuracy of the information provided for reconciliation. Approval lines may also become misaligned, if the system does not allow the cardholder to redirect the reconciliation to the purchaser's supervisor. In this case, the cardholder's supervisor or finance staff are unlikely to be able to identify inappropriate or unnecessary purchases without consulting with the purchaser's supervisor. This extra step involved has implications for both the timeliness and accuracy of the reconciliation.

4.3 Reconciliation of transactions

Reconciliation is a key detective control in credit card management. The purpose is to ensure transactions are business-related, linked to the correct business areas, and compliant with the council's policies. Reconciliation involves various staff members and generally follows a monthly cycle. Exhibit 16 depicts a typical reconciliation process.

Infographic showing reconciliation process
Exhibit 16: Reconciliation process
Source: Audit Office of New South Wales analysis 2020.

To assess the effectiveness of councils' reconciliation processes, the audit reviewed the reconciliation documentation of a sample of transactions from each of the six councils. Each sample covered different types of transactions during the audited period, with a focus on transactions that may raise questions concerning their business-related purpose (refer to Exhibit 9) and transactions that could be in violation of the specific council's credit card use restrictions.

Exhibit 17 provides a summary of the review of reconciliation files.

Exhibit 17: Review of selected reconciliation files for transactions 1 July 2016 to 30 June 2019
  Junee Lane Cove Nambucca Dubbo Penrith Shellharbour
Reconciliation system Manual Manual Manual Electronic Electronic Electronic
Total value of selected transactions $2,713.50 $29,733.22 $12,766.60 $33,010.01 $45,701.07 $27,634.82
Number of selected transactions 12 35 62 82 96 82
Receipt included 10 32 62 69 86 79
Cardholder sign-off 10 34 62 41* 96 82
Approver sign-off 10 32 62 35* 87 82
Checked by finance -- 33 62 -- -- 82
* Dubbo Regional Council could not retrieve some of the requested transaction records following their system migration (see Section 4.4).
Source: Audit Office of New South Wales analysis 2020.
 
Councils did not scrutinise the business-related purposes of transactions during reconciliation

Based on the selected transactions we examined, none of the six councils provided evidence to support the stated business-related purposes of transactions. Reconciliations had focused on the receipt of purchase and the description of the item purchased. While this practice may be acceptable for routine purchases, the reconciliation of transactions in certain categories (including transactions made on weekends or public holidays) warrants a review of the business-related purposes. From our review of the information provided by councils, we found that the business-related purposes of many selected transactions remained unclear. For example:

  • Why was a meal in the local council area a business-related expense?
  • How was the purchase of alcohol a business-related expense?
  • What were the 'prizes' a council purchased gift cards for?
  • Why did council staff have supermarket purchases on weekends?

Exhibit 18 provides examples of transactions that lacked adequate documentation to demonstrate a clear business-related purpose.

Exhibit 18: Transactions that lacked adequate documentation to demonstrate a clear business-related purpose

Dubbo Regional Council:

  • did not allow the use of credit cards for meals and entertainment, except under exemptions. Twenty food, coffee and entertainment-related transactions ($13,067.55) reviewed in the audit included no evidence of a business-related purpose or approved exemptions
  • had two purchases of essential oil worth $113.70 and $92.36, respectively.

Lane Cove Council:

  • had a transaction of $7,584.99 at a plumbing supplies store. The council advised that the purchase was for an emergency. However, the audit found that the reviewer approved the transaction without evidence of what items were purchased or the business-related purpose
  • had a $5,000 transaction in December 2018 for 'social club Christmas party', but the corresponding approval form was completed and authorised in January 2019. The council advised that the social club is fully funded by its members, though there is no evidence provided of this funding arrangement
  • had a $755.57 transaction at a liquor store in December 2018 for 'alcohol and soft drinks for staff Christmas'. The corresponding approval form was completed on the date of purchase but authorised in January 2019. The council advised that the social club is fully funded by its members, though there is no evidence provided of this funding arrangement
  • had a $549 transaction related to cinema tickets for its social club. The corresponding approval form contained no signature. The council advised that the social club is fully funded by its members, though there is no evidence provided of this funding arrangement
  • had a $378 purchase of wine, for the purposes of 'council meetings' and 'social club'. The council advised that the social club is fully funded by its members, though there is no evidence provided of this funding arrangement. For council meetings, the council had an annual allocated budget for 'council suppers'. However, the council advised that there was no expenditure policy for council meetings.

Penrith City Council:

  • had four transactions (total value of $367.65) for the purchase of '25 x BoozeBud 2018 Beer Advent Calendars'. None of these purchases were delivered to the council offices, and none of the delivery addresses were within the Penrith City Council area. The council advised that they were gifts given as a 'goodwill gesture'. However, there was a lack of documentation regarding approval, budget or purpose at the time of purchase and such information also was not required during reconciliation.

Shellharbour City Council:

  • had a transaction described as 'artist makeup for youth performance at Blackbutt Youth Centre' and it included 15 'bath bombs'. The council advised that there was only verbal approval for this purchase.
Source: Audit Office of New South Wales analysis 2020.
 
Councils did not provide incident details for fines paid using credit cards

Four of the six councils had used credit cards to pay for government fines. While only two councils (Lane Cove Council and Shellharbour City Council) listed fine payments as an exclusion for credit card use, all councils should handle such transactions with caution, especially in terms of seeking details of the incidents and verifying the vehicles involved (where relevant). Exhibit 19 shows issues related to the fine payment transactions we examined.

Exhibit 19: Fine payments

Lack of supporting details for fine payments

  • A cardholder at Dubbo Regional Council paid a fine of $675.69 for using an unregistered vehicle. The council did not provide evidence that the vehicle was council owned. Another cardholder paid two fines for two separate offences incurred by an operator vehicle that took place at the same time: $642.56 for not complying with mass requirements classified as substantial risk and $321.28 for not complying with loading requirements classified as minor risk. A third cardholder paid a fine of $432.72 for not complying with mass requirements for an operator vehicle, classified as minor risk. The council advised that the offences were attributed to the council and not the fault of the drivers. However, from the evidence provided by the council, only the last fine was investigated at the time of the reconciliation.
  • The only cardholder at Junee Shire Council paid a fine of $264.05 for 'not parallel park in direction of travel'. The reconciliation form listed the reason as 'fine - community transport'. The council did not record details of the vehicle or the incident in question.
  • A cardholder at Lane Cove Council paid a fine of $650.59 for not complying with mass requirements for an operator vehicle, classified as substantial risk. The use of a credit card to pay the fine was a breach of the council's credit card policy. The council advised that the offence was attributed to the council and not the fault of the driver. However, there was no evidence that the incident was investigated at the time of the reconciliation.
  • A cardholder at Penrith City Council had four transactions for fine payments. Two of these transactions were each valued at $1,656.60 and related to the same offence ('drive in T-way when not authorised') by the same vehicle but on different dates. The council identified the vehicle as an RFS vehicle. However, the council did not follow the standard procedure of forwarding the penalty notices on to RFS and this resulted in the two subsequent penalty notices (each valued at $3,746.93) for failure to nominate the responsible driver within the designated timeframe. The council advised that the cost of these fines was charged to the RFS account at the council.
Note: The amounts mentioned in this table include credit card payment fees.
Source: Audit Office of New South Wales analysis 2020.
 
Councils did not closely review travel expenses put on credit cards

Councils all allowed travel expenses to be put on credit cards, but they had different policies for the management of travel expenses. Exhibit 20 shows the issues identified in our review of travel expenses, taking into account each council's requirements.

Exhibit 20: Travel expenses

Examples of deficiency in the reconciliation of travel-related transactions

  • For Dubbo Regional Council, the audit identified a total of eight transactions ($3,609.54) related to accommodation payments between 1 July 2016 and 30 June 2019. The council did not provide any pre-approval evidence as required by their policy.
  • Nambucca Valley Council prohibited credit card transactions on third-party travel websites from 3 July 2018, but the audit identified three such transactions, for which the council did not provide an explanation.

The audit also found that the council did not consistently use the travel application form for pre-approval, the form was not part of the credit card reconciliation check, and completed forms did not always have the approver's signature. Details on the forms also did not always match the transactions. In one instance, travel was approved to depart from Newcastle but the flight booking was from Coffs Harbour. In another case, the travel approval was for conference registration only, but the receipt provided by the cardholder was for accommodation.

The audit identified one case of travelling with a spouse on a business trip, and that the portion of the spouse's accommodation and meals was paid for using a council credit card. There was no approved travel application form for the trip. Although the staff member made a reimbursement to the council, the council provided no evidence to prove what the reimbursed amount covered.

  • Penrith City Council required all travel bookings to be made by the supply officer, and accommodation or meal expenses also required prior approval. Reconciliations were based only on invoices or receipts, but not approval forms or trip details to justify the business-related purposes. The audit found that a staff member had paid for a two-night stay in a hotel in Sydney CBD from 6 May to 8 May 2018 (with associated minibar and restaurant expenses) to the value of $641, but the reason for the trip was to attend 'a meeting in Sydney on 8 May 2018'.
  • Shellharbour City Council provided evidence of pre-approval for five of the ten training or travel-related transactions we reviewed.
Source: Audit Office of New South Wales analysis 2020.
 
Councils did not closely review fuel purchases put on credit cards

For fuel purchases using credit cards, councils should request the same amount of information as they would for fuel cards (e.g. vehicle identity and mileage) to minimise the risk of fraud. Allowing staff members to pay for fuel using credit cards when fuel cards are available could complicate the monitoring of business-related fuel use and expenses.

Councils had imposed restrictions on the purchase of fuel using credit cards. Dubbo Regional Council excluded fuel purchase from credit card use, while three other councils (Lane Cove Council, Nambucca Valley Council and Shellharbour City Council) allowed fuel purchases only in emergency situations. Exhibit 21 summaries the compliance issues identified in our review of these four councils' fuel purchases put on credit cards. The audit did not review the fuel transactions by credit card holders of Junee Shire Council and Penrith City Council, as their credit card policies did not include restrictions on fuel purchases.

Exhibit 21: Fuel purchases

Lack of details to explain fuel purchases using credit cards

  • All four councils with restrictions on fuel purchases approved credit card transactions without seeking vehicle details.
  • Of the three councils that allowed fuel purchases in emergency circumstances, Lane Cove Council did not provide any explanations for the transactions identified, while Nambucca Valley Council and Shellharbour City Council cited issues using fuel cards in those situations.
Source: Audit Office of New South Wales analysis of councils' fuel card information 2020.
 
Councils did not scrutinise split transactions

The splitting of a payment into multiple smaller transactions is a practice for cardholders to stay within their authorised credit card limit and potentially avoid scrutiny. The audit found instances of split transactions in four of the six councils (Dubbo Regional Council, Nambucca Valley Council, Penrith City Council and Shellharbour City Council). Cardholders did not provide explanations for the split transactions and approvers proceeded to approve such transactions.

We found examples of transactions being split in multiples of $90, $99 and $100. In the period of review, the 'tap-and-go' limit was $100. This may indicate that cardholders had forgotten their PIN numbers; they had shared their card and the purchaser did not know the PIN number; or they had intended to stay below the threshold for other reasons.

Exhibit 22 shows the identified instances of split transactions.

Exhibit 22: Split transactions

Splitting a purchase into multiple payments (with a single receipt)

  • Dubbo Regional Council had two instances of split transactions. The first purchase of $636.68 was paid for in six transactions of $99 and one transaction of $42.68. The second purchase of $270 was paid for in three transactions of $90. The council advised that these were due to cardholders forgetting their PIN numbers. There is no evidence that the council queried the split transactions during reconciliation.
  • Nambucca Valley Council had one instance of split transactions. A single purchase of $406.74 was paid for in four transactions of $99 and one transaction of $10.74. There is no evidence that the council queried the split transactions during reconciliation.
  • Penrith City Council had two instances of split transactions. An invoice of $200 was paid for in two transactions of $100. Another purchase of $317.76 was paid for in three transactions of $99 and one transaction of $20.76. There is no evidence that the council queried the split transactions during reconciliation.

Splitting a high-quantity purchase into multiple smaller purchases (with multiple receipts)

  • Shellharbour City Council had two instances of cardholders splitting the payment for a purchase of a high quantity of items on the same day:
    • In the first instance, the cardholder made three transactions of $992.34, $948.48 and $513.69 (totalling $2,454.51 for 164 items) within nine minutes. The cardholder's transaction limit was $2,000 at the time. There is no evidence that the council queried the split transactions during reconciliation.
    • In the second instance, another cardholder made three identical transactions of $125 (totalling $375 for 15 items) within seven minutes. There is no evidence that the council queried the split transactions during reconciliation.
Source: Audit Office of New South Wales analysis 2020.
 
Supervisors may initiate credit card transactions and subsequently approve such transactions

Segregation of duties is important in the prevention of fraud and misuse. This ensures that cardholders would not approve their own transactions. Even when segregation of duties is embedded in credit card reconciliation processes, lines of duties may still be blurred when a supervisor instructs a reporting staff to purchase on the supervisor's behalf. In this scenario, the supervisor who initiates the purchase will end up approving the credit card transaction. This contravenes the principle of segregation of duties.

Five of the six councils lacked guidance on the oversight of their general manager's credit card use

Junee Shire Council's credit card policy stated the mayor's role in credit card management and the council provided evidence of the mayor's involvement in the reconciliation process. The audit found that none of the other five councils had a policy for independent reconciliation of the general manager's credit card transactions or guidance for staff on how to escalate concerns. This increases the risk of identified misuse not being reported. In line with the Guidelines for the Appointment & Oversight of General Managers (2011), councils should have policies to guide the mayor in the day-to-day oversight and management of the general manager, including their credit card use.

4.4 Record keeping

Record keeping is an essential element of councils' credit card management frameworks. It ensures that councils keep accurate and complete records, such as credit card registers, receipts and reconciliations. Effective record keeping preserves an audit trail that is essential for audits. The absence of such information would hamper compliance checks and also assessments of the effectiveness of councils' credit card management frameworks.

Five of the six councils did not maintain an accurate or up-to-date credit card register

The audit compared councils' credit card transaction data with their credit card register and found that five of the six councils had credit cards missing from the register for the audited period. The most common reason for the discrepancies was that old card numbers (e.g. cancelled or lost cards) were removed or replaced with new card numbers. This practice can lead to incomplete records and impede audits. Councils should maintain a register for all cards issued and ensure their status is kept up-to-date. Exhibit 23 shows the number of cards not on the credit card register and the reasons provided by each council.

Exhibit 23: Issues with credit card registers
Council Number of cards not on register Reasons provided by council
Dubbo Regional Council 10
  • Cancelled card
  • Card number replaced with new card number
  • Incorrect card number recorded
Lane Cove Council 9
  • Unable to explain seven of the card numbers identified
  • Card number not recorded by mistake
  • Cancelled card
Nambucca Valley Council 1
  • Card number (lost card) replaced with new card number
Penrith City Council 6
  • Incorrect card number recorded
  • Card number replaced with new card number
  • Replacement card details not updated
Shellharbour City Council 2
  • Unable to explain the card numbers identified
Source: Audit Office of New South Wales analysis 2020.
 
Five of the six councils were not able to provide records of all transactions requested for review during this audit

Referring to Exhibit 17, five of the six councils (Dubbo Regional Council, Junee Shire Council, Lane Cove Council, Penrith City Council and Shellharbour City Council) had lost records of certain transactions requested for review by the audit. Nambucca Valley Council produced all requested transaction records.

Dubbo Regional Council initially could not produce the requested records for 27 of the 82 transactions selected for review. These transactions totalled $17,885.70 in value. The council advised that the records of 20 of these transactions ($15,688.95 in total) were lost during the transition from one online purchase card reconciliation system to another, but the council had since obtained access to the previous system to extract 14 of the missing records. For the 13 records outstanding ($8,999.74 in total):

  • 3 were reservation documents but not tax invoices
  • 3 were EFTPOS receipts but not tax invoices
  • 3 were ledgers but not tax invoices
  • 2 were incorrect receipts
  • 1 was a receipt without the merchant's ABN
  • 1 was an unreadable receipt.

Junee Shire Council advised that two of the 12 transactions selected for review fell within a period where the council had no recoverable records. The two transactions were for dining valued at $367.50 and $426.50, respectively. The council used a manual reconciliation system and the folder containing copies of the relevant documentation had been misplaced.

Lane Cove Council could not produce receipts for three of the 35 transactions selected for review (totalling $172.13). The council provided no specific reasons.

Penrith City Council did not produce the receipts for ten transactions (totalling $3,029.60). Of these, three were EFTPOS receipts but not tax invoices; three were event tickets but not tax invoices, one was an incorrect receipt; one related to departed staff members who the council could not query; one was an estimate for accommodation cost, not a receipt; and in one case the council did not obtain the receipt from the cardholder.

Shellharbour City Council did not produce receipts for three of the 82 transactions selected for review (totalling $857.40). Of these transactions, two were order confirmations but not tax invoices and one was an EFTPOS receipt but not a tax invoice.

5. Dubbo Regional Council

Dubbo Regional Council had gaps in its credit card policy and procedures. It allowed cardholders to share their credit card with other staff members, which complicated credit card management, increased the risk of misuse and fraud, and breached its agreement with the credit card issuer. The council's reconciliation of credit card transactions needs to be enhanced to ensure it can review compliance with policy and detect potential misuse or fraud.

Dubbo Regional Council had 77 credit cards at the time of the audit. The council's policy on credit card sharing violated its agreement with the card issuer that each credit card should be for the respective cardholder's use only. Credit card sharing also increases the risk of misuse and fraud.

The council's credit card policy and procedures lacked clarity in several areas. The eligibility criteria were broad and there was a risk of inconsistency in granting approvals, especially since the council gave approval delegations to multiple senior staff members. The policy and procedures also lacked guidance on the reconciliation of the general manager's credit card and the management of Cabcharge.

The audit identified gaps in the council's credit card management practices. While the council had a clear policy on financial delegations, there was no evidence that credit card limits were monitored in line with financial delegations. The credit card register contained inaccurate information, and the council was also unable to provide records of certain transactions requested for review by the audit.

The council's credit card reconciliation process needs to be enhanced to enable detection of potential misuse or fraud. It did not include compliance checks or reviewing the business-related purpose of transactions. Purchases of restricted items such as fuel, meals and entertainment were not accompanied by evidence of need or exemption. Travel expenses were not checked against travel pre-approval forms. The audit also identified instances of split transactions. The council provided no evidence of the finance team's involvement in the reconciliation of credit card transactions.

Senior management oversight of credit card use was lacking, as the council did not produce reports on credit card use. There was also no evidence that the internal auditor had undertaken monitoring activities as required in the credit card policy.

Recommendations

Dubbo Regional Council should immediately:

1. amend its credit card policy to prevent cardholders from sharing their credit card with other staff.

By December 2020, Dubbo Regional Council should:

2. clarify in the credit card policy and procedures:

  • eligibility criteria for a credit card
  • reconciliation arrangements for the general manager’s credit card
  • Cabcharge management policy and procedures

3. ensure that credit card management practices include:

  • monitoring credit card limits in line with financial delegations
  • considering the use of credit card blocks
  • keeping the credit card register are up-to-date, accurate and complete
  • maintaining complete and accurate records

4. ensure reconciliation involves:

  • scrutinising business-related purposes and incident details of transactions
  • keeping a record of the finance team's review of transactions
  • reviewing transactions against travel pre-approval forms (where applicable)
  • recording vehicle details and mileage when credit cards are used in place of fuel cards
  • checking that there are no split transactions

5. ensure there is ongoing senior management oversight of credit card use

6. ensure the internal auditor undertakes monitoring activities as specified in the credit card policy.

 

5.1 Credit card use

For the period 1 July 2016 to 30 June 2019, over 50 per cent of the council's credit card transactions were in the retail category. This was followed by business services and transportation and utility services. Exhibit 24 shows the distribution of the council's credit card transactions by eight groups of merchant category codes (MCC).

Exhibit 24: Distribution of Dubbo Regional Council's number of transactions by MCC category 1 July 2016 to 30 June 2019
Exhibit 24: Distribution of Dubbo Regional Council's number of transactions by MCC category 1 July 2016 to 30 June 2019
MCC category Number of transactions % of total number Value of transactions % of total value
Retail and other stores 4,964 59.3 $745,856 36.3
Business services 998 11.9 $319,905 15.6
Transportation and utility services 865 10.3 $237,737 11.6
Professional services and membership organisations 485 5.8 $356,904 17.4
Travel 475 5.7 $242,650 11.8
Government services 325 3.9 $79,800 3.9
Contracted services 231 2.8 $63,481 3.1
Agricultural services 28 0.3 $10,676 0.5
Total 8,371 100.0 $2,057,009 100.0
Note: Data exclude bank fees but include refunds. The category 'Retail and other stores' includes hardware and computer suppliers.
Source: Audit Office of New South Wales analysis of council credit card data 2020.

6. Junee Shire Council

Junee Shire Council had gaps in its credit card policy and procedures. The council's reconciliation of credit card transactions needs to be enhanced to ensure it can review compliance with policy and detect potential misuse or fraud.

Junee Shire Council had only one credit card, held by the general manager, at the time of the audit. Staff members could seek approval from the general manager to purchase using the credit card. This raises concerns of credit card sharing, which would be a violation of the council's agreement with its credit card issuer. Credit card sharing also increases the risk of misuse and fraud.

The council had fuel cards and store cards for use by staff members. However, its credit card policy and procedures did not cover the management of these types of cards. The lack of documented rules and guidance increases the risk of misuse and fraud.

The audit identified other gaps in the council's credit card management practices:

  • the credit card limit was not monitored in line with financial delegation
  • there was a lack of targeted guidance for the approver (the mayor) in reconciliation
  • the council was unable to provide records of certain transactions requested for review by the audit
  • the council did not review its credit card policy according to schedule.

The council's credit card reconciliation process needs to be enhanced to enable detection of potential misuse or fraud. It did not include reviewing the business-related purpose of transactions. The council also provided no evidence of the finance team's involvement in the reconciliation of credit card transactions.

As the cardholder, the general manager reviewed all transactions every month. As the approver, the mayor (or deputy mayor) had to sign off on these transactions. Hence, there was sufficient management oversight of the council's credit card use. However, there was a lack of periodic review of the council's credit card use, as it was not included in the council's forward program of internal audits.

Recommendations

Junee Shire Council should immediately:

1. amend its credit card policy to prevent cardholders from sharing their credit card with other staff.

By December 2020, Junee Shire Council should:

2. clarify in the credit card policy and procedures:

  • fuel card management policy and procedures
  • store card management policy and procedures

3. ensure that credit card management practices include:

  • monitoring credit card limits in line with financial delegations
  • considering the use of credit card blocks
  • providing approvers with targeted guidance
  • maintaining complete and accurate records

4. ensure reconciliation involves:

  • scrutinising business-related purposes and incident details of transactions
  • keeping a record of the finance team's review of transactions
  • checking travel pre-approval forms (where applicable)
  • recording vehicle details and mileage when credit cards are used in place of fuel cards
  • checking that there are no split transactions

5. develop a plan for periodic reviews (e.g. internal audit) of credit card use and management

6. ensure its credit card policy and procedures are reviewed according to schedule.

 

6.1 Credit card use

For the period 1 July 2016 to 30 June 2019, over 50 per cent of the council's credit card transactions were in the retail category. This was followed by transportation and utility services, and government services. Exhibit 25 shows the distribution of the council's credit card transactions by eight groups of merchant category codes (MCC).

Pie graph showing distribution of Junee Shire Council's number of transactions by MCC category 1 July 2016 to 30 June 2019
Exhibit 25: Distribution of Junee Shire Council's number of transactions by MCC category 1 July 2016 to 30 June 2019
MCC category Number of transactions % of total number Value of transactions % of total value
Retail and other stores 437 64.9 $73,183 60.5
Transportation and utility services 87 12.9 $12,832 10.6
Government services 53 7.9 $10,278 8.5
Business services 37 5.5 $8,983 7.4
Travel 29 4.3 $9,053 7.5
Professional services and membership organisations 19 2.8 $4,309 3.6
Contracted services 11 1.6 $2,389 2.0
Agricultural services -- -- -- --
Total 673 100.0 $121,027 100.0
Note: Data exclude bank fees but include refunds. The category 'Retail and other stores' includes hardware and computer suppliers.
Source: Audit Office of New South Wales analysis of council credit card data 2020.

7. Lane Cove Council

Lane Cove Council had gaps in its credit card policy and procedures. The council's reconciliation of credit card transactions needs to be enhanced to ensure it can review compliance with policy and detect potential misuse or fraud.

Lane Cove Council had six credit cards, held by the most senior staff members, at the time of the audit. During our interviews, cardholders advised that they had shared their credit card with reporting staff. Credit card sharing is a violation of the council's agreement with its credit card issuer, and it also increases the risk of misuse and fraud.

The council's credit card policy lacked clarity in several areas. While the general manager had delegation to authorise the issue of credit cards, the policy did not specify any eligibility criteria. The policy and procedures also lacked guidance on the reconciliation of the general manager's credit card and the management of fuel cards and store cards.

The audit identified gaps in the council's credit card management practices. There was no evidence that credit card limits were monitored in line with financial delegations. The credit card register contained inaccurate information, and the council was also unable to provide records of certain transactions requested for review by the audit.

The council's credit card reconciliation process needs to be enhanced to enable detection of potential misuse or fraud. The process also did not include compliance checks or reviewing the business-related purpose of transactions. Purchases of restricted items such as fuel and fine payments were not accompanied by adequate justification. There was a lack of targeted guidance for approvers in reconciliation, and the council only evidenced the finance team's involvement in an administrative capacity (i.e. entering data into the journals).

Senior management oversight of credit card use was lacking. Although the credit card policy referred to management reporting, the council had not been producing such reports at the time of the audit. Management reporting was implemented in December 2019 following our discussions. There was a lack of periodic review of the council's credit card use, as it was not included in the council's forward program of internal audits.

The council has adopted a new Management Directive in January 2020, which has clarified the eligibility criteria for credit cards.

Recommendations

Lane Cove Council should immediately:

1. amend its credit card policy to prevent cardholders from sharing their credit card with other staff.

By December 2020, Lane Cove Council should:

2. clarify in the credit card policy and procedures:

  • reconciliation arrangements for the general manager’s credit card
  • fuel card management policy and procedures
  • store card management policy and procedures

3. ensure that credit card management practices include:

  • monitoring credit card limits in line with financial delegations
  • considering the use of credit card blocks
  • providing approvers with targeted guidance
  • keeping the credit card register up-to-date, accurate and complete
  • maintaining complete and accurate records

4. ensure reconciliation involves:

  • scrutinising business-related purposes and incident details of transactions
  • keeping a record of the finance team's review of transactions
  • checking travel pre-approval forms (where applicable)
  • recording vehicle details and mileage when credit cards are used in place of fuel cards

5. develop a plan for periodic reviews (e.g. internal audit) of credit card use and management.

 

7.1 Credit card use

For the period 1 July 2016 to 30 June 2019, nearly half of the council's credit card transactions were in the retail category. This was followed by transportation and utility services, government services, and business services. Exhibit 26 shows the distribution of the council's credit card transactions by eight groups of merchant category codes (MCC).

Pie chart showing distribution of Lane Cove Council's number of transactions by MCC category 1 July 2016 to 30 June 2019
Exhibit 26: Distribution of Lane Cove Council's number of transactions by MCC category 1 July 2016 to 30 June 2019
MCC category Number of transactions % of total number Value of transactions % of total value
Retail and other stores 1,221 46.5 $286,037 49.6
Transportation and utility services 419 16.0 $38,598 6.7
Government services 379 14.4 $125,516 21.8
Business services 334 12.7 $51,316 8.9
Professional services and membership organisations 142 5.4 $50,684 8.8
Contracted services 114 4.3 $17,944 3.1
Travel 16 0.6 $6,080 1.1
Agricultural services -- -- -- --
Total 2,625 100.0 $576,175 100.0
Note: Data exclude bank fees but include refunds. The category 'Retail and other stores' includes hardware and computer suppliers.
Source: Audit Office of New South Wales analysis of council credit card data 2020.

8. Nambucca Valley Council

Nambucca Valley Council had gaps in its credit card policy and procedures. The council's reconciliation of credit card transactions needs to be enhanced to ensure it can review compliance with policy and detect potential misuse or fraud.

Nambucca Valley Council had 37 credit cards at the time of the audit. During our interviews, cardholders described instances of credit card sharing within the council. Credit card sharing is a violation of the council's agreement with its credit card issuer, and it also increases the risk of misuse and fraud.

The council's credit card policy lacked clarity in several areas. While the general manager had delegation to authorise the issue of credit cards, the policy did not specify any eligibility criteria. The policy and procedures lacked guidance on the management of fuel cards, store cards and Cabcharge. The policy also lacked coverage of the reconciliation arrangements for the general manager's credit card as the general manager did not hold a credit card. While the policy did not preclude the mayor and the general manager from holding a credit card, both opted not to do so.

The audit identified gaps in the council's credit card management practices. There was no evidence that credit card limits were monitored in line with financial delegations. The credit card register contained inaccurate information, and there was insufficient control in handling staff departures, as the audit identified one incident where a credit card was returned after the staff member's last day.

The council's credit card reconciliation process needs to be enhanced to enable detection of potential misuse or fraud. The process also did not include adequate compliance checks or reviewing the business-related purpose of transactions. Purchases of restricted items such as fuel and the use of third-party travel websites were not accompanied by adequate justification. Travel expenses were not checked against travel pre-approval forms. The audit also identified instances of split transactions.

Senior management oversight of credit card use was insufficient, as the council had been producing reports for only one manager for his department at the time of the audit. Management reporting for the Chief Finance Officer was implemented following our discussions. There was a lack of periodic review of the council's credit card use, as it was not included in the council's forward program of internal audits.

The audit acknowledges that the council had revised its credit card procedures following our discussions to address our preliminary findings. The council has also set additional credit card blocks in response to this audit. The recommendations below contain only the outstanding items.

Recommendations

Nambucca Valley Council should immediately:

1. ensure cardholders stop sharing their credit card with other staff.

By December 2020, Nambucca Valley Council should:

2. clarify in the credit card policy and procedures:

  • reconciliation arrangements for the general manager’s credit card (should the policy continue to allow the general manager to have one)
  • fuel card management policy and procedures

3. ensure that credit card management practices include:

  • monitoring credit card limits in line with financial delegations
  • keeping the credit card register up-to-date, accurate and complete

4. ensure reconciliation involves:

  • scrutinising business-related purposes and incident details of transactions
  • checking travel pre-approval forms (where applicable)
  • recording vehicle details and mileage when credit cards are used in place of fuel cards
  • checking that there are no split transactions

5. develop a plan for periodic reviews (e.g. internal audit) of credit card use and management.

 

8.1 Credit card use

For the period 1 July 2016 to 30 June 2019, over three-quarters of the council's credit card transactions were in the retail category. Exhibit 27 shows the distribution of the council's credit card transactions by eight groups of merchant category codes (MCC), and Exhibit 31 provides the number and value of these transactions.

Pie graph showing distribution of Nambucca Valley Council's number of transactions by MCC category 1 July 2016 to 30 June 2019
Exhibit 27: Distribution of Nambucca Valley Council's number of transactions by MCC category 1 July 2016 to 30 June 2019
MCC category Number of transactions % of total number Value of transactions % of total value
Retail and other stores 1,860 78.3 $312,676 68.0
Business services 134 5.6 $44,864 9.8
Agricultural services 114 4.8 $11,258 2.5
Transportation and utility services 75 3.2 $15,335 3.3
Travel 62 2.6 $30,190 6.6
Government services 62 2.6 $13,136 2.9
Professional services and membership organisations 38 1.6 $21,061 4.6
Contracted services 30 1.3 $11,330 2.5
Total 2,375 100.0 $459,849 100.0
Note: Data exclude bank fees but include refunds. The category 'Retail and other stores' includes hardware and computer suppliers.
Source: Audit Office of New South Wales analysis of council credit card data 2020.

9. Penrith City Council

Penrith City Council had gaps in its credit card policy and procedures. The council's reconciliation of credit card transactions needs to be enhanced to ensure it can review compliance with policy and detect potential misuse or fraud.

Penrith City Council had 167 credit cards at the time of the audit. During our interviews, cardholders described instances of credit card sharing within the council. Credit card sharing is a violation of the council's agreement with its credit card issuer, and it also increases the risk of misuse and fraud.

The audit identified gaps in the council's credit card policy and procedures. There was no documented arrangement for the reconciliation of the general manager's credit card. There was also no guidance on the management of Cabcharge. The credit card register contained inaccurate information, and the council was also unable to provide records of certain transactions requested for review by the audit.

The council's credit card reconciliation process needs to be enhanced to enable detection of potential misuse or fraud. The process did not include adequate compliance checks or reviewing the business-related purpose of transactions. The council's policy required prior approval for conferences, accommodation or meal expenses. However, there was no evidence that such approvals were checked during credit card reconciliation. The audit also identified instances of split transactions.

The council implemented monthly reporting for managers in July 2019.

There was a lack of periodic review of the council's credit card use, as it was not included in the council's forward program of internal audits.

Recommendations

Penrith City Council should immediately:

1. ensure cardholders stop sharing their credit card with other staff.

By December 2020, Penrith City Council should:

2. clarify in the credit card policy and procedures

  • reconciliation arrangements for the general manager’s credit card
  • Cabcharge management policy and procedures

3. ensure that credit card management practices include:

  • considering the use of credit card blocks
  • keeping the credit card register up-to-date, accurate and complete
  • maintaining complete and accurate records

4. ensure reconciliation involves:

  • scrutinising business-related purposes and incident details of transactions
  • keeping a record of the finance team's review of transactions
  • checking travel pre-approval forms (where applicable)
  • recording vehicle details and mileage when credit cards are used in place of fuel cards
  • checking that there are no split transactions

5. develop a plan for periodic reviews (e.g. internal audit) of credit card use and management.

 

9.1 Credit card use

For the period 1 July 2016 to 30 June 2019, 85 per cent of the council's credit card transactions were in the retail category. Exhibit 28 shows the distribution of the council's credit card transactions by eight groups of merchant category codes (MCC).

Pie graph showing distribution of Penrith City Council's number of transactions by MCC category 1 July 2016 to 30 June 2019
Exhibit 28: Distribution of Penrith City Council's number of transactions by MCC category 1 July 2016 to 30 June 2019
MCC category Number of transactions % of total number Value of transactions % of total value
Retail and other stores 20,354 85.5 $2,476,200 66.6
Business services 1,383 5.8 $290,129 7.8
Government services 860 3.6 $582,067 15.7
Professional services and membership organisations 620 2.6 $234,654 6.3
Transportation and utility services 396 1.7 $68,802 1.9
Travel 114 0.5 $50,030 1.4
Contracted services 81 0.3 $14,890 0.4
Agricultural services 11 0.1 $1,569 --
Total 23,819 100.0 $3,718,341 100.0
Note: Data exclude bank fees but include refunds. The category 'Retail and other stores' includes hardware and computer suppliers.
Source: Audit Office of New South Wales analysis of council credit card data 2020.

10. Shellharbour City Council

Shellharbour City Council had gaps in its credit card policy and procedures. The council's reconciliation of credit card transactions needs to be enhanced to ensure it can review compliance with policy and detect potential misuse or fraud.

Shellharbour City Council had 65 credit cards at the time of the audit. During our interviews, cardholders described instances of credit card sharing within the council. Credit card sharing is a violation of the council's agreement with its credit card issuer, and it also increases the risk of misuse and fraud.

The council's credit card policy lacked clarity in several areas. While the general manager had delegation to authorise the issue of credit cards, the policy did not specify any eligibility criteria. The council did not align credit card limits with financial delegations, and while blocking codes were used, there was no explanation in the policy or procedures. Although the mayor and general manager's credit card transactions were reviewed during the council's monthly Executive Leadership Team meetings, the policy and procedures lacked guidance on the reconciliation of their credit cards. The council also did not have sufficiently detailed documentation for the management of fuel cards.

The audit identified gaps in the council's credit card management practices:

  • The council's training material had not been updated following the review of its credit card policy and procedures.
  • The credit card register contained inaccurate information.
  • The council was unable to provide records of certain transactions requested for review by the audit.
  • The council did not review its credit card policy according to schedule.

The council's credit card reconciliation process needs to be enhanced to enable detection of potential misuse or fraud. The process did not include compliance checks or reviewing the business-related purpose of transactions. Purchases of restricted items, such as fuel and fine payments, were not accompanied by adequate justification. The audit identified instances of split transactions, and travel or conference approval forms were also not checked during reconciliation. There was a lack of targeted guidance for approvers in reconciliation, and the council also provided no evidence of the finance team's involvement in the reconciliation of credit card transactions.

The council's Executive Leadership Team was involved in the monthly review of credit card transactions, hence there was management oversight of credit card use. However, there was a lack of periodic review of the council's credit card use, as it was not included in the council's forward program of internal audits.

Recommendations

Shellharbour City Council should immediately:

1. ensure cardholders stop sharing their credit card with other staff.

By December 2020, Shellharbour City Council should:

2. clarify in the credit card policy and procedures:

  • eligibility criteria for a credit card
  • the use of blocking codes
  • reconciliation arrangements for the general manager’s credit card
  • fuel card management policy and procedures (with more details)

3. ensure that credit card management practices include:

  • monitoring credit card limits in line with financial delegations
  • providing approvers with targeted guidance
  • keeping the credit card register up-to-date, accurate and complete
  • maintaining complete and accurate records
  • updating the training material to reflect the latest policy and procedures

4. ensure reconciliation involves:

  • scrutinising business-related purposes and incident details of transactions
  • keeping a record of the finance team's review of transactions
  • checking travel pre-approval forms (where applicable)
  • recording vehicle details and mileage when credit cards are used in place of fuel cards
  • ensuring no split transactions

5. develop a plan for periodic reviews (e.g. internal audit) of credit card use and management

6. ensure its credit card policy and procedures are reviewed according to schedule.

10.1 Credit card use

For the period 1 July 2016 to 30 June 2019, nearly three-quarters the council's credit card transactions were in the retail category. This was followed by business services and transportation and utility services. Exhibit 29 shows the distribution of the council's credit card transactions by eight groups of merchant category codes (MCC).

Pie graph showing distribution of Shellharbour City Council's number of transactions by MCC category 1 July 2016 to 30 June 2019
Exhibit 29: Distribution of Shellharbour City Council's number of transactions by MCC category 1 July 2016 to 30 June 2019
MCC category Number of transactions % of total number Value of transactions % of total value
Retail and other stores 5,360 73.0 $987,512 58.4
Business services 628 8.6 $208,411 12.3
Transportation and utility services 509 6.9 $73,425 4.3
Professional services and membership organisations 386 5.3 $212,131 12.6
Government services 228 3.1 $146,144 8.7
Contracted services 157 2.1 $34,231 2.0
Travel 61 0.8 $21,729 1.3
Agricultural services 11 0.2 $6,363 0.4
Total 7,340 100.0 $1,689,946 100.0
Note: Data exclude bank fees but include refunds. The category 'Retail and other stores' includes hardware and computer suppliers.
Source: Audit Office of New South Wales analysis of council credit card data 2020.

Appendices

Appendix one – Responses from councils and the Department of Planning, Industry and Environment

Appendix two – About the audit

Appendix three – Performance auditing

 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #340 - released 3 September 2020