Media release
The Auditor-General for New South Wales, Margaret Crawford, released a report today examining credit card management in Local Government.
The audit was in response to a letter from the then Minister for Local Government in November 2018. The audit assessed the effectiveness of credit card management practices in six councils, including in the areas of policies, procedures, compliance and monitoring.
The audit found that all six councils had gaps in their credit card policies and procedures. The Auditor-General recommended that the Department of Planning, Industry and Environment publish guidelines on credit card management for the Local Government sector. The report also generated insights for the Local Government sector with respect to credit card management.
Executive summary
In 2018–19, all councils responding to an Audit Office survey (representing over 90 per cent of the sector) indicated they issued credit cards to staff members to make work-related purchases. As there are no sector-wide requirements or policies for credit card use and management in Local Government, councils have developed their credit card management frameworks to suit their own needs. The quality of credit card policies and procedures may therefore vary across the sector.
Credit cards are an efficient means of payment, especially for low-value purchases. Compared to the use of petty cash, credit card transactions provide better transparency and accountability for expenditure. By using credit cards, councils only need to make one payment each month, which can reduce the time spent on paying separate vendors, as in the case of purchase orders.
This audit assessed the effectiveness of credit card management practices in six councils: Dubbo Regional Council, Junee Shire Council, Lane Cove Council, Nambucca Valley Council, Penrith City Council and Shellharbour City Council. The councils selected represent a mix of rural, regional and metropolitan councils. They were also among the top ten users of credit cards within their geographical classification, in terms of the number of credit cards issued or the number of transactions per credit card.
This audit referenced the NSW Treasury's Policy and Guidelines Paper TPP17–09 'Use and Management of NSW Government Purchasing Cards', as its principles and recommendations for NSW Government agencies are relevant for councils.
The Audit Office of New South Wales Report on Local Government 2019 provided a high-level overview of credit card management across the sector. While over 90 per cent of councils reported that they had a credit card policy and a credit card acquittal process, the quality of these policies and procedures may vary across the sector as there is no standardised or recommended approach to credit card management for Local Government. This audit complements the Report on Local Government 2019 by providing a detailed discussion of the effectiveness of credit card management practices in councils.
Audit conclusion
All six audited councils had important gaps in their credit card policies and procedures. Their reconciliation of credit card transactions needs to be enhanced to enable detection of potential misuse or fraud.
The audit found important gaps in each of the six audited councils' credit card management practices. Their policies and procedures covered the essential aspects of credit card use and management, but a lack of coverage or clarity in some areas could lead to inconsistent and inappropriate use of credit cards. These areas included: eligibility to hold a credit card, aligning credit card limits with financial delegations, and the reconciliation procedures.
While all six councils conducted reconciliations of credit card transactions, the processes need to be enhanced to enable detection of potential misuse or fraud. Reconciliations had focused solely on verifying receipts, and did not require evidence of business-related purposes, even for transactions such as alcohol purchases or spending at entertainment venues. Five of the six councils also did not include compliance checks in their reconciliation process, such as checking that purchases were not for restricted items.
The level of senior management involvement in monitoring credit card use varied across the six councils. Three of the six councils did not generate regular reports for management oversight. Five of the six councils had no plans for internal audits or targeted reviews of credit card management and use.
1. Key findings from the six audited councils
All six councils had policies and procedures covering a range of essential components such as eligibility to hold a credit card, credit limits, restrictions on use, reconciliation processes, and roles and responsibilities. However, the audit found that the policies and procedures lacked clarity or detail in different aspects, which may raise transparency and consistency concerns. Gaps identified in more than one council included:
- a lack of criteria for eligibility assessment
- a lack of explicit alignment between credit card limits and financial delegations
- a lack of documented procedures for the reconciliation of the general manager's credit card transactions
- a lack of policy and procedures for all types of cards used by the council.
Across all six councils, reconciliation had focused on checking the receipts of the items purchased and the descriptions of the items provided by cardholders. The audit found that none of the six councils included the verification of business-related purposes as part of their reconciliation of credit card transactions. The reconciliation processes at the time of the audit were therefore not sufficient to identify potential misuse or fraud.
Five of the six councils (Dubbo Regional Council, Lane Cove Council, Nambucca Valley Council, Penrith City Council and Shellharbour City Council) also did not check compliance of credit card transactions against policy. This included: a lack of verification of travel expenses against the pre-approved amounts and a lack of justification provided by staff when they had used their credit card in restricted categories (e.g. fuel purchases and fine payments).
Management reporting is a detective control in terms of identifying credit card misuse or fraud. While none of the six councils had management reporting on credit card use at the time of the audit, three of them (Junee Shire Council, Nambucca Valley Council and Shellharbour City Council) had alternative arrangements that provided sufficient senior management oversight. For instance, Junee Shire Council and Shellharbour City Council involved their general manager in the monthly review of credit card transactions, while Nambucca Valley Council had monthly reports generated for one department and was in the process of expanding the scope of the report for monitoring by the CFO.
Dubbo Regional Council's credit card policy allowed card sharing. This practice was a breach of the council's agreement with its card issuer. This practice also complicated credit card management, as additional steps were needed to identify the correct manager to approve transactions during reconciliation. This could make it difficult to identify the purchaser if an unauthorised purchase was made. This also raised the risk that purchasers could exceed their financial delegations if the cardholder had a higher credit card limit.
Nambucca Valley Council, Penrith City Council and Shellharbour City Council prohibited credit card sharing in their policies and procedures. However, during our interviews, cardholders from all six councils described situations when they had shared their credit cards with other staff members. This raises concerns about cardholders' understanding of responsible credit card use and their liability for the transactions. In the case of Nambucca Valley Council, Penrith City Council and Shellharbour City Council, this raises concerns about cardholders' compliance with their council's credit card policies and procedures.
Guidance and training serve as preventative controls, as they ensure staff members are aware of their obligations and the council's policies and procedures. While none of the six councils provided mandatory credit card training, they all required each cardholder to sign a statement of responsibility to acknowledge their understanding and acceptance of the terms and conditions associated with using the council credit card. They also provided guidance to cardholders on reconciliation. However, only Dubbo Regional Council, Nambucca Valley Council, Penrith City Council and Shellharbour City Council provided approvers with targeted guidance.
Only Nambucca Valley Council was able to provide the records for all transactions requested for review by the audit, but its credit card register was incomplete. The reasons that the other five councils gave for not providing all transaction records included:
- records were lost during system migration
- documentation had been misplaced
- the correct receipts, or other supporting evidence, were not collected from cardholders.
These issues raise concerns regarding the completeness and accuracy of records for monitoring and review purposes.
Only Junee Shire Council had a complete credit card register for the audited period. For the other five councils, the audit found discrepancies between the credit card register and the credit cards identified in our transaction data analysis. Two of these councils (Lane Cove Council and Shellharbour City Council) were unable to explain some of the card numbers identified. For others, reasons included:
- incorrect card numbers recorded
- card numbers replaced with new card numbers
- cancelled cards missing from the record.
This raises concerns regarding the monitoring of credit cards issued to staff members.
Credit card use provides operational efficiency when councils have to pay for a high volume of low-value routine purchases. The audit found that all six councils had used credit cards mostly for transactions valued at up to $100, and the highest volume of transactions was in retail stores across all six councils.
Insights for the Local Government sector
In November 2018, the then-Minister for Local Government wrote to the Auditor-General requesting an audit of credit card management in the Local Government sector. The audit aims to identify trends, good practice and performance improvement opportunities for all councils in New South Wales.
Policies and procedures | A documented approach to managing credit cards ensures transparency and consistency of use within the council. A typical credit card management framework comprises policies and procedures, guidance for staff, monitoring and reporting arrangements, periodic reviews, and record keeping requirements. An effective framework also contains preventative and detective controls that can minimise risks of fraud and misuse. 'Credit cards' come in different forms, all of which have risks that need to be addressed. While the term 'credit cards' is commonly associated with corporate cards, charge cards and purchasing cards, products such as fuel cards, vendor cards and Cabcharge (FASTCARDs or eTickets) also provide cardholders access to council funds. As such, councils need to have a documented management policy and procedures for these products. Credit card sharing between staff (including delegating the use of a card to another staff member) is a breach of agreement with the credit card issuer. It is a practice that complicates credit card management, especially in terms of ensuring accountability for purchases. Councils need to ensure that credit cards are used only by the approved cardholder. |
Reconciliation and compliance | Effective credit card management requires both a clear management framework and efforts to ensure compliance. Regular compliance checks are essential to ensure staff members routinely adhere to the council's policy and procedures for every component of the credit card management framework. Good record keeping, which includes maintaining an accurate and up-to-date credit card register, supports effective credit card management practices. Reconciliation of credit card transactions is a process that should extend beyond checking that each transaction is supported by a relevant receipt. As credit cards provide access to council funds, which should be spent only in the public interest, reconciliation of credit card transactions should involve a verification of the business-related purpose for each transaction. This is particularly important for transactions in categories that may not have an obvious business-related purpose. Reconciliation processes need to also include compliance checks against the council's credit card use policy. |
Monitoring, reporting and review | To ensure accountability and transparency, councils need to have monitoring and reporting arrangements in place. Such arrangements may include tracking the level of credit card use, ensuring compliance against credit card use policy, and detecting potential misuse and fraud. As credit card products evolve and new risks emerge over time, councils need to also assess the ongoing relevance and effectiveness of controls. |
2. Recommendation
By June 2021, the Department of Planning, Industry and Environment should publish guidelines on credit card management for the Local Government sector.
1. Introduction
1.1 Background
In 2018–19, all councils responding to an Audit Office survey (representing over 90 per cent of the sector) indicated they issued credit cards to staff members to make work-related purchases. Such purchases include general consumables, minor plant and equipment, hospitality and travel. If used as intended, credit cards can be a more efficient method of processing routine and low-value transactions. For instance, by making credit card payments on a monthly cycle, councils can reduce the time spent on paying separate vendors every month, thereby reducing administrative costs.
The NSW Treasury's Policy and Guidelines Paper TPP17–09 'Use and Management of NSW Government Purchasing Cards' (TPP17–09) notes that the benefits of using credit cards include significant savings over traditional purchase-to-pay processes and enhanced capability to track and monitor expenditure. In particular, credit cards can serve as an alternative to petty cash transactions, and the audit trail provided by credit cards helps to improve transparency and accountability for expenditure.
Credit cards come in various forms such as corporate cards, charge cards and purchasing cards; they are all referred to as 'credit cards' in this report. The scope of this audit also includes vendor cards (e.g. store cards, fuel cards and Cabcharge FASTCARDs) and credit vouchers (e.g. Cabcharge eTickets).
1.2 Importance of effective credit card management
Credit cards provide access to council funds, hence they must be used and monitored in the public interest. While the use of credit cards provides a clearer audit trail than cash transactions, it is nevertheless subject to risks of misuse and fraud, which may be committed by cardholders, merchants or fraudsters. It is important that councils effectively manage credit card use, minimise the risk of misuse and fraud, and ensure the intended benefits are realised.
Councils in New South Wales must comply with the Local Government Act 1993 (the Act) and the Local Government (General) Regulation 2005 (the Regulation). The following provisions of the Act and Regulation are relevant for the use and management of credit cards:
- Section 8A (2)(e) of the Act requires councils' decision-making to be transparent and decision-makers to be accountable for decisions and omissions.
- Section 8B of the Act requires councils to apply principles of sound financial management.
- Section 202(a) of the Regulation requires responsible accounting officers to establish and maintain a system of budgetary control that will enable the council’s actual income and expenditure to be monitored each month and to be compared with the estimate of the council’s income and expenditure.
- Section 207(2) of the Regulation requires responsible accounting officers to ensure that the accounting records are kept up-to-date and in an accessible form.
- Section 207(3)(e) of the Regulation requires responsible accounting officers to take all reasonable measures to ensure that appropriate budgeting and accounting systems (including internal control systems) are established and maintained for the purposes of the council.
- Section 209(b) of the Regulation requires general managers to ensure that effective measures are taken to secure the effective, efficient and economical management of financial operations within each division of the council administration.
- Section 209(c) of the Regulation requires general managers to ensure that authorising and recording procedures are established to provide effective control over the council’s expenditure and ensure the accuracy of accounting records, including a proper division of accounting responsibilities among the council's staff.
Effective credit card management is underpinned by an understanding of the risks involved in the use of credit cards. Exhibit 1 shows the common risks of misuse and fraud, how controls can mitigate such risks, and that a credit card management system involves different areas of a council.
Referring to Exhibit 1, an effective credit card management framework would help to ensure:
- risks related to credit card use are identified
- appropriate controls are in place to prevent and detect misuse or fraud
- roles and responsibilities are clear.
1.3 Overview of credit card management in councils
The Audit Office of New South Wales Report on Local Government 2019 reported that most councils had credit card policies and processes in place. The sector-level summary of credit card management is provided in Exhibit 2.
Credit card management | % |
Council has a periodic credit card acquittal process, which requires cardholders to provide receipts or other supporting documentation | 98 |
Credit card reconciliations are reviewed by an appropriate delegated authority | 94 |
Credit card reconciliations are reviewed in a timely manner | 93 |
Council has a corporate credit card policy | 92 |
New cardholder is required to sign the agreement of terms of use | 87 |
Corporate credit card policy is current | 82 |
All councils must maintain effective internal control systems in accordance with the Regulation. While 92 per cent of councils reported that they had a credit card policy and 98 per cent had a periodic credit card acquittal process, the quality of these policies and procedures may vary across the sector as there is no standardised or recommended approach to credit card management for Local Government.
1.4 About the audit
This audit assessed the effectiveness of credit card management practices in six councils. A mix of councils from metropolitan, regional and rural areas enabled the audit to examine a range of credit card management practices that also reflect different council sizes, structures, priorities and levels of resources. The audit covered the period 1 July 2016 to 30 June 2019.
The selected councils for this audit were: Dubbo Regional Council, Junee Shire Council, Lane Cove Council, Nambucca Valley Council, Penrith City Council and Shellharbour City Council. They were among the top ten users of credit cards within their geographical classification during the audited period, based on the number of credit cards issued or the number of transactions per credit card.
The audit assessed the audit objective against the following criteria:
- Do councils have an effective governance framework for credit cards including but not limited to the following:
  - clear criteria for eligibility to hold a credit card
  - clearly defined roles and responsibilities relating to credit card use and management
  - defined delegation limits and restrictions on use
  - clear requirements for approval, acquittal, authorisation of expenditure, reconciliation of transactions and segregation of duties?
- Do councils have effective controls to prevent and detect misuse within their credit card management framework?
- Do councils effectively educate their staff on credit card use and management?
- Do councils have effective record keeping?
In the absence of a recognised credit card management framework for Local Government, the audit used the framework applicable to NSW Government agencies: TPP17–09 'Use and Management of NSW Government Purchasing Cards' (PCards). The principles and recommendations in TPP17–09 are applicable to Local Government, including the core requirements that:
- the agency head is ultimately responsible for the proper management and administration of PCards within the agency
- cardholders understand and are accountable for the responsible use of PCards.
The purpose of this audit was not to specifically detect fraud or seek to exclude the possibility of any fraud in the councils examined. Rather, the audit examined the effectiveness of policy, systems and processes to manage credit cards in the selected councils.
More information about the audit is provided in Appendix two.
2. Credit card use
Council staff provided with a credit card can purchase from a wide range of businesses, including online transactions with overseas vendors. However, councils may limit the types of purchases that staff can make through their policies and procedures or by setting controls that block certain transaction types such as cash advances. To examine credit card usage, the audit obtained credit card transaction data from 1 July 2016 to 30 June 2019 for the six councils in this review. The data included:
- transaction date
- amount
- merchant category code (MCC)
- merchant name.
The audit analysed the number and value of transactions by each council, and the types of purchases made using credit cards.
2.1 Level of credit card use
Councils had different levels of credit card use and the variation between councils reflects differences in council characteristics, number of cards issued and their intended use. For example, Junee Shire Council had no more than two credit cards issued at a time, while Penrith City Council had 164 credit cards issued at the time of the audit (see Chapter 3 for details of the differences).
A relatively lower level of credit card use does not necessarily mean lower expenditure by a council, as there are other means of payment available such as purchase orders and petty cash. The purpose of examining the number of transactions and total spend is to provide context for the subsequent assessment of councils' credit card management practices.
Despite the differences in number of transactions and total spend, credit card use across the six councils followed a similar trend; that is, an increase on both measures from 2016–17 to 2018–19. Exhibits 3 and 4 show each of the six audited councils' annual number of credit card transactions and total spend, respectively.
Source: Audit Office of New South Wales analysis of council credit card data 2020.
Average spend per transaction either decreased or held steady in the six councils over the period. Exhibit 5 shows the average spend per transaction in each of the three years examined.
Source: Audit Office of New South Wales analysis of council credit card data 2020.
Council staff used credit cards most frequently for low-value purchases. Transactions valued at up to $100 accounted for over 50 per cent of the total number of transactions for all six councils. In contrast, transactions valued at $1,000 and over made up less than five per cent of the total number of transactions for each of the six councils. Exhibit 6 provides an overview of low-value and high-value transactions in the three years combined.
Measure | Dubbo | Junee | Lane Cove | Nambucca | Penrith | Shellharbour |
Number of transactions up to $100 | 4,604 | 390 | 1,323 | 1,395 | 12,810 | 3,983 |
Percentage of total transactions | 55.73% | 58.91% | 53.69% | 59.19% | 53.78% | 55.64% |
Number of transactions $1,000 and over | 402 | 10 | 86 | 82 | 296 | 243 |
Percentage of total transactions | 4.87% | 1.51% | 3.49% | 3.48% | 1.24% | 3.39% |
Lowest transaction value | $0.01 | $0.07 | $0.46 | $0.52 | $0.09 | $0.10 |
Highest transaction value* | $13,076 | $2,693 | $7,585 | $4,184 | $19,298 | $37,976 |
Note: Data exclude bank fees and refunds.
Source: Audit Office of New South Wales analysis of council credit card data 2020.
Council staff members used their credit cards mostly on weekdays. The number of credit card transactions on weekdays was spread evenly from Monday to Friday for each of the six councils. Some transactions took place on Saturdays and Sundays. While these weekend transactions likely supported council operations, they may raise questions concerning their business-related purpose as they were incurred outside of the standard working week. As such, it is particularly important that cardholders provide evidence of the business-related purposes and their supervisors closely scrutinise such transactions. This is discussed in more detail in Chapter 4.
To illustrate the pattern of credit card use, Exhibit 7 shows the distribution of transactions (in terms of percentage of total number of transactions) by day of the week.
Source: Audit Office of New South Wales analysis of council credit card data 2020.
2.2 Types of credit card purchases
The merchant category code (MCC) is a four-digit number that identifies a vendor's primary line of business. In this context it should be noted that some vendors have multiple lines of business, and the MCC only refers to what the vendor has registered as its primary line of business.
This audit has grouped several thousand MCCs into the following eight categories:
- MCC 0001–1499 Agricultural services
- MCC 1500–2999 Contracted services
- MCC 3000–3999 Travel
- MCC 4000–4999 Transportation and utility services
- MCC 5000–7299 Retail and other stores
- MCC 7300–7999 Business services
- MCC 8000–8999 Professional services and membership organisations
- MCC 9000–9999 Government services.
Travel is distinguished from transportation, as travel expenses tend to require prior approvals. 'Travel' includes airlines, car rental and lodging. 'Transportation' covers a range of items such as local transport, road tolls and travel agencies.
'Retail and other stores' is a broad category that captures a wide range of businesses. Examples include: hardware stores, supermarkets, dining and catering, motor vehicle suppliers and parts, speciality and safety clothing, electronics and computer software, books and office supplies.
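The grouping above, combined with the value bands and weekend screening described in section 2.1, as an added example that is not the Audit Office's own analysis code. It assumes each record carries the four fields the audit obtained, uses constructed sample transactions, and treats non-positive amounts as refunds to be excluded.

```python
from collections import Counter
from datetime import date
from decimal import Decimal

# The audit's eight MCC groupings: (lowest code, highest code, category).
MCC_CATEGORIES = [
    (1, 1499, "Agricultural services"),
    (1500, 2999, "Contracted services"),
    (3000, 3999, "Travel"),
    (4000, 4999, "Transportation and utility services"),
    (5000, 7299, "Retail and other stores"),
    (7300, 7999, "Business services"),
    (8000, 8999, "Professional services and membership organisations"),
    (9000, 9999, "Government services"),
]

LOW_VALUE = Decimal("100")    # "up to $100"
HIGH_VALUE = Decimal("1000")  # "$1,000 and over"


def mcc_category(mcc):
    """Return the audit category for a four-digit MCC string, or None."""
    if not (isinstance(mcc, str) and len(mcc) == 4
            and mcc.isascii() and mcc.isdigit()):
        return None
    code = int(mcc)
    for low, high, name in MCC_CATEGORIES:
        if low <= code <= high:
            return name
    return None  # "0000" sits outside every range


def summarise(transactions):
    """Count transactions by category and value band, and list the ones
    a reviewer should look at first (weekend or unclassifiable MCC)."""
    # Assumption: a non-positive amount is a refund and is left out,
    # mirroring the note that the audit data exclude refunds.
    counted = [t for t in transactions if t["amount"] > 0]
    total = len(counted)

    def pct(n):
        return round(100 * n / total, 2) if total else 0.0

    by_category = Counter(
        mcc_category(t["mcc"]) or "Unclassified" for t in counted
    )
    low = sum(1 for t in counted if t["amount"] <= LOW_VALUE)
    high = sum(1 for t in counted if t["amount"] >= HIGH_VALUE)
    # date.weekday(): Monday is 0, so Saturday and Sunday are 5 and 6.
    weekend = [t for t in counted if t["date"].weekday() >= 5]
    unclassified = [t for t in counted if mcc_category(t["mcc"]) is None]
    return {
        "total": total,
        "by_category": dict(by_category),
        "pct_up_to_100": pct(low),
        "pct_1000_and_over": pct(high),
        "weekend": weekend,
        "unclassified": unclassified,
    }


# Constructed sample records (merchant names and values are made up).
SAMPLE = [
    {"date": date(2019, 3, 4), "amount": Decimal("42.10"),
     "mcc": "5251", "merchant": "EXAMPLE STORE A"},
    {"date": date(2019, 3, 9), "amount": Decimal("86.00"),
     "mcc": "5812", "merchant": "EXAMPLE STORE B"},      # a Saturday
    {"date": date(2019, 3, 12), "amount": Decimal("1250.00"),
     "mcc": "3000", "merchant": "EXAMPLE CARRIER"},
    {"date": date(2019, 3, 13), "amount": Decimal("-86.00"),
     "mcc": "5812", "merchant": "EXAMPLE STORE B"},      # refund
    {"date": date(2019, 3, 14), "amount": Decimal("15.00"),
     "mcc": "0000", "merchant": "EXAMPLE UNKNOWN"},      # no category
    {"date": date(2019, 3, 17), "amount": Decimal("310.00"),
     "mcc": "7399", "merchant": "EXAMPLE SERVICES"},     # a Sunday
]

if __name__ == "__main__":
    report = summarise(SAMPLE)
    for key in ("total", "by_category", "pct_up_to_100", "pct_1000_and_over"):
        print(key, report[key])
    for t in report["weekend"]:
        print("weekend:", t["date"], t["merchant"], t["amount"])
    for t in report["unclassified"]:
        print("unclassified MCC:", t["mcc"], t["merchant"])
```

Weekend and unclassified transactions are surfaced for a reviewer to request evidence of business-related purpose; being listed does not by itself indicate a policy breach.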
For the period 1 July 2016 to 30 June 2019, retail and other stores made up over three-quarters of all transactions by staff members of Nambucca Valley Council and Penrith City Council. This category also accounted for over half of all transactions by staff members of Dubbo Regional Council, Junee Shire Council and Shellharbour City Council.
Exhibit 8 shows the breakdown of the number of credit card transactions by MCC category for each of the six councils.
Source: Audit Office of New South Wales analysis of council credit card data 2020.
The audit considered a number of MCCs to be types of transactions that may raise questions concerning their business-related purpose, although they may not be contrary to council policies. There may also be perceived personal gains through such transactions. As such, it is especially important that cardholders provide evidence of the business-related purposes of these transactions. This is discussed in more detail in Chapter 4.
Exhibit 9 shows the number and amount each council spent on the following types of transactions during the audited period:
- dining and catering
- alcohol (liquor stores)
- entertainment
- government fines (of all kinds).
Source: Audit Office of New South Wales analysis of council credit card data 2020.
3. Credit card management frameworks
The existence of a documented approach to managing credit cards ensures transparency and consistency of use within the council. A credit card management framework that contains preventative and detective controls can also minimise risks of fraud, misuse and wastage.
There is no prescribed credit card management framework for Local Government, but typical components of a credit card management framework include:
- policies and procedures
- guidance for staff
- monitoring and reporting.
With no detailed guidance notes similar to those in TPP17–09 for NSW Government, councils have developed their own credit card management framework based on their size, structure, resources and intended credit card usage. For instance, the size of a council has implications for the number of credit cards issued, which in turn influences the arrangements for training and guidance provided to cardholders and approvers.
The intended level of credit card usage may determine whether a council adopts a manual or electronic credit card management system and councils should identify the system that best meets their needs. For instance, a council with few credit cards may not be able to justify investment in an electronic system. On the other hand, a manual system may only be viable for councils with a low number of credit cards and a low number of transactions.
Among the six councils audited, the three councils with fewer cards and a lower number of transactions had a manual credit card management system, while the three councils with more cards and a higher number of transactions used an electronic system.
Exhibit 10 summarises the six councils' policies on use of credit cards.
Council | Audit Office classification | Number of staff (full-time equivalent) | Number of credit cards issued (current at August 2019) | Policy on credit card use |
Dubbo Regional Council | Regional | 453 | 77 | Purchase cards are used for official council business up to $5,000 and the policy allows cardholders to delegate the use of their purchase cards to other staff members. |
Junee Shire Council | Rural | 71 | 1 | Corporate credit cards are for council business activities and minor purchases where a purchase order is not accepted. Items that can be purchased via a purchase order should not be purchased on a corporate credit card. |
Lane Cove Council | Metropolitan | 192 | 6 | Corporate credit cards are for official council business, but should not be used when there is an alternative form of payment that aligns with the council's purchasing process. |
Nambucca Valley Council | Rural | 110 | 37 | Purchase cards are used for the payment of goods and services associated with council businesses. |
Penrith City Council | Metropolitan | 1,031 | 167 | Purchase cards are used for ‘low value and low risk procurement of goods and services’, while corporate cards are held by senior staff for ‘non-routine low value work related purchases’. |
Shellharbour City Council | Regional | 372 | 65 | Credit cards are for purchases up to $9,999 and the preferred payment method for transactions under $1,000. |
3.1 Policies and procedures
For the purposes of this audit, we expected an effective credit card management framework would include clear policies and procedures about the council's approach to credit card management and provide guidance to its staff. Policies and procedures can serve as preventative controls, as they standardise practice within a council and in turn prevent errors, inconsistency and inappropriate use. Councils should also proactively ensure policies and procedures are up-to-date in terms of capturing the changing features of credit card products, addressing emerging risks, ensuring controls remain relevant and effective, and promoting compliance.
With no official guidelines or templates for the Local Government sector, councils develop their own credit card policies and procedures. Minimum requirements for NSW Government agencies are stipulated in TPP17–09.
Exhibit 11 shows the criteria used in this audit when assessing councils' credit card policies and procedures.
Audit assessment criteria | Examples of key elements |
Clear criteria for eligibility to hold a credit card | |
Clearly defined roles and responsibilities relating to credit card use and management | |
Defined delegation limits and restrictions on use | |
Clear requirements for approval, acquittal, authorisation of expenditure, reconciliation of transactions and segregation of duties | |
Councils should also ensure that their policies and procedures address the different types of cards used in the council, such as fuel cards, vendor cards, Cabcharge FASTCARDs and Cabcharge eTickets. This practice ensures the different processes and associated risks are captured, and relevant monitoring and controls are implemented.
All six councils had credit card policies and procedures in place, but there were gaps in addressing the key elements. The common gaps were:
- while the general manager (or senior staff) had delegation to authorise the issue of credit cards, the policy did not explicitly state the eligibility criteria to ensure consistency (Dubbo Regional Council, Lane Cove Council, Nambucca Valley Council and Shellharbour City Council)
- the general manager (or mayor) was authorised to determine credit limits, but there was no stated requirement to align credit limits with financial delegations (Junee Shire Council, Lane Cove Council, Nambucca Valley Council and Shellharbour City Council)
- policies and procedures did not cover the reconciliation process of the general manager and mayor's credit cards (Dubbo Regional Council, Lane Cove Council, Nambucca Valley Council, Penrith City Council and Shellharbour City Council).
The audit identified two effective approaches to setting clear criteria for eligibility to hold a credit card and they are shown in Exhibit 12.
Junee Shire Council
Penrith City Council
While all six councils reported having a regular review schedule for their credit card policies and procedures, the audit found that two councils did not follow their review schedules. Junee Shire Council's latest Corporate Credit Card Policy was adopted in June 2015 and was scheduled to be reviewed every two years, but no such review has taken place. Shellharbour City Council's Corporate Credit Cards Operational Policy was due for review in August 2014, but the review did not take place until February 2018 when it was replaced by the Procurement Policy. While policy reviews do not always result in substantial changes, it is important that councils undertake regular reviews to ensure their policies and procedures are up-to-date and reflect the needs of the council.
In the audited councils, fuel cards were issued for leaseback, novated lease, council-owned or Rural Fire Services vehicles. In the case of leaseback and novated lease vehicles, the use of fuel cards can be linked to remuneration packages or allow varying degrees of personal use. Regardless of the agreement on fuel use, each council should have documented policies and procedures for the management of fuel cards. Exhibit 13 provides an overview of the six audited councils' fuel card management frameworks.
Council | Number of fuel cards | Fuel card register | Policy for fuel card use | Fuel card procedures |
Dubbo Regional Council | 191 | Yes | Yes | Yes |
Junee Shire Council | 15 | Yes | No | No |
Lane Cove Council | 64 | Yes | No | No |
Nambucca Valley Council | 85 | Yes | No | No |
Penrith City Council | 204 | Yes | Yes | Yes |
Shellharbour City Council | 215 | Yes | No* | No* |
Source: Audit Office of New South Wales analysis of councils' fuel card information 2020.
All six councils maintained a fuel card register that listed the cards issued. However, only two councils (Dubbo Regional Council and Penrith City Council) had fuel card policies and procedures that provided guidance to staff on their use. While Shellharbour City Council's policies and procedures lacked detail, three other councils (Junee Shire Council, Lane Cove Council and Nambucca Valley Council) did not have such documents in place.
As in the case for credit cards, there are no specific guidelines on fuel card management for Local Government. Councils should develop policies and procedures that reflect their needs, with the objective of minimising the risk of fraud and misuse. Exhibit 14 provides a case study of Dubbo Regional Council's approach to fuel card management which was distinct from the other five councils audited.
Dubbo Regional Council's fuel card management
During the period 1 July 2016 to 30 June 2019, Dubbo Regional Council had 238 Cabcharge transactions, Penrith City Council had 163 and Nambucca Valley Council had 19. Penrith City Council and Nambucca Valley Council explained their Cabcharge management practices to the Audit Office via email, but they did not have such information in the form of documented policies and procedures. Junee Shire Council, Lane Cove Council and Shellharbour City Council reported no Cabcharge use during the audited period.
Lane Cove Council reported eight Bunnings store cards, while Junee Shire Council reported three Bunnings store cards and Nambucca Valley Council reported three Nambucca Co-op Green Cards. None of these three councils had documented policies or procedures for the management of store cards, and also none of them maintained store card registers.
Junee Shire Council advised that their credit card policy would be amended to cover store cards. Nambucca Valley Council advised that usage of their Green Cards was shared among staff members and managed by their Creditor Clerk, but these arrangements were not documented at the time of the audit.
Dubbo Regional Council, Penrith City Council and Shellharbour City Council reported no store card use during the audited period.
3.2 Guidance for staff
Guidance for staff is an important component of any credit card management framework. It serves as a preventative control, as it ensures staff members are aware of the council's policies and procedures, thereby standardising practices and preventing misuse. One of the key objectives is to ensure all cardholders have a clear understanding that they are accountable for the credit card issued for their use.
Guidance may be provided through a combination of policies, procedures and training. In some cases, policies and procedures alone may be sufficient as guidance for staff. Where training is offered, contents should be consistent with the council's relevant policies and procedures. At a state government level, TPP17–09 includes the requirement that cardholders sign a statement of responsibility to acknowledge their responsibilities with respect to the use and management of their PCards.
Reconciliation is a process that involves cardholders, designated approvers and the finance team. Councils should ensure sufficient guidance is provided not just to cardholders but also to their approvers whose roles include:
- ensuring correct receipts are provided by cardholders
- verifying receipts against the amounts incurred
- verifying purchases against business needs
- ensuring the timeliness of reconciliation reviews
- being familiar with the systems
- escalating issues in the case of inconsistencies, potential misuse or fraud.
While none of the six councils provided mandatory credit card training, they all required each cardholder to sign a statement of responsibility to acknowledge their understanding and acceptance of the terms and conditions associated with using the council credit card.
In credit card management, reconciliation is an important detective control that can identify potential misuse and fraud. Hence, it is critical that councils ensure reconciliations are regularly and consistently performed in line with policies and procedures. All six councils provided such guidance, but in different forms:
- Dubbo Regional Council had a manual explaining the electronic reconciliation system.
- Junee Shire Council had a reconciliation template as an attachment to the credit card policy.
- Lane Cove Council had a reconciliation template with instructions.
- Nambucca Valley Council had a Purchasing Card Reconciliation and Approval Manual.
- Penrith City Council had a Cardholder Guide with details of its electronic reconciliation system. The council also conducted training on reconciliation, with separate presentations for corporate cards and purchase cards.
- Shellharbour City Council had training material (including coverage of reconciliation) but it was dated May 2014 and the council had since revised its credit card management policy and procedures.
Providing approvers with targeted instructions may improve reconciliation timeliness and strengthen the function of reconciliation as a detective control. Such guidance is important even for approvers who themselves have credit cards, as there are differences between the roles of cardholders and approvers. The audit found that four of the six councils provided approvers with targeted guidance:
- Dubbo Regional Council had a manual explaining the electronic reconciliation system.
- Nambucca Valley Council had a Purchasing Card Reconciliation and Approval Manual.
- Penrith City Council had an Approver Guide with details of its electronic reconciliation system.
- Shellharbour City Council had a Procedure Manual explaining the electronic reconciliation system.
3.3 Monitoring, reporting and review
After a staff member is issued with a credit card, the council should continue to monitor their ongoing needs. For example, if there is an extended period where the cardholder has performed no transactions, the council may reassess whether this staff member has a justified need to hold a credit card in order to minimise any unnecessary costs such as credit card annual fees and administrative work related to credit card management.
Councils need monitoring and reporting arrangements in place in order to:
- track the level of credit card use
- ensure compliance against credit card use policy
- detect potential misuse and fraud
- assess the ongoing relevance and effectiveness of controls.
The latter is particularly important as credit card products evolve and new risks emerge over time. Different types of monitoring, reporting and review should be conducted at different intervals – some ongoing and some less frequent. Exhibit 15 shows some examples of monitoring, reporting and review.
The involvement of senior management in monitoring credit card use varied across the six councils. In Junee Shire Council, the general manager was involved in the reconciliation process by reviewing all transactions and signing off as cardholder. In Shellharbour City Council, the executive leadership team reviewed and discussed the council's credit card transactions at its monthly meetings. In Nambucca Valley Council, credit card reports had been generated for a manager of a specific business area, and at the time of the audit, the council was implementing regular council-wide credit card reports for its chief financial officer. Dubbo Regional Council, Lane Cove Council and Penrith City Council did not generate specific credit card reports during the audited period.
Councils should ensure controls remain effective over time, especially in light of emerging risks associated with financial products. Regular internal audits help to monitor and test existing controls and identify areas of improvement. Credit card management was last audited in February 2016 for Lane Cove Council and in April 2009 for Penrith City Council.
Dubbo Regional Council was the only council to have credit card management in their forward program of internal audits. The council's credit card policy described its internal auditor as having a key role in ‘ensuring the integrity of the systems, policies, processes and procedures in place’, which also included ‘an audit on Purchase Card controls as part of a regular pattern of review.’ However, there was no evidence that the internal auditor had undertaken such monitoring activities.
4. Credit card management practices
While it is important for councils to have an established credit card management framework, it is equally important that they ensure compliance in practice. This chapter examines councils' credit card management practices – how well staff members were complying with policies and procedures, and how effective their credit card controls were. The chapter is structured to cover:
- preventative controls (embedded in the issuance, use and cancellation of cards) that prevent fraud and misuse
- detective controls (embedded in reconciliation and record keeping) that assist in detecting fraud and misuse.
Where ineffective credit card management practices are identified, councils should reflect on whether they need to more closely monitor compliance, or whether there are fundamental deficiencies in their policies and procedures that need to be refined.
4.1 Issuance and cancellation of credit cards
When a staff member is deemed eligible to hold a credit card as per the council's policy, the council – usually the finance team – will place an order with their card issuer. As part of this process (e.g. when filling in the application form), the council has the opportunity to implement several credit card controls to mitigate the risk of misuse and fraud. These controls include:
- setting a credit card limit to restrict how much in total the cardholder can spend within the cycle (usually monthly)
- setting a transaction limit to restrict how much the cardholder can spend for an individual transaction
- setting credit card blocks on some types of transactions (such as cash withdrawals) and certain types of merchants, geographical restrictions and time restrictions.
At the end of staff members' tenure, councils should promptly collect their credit cards and ensure all reconciliations are completed prior to their departures. This would prevent fraud and misuse committed by departing staff.
A council's delegation policy specifies the purchase limits for different staff, while credit card limits relate to the cap on credit card use. Credit card transaction limits should not exceed purchase limits. Shellharbour City Council was the only audited council to have set transaction limits on credit cards, but the council was one of five audited councils to not have explicitly monitored credit card transaction limits in line with financial delegations. The lack of direct linkages between credit card transaction limits and financial delegations in practice (despite being a requirement in credit card policies) increases the risk of staff members exceeding their financial delegations and remaining undetected. Penrith City Council was the only council to have aligned credit card limits with financial delegations, which is a stricter measure.
Credit card blocks are a useful control to prevent credit card misuse. Nambucca Valley Council and Shellharbour City Council were the only two councils that set credit card blocks. Nambucca Valley Council had cash advance blocks in place, while Shellharbour City Council assigned one of three blocking codes to its credit cards, thereby restricting cash withdrawals along with certain types of merchants, depending on the cardholder's role. All councils should consider the use of credit card blocks, taking into account their needs and circumstances.
4.2 Controls on credit card sharing
Councils are bound by the terms and conditions set by the card issuers. Each credit card should be used only by the cardholder. Card issuers allow multiple cards to be issued under the same account, and councils should order separate cards for staff with purchasing needs.
Dubbo Regional Council's credit card policy allowed cardholders to lend their credit card to other staff members. It also allowed credit card sharing between different teams. This practice was in breach of the terms and conditions set by their credit card issuer, which stated that 'any card issued to the customer or any cardholder is for the respective cardholder's use only'. This practice also complicated credit card management, as additional steps were needed to identify the relevant manager to approve transactions during reconciliation.
Nambucca Valley Council, Penrith City Council and Shellharbour City Council prohibited credit card sharing in their policies and procedures. However, during our interviews, cardholders from all six councils described situations when they had shared their credit cards with other staff members. This raises concerns about cardholders' understanding of responsible credit card use and their liability for the transactions. In the case of Nambucca Valley Council, Penrith City Council and Shellharbour City Council, this raises concerns about cardholders' compliance with their council's credit card policies and procedures.
Credit card sharing enables staff members to breach their delegation if they perform transactions using a credit card with a limit higher than their own delegation. Such breaches would be difficult to identify as credit card sharing also complicates the reconciliation process. As staff members are provided with a platform to exceed their purchase limits and potentially stay undetected, credit card sharing is a risk to expenditure management.
If credit cards are shared outside of the cardholder's team, the reconciliation process may become flawed. First, the cardholder is not the purchaser and there are implications for the accuracy of the information provided for reconciliation. Approval lines may also become misaligned, if the system does not allow the cardholder to redirect the reconciliation to the purchaser's supervisor. In this case, the cardholder's supervisor or finance staff are unlikely to be able to identify inappropriate or unnecessary purchases without consulting with the purchaser's supervisor. This extra step involved has implications for both the timeliness and accuracy of the reconciliation.
4.3 Reconciliation of transactions
Reconciliation is a key detective control in credit card management. The purpose is to ensure transactions are business-related, linked to the correct business areas, and compliant with the council's policies. Reconciliation involves various staff members and generally follows a monthly cycle. Exhibit 16 depicts a typical reconciliation process.
To assess the effectiveness of councils' reconciliation processes, the audit reviewed the reconciliation documentation of a sample of transactions from each of the six councils. Each sample covered different types of transactions during the audited period, with a focus on transactions that may raise questions concerning their business-related purpose (refer to Exhibit 9) and transactions that could be in violation of the specific council's credit card use restrictions.
Exhibit 17 provides a summary of the review of reconciliation files.
Council | Junee | Lane Cove | Nambucca | Dubbo | Penrith | Shellharbour |
Reconciliation system | Manual | Manual | Manual | Electronic | Electronic | Electronic |
Total value of selected transactions | $2,713.50 | $29,733.22 | $12,766.60 | $33,010.01 | $45,701.07 | $27,634.82 |
Number of selected transactions | 12 | 35 | 62 | 82 | 96 | 82 |
Receipt included | 10 | 32 | 62 | 69 | 86 | 79 |
Cardholder sign-off | 10 | 34 | 62 | 41* | 96 | 82 |
Approver sign-off | 10 | 32 | 62 | 35* | 87 | 82 |
Checked by finance | -- | 33 | 62 | -- | -- | 82 |
Source: Audit Office of New South Wales analysis 2020.
Based on the selected transactions we examined, none of the six councils provided evidence to support the stated business-related purposes of transactions. Reconciliations had focused on the receipt of purchase and the description of the item purchased. While this practice may be acceptable for routine purchases, the reconciliation of transactions in certain categories (including transactions made on weekends or public holidays) warrants a review of the business-related purposes. From our review of the information provided by councils, we found that the business-related purposes of many selected transactions remained unclear. For example:
- Why was a meal in the local council area a business-related expense?
- How was the purchase of alcohol a business-related expense?
- What were the 'prizes' a council purchased gift cards for?
- Why did council staff have supermarket purchases on weekends?
Exhibit 18 provides examples of transactions that lacked adequate documentation to demonstrate a clear business-related purpose.
Dubbo Regional Council:
Lane Cove Council:
Penrith City Council:
Shellharbour City Council:
Four of the six councils had used credit cards to pay for government fines. While only two councils (Lane Cove Council and Shellharbour City Council) listed fine payments as an exclusion for credit card use, all councils should handle such transactions with caution, especially in terms of seeking details of the incidents and verifying the vehicles involved (where relevant). Exhibit 19 shows issues related to the fine payment transactions we examined.
Lack of supporting details for fine payments
Source: Audit Office of New South Wales analysis 2020.
Councils all allowed travel expenses to be put on credit cards, but they had different policies for the management of travel expenses. Exhibit 20 shows the issues identified in our review of travel expenses, taking into account each council's requirements.
Examples of deficiency in the reconciliation of travel-related transactions
The audit also found that the council did not consistently use the travel application form for pre-approval, the form was not part of the credit card reconciliation check, and completed forms did not always have the approver's signature. Details on the forms also did not always match the transactions. In one instance, travel was approved to depart from Newcastle but the flight booking was from Coffs Harbour. In another case, the travel approval was for conference registration only, but the receipt provided by the cardholder was for accommodation. The audit identified one case of travelling with a spouse on a business trip, and that the portion of the spouse's accommodation and meals was paid for using a council credit card. There was no approved travel application form for the trip. Although the staff member made a reimbursement to the council, the council provided no evidence to prove what the reimbursed amount covered.
For fuel purchases using credit cards, councils should request the same amount of information as they would for fuel cards (e.g. vehicle identity and mileage) to minimise the risk of fraud. Allowing staff members to pay for fuel using credit cards when fuel cards are available could complicate the monitoring of business-related fuel use and expenses.
Councils had imposed restrictions on the purchase of fuel using credit cards. Dubbo Regional Council excluded fuel purchase from credit card use, while three other councils (Lane Cove Council, Nambucca Valley Council and Shellharbour City Council) allowed fuel purchases only in emergency situations. Exhibit 21 summarises the compliance issues identified in our review of these four councils' fuel purchases put on credit cards. The audit did not review the fuel transactions by credit card holders of Junee Shire Council and Penrith City Council, as their credit card policies did not include restrictions on fuel purchases.
Lack of details to explain fuel purchases using credit cards
Splitting a payment into multiple smaller transactions is a practice that allows cardholders to stay within their authorised credit card limit and potentially avoid scrutiny. The audit found instances of split transactions in four of the six councils (Dubbo Regional Council, Nambucca Valley Council, Penrith City Council and Shellharbour City Council). Cardholders did not provide explanations for the split transactions and approvers proceeded to approve such transactions.
We found examples of transactions being split in multiples of $90, $99 and $100. In the period of review, the 'tap-and-go' limit was $100. This may indicate that cardholders had forgotten their PIN numbers; they had shared their card and the purchaser did not know the PIN number; or they had intended to stay below the threshold for other reasons.
Exhibit 22 shows the identified instances of split transactions.
Splitting a purchase into multiple payments (with a single receipt)
Splitting a high-quantity purchase into multiple smaller purchases (with multiple receipts)
Segregation of duties is important in the prevention of fraud and misuse. It ensures that cardholders do not approve their own transactions. Even when segregation of duties is embedded in credit card reconciliation processes, lines of duties may still be blurred when a supervisor instructs a reporting staff member to make a purchase on the supervisor's behalf. In this scenario, the supervisor who initiates the purchase will end up approving the credit card transaction. This contravenes the principle of segregation of duties.
Junee Shire Council's credit card policy stated the mayor's role in credit card management and the council provided evidence of the mayor's involvement in the reconciliation process. The audit found that none of the other five councils had a policy for independent reconciliation of the general manager's credit card transactions or guidance for staff on how to escalate concerns. This increases the risk of identified misuse not being reported. In line with the Guidelines for the Appointment & Oversight of General Managers (2011), councils should have policies to guide the mayor in the day-to-day oversight and management of the general manager, including their credit card use.
4.4 Record keeping
Record keeping is an essential element of councils' credit card management frameworks. It ensures that councils keep accurate and complete records, such as credit card registers, receipts and reconciliations. Effective record keeping preserves an audit trail that is essential for audits. The absence of such information would hamper compliance checks and also assessments of the effectiveness of councils' credit card management frameworks.
The audit compared councils' credit card transaction data with their credit card register and found that five of the six councils had credit cards missing from the register for the audited period. The most common reason for the discrepancies was that old card numbers (e.g. cancelled or lost cards) were removed or replaced with new card numbers. This practice can lead to incomplete records and impede audits. Councils should maintain a register for all cards issued and ensure their status is kept up-to-date. Exhibit 23 shows the number of cards not on the credit card register and the reasons provided by each council.
Council | Number of cards not on register | Reasons provided by council |
Dubbo Regional Council | 10 | |
Lane Cove Council | 9 | |
Nambucca Valley Council | 1 | |
Penrith City Council | 6 | |
Shellharbour City Council | 2 | |
Referring to Exhibit 17, five of the six councils (Dubbo Regional Council, Junee Shire Council, Lane Cove Council, Penrith City Council and Shellharbour City Council) had lost records of certain transactions requested for review by the audit. Nambucca Valley Council produced all requested transaction records.
Dubbo Regional Council initially could not produce the requested records for 27 of the 82 transactions selected for review. These transactions totalled $17,885.70 in value. The council advised that the records of 20 of these transactions ($15,688.95 in total) were lost during the transition from one online purchase card reconciliation system to another, but the council had since obtained access to the previous system to extract 14 of the missing records. For the 13 records outstanding ($8,999.74 in total):
- 3 were reservation documents but not tax invoices
- 3 were EFTPOS receipts but not tax invoices
- 3 were ledgers but not tax invoices
- 2 were incorrect receipts
- 1 was a receipt without the merchant's ABN
- 1 was an unreadable receipt.
Junee Shire Council advised that two of the 12 transactions selected for review fell within a period where the council had no recoverable records. The two transactions were for dining valued at $367.50 and $426.50, respectively. The council used a manual reconciliation system and the folder containing copies of the relevant documentation had been misplaced.
Lane Cove Council could not produce receipts for three of the 35 transactions selected for review (totalling $172.13). The council provided no specific reasons.
Penrith City Council did not produce the receipts for ten transactions (totalling $3,029.60). Of these, three were EFTPOS receipts but not tax invoices; three were event tickets but not tax invoices; one was an incorrect receipt; one related to departed staff members whom the council could not query; one was an estimate for accommodation cost, not a receipt; and in one case the council did not obtain the receipt from the cardholder.
Shellharbour City Council did not produce receipts for three of the 82 transactions selected for review (totalling $857.40). Of these transactions, two were order confirmations but not tax invoices and one was an EFTPOS receipt but not a tax invoice.
5. Dubbo Regional Council
Dubbo Regional Council had gaps in its credit card policy and procedures. It allowed cardholders to share their credit card with other staff members, which complicated credit card management, increased the risk of misuse and fraud, and breached its agreement with the credit card issuer. The council's reconciliation of credit card transactions needs to be enhanced to ensure it can review compliance with policy and detect potential misuse or fraud.
Dubbo Regional Council had 77 credit cards at the time of the audit. The council's policy on credit card sharing violated its agreement with the card issuer that each credit card should be for the respective cardholder's use only. Credit card sharing also increases the risk of misuse and fraud.
The council's credit card policy and procedures lacked clarity in several areas. The eligibility criteria were broad and there was a risk of inconsistency in granting approvals, especially since the council gave approval delegations to multiple senior staff members. The policy and procedures also lacked guidance on the reconciliation of the general manager's credit card and the management of Cabcharge.
The audit identified gaps in the council's credit card management practices. While the council had a clear policy on financial delegations, there was no evidence that credit card limits were monitored in line with financial delegations. The credit card register contained inaccurate information, and the council was also unable to provide records of certain transactions requested for review by the audit.
The council's credit card reconciliation process needs to be enhanced to enable detection of potential misuse or fraud. It did not include compliance checks or reviewing the business-related purpose of transactions. Purchases of restricted items such as fuel, meals and entertainment were not accompanied by evidence of need or exemption. Travel expenses were not checked against travel pre-approval forms. The audit also identified instances of split transactions. The council provided no evidence of the finance team's involvement in the reconciliation of credit card transactions.
Senior management oversight of credit card use was lacking, as the council did not produce reports on credit card use. There was also no evidence that the internal auditor had undertaken monitoring activities as required in the credit card policy.
Recommendations
Dubbo Regional Council should immediately:
1. amend its credit card policy to prevent cardholders from sharing their credit card with other staff.
By December 2020, Dubbo Regional Council should:
2. clarify in the credit card policy and procedures:
3. ensure that credit card management practices include:
4. ensure reconciliation involves:
5. ensure there is ongoing senior management oversight of credit card use
6. ensure the internal auditor undertakes monitoring activities as specified in the credit card policy.
5.1 Credit card use
For the period 1 July 2016 to 30 June 2019, over 50 per cent of the council's credit card transactions were in the retail category. This was followed by business services and transportation and utility services. Exhibit 24 shows the distribution of the council's credit card transactions by eight groups of merchant category codes (MCC).
MCC category | Number of transactions | % of total number | Value of transactions | % of total value |
Retail and other stores | 4,964 | 59.3 | $745,856 | 36.3 |
Business services | 998 | 11.9 | $319,905 | 15.6 |
Transportation and utility services | 865 | 10.3 | $237,737 | 11.6 |
Professional services and membership organisations | 485 | 5.8 | $356,904 | 17.4 |
Travel | 475 | 5.7 | $242,650 | 11.8 |
Government services | 325 | 3.9 | $79,800 | 3.9 |
Contracted services | 231 | 2.8 | $63,481 | 3.1 |
Agricultural services | 28 | 0.3 | $10,676 | 0.5 |
Total | 8,371 | 100.0 | $2,057,009 | 100.0 |
Source: Audit Office of New South Wales analysis of council credit card data 2020.
6. Junee Shire Council
Junee Shire Council had gaps in its credit card policy and procedures. The council's reconciliation of credit card transactions needs to be enhanced to ensure it can review compliance with policy and detect potential misuse or fraud.
Junee Shire Council had only one credit card, held by the general manager, at the time of the audit. Staff members could seek approval from the general manager to purchase using the credit card. This raises concerns of credit card sharing, which would be a violation of the council's agreement with its credit card issuer. Credit card sharing also increases the risk of misuse and fraud.
The council had fuel cards and store cards for use by staff members. However, its credit card policy and procedures did not cover the management of these types of cards. The lack of documented rules and guidance increases the risk of misuse and fraud.
The audit identified other gaps in the council's credit card management practices:
The council's credit card reconciliation process needs to be enhanced to enable detection of potential misuse or fraud. It did not include reviewing the business-related purpose of transactions. The council also provided no evidence of the finance team's involvement in the reconciliation of credit card transactions.
As the cardholder, the general manager reviewed all transactions every month. As the approver, the mayor (or deputy mayor) had to sign off on these transactions. Hence, there was sufficient management oversight of the council's credit card use. However, there was a lack of periodic review of the council's credit card use, as it was not included in the council's forward program of internal audits.
Recommendations
Junee Shire Council should immediately:
1. amend its credit card policy to prevent cardholders from sharing their credit card with other staff.
By December 2020, Junee Shire Council should:
2. clarify in the credit card policy and procedures:
3. ensure that credit card management practices include:
4. ensure reconciliation involves:
5. develop a plan for periodic reviews (e.g. internal audit) of credit card use and management
6. ensure its credit card policy and procedures are reviewed according to schedule.
6.1 Credit card use
For the period 1 July 2016 to 30 June 2019, over 50 per cent of the council's credit card transactions were in the retail category. This was followed by transportation and utility services, and government services. Exhibit 25 shows the distribution of the council's credit card transactions by eight groups of merchant category codes (MCC).
MCC category | Number of transactions | % of total number | Value of transactions | % of total value |
Retail and other stores | 437 | 64.9 | $73,183 | 60.5 |
Transportation and utility services | 87 | 12.9 | $12,832 | 10.6 |
Government services | 53 | 7.9 | $10,278 | 8.5 |
Business services | 37 | 5.5 | $8,983 | 7.4 |
Travel | 29 | 4.3 | $9,053 | 7.5 |
Professional services and membership organisations | 19 | 2.8 | $4,309 | 3.6 |
Contracted services | 11 | 1.6 | $2,389 | 2.0 |
Agricultural services | -- | -- | -- | -- |
Total | 673 | 100.0 | $121,027 | 100.0 |
Source: Audit Office of New South Wales analysis of council credit card data 2020.
7. Lane Cove Council
Lane Cove Council had gaps in its credit card policy and procedures. The council's reconciliation of credit card transactions needs to be enhanced to ensure it can review compliance with policy and detect potential misuse or fraud.
Lane Cove Council had six credit cards, held by the most senior staff members, at the time of the audit. During our interviews, cardholders advised that they had shared their credit card with reporting staff. Credit card sharing is a violation of the council's agreement with its credit card issuer, and it also increases the risk of misuse and fraud.
The council's credit card policy lacked clarity in several areas. While the general manager had delegation to authorise the issue of credit cards, the policy did not specify any eligibility criteria. The policy and procedures also lacked guidance on the reconciliation of the general manager's credit card and the management of fuel cards and store cards.
The audit identified gaps in the council's credit card management practices. There was no evidence that credit card limits were monitored in line with financial delegations. The credit card register contained inaccurate information, and the council was also unable to provide records of certain transactions requested for review by the audit.
The council's credit card reconciliation process needs to be enhanced to enable detection of potential misuse or fraud. The process also did not include compliance checks or reviewing the business-related purpose of transactions. Purchases of restricted items such as fuel and fine payments were not accompanied by adequate justification. There was a lack of targeted guidance for approvers in reconciliation, and the council only evidenced the finance team's involvement in an administrative capacity (i.e. entering data into the journals).
Senior management oversight of credit card use was lacking. Although the credit card policy referred to management reporting, the council had not been producing such reports at the time of the audit. Management reporting was implemented in December 2019 following our discussions. There was a lack of periodic review of the council's credit card use, as it was not included in the council's forward program of internal audits.
The council has adopted a new Management Directive in January 2020, which has clarified the eligibility criteria for credit cards.
Recommendations
Lane Cove Council should immediately:
1. amend its credit card policy to prevent cardholders from sharing their credit card with other staff.
By December 2020, Lane Cove Council should:
2. clarify in the credit card policy and procedures:
3. ensure that credit card management practices include:
4. ensure reconciliation involves:
5. develop a plan for periodic reviews (e.g. internal audit) of credit card use and management.
7.1 Credit card use
For the period 1 July 2016 to 30 June 2019, nearly half of the council's credit card transactions were in the retail category. This was followed by transportation and utility services, government services, and business services. Exhibit 26 shows the distribution of the council's credit card transactions by eight groups of merchant category codes (MCC).
MCC category | Number of transactions | % of total number | Value of transactions | % of total value |
Retail and other stores | 1,221 | 46.5 | $286,037 | 49.6 |
Transportation and utility services | 419 | 16.0 | $38,598 | 6.7 |
Government services | 379 | 14.4 | $125,516 | 21.8 |
Business services | 334 | 12.7 | $51,316 | 8.9 |
Professional services and membership organisations | 142 | 5.4 | $50,684 | 8.8 |
Contracted services | 114 | 4.3 | $17,944 | 3.1 |
Travel | 16 | 0.6 | $6,080 | 1.1 |
Agricultural services | -- | -- | -- | -- |
Total | 2,625 | 100.0 | $576,175 | 100.0 |
Source: Audit Office of New South Wales analysis of council credit card data 2020.
8. Nambucca Valley Council
Nambucca Valley Council had gaps in its credit card policy and procedures. The council's reconciliation of credit card transactions needs to be enhanced to ensure it can review compliance with policy and detect potential misuse or fraud.
Nambucca Valley Council had 37 credit cards at the time of the audit. During our interviews, cardholders described instances of credit card sharing within the council. Credit card sharing is a violation of the council's agreement with its credit card issuer, and it also increases the risk of misuse and fraud.
The council's credit card policy lacked clarity in several areas. While the general manager had delegation to authorise the issue of credit cards, the policy did not specify any eligibility criteria. The policy and procedures lacked guidance on the management of fuel cards, store cards and Cabcharge. The policy also lacked coverage of the reconciliation arrangements for the general manager's credit card as the general manager did not hold a credit card. While the policy did not preclude the mayor and the general manager from holding a credit card, both opted not to do so.
The audit identified gaps in the council's credit card management practices. There was no evidence that credit card limits were monitored in line with financial delegations. The credit card register contained inaccurate information, and there was insufficient control in handling staff departures, as the audit identified one incident where a credit card was returned after the staff member's last day.
The council's credit card reconciliation process needs to be enhanced to enable detection of potential misuse or fraud. The process also did not include adequate compliance checks or reviewing the business-related purpose of transactions. Purchases of restricted items such as fuel and the use of third-party travel websites were not accompanied by adequate justification. Travel expenses were not checked against travel pre-approval forms. The audit also identified instances of split transactions.
Senior management oversight of credit card use was insufficient, as the council had been producing reports for only one manager for his department at the time of the audit. Management reporting for the Chief Finance Officer was implemented following our discussions. There was a lack of periodic review of the council's credit card use, as it was not included in the council's forward program of internal audits.
The audit acknowledges that the council had revised its credit card procedures following our discussions to address our preliminary findings. The council has also set additional credit card blocks in response to this audit. The recommendations below contain only the outstanding items.
Recommendations
Nambucca Valley Council should immediately:
1. ensure cardholders stop sharing their credit card with other staff.
By December 2020, Nambucca Valley Council should:
2. clarify in the credit card policy and procedures:
3. ensure that credit card management practices include:
4. ensure reconciliation involves:
5. develop a plan for periodic reviews (e.g. internal audit) of credit card use and management.
8.1 Credit card use
For the period 1 July 2016 to 30 June 2019, over three-quarters of the council's credit card transactions were in the retail category. Exhibit 27 shows the distribution of the council's credit card transactions by eight groups of merchant category codes (MCC), and Exhibit 31 provides the number and value of these transactions.
MCC category | Number of transactions | % of total number | Value of transactions | % of total value |
Retail and other stores | 1,860 | 78.3 | $312,676 | 68.0 |
Business services | 134 | 5.6 | $44,864 | 9.8 |
Agricultural services | 114 | 4.8 | $11,258 | 2.5 |
Transportation and utility services | 75 | 3.2 | $15,335 | 3.3 |
Travel | 62 | 2.6 | $30,190 | 6.6 |
Government services | 62 | 2.6 | $13,136 | 2.9 |
Professional services and membership organisations | 38 | 1.6 | $21,061 | 4.6 |
Contracted services | 30 | 1.3 | $11,330 | 2.5 |
Total | 2,375 | 100.0 | $459,849 | 100.0 |
Source: Audit Office of New South Wales analysis of council credit card data 2020.
9. Penrith City Council
Penrith City Council had gaps in its credit card policy and procedures. The council's reconciliation of credit card transactions needs to be enhanced to ensure it can review compliance with policy and detect potential misuse or fraud.
Penrith City Council had 167 credit cards at the time of the audit. During our interviews, cardholders described instances of credit card sharing within the council. Credit card sharing is a violation of the council's agreement with its credit card issuer, and it also increases the risk of misuse and fraud.
The audit identified gaps in the council's credit card policy and procedures. There was no documented arrangement for the reconciliation of the general manager's credit card. There was also no guidance on the management of Cabcharge. The credit card register contained inaccurate information, and the council was also unable to provide records of certain transactions requested for review by the audit.
The council's credit card reconciliation process needs to be enhanced to enable detection of potential misuse or fraud. The process did not include adequate compliance checks or reviewing the business-related purpose of transactions. The council's policy required prior approval for conferences, accommodation or meal expenses. However, there was no evidence that such approvals were checked during credit card reconciliation. The audit also identified instances of split transactions.
The council implemented monthly reporting for managers in July 2019. There was a lack of periodic review of the council's credit card use, as it was not included in the council's forward program of internal audits.
Recommendations
Penrith City Council should immediately:
1. ensure cardholders stop sharing their credit card with other staff.
By December 2020, Penrith City Council should:
2. clarify in the credit card policy and procedures:
3. ensure that credit card management practices include:
4. ensure reconciliation involves:
5. develop a plan for periodic reviews (e.g. internal audit) of credit card use and management.
9.1 Credit card use
For the period 1 July 2016 to 30 June 2019, 85 per cent of the council's credit card transactions were in the retail category. Exhibit 28 shows the distribution of the council's credit card transactions by eight groups of merchant category codes (MCC).
MCC category | Number of transactions | % of total number | Value of transactions | % of total value |
Retail and other stores | 20,354 | 85.5 | $2,476,200 | 66.6 |
Business services | 1,383 | 5.8 | $290,129 | 7.8 |
Government services | 860 | 3.6 | $582,067 | 15.7 |
Professional services and membership organisations | 620 | 2.6 | $234,654 | 6.3 |
Transportation and utility services | 396 | 1.7 | $68,802 | 1.9 |
Travel | 114 | 0.5 | $50,030 | 1.4 |
Contracted services | 81 | 0.3 | $14,890 | 0.4 |
Agricultural services | 11 | 0.1 | $1,569 | -- |
Total | 23,819 | 100.0 | $3,718,341 | 100.0 |
Source: Audit Office of New South Wales analysis of council credit card data 2020.
10. Shellharbour City Council
Shellharbour City Council had gaps in its credit card policy and procedures. The council's reconciliation of credit card transactions needs to be enhanced to ensure it can review compliance with policy and detect potential misuse or fraud.
Shellharbour City Council had 65 credit cards at the time of the audit. During our interviews, cardholders described instances of credit card sharing within the council. Credit card sharing is a violation of the council's agreement with its credit card issuer, and it also increases the risk of misuse and fraud.
The council's credit card policy lacked clarity in several areas. While the general manager had delegation to authorise the issue of credit cards, the policy did not specify any eligibility criteria. The council did not align credit card limits with financial delegations, and while blocking codes were used, there was no explanation in the policy or procedures. Although the mayor and general manager's credit card transactions were reviewed during the council's monthly Executive Leadership Team meetings, the policy and procedures lacked guidance on the reconciliation of their credit cards. The council also did not have sufficiently detailed documentation for the management of fuel cards.
The audit identified gaps in the council's credit card management practices:
The council's credit card reconciliation process needs to be enhanced to enable detection of potential misuse or fraud. The process did not include compliance checks or reviewing the business-related purpose of transactions. Purchases of restricted items, such as fuel and fine payments, were not accompanied by adequate justification. The audit identified instances of split transactions, and travel or conference approval forms were also not checked during reconciliation. There was a lack of targeted guidance for approvers in reconciliation, and the council also provided no evidence of the finance team's involvement in the reconciliation of credit card transactions.
The council's Executive Leadership Team was involved in the monthly review of credit card transactions, hence there was management oversight of credit card use. However, there was a lack of periodic review of the council's credit card use, as it was not included in the council's forward program of internal audits.
Recommendations
Shellharbour City Council should immediately:
1. ensure cardholders stop sharing their credit card with other staff.
By December 2020, Shellharbour City Council should:
2. clarify in the credit card policy and procedures:
3. ensure that credit card management practices include:
4. ensure reconciliation involves:
5. develop a plan for periodic reviews (e.g. internal audit) of credit card use and management
6. ensure its credit card policy and procedures are reviewed according to schedule.
10.1 Credit card use
For the period 1 July 2016 to 30 June 2019, nearly three-quarters of the council's credit card transactions were in the retail category. This was followed by business services and transportation and utility services. Exhibit 29 shows the distribution of the council's credit card transactions by eight groups of merchant category codes (MCC).
MCC category | Number of transactions | % of total number | Value of transactions | % of total value |
Retail and other stores | 5,360 | 73.0 | $987,512 | 58.4 |
Business services | 628 | 8.6 | $208,411 | 12.3 |
Transportation and utility services | 509 | 6.9 | $73,425 | 4.3 |
Professional services and membership organisations | 386 | 5.3 | $212,131 | 12.6 |
Government services | 228 | 3.1 | $146,144 | 8.7 |
Contracted services | 157 | 2.1 | $34,231 | 2.0 |
Travel | 61 | 0.8 | $21,729 | 1.3 |
Agricultural services | 11 | 0.2 | $6,363 | 0.4 |
Total | 7,340 | 100.0 | $1,689,946 | 100.0 |
Source: Audit Office of New South Wales analysis of council credit card data 2020.
Appendices
Appendix one – Responses from councils and the Department of Planning, Industry and Environment
Appendix two – About the audit
Appendix three – Performance auditing
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Parliamentary reference - Report number #340 - released 3 September 2020