Credit Cards and the Immutable Laws of Nature

“GetInvolved Nonprofit Guide” Article for January 2014 from Cover & Rossiter, P.A.

By Pete Kennedy, CPA, CVA – Director at Cover & Rossiter, P.A.

I recently completed an audit at a client’s and was headed home for the weekend when I stopped at a convenience store to grab a snack.  The person in front of me was buying a series of store gift cards with a credit card….a business card…from the client I had just left…that had been issued to his supervisor (a female) and not to him. When the clerk noticed the name discrepancy, the person said “It’s OK, I work there, see?” (opening his jacket to reveal the client’s emblem on his shirt).  The clerk said “Oh, OK” and allowed him to continue with the purchase.  I shot the Controller at my client a quick e-mail – although he established that the gift cards were for a legitimate purpose, he was not pleased.

The above story illustrates one of the universal laws of auditing: we’ll call it “the Cover & Rossiter Law of Control Gravity.”  If you imagine the Business Office as the Sun at the center of the solar system from which all financial controls emanate, those controls, like gravity, will weaken with distance.  Put another way, the design of any system of controls can be rock solid, but the further removed you are from the Business Office, the less likely it is that the control system will be taken seriously.  Outside the Business Office, controls have another name: “Red Tape.”  An entry-level employee from an operating department will not understand the need for the controls (especially if controls are being disregarded by their supervisor) and it is unrealistic to rely upon a third-party organization (in this case a merchant, but you can substitute a bank or payroll processor) to enforce any facet of your controls.

Another of the galactic constants is “Dillon’s Law” (named for my 15 year-old son).  When given a choice between two methods of getting something done, people will almost always choose the easier of the two methods. Since controls generally involve effort, the easier method will usually be the less controlled one.  The whole idea behind credit cards is ease of use.  If you have credit cards and no limits or controls on how they will be used, they will soon be used for EVERYTHING.

Each time a credit card is issued to an employee of any organization, it is equivalent to handing that person a stack of cash (equal to the credit limit on the card) and saying “Make sure you only spend this on business-related purchases.”  Whether that employee chooses to meticulously comply, or use the card as their own unofficial bonus system, is entirely up to them.  The only things that prevent employees from stealing are their own personal moral code (which can obviously vary widely from one person to the next and should be disregarded as a control against theft) and the control system.  Another immutable law is “Msgr. Wallin’s Law” (you can Google it for an illustration), which states that there is a percentage of people – at all levels of an organization, from the mail room to the corner office – who will cheat or steal if they believe they can get away with it.

Control System

When you combine these three laws, the need for a strong control system around your credit card process becomes obvious. Fortunately, establishing and maintaining a good control system is not advanced physics.  Here are a few guidelines:

  • Require that each employee signs a cardholder agreement and keep the agreements on file.  Generally, the agreement will explain that eceiving a card is a privilege, the card is only to be used for business purposes, the cardholder will be required to provide substantiation of charges, as well as the ramifications of noncompliance with the policy.  Often the agreement will refer to the organization’s travel reimbursement policy for allowable charges since the cards are frequently used for business travel.
  • Establish per charge and monthly limits.  The limits will logically vary with the needs of the user.  The limits should be designed to complement other controls that exist in the organization.  As an example, if the organization’s policy requires elevated approval for purchase orders above $5,000, it would make sense that such charges require further scrutiny and that the card limits should reflect this.
  • Require documentation with every charge along with an explanation of the business purpose.  Some organizations develop a level that is considered insignificant so that administrative time is not expended chasing down $10 parking receipts.   The explanation of the charge should be detailed enough that a reasonable person could understand what the charge was for and how it was business-related.  All too frequently we see “L.A. trip” as an explanation.  While such an explanation may suffice for a review a month later by someone familiar with the operations, it will need more detail to be useful several years later – “L.A. trip for American Association of Museums Seminar” would be better.
  • Efficiencies gained in the use of credit cards can quickly be lost when the Business Office has to chase the “problem children” to obtain their receipts. There needs to be a “hammer.”  Someone has to be in charge of the process and that person needs to be empowered to enforce the rules.  The repercussions for noncompliance need to be severe enough that people – even the administratively challenged – will badly want to comply.  Can’t be bothered to turn in your receipts?  Well, at a minimum, that should mean an immediate suspension of the card even if the charges appear to be legitimate.  If the charges look dicey, many cardholder agreements have provisions for payroll deduction of unsubstantiated charges by employees.  Fraudulent charges should be dealt with especially harshly.  Most card agreements include a provision for dismissal should the employee be found to have made fraudulent charges.

The most powerful argument in favor of credit card issuance and usage is efficiency.  It is obviously far less effort to “whip out the plastic” than to issue a purchase order, match the receiver to the invoice, enter it into accounts payable and cut a check.  Credit card usage has expanded dramatically and will likely continue to do so.  It is important to recognize that credit card use is replacing a process with tried and true controls and that adequate controls are needed.

If you need assistance in establishing a control system for credit card usage or any other nonprofit topic, please contact Pete Kennedy, or any other member of our Nonprofit Practice team, at Cover & Rossiter at (302) 656-6632.

Cover & Rossiter, P.A. ( is one of the most respected and experienced CPA firms serving the accounting, tax and audit needs of the nonprofit community in Delaware.  

Posted in ,