Part 3: Drawing up suitable policies and procedures

Controlling sensitive expenditure: Guidelines for public entities.

Leaders and senior managers can make sensitive expenditure decisions that Parliament and the public respect by dealing with sensitive expenditure properly and prudently. This requires:

  • a principles-based approach;
  • leading proper and prudent practices by example;
  • approving and implementing suitable policies and procedures;
  • procedures that consistently support all staff to follow proper and prudent practices; and
  • appropriate training and monitoring of activities to ensure effective control of sensitive expenditure.

Scope of policies and procedures

This Part outlines our view of the components of a strong management approach in relation to:

  • the generic content of policies and procedures for sensitive expenditure;
  • approving sensitive expenditure;
  • claims relating to sensitive expenditure;
  • using credit cards for sensitive expenditure; and
  • using cash advances.

Where entities diverge from the broad approach outlined in this Part, we expect them to be able to justify their decisions with respect to the principles discussed in paragraphs 2.1-2.7.

Generic content of policies and procedures

Policies and procedures relating to sensitive expenditure need to:

  • make clear what types of expenditure are and are not permitted;
  • outline clear approval processes that are specific about who approves what, including arrangements for when the usual approver is unavailable;
  • set spending limits or boundaries, including explaining what is meant by “actual and reasonable” when these terms are used, and specifying dollar limits and defined boundaries, where practicable, of what is “reasonable”;
  • allow a manager discretion to grant an exception (“management override”) to a policy or procedure only in exceptional circumstances;
  • specify the monitoring and reporting regime and, where applicable, any internal audit checks that may be applied; and
  • specify the process for amending the policies and procedures.


Approval of sensitive expenditure should be:

  • given only when the person approving the expenditure is satisfied that a justified business purpose and other principles have been adequately met;
  • given before the expenditure is incurred, wherever practical;
  • made within any statutory limits on an entity’s delegations;
  • made only when budgetary provision and delegated authority exist; and
  • given by a person senior to the person who will benefit or who might be perceived to benefit from the sensitive expenditure, wherever possible. Where this is not possible, this fact should be recorded, and any such expenditure should be subject to some form of monitoring.

In the case of people in very senior positions, the principle of approval by a more senior person (the “one-up” principle) should be applied to the maximum extent possible. However, there will be some instances where an alternative approach will be required because there is no more senior person. In such instances, it is essential that there should be no reciprocal arrangement for approving sensitive expenditure (that is, with a person approving expenditure having their own expenditure approved by the person whose expenditure they are approving). An arrangement involving three persons is one way to avoid this problem (for example, A approves B’s expenditure, B approves C’s expenditure, and C approves A’s expenditure).


Claims relating to sensitive expenditure need to:

  • clearly state the business purpose of the expenditure – in instances where the business purpose is not clear from the supplier documentation supporting the claim, a written statement of the purpose should be included as part of the claim;
  • be accompanied by adequate original (not photocopied) supporting documentation, such as tax invoices or other validating documentation – credit card statements do not constitute adequate documentation for reimbursement;
  • document the date, amount, description, and purpose of minor expenditure when receipts are unavailable (for example, for tips or from vending machines); and
  • be submitted promptly after the expenditure is incurred.

Using credit cards

Using credit cards is not a type of sensitive expenditure, but is a common method of payment for such expenditure. Specific policies and procedures are needed for using credit cards to minimise some of the risks associated with them. These risks include credit cards being used:

  • for inappropriate business-related expenditure (in both quantity and type);
  • to obtain cash for a business purpose, with subsequent expenditure being poorly documented or justified; and
  • for personal benefit, by obtaining cash or paying for personal items.

Entities that permit the use of credit cards should have suitable policies and instructions governing use of the cards, and controls to ensure that those policies and instructions are observed.

Credit card policies and procedures need to set out:

  • who is eligible for a business credit card;
  • the person or people responsible for authorising card issue, managing the acquisition of cards, and monitoring and reporting on their use;
  • the process for cancelling and destroying cards;
  • that credit limits are to be set by the entity (not by the card holder) at the minimum necessary to enable the card holder to undertake their duties for the entity;
  • a prohibition on using cards for private expenditure or credit;
  • the need to have acceptable original documentation to explain and corroborate transactions;
  • how credit card transactions are to be reviewed and approved by a person senior to the card holder; and
  • the consequences of unauthorised use, and who is responsible in the case of misuse of the card.

Credit card cash advances

Business credit cards should not be used to obtain cash advances unless:

  • cash is required in an emergency (usually related to travel for the entity); or
  • cash is required for official purposes (in rare circumstances); and
  • these situations are allowed for in the entity’s policy.

Internet purchases using credit cards

Credit card payments over the Internet need to reflect good security practice, such as purchasing from only established reputable companies known to the entity. The card holder needs to keep a copy of any online order forms completed when purchasing, and purchasing by credit card over the Internet needs to be consistent with the entity’s normal purchasing controls.

Cash advances

In instances where an individual does not have an entity credit card, but is required to travel overseas to undertake entity business, it may be necessary to provide the individual with a cash advance. The entity’s policies and procedures should allow for this. In these instances, expenditure of the cash advance should be properly documented and accounted for.

page top