Part 4: Using credit cards and purchasing cards

Controlling sensitive expenditure: Guide for public organisations.

Using credit cards and purchasing cards8 is a common way to pay for sensitive expenditure and is more transparent than using cash. However, specific policies and procedures are needed for using cards to manage the associated risks. These risks include cards being used:

  • for inappropriate business-related expenditure (in both the type of expenditure and how much);
  • to obtain cash for a business purpose, with subsequent expenditure being poorly documented or justified; and
  • for personal benefit, by obtaining cash or paying for personal items.

Organisations that allow credit cards and purchasing cards should have suitable policies and requirements governing use of the cards. They should also have controls to ensure that those policies and instructions are observed.

Policies for credit cards and other purchasing cards need to set out:

  • who is eligible for a business credit card/purchasing card;
  • the person or people responsible for authorising card issue, managing the acquisition of cards, and monitoring and reporting on their use;
  • the process for cancelling and destroying cards;
  • credit limits (set by the public organisation and not by the card holder). The limit should be the minimum necessary to enable the card holder to carry out their duties for the public organisation;
  • that using cards for private expenditure or credit is prohibited;
  • the need to have acceptable original documentation to explain and corroborate transactions;
  • how credit card and purchasing card transactions are to be reviewed and approved by a person senior to the card holder (the one-up rule); and
  • the consequences of unauthorised use.

Credit card cash advances

Credit cards should not be used to obtain cash advances unless cash is required:

  • in an emergency (usually related to travel); or
  • for official purposes (in rare circumstances).

If an organisation would like to allow cash advances, they would need to be specifically provided for in the organisation's policy and should be properly documented and accounted for and reconciled to actual expenses.

Internet purchases using credit cards

Credit card payments made on the internet need to reflect good security practice, such as purchasing only from reputable companies known to the public organisation. The card holder needs to keep a copy of any online order forms completed when making purchases. The practice also needs to be consistent with the public organisation's normal purchasing controls.

8: These include credit cards, vehicle fleet cards, purchasing cards, and equivalent cards used to obtain goods and services before payment is made.