From the November 2011 issue of Treasury & Risk magazine

Gold AHA Winner in Enterprise Risk Management

Mayo Clinic's own data-mining software spots credit card abuse.

Linda Unterborn, audit and controls analyst, supply chain management, and Erich Heneke, senior manager, supply chain management

Mayo Clinic takes a gold for developing data-mining software that monitors its employees’ use of credit cards. The cards enable small-dollar purchases without time-wasting paperwork and processing—key for staff who should be focused on patients’ needs—but introduce the potential for abuse or policy violations.

Credit card issuers have long used software to identify potentially problematic patterns when, for example, purchases are made in New York and then 10 minutes later in Seattle. The Mayo Clinic’s software, says Erich Heneke, senior manager of supply chain audit and controls, instead looks for internal fraud.

“A credit card company would never notice if you use a corporate credit card in a neighborhood grocery store, but that looks suspicious to us,” Heneke says.

A quarter of the healthcare provider’s 60,000 employees carry travel credit cards backed by the Mayo Clinic, which is liable for any misuse. An additional 700 have procurement cards. However, distribution of those cards had been restricted because of the company’s limited ability to identify suspect transactions. That had to change, so departments including supply chain, internal audit and purchasing collaborated to develop software to monitor for risky purchases.

Mayo Clinic customized the software entirely in-house, which Heneke described as a challenge for his finance-minded team because it involved complicated programming and a lot of trial and error. Then the cross-functional team imagined as many scenarios suggesting misuse as possible for the software to search for.

An even-dollar purchase, for example, could indicate buying a gift card, which “we feel is similar to cash,” Heneke says.

The team also analyzed the credit card industry’s list of merchant category codes and red-flagged sellers that Mayo Clinic employees would never be expected to purchase items from—another risk factor for the software to consider.

The software attaches a score to each risk factor and adds them together to identify the riskiest cardholders. Those with high scores, or their managers, may be contacted—a potential deterrent.

“The strength of timely, accurate and customizable risk factors provides solid controls not only to Mayo but potentially to other industries without a card-monitoring solution,” says Jim Francis, assistant treasurer at Mayo Clinic.

Heneke notes that it is difficult to measure the initiative’s success in terms of cost savings, since it’s impossible to know what fraud could have taken place. However, in addition to increasing top management’s comfort level with continuing to back the credit-card program, the system provides an immediate recap of a cardholder’s risk related to his or her card use, as well as profiles of high-risk cardholders. It also shortened the fraud discovery period and reduced the need to recover money through payroll reductions.

In addition, the software provided management with a better idea about how much risk exists, which allowed Mayo Clinic to expand the cost-saving card program to more employees. It also allowed Mayo Clinic to identify groups with “special purchasing needs” and monitor those employees differently, so they are not unnecessarily tagged as potential high-risk employees. A transaction at Wal-Mart, for example, suggests a personal item, but it may be in order for an employee in facilities.
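
The scoring approach described above, sketched as an added example (not Mayo Clinic's software): each transaction is checked for an even-dollar amount and a red-flagged merchant category code, exemptions for groups with special purchasing needs are applied, and the scores are summed per cardholder. The weights, the choice of flagged codes, the group names and the sample transactions are assumptions constructed for illustration.

```python
from collections import defaultdict
from decimal import Decimal

# Assumed weights; the article does not publish the real scores.
WEIGHTS = {"even_dollar": 2, "flagged_mcc": 5}
# Merchant category codes red-flagged for this sketch (assumed selection):
# 5411 = grocery stores/supermarkets, 5310 = discount stores.
FLAGGED_MCC = {"5411", "5310"}
# Groups with "special purchasing needs": codes that are expected for them.
GROUP_ALLOWED_MCC = {"facilities": {"5310"}}

def risk_factors(txn, group):
    """Return the names of the risk factors one transaction triggers."""
    hits = []
    amount = Decimal(txn["amount"])
    # A whole-dollar amount may indicate a gift card purchase.
    if amount > 0 and amount == amount.to_integral_value():
        hits.append("even_dollar")
    allowed = GROUP_ALLOWED_MCC.get(group, set())
    if txn["mcc"] in FLAGGED_MCC and txn["mcc"] not in allowed:
        hits.append("flagged_mcc")
    return hits

def score_cardholders(transactions, groups):
    """Sum factor scores per cardholder; riskiest first, with reasons."""
    totals = defaultdict(int)
    reasons = defaultdict(list)
    for txn in transactions:
        holder = txn["cardholder"]
        totals[holder] += 0  # make sure clean cardholders are listed too
        for factor in risk_factors(txn, groups.get(holder)):
            totals[holder] += WEIGHTS[factor]
            reasons[holder].append((txn["id"], factor))
    return sorted(((h, s, reasons[h]) for h, s in totals.items()),
                  key=lambda row: (-row[1], row[0]))

# Constructed sample data, not real transactions.
GROUPS = {"E100": "nursing", "E200": "facilities", "E300": "research"}
TRANSACTIONS = [
    {"id": "T1", "cardholder": "E100", "amount": "50.00", "mcc": "5411"},
    {"id": "T2", "cardholder": "E100", "amount": "23.17", "mcc": "5411"},
    {"id": "T3", "cardholder": "E200", "amount": "84.31", "mcc": "5310"},
    {"id": "T4", "cardholder": "E300", "amount": "100.00", "mcc": "4511"},
    {"id": "T5", "cardholder": "E300", "amount": "412.60", "mcc": "7011"},
]

if __name__ == "__main__":
    for holder, score, why in score_cardholders(TRANSACTIONS, GROUPS):
        print(holder, score, why)
```

Keeping the triggering transaction and factor next to each score gives a reviewer the reason behind a high total before anyone contacts the cardholder or a manager.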

Currently, the software scans credit card purchases monthly, but Heneke’s team is working on a Web-based product that will monitor transactions on a daily basis.

“It will also create a scorecard and refresh it when we want to,” Heneke says, “and it will catch suspect transactions on a daily basis and put them in a queue to follow up on.”

