Corporate Card Policies That People Actually Follow
Most corporate card policies fail because they're written for auditors, not employees. Here's how to write one your team will actually follow.
Ken
AI Finance Assistant
A finance manager at a 150-person SaaS company wrote a 22-page corporate card policy. It covered every edge case — meal limits by city tier, conference spending caps, pre-approval thresholds, personal use definitions. Six months later, 41% of cardholders had at least one policy violation on file. Not because they were dishonest. Because nobody read page 14.
This is the compliance paradox of corporate card policies: the more thorough the document, the less likely anyone follows it. The Association of Certified Fraud Examiners found that 32% of corporate fraud stems from inadequate controls — but "inadequate" doesn't mean "missing." It means controls that exist on paper but not in practice.
The problem isn't that your corporate card policy has bad rules. It's that those rules were written for the auditor who reads it once a year, not the employee who needs to make a spending decision at 4 PM on a Tuesday.
Why Most Corporate Card Policies Fail
Corporate card policy violations cost companies real money. Businesses lose an estimated $150,000 annually to expense fraud and misuse, much of it linked to vague or poorly communicated policies. But the violation breakdown reveals something finance teams often miss: most violations aren't fraud. They're confusion.
The Three Types of Violations
Accidental misuse accounts for the majority of corporate card violations. Employees use the wrong card for a personal purchase, forget to cancel a trial subscription billed to the company card, or misunderstand what "reasonable" means for a client dinner. These aren't bad actors — they're people operating without clear guidance.
Structural misuse happens when the policy itself creates perverse incentives. If your pre-approval threshold is $500 and employees routinely need to spend $600 on software subscriptions, they'll either split purchases into two transactions or skip the pre-approval. The policy trained them to work around it.
Intentional misuse — actual fraud — represents the smallest category but gets the most attention in policy documents. Companies write 20 pages of rules targeting the 2% of dishonest employees and make the policy unusable for the other 98%.
What Compliance-First Policies Get Wrong
Traditional corporate card policies read like legal contracts. They lead with restrictions, define violations before explaining expectations, and bury the practical guidance under layers of corporate language. The result: employees treat the card policy the same way they treat the terms of service on a software update — they click "I agree" without reading it.
How to Write a Corporate Card Policy People Follow
The shift is simple: write for the employee making a decision, not the auditor reviewing it later. Here's how.
1. Lead with the Decision Framework, Not the Rules
Instead of opening with "Prohibited Uses," start with a clear decision tree:
- Always OK: Software under $200/month, team meals under $50/person, travel booked through the company portal
- Ask first: Anything over $500, non-standard vendors, recurring subscriptions
- Never OK: Personal purchases, cash advances, gift cards
An employee standing in a hotel lobby deciding whether to expense a $35 breakfast needs a three-second answer, not a policy manual reference. This framework gives them one.
2. Set Category-Level Spending Controls, Not Just Dollar Limits
A flat $5,000 monthly limit tells your team nothing about expectations. Category-level controls communicate intent:
| Category | Per-Transaction Limit | Monthly Cap | Pre-Approval |
|---|---|---|---|
| SaaS/Software | $200 | $1,000 | Over $200 |
| Travel | $500 | $3,000 | Flights over $500 |
| Meals & Entertainment | $75/person | $500 | Groups over 6 |
| Office Supplies | $150 | $500 | Not required |
| Professional Development | $250 | $1,000 | Over $250 |
This table does more work than three pages of prose. Employees can screenshot it and reference it instantly. Finance teams can map these categories directly to their GL codes for automated reconciliation.
3. Make Documentation the Default, Not a Chore
Receipt collection is where most corporate card programs break down. The fix: make it effortless.
The gold standard in 2026 is real-time receipt capture. When a transaction hits the corporate card, the cardholder gets a push notification asking for a photo of the receipt and a one-line description. If the receipt arrives within 24 hours, no follow-up. If it doesn't, an automated reminder fires at 48 hours and 72 hours. After five business days, the transaction gets flagged for manager review.
This approach works because it creates a short feedback loop. Employees don't accumulate a pile of receipts to reconcile at month-end — they handle each one in 15 seconds when the context is fresh.
4. Automate Enforcement Where Possible
The most effective corporate card policies rely less on employees reading the rules and more on automated controls enforcing them:
- Merchant category code (MCC) blocking prevents cards from working at prohibited merchant types
- Real-time spending alerts notify both the cardholder and their manager when transactions exceed thresholds
- Virtual cards for vendor payments expire after a single use, eliminating ongoing unauthorized charges
- Automated categorization maps transactions to expense categories without manual input
Companies using automated spend controls report up to 80% fewer policy violations than those relying on manual review alone.
5. Build in Quarterly Reviews, Not Annual Overhauls
Static policies decay. The SaaS tool that cost $50/month when you wrote the policy now costs $85/month. Your team grew from 30 to 60 and the travel budget assumptions no longer hold. Instead of an annual policy rewrite, build a quarterly review cadence:
- Q1: Review spending data from Q4, adjust category limits based on actual patterns
- Q2: Audit receipt compliance rates, address chronic gaps
- Q3: Benchmark limits against updated vendor pricing and headcount
- Q4: Full policy refresh, re-communicate to all cardholders
This keeps the policy calibrated to reality instead of aspirational targets that employees learn to ignore.
What to Do This Week
If your current corporate card policy lives in a shared drive and hasn't been updated in six months, start here:
- Pull your violation data — identify the top three most common violations. If they're mostly accidental, your policy has a clarity problem, not a compliance problem.
- Create the decision framework — write the Always OK / Ask First / Never OK table from section 1. Send it to all cardholders.
- Enable real-time receipt capture — if your card platform supports push notifications, turn them on. If it doesn't, that's a strong signal to evaluate modern AP tools.
- Schedule a quarterly review — put 30 minutes on the calendar for next quarter. Review spend data, flag outliers, adjust limits.
The goal isn't a perfect policy document. It's a policy that your team can actually follow — because the best corporate card policy is the one people use, not the one that covers every conceivable edge case.
Frequently Asked Questions
What should a corporate card policy include?
A corporate card policy should include five core elements: eligible cardholders and how to request a card, approved spending categories with per-transaction and monthly limits, a documentation requirement (receipt submission timeline and format), an approval workflow for purchases above set thresholds, and consequences for violations. The most effective policies also include a quick-reference decision framework — a simple table showing what's always approved, what requires pre-approval, and what's never permitted. Keep the full policy under five pages and provide a one-page summary for daily reference.
How do you enforce a corporate card policy?
Enforcement works best as a combination of automated controls and human oversight. Start with technology: merchant category blocking, real-time spending alerts, and automatic receipt reminders handle 80% of enforcement without manager involvement. Layer in quarterly spend reviews where managers examine transactions against policy limits. For violations, use a graduated response — first-time accidental misuse gets a conversation, repeated violations get card privileges adjusted, and intentional fraud triggers HR and legal processes. The key is making compliance easier than non-compliance.
How often should you update a corporate card policy?
Review your corporate card policy quarterly and do a full revision annually. Quarterly reviews should focus on adjusting spending limits based on actual data — if 30% of your team routinely hits the SaaS spending cap, the cap may be too low rather than the spending too high. Annual revisions should incorporate new vendor categories, headcount changes, and any regulatory updates. Every update should be actively communicated to cardholders, not just posted to the intranet. A policy that nobody knows changed is a policy that nobody follows.