I'm not sure this will help in your exact situation and I'm a little late to the game here, but I've read through all the comments and am going to be the token "actually" guy: Actually, while it is true that you cannot limit access by user, you can limit access by role (Consumer, Business Author, or Professional Author) but only on the folders and reports YOU own, so the Standard Reports folders are out of play here.
Here is how you do it:
1 - Click Set Properties on the folder or report you want to control access to.
2 - Click the Permissions tab.
Much like items on your network, the access inherits down from the folders above it. Just like the items on your network you can override this inheritance.
3 - Click the "Override the access permissions acquired from the parent entry" checkbox.
On the left side of the screen you will see a listing of you roles starting with your entity ID. The 3 we care about are entityID_consumer, entityID_author, and entityID_professional. they equate to Consumers, Business Authors, and Professional Authors respectively.
4 - Click the role you want to change permissions for.
On the right you will see the access rights you can Grant or Deny. Don't want Consumers to run a report? Deny Execute. Don't want Business Authors modify a report? Deny Write. Don't Consumers to even know a report or folder exists? Deny everything. Change your mind about the whole thing? Uncheck the "Override the access permissions acquired from the parent entry" box.
@AmberLee I use internet explorer. GrantC has spotted the problem., you can only add permissions to reports that you actully own.
My guess would be that if Concur created the folder they would be the owner of the folder, not you, and you would not be able to set permissions. You might try making a copy of the folder though. You would be the owner of the copy and I would think could set permissions.