The Public Company Accounting Oversight Board PCAOB defined Segregation of Duties as “Assigning different people the responsibilities of authorizing transactions, recording transactions, and maintaining custody of assets is intended to reduce the opportunities to allow any person to be in a position to both perpetrate and conceal errors or fraud in the normal course of his or her duties.”
There are three essential steps in the vendor payment cycle:
Creating a vendor record in the vendor master file
Creating/Posting the Invoice from the Vendor
Paying the Invoice from the vendor
So, what do you do if your company does not have enough employees to comply with Segregation of Duties? Not to worry, the PCOAB addressed the difficulty of small to medium sized businesses achieving this preventative control and recommended management oversight be used to achieve the control objectives. Here are four recommendations for compensating controls that can be put into place where Segregation of Duties is not possible to protect the vendor master file from fraud:
Require Management Approvals for New Vendor Setups and Existing Vendor Changes
Require approval for all new vendor adds and vendor changes
Require supporting documentation including the source of the add or change request
Copy of Secure Email – no changes or adds should be done via phone or person to person without documentation
Vendor Setup Request Form signed
Try to refrain from AP personnel requesting vendors, but if needed, have management sign-off
Require validation be attached to the vendor record
IRS Tin Match – ensure the vendor legal name remains valid
OFAC Validation (Bank and Vendor)
Both the requirement of the documentation and the validation of that documentation is a quick indication that the vendor information is valid and not fraudulent.
Management review all new vendor setups and vendor changes – prior to payment runs
Look for changes in banking or remit addresses that were changed then changed back quickly. For each change, your system should maintain an audit log that will tell you the date, time and user making the change.
Cross-check that the vendor address or vendor banking if changed, does not match the employees address or banking. You may need to collaborate with Payroll and/or IT for this one if you do not have access to those records. If you don’t already have access, you don’t need to get it, you only need a way for that check to be done in the background and have them notify you if there is ever a match.
Management review pay cycles prior to releasing payments
Review invoices for existing vendors to ensure the invoice numbering is consistent with historical invoice numbers.
Investigate any that have additional letters or numbers such as “a” or “1” that adds to an otherwise valid invoice number
Investigate any invoices out of sequence
Review the backup for any Non-PO invoices
Inactivate Vendors - Monthly, Quarterly or at the very least annually – Review your Vendor Master and inactivate vendors that have not had Invoices, Purchase Orders or Payments in 12, 15 or 18 months. This will reduce the # of vendors that management needs to be concerned with, reduce the potential for fraud because the record will not be available to select in error or intentionally to perpetrate fraud. Require that all inactive vendors follow the same process for new vendor setups.
As normal, review these recommendations with your leadership and/or auditing team and make adjustments based on your Accounting system/ERP or 3rd Party systems for your company processes and your industry.
If you enjoyed these recommendations, consider taking my Vendor Master file training that consists of Authentication, Validation and Management courses or eGuide as part of a 3 Step Vendor Setup and Maintenance process to protect the vendor master file from fraud and keep it clean. Visit www.debrarrichardson.com/training for more details.
#stayhappy #puttingtheapinhappy #Vendorsetup #accountspayable
Debra R. Richardson,
MBA, APM, APPM, CPRS
Debra is an accounts payable speaker, consultant, and trainer with over 20 years of experience in AP, AR, general ledger, and financial reporting for Fortune 500 companies including Verizon, General Motors and Aramark.
For the past eight years, Debra has focused on Global Vendor Maintenance, and implemented a vendor self-registration portal for 140k+ global vendors across five Accounting Systems/ERPs. In her consultancy, she focuses on internal controls and authentication to prevent fraud in the vendor master file.