As you know, with proper internal controls along with segregation of duties, establishing a new vendor or updating the Vendor Master file will reduce the exposure of fraud. Without being complacent regarding fraud, you are probably comfortable with your current updating process. Many A/P shops are faced with recent or anticipated A/P system and process changes that you know has or will disrupt the Vendor Master process status quo. To gain increased efficiencies and productivity, A/P and procurement applications are relying on the use of internet and intranet technologies to update the Vendor Master. Use of these technologies should present an opportunity for A/P to improve internal controls or in fact may present internal control challenges when updating the Vendor Master.
Let me first address the latter – The Challenge. “According to a recent global study by PriceWaterhouseCoopers and the Martin Luther University in Germany, corporate fraud increased 22% over the last two years…Despite significant investment in internal corporate controls in the wake of Sarbanes-Oxley Act.
The study also noted that most corporate fraud was detected by accidental means. Therefore, implementing preemptive internal control enhancements will only help in your attempt to minimize your exposure to fraud, especially when the integrity of Vendor Master is to be maintained. Let me describe a how a productivity enhancement presented a challenge for one company to protect itself against fraud. During a recent recovery audit I conducted, A/P headcount was reduced when the company installed an A/P linked front end intranet application that allowed and authorized non A/P employees to enter invoice and account code data, and access the Vendor Master to identify the vendor number, etc. The data was edited for completeness and for valid account coding before it reached the A/P application and A/P processor. When the invoice and the approved input document were received in A/P the A/P processor would perform their normal processing and approval routines. What caught my attention was process now allowed employees who now performed the front end invoice processing to establish a new vendor in the Vendor master.
Although the new vendor entry into the Vendor Master had to be approved by an independent party, I felt new process opened up the A/P tasks to potential employee mischief and fraudsters. Although A/P increased its vigilance over the new process, some additional actions using the Internet to guard against potential fraud involving the Vendor Master needed to be taken were some of the actions I normally recommend to my clients.
I feel that use of the Internet is cost effective and is an opportunity to monitor the Vendor Master updating process….keeping in mind that the extent of the controls adopted by any business is often limited by cost considerations. Realizing that it is not feasible from a cost standpoint to establish controls that provide 100% protection against fraud, adopting a vendor verification process that will add reasonable assurances against fraud is probably the best that can be achieved.
Confirming New Vendors
When I managed an A/P department, we verified that new vendors with significant first time payments were legit. Also, payments to vendors who provided only a PO box as a remit to or address. Back in the days before the internet, we used D&B and any other manual means to confirm their authenticity – like the yellow pages, phone contact, etc. Yet, today it is much easier to perform this check on almost every new vendor using the internet (web sites and yellow pages) and on line D&B, Hoover access, etc. During my A/P audits, I always recommended this added control to protect my clients against any potential fraud.
Why Is Front-End Verification Is Important
I bring this to your attention, since there are a number of front end AP systems
The employee then prints out the coversheet, obtains management approval (signatures) on the coversheet, attaches the invoice to the cover sheet and forwards the packet to AP for payment. In such front end systems where every field AP needs must be completed by the invoice submitter, mischief can occur.
Therefore, I believe it is critical to have some kind of vendor verification to prevent fraud when new vendors can be added by employees or even other company assigned employees. You may want to address adding another separate vendor verification control point, if you think vendor verification is worthwhile from your experience?
New Vendor Verification Guidelines
I highly recommend that someone not directly involved in setting up the vendor perform a double check. Any vendor who submits a PO Box for an address and no telephone number deserves a little additional scrutiny. Many organizations do not have the staff to verify every new vendor. The accompanying table contains a New Vendor Checklist for your staff to use when selecting new vendors to verify.
When verifying a new vendor, one of the first places to check is the yellow pages. Now, not every legitimate vendor advertises there. In fact, depending on your business, you will find that many don’t. If your potential new vendor is not in the yellow pages, try some other database such as D&B, Hoovers, Google, Yahoo, etc.
During your cross checking, keep a record of where you found the verification information. Each company will need to select the criteria that they want to check, the items that they think will protect them the best.
One Last Technique
Even if you don’t actually verify vendors in accounts payable, you can tell people that you do. Put a little blurb on your material saying that “New vendors set up outside AP will be verified by AP.” This warning will help scare off petty theft. Those crooks will have to be a little more creative if they want to defraud your organization.
Similarly, you can create a long list of items verified-even if you don’t check everything. This is one place where it is perfectly acceptable for accounts payable to less than 100% honest. With limited staff, a little creative license is sometimes called for.
What this process does is to help protect against collusion within the process since ideally the person checking in AP is not the person who sets up the master vendor list. If your organization does not do this, your organization is exposed as vendor theft is among the easiest of frauds to commit.
o Vendor Verification Criteria
o Vendors whose invoices do not have invoice numbers
o Vendors with PO Box addresses
o Any new vendor over certain dollar amount
o Non form looking invoices
o Any invoice without a phone number
o A certain percentage of all new vendors