Jun 1, 2017 Chris Doxey
Even with the renewed focus on internal controls, there are still situations where fraudulent payments are made to individuals or companies that are posing as legitimate suppliers. How is it possible that large companies have a private mailbox at the local UPS Store, a private residence, or a prison address?
Within the Procure to Pay (P2P) process, there are several key internal controls. One of the key controls is ensuring that the supplier master is properly controlled, with a focus on:
- Supplier master setup & validation
- Continuous monitoring
Supplier master setup and validation phase
The supplier master setup and validation phase requires appropriate segregation of duties. This means that the individual or department establishing the supplier is in a different department from the team processing invoices and creating disbursements. When considering segregation of duties for the supplier master setup, it is important to include both ownership of the process and systems access. Even when ownership of the process is properly segregated, system access must also be controlled so that only the correct individuals can process specific transactions.
Additional controls to consider for the supplier master setup process include:
- Requiring that a W-9 form be completed for supplier setup before issuing payment.
- Using the IRS TIN matching service during the supplier master setup phase. An IRS web site enables entry of both a Tax ID and supplier name to confirm the existence of the supplier and validate the Tax ID.
- Confirming the supplier against one of the many resources that enable one to confirm the validity of a company’s identity and perform the applicable regulatory compliance checks required by your industry.
- As a final step, requiring suppliers to complete an online supplier profile form to collect information that further increases your ability to verify a company’s existence. The supplier is required to provide certain documents, including a sales tax certificate and an insurance certificate. The objective of the supplier profile form is to gather sufficient information to verify a company’s legitimate operation, gather the names of key officers from a conflict of interest perspective, and obtain the physical business address, daytime phone number, and other key data points. Much of this supplier information is available via a supplier portal.
The continuous monitoring phase
The continuous monitoring process includes a review of the controls noted above for the supplier master setup process. The review should select a sample of suppliers and examine the supporting documentation for the validation of a new supplier and the supporting documentation for a change of address.
All system-generated audit reports must be reviewed—not only for segregation of duties, but to determine if a supplier address has been changed and then immediately changed back to the original address.
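The change-and-revert check described above, as an added example that is not part of the original article. The audit-row layout, the sample rows, the function names and the three-day window standing in for "immediately" are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows; the column layout is an assumption, not a real ERP export.
# (timestamp, supplier_id, field, old_value, new_value, user)
AUDIT_ROWS = [
    ("2017-05-02 09:14", "S-1001", "address", "12 Mill Rd, Dayton OH", "PO Box 77, Reno NV", "jdoe"),
    ("2017-05-02 16:40", "S-1001", "address", "PO Box 77, Reno NV", "12 mill rd,  dayton oh", "jdoe"),
    ("2017-05-03 10:00", "S-2002", "address", "4 Oak St, Erie PA", "9 Elm Ave, Erie PA", "asmith"),
    ("2017-05-04 11:30", "S-3003", "phone", "555-0100", "555-0199", "asmith"),
    ("2017-03-01 08:00", "S-4004", "address", "1 Pine Ct, Troy MI", "8 Bay Dr, Troy MI", "mlee"),
    ("2017-05-20 08:00", "S-4004", "address", "8 Bay Dr, Troy MI", "1 Pine Ct, Troy MI", "mlee"),
]

def normalize(addr):
    """Collapse case and whitespace so cosmetic edits do not hide a revert."""
    return " ".join(addr.lower().split())

def find_reverts(rows, window=timedelta(days=3)):
    """Return one finding per address change that restores an earlier value within `window`."""
    by_supplier = defaultdict(list)
    for ts, supplier, field, old, new, user in rows:
        if field == "address":
            by_supplier[supplier].append(
                (datetime.strptime(ts, "%Y-%m-%d %H:%M"), normalize(old), normalize(new), user))
    findings = []
    for supplier, changes in by_supplier.items():
        changes.sort(key=lambda c: c[0])
        for i, (t_back, _, restored, user_back) in enumerate(changes):
            # Walk earlier changes newest first; stop once outside the window.
            for t_away, original, temporary, user_away in reversed(changes[:i]):
                if t_back - t_away > window:
                    break
                if original == restored and temporary != original:
                    findings.append({"supplier": supplier, "temporary_address": temporary,
                                     "changed_at": t_away, "reverted_at": t_back,
                                     "users": sorted({user_away, user_back})})
                    break
    return findings

if __name__ == "__main__":
    for finding in find_reverts(AUDIT_ROWS):
        print(finding)
```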
Another consideration within the continuous monitoring process is to periodically review all duplicate suppliers and initiate a supplier master clean-up process. The clean-up process will eliminate duplicate records that have been set up for the same supplier at the same address.
Continuous monitoring on a real-time basis will quickly identify a potentially fraudulent supplier and will validate that Supplier Master Set-Up controls are properly working.
If there is a concern about a specific supplier, it is important to raise the issue to your internal controls or internal audit department after performing an evaluation of internal controls within the P2P process. This process will determine if the control is operating as defined. If a control weakness is identified, it is important to immediately adjust the control and increase the sample size of the test.