Accounts Payable Risk Assessment: 8 Questions to Uncover Threats

When accounts payable departments are run correctly, they’re an invaluable piece of an organization. AP can help maintain healthy relationships with vendors, provide detailed visibility into cash flow, and even help the company save money. In this type of situation, AP plays a role in the company strategy.

On the other end of the spectrum, poorly run AP departments only provide a transactional function. They are asked to gather the invoices, prepare the checks, and make sure nothing goes wrong. And if something does go wrong, such as a fraudulent or duplicate payment, nobody’s happy.

In an effort to move toward a more strategic role in the business, AP leaders need to run a tight ship, and an accounts payable risk assessment is a great start. It is a great way to uncover potential threats to your finances, your processes, and your sanity.

Today, we’ll explain how to assess any risks present in the accounts payable process and identify specific questions to ask that can help you discover specific threats for your organization.

But first, let’s take a step back and look at the big picture.

What is an Accounts Payable Risk Assessment?

First things first: although they’re similar and have some overlap, an accounts payable risk assessment is actually different from an accounts payable audit.

Note the difference:

Accounts payable audit: A thorough review of the company’s accounts payable records and record keeping to ensure the AP records are an accurate view of the business. This includes data verification and risk assessment.

Accounts payable risk assessment: An examination of the AP processes (including internal payment controls) to ensure every measure is being taken to shore up weaknesses in order to maximize accuracy and minimize fraud and mistakes.

Therefore, an AP risk assessment is a part of an audit, and an important one at that.

Apart from being a mandatory piece of an AP audit, a risk assessment is a great way to look for optimizations within your current workflow, providing additional benefits beyond compliance such as efficiency and operational excellence.

Here’s what you need to know to conduct an AP risk assessment from start to finish at your organization.

How to Conduct an Accounts Payable Risk Assessment

Whether you’re preparing for an AP audit or just wanting to tighten up your shop, here are the areas you’ll need to cover to assess your exposure.

External and Internal Fraud

In 2019, 82% of businesses fell victim to fraudulent payments (Association for Financial Professionals). Considering the ubiquity of the risk of fraud, this is likely the first place you’ll want to assess.

Examples of external fraud (although they regularly require an insider) include:

Collusion: A staff member colludes with a vendor to create duplicate or fake payments to the vendor, and then they split the cash.

Kickbacks: A staff member falsifies records to overpay the vendor, and again, they split the profits.

Business email compromise: This sophisticated scam works without an insider. Using social engineering, keyloggers, phishing, and other cyberattack methods, hackers initiate wire transfers to their accounts.

Apart from collaborating with outside criminals, employees can also conduct fraud all on their own. Employees can create fake vendors that receive a payment that goes directly into their account. Or, staff may intercept checks and alter them to their benefit.

In these cases of internal and external fraud, many scammers will use monetary amounts below the internally controlled cutoff amounts in order to not draw too much attention.
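The patterns described above (amounts kept just under the approval cutoff, and duplicate payments) can be screened for in a payment export. The following is an added example, not part of the original post; the cutoff value, the 5% band, the record layout and the sample records are all assumptions constructed for illustration.

```python
from collections import defaultdict
from decimal import Decimal

APPROVAL_CUTOFF = Decimal("5000.00")  # assumed internal approval cutoff
NEAR_BAND = Decimal("0.05")           # assumed: flag amounts within 5% below it

# Constructed sample records: (payment id, vendor, invoice number, amount).
PAYMENTS = [
    ("P1", "Acme Supply",  "INV-1001", "4950.00"),
    ("P2", "Acme Supply",  "INV-1002", "4990.00"),
    ("P3", "Brightline",   "INV-77",   "1200.00"),
    ("P4", "Brightline",   "inv-77 ",  "1200.00"),  # same invoice, re-keyed
    ("P5", "Corvid Print", "INV-300",  "5000.00"),  # at the cutoff, so it is reviewed
    ("P6", "Corvid Print", "INV-301",  "4700.00"),  # below the flagged band
]

def near_cutoff(payments, cutoff=APPROVAL_CUTOFF, band=NEAR_BAND):
    """Payment ids whose amount falls in [cutoff * (1 - band), cutoff)."""
    floor = cutoff * (1 - band)
    return [pid for pid, _, _, amt in payments if floor <= Decimal(amt) < cutoff]

def vendors_clustering_under_cutoff(payments, min_hits=2):
    """Vendors with repeated just-under-cutoff payments; one hit alone is weak evidence."""
    flagged = set(near_cutoff(payments))
    hits = defaultdict(list)
    for pid, vendor, _, _ in payments:
        if pid in flagged:
            hits[vendor].append(pid)
    return {v: ids for v, ids in hits.items() if len(ids) >= min_hits}

def duplicate_payments(payments):
    """Groups of payment ids sharing vendor, invoice number and amount,
    compared after trimming whitespace and ignoring case."""
    groups = defaultdict(list)
    for pid, vendor, invoice, amt in payments:
        key = (vendor.strip().lower(), invoice.strip().lower(), Decimal(amt))
        groups[key].append(pid)
    return [ids for ids in groups.values() if len(ids) > 1]

if __name__ == "__main__":
    print("near cutoff:", near_cutoff(PAYMENTS))
    print("vendor clusters:", vendors_clustering_under_cutoff(PAYMENTS))
    print("duplicates:", duplicate_payments(PAYMENTS))
```

Flagged items are leads for manual review, not proof of fraud; legitimate recurring invoices can also sit just under a cutoff.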

Rogue Spend

These are purchases that are uncategorized within the accounting system. While these purchases are less fraudulent than those listed above, they are still damaging to the company because, without categorization, they are essentially ‘invisible’ in terms of allocating spend and appear as a loss in cash flow analysis.

Conflict of Interest

As we’ve discussed before, an ideal AP system has separation of duties as one of its internal controls. When AP departments are overworked or don’t have the proper controls in place, they end up with one person doing the job of two, which can present a problem.

The person who maintains the check inventory should not also prepare and sign the checks, just as the person who updates the vendor files shouldn’t have approval authority for contracts.

Read more about internal payment controls to limit conflicts of interest in this related post.

Payment Errors and Delays

As opposed to outright fraud, there is always a possibility of inaccurate payments due to human error. This is exacerbated by manual processes, where typos are more likely to occur.

Additionally, late or missing payments can damage relationships with your vendors and suppliers, or worse, lead to penalties or lawsuits.

Note—One question you may have is “How often do I need to perform a risk assessment?” If you’re going through all of these tasks manually, it can add labor and expense to your department, which may already be stretched thin.

A solution to a constant cycle of risk assessments is to implement an AP automation solution equipped with artificial intelligence that continuously seeks out abnormalities that might create risk, and also opportunities that create efficiency within the AP department. Visit our AP automation page to learn more.

AP Process Risk Assessment Questions

Now that you have a general understanding of what risk looks like, let’s go over a series of questions that will help you identify specific risks in your AP department.

1. How do invoices arrive at your office?

Do you receive mostly hard-copy invoices via post, PDFs attached to an email, or online invoices?

If you’re still receiving a lot of invoices by snail mail, this creates an extra step of scanning them into your system, which creates an unnecessary risk of misplacing an invoice or forgetting to scan it. The most common format for invoices is PDF. While PDFs can be used as a Trojan horse to commit cyberattacks through phishing emails, AP automation systems remove this risk since corrupt files will not make it past the system’s security stack. Moreover, invoices from vendors are often sent directly to the AP system, which protects any inbox that would have received the phishing email. Online invoices routed directly to your centralized AP system represent the safest and most accurate way to process invoices.

2. How do you capture invoice data?

To fully capture an invoice, you’ll not only need to pull the data from the document, but you also might have to input the cost center, project code, and general ledger code.

Is AP staff manually keying in these amounts? If this is the case, you’re exposing yourself not only to more mistakes via typographical errors, but also to a lengthier process: this data now has to be manually routed to the correct person for approval, etc. Touchless invoice processing (no manual data entry) is now achievable through technology, but only 7% of all organizations have managed to achieve a rate of 90% touchless or higher.

With AP automation, not only is invoice data automatically captured, it is also intelligently coded and routed to the correct person for verification and approval.

3. How often do you have missing or misplaced invoices?

Building on Question #1, if you regularly have missing invoices, your risk is high—risk of late payments, penalties, strained vendor relationships, etc. So, how often—rarely, sometimes, or all the time?

4. How much time do your employees spend chasing down invoices?

Ideally, this should be less than one hour per week. If it’s regularly more than five hours per week chasing down invoices, you’re at risk of burning your employees out and missing other, higher-value tasks your department should be working on.

6. How often do you encounter missing or incorrect invoices?

Obviously, frequently misplacing invoices opens you up to a ton of risk. If a vendor calls and asks about a payment (that they’ve already received) but you can’t find a record, what’s to stop you from issuing a duplicate payment? The same goes for inaccurate data on an invoice.

If this is a regular occurrence at your organization, watch out!

7. How long does it take—on average—to process a single invoice?

If you’re processing invoices in less than a week, congrats—you’re a rockstar. Unfortunately, this is rare, and lagging AP departments can sometimes take over two weeks to process an invoice. Where do you rank?

Accounts payable automation can reduce invoice processing time from 20.8 to 3.8 days.

8. What type of visibility do you have of your outstanding liabilities?

An accurate view of an organization’s cash position is essential to the success of an organization, and if it can be accessed in real-time, that’s even better. If you have no visibility into these outstanding payments—or your data is disparate, hard-to-find, or difficult to report—you have an opportunity to reduce risk with a centralized payments system.

Well, how did you do? Did your answers inspire confidence in your current systems, processes, and outcomes? Or, did you cringe a bit during some of your responses?

Either way, it’s better to have these types of answers out in the open where you can deal with them in broad daylight. If you have any questions about this post or would like to talk with an accounts payable automation expert, don’t hesitate to reach out to us.

Interested in claiming some of the benefits from AP automation for your own company? Schedule an appointment to chat with one of our AP heroes!
