Without a doubt, vendor management is no longer an ignored issue. Smart organizations everywhere realize that it is critical that vendors be verified before they make their way into your vendor files. They also have learned that any changes to the original information must be verified as well. Too many have learned the hard way that skipping the verification step can result in millions of lost dollars.
The Control Challenge in Real Life
Despite significant investment in internal corporate controls in the wake of the Sarbanes-Oxley Act, corporate fraud has increased in the last few years. Outsiders have figured out how to successfully manipulate their way into corporate bank accounts through various accounts payable functions. What’s more, OFAC actions continue. This means that your organization could be at risk if it pays someone the US government has deemed to be a “specially designated national” (SDN), even if that payment was not intentional. Every organization should be verifying upfront that it is not falling into this trap. What follows is a look at some recommendations many can use to limit the potential for vendor or employee fraud related to establishing a vendor.
Three New Verifications
First, verify that new vendors with significant first-time payments are legit. Also check payments to vendors who provide only a PO Box as a remit-to or other address. Today it is fairly simple to check almost every new vendor using the Internet to check yellow pages, run Google searches, and access sites such as D&B Hoover’s. This is critical to protect against potential fraud.
In addition to the traditional validations, you might want to update your processes to include the following:
- While many organizations realize they are supposed to verify all payments against the US Treasury Department’s SDN list, few do so. They believe that, of course, they are not paying a drug lord or terrorist or other party deemed undesirable by the US government. Many have learned the hard way that this was not the case. So, even if you don’t check every single time, at least verify when you first set the vendor up. Expect a number of false positives and don’t forget to download the most recent list before verifying. It is updated several times a week.
- Additionally, you should run the addresses of all new vendors against addresses in your HR file. The purpose of this task is to identify employees who might be attempting to set up a phony vendor. It won’t happen often, but when it does, the damage can be harsh. Again, expect false positives. So, don’t ring the alarm bells if you find a match. Do your research and only when you are certain, get HR involved. One company that does this religiously reports that in six years it found two employees playing such games.
- And of course, any request to change information must be verified, ideally by picking up the phone and calling the organization. Use a phone number you have in your records or one that you find on the vendor’s internet site.
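The HR address cross-check and the PO Box check described above, sketched as an added example that is not part of the original post. The record layout, field names, and sample data are constructed assumptions; every finding is a lead to research, not proof of fraud.

```python
import re

# Common address words collapsed to one spelling so "Street" and "St." compare equal.
ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "drive": "dr",
          "boulevard": "blvd", "lane": "ln", "suite": "ste", "apartment": "apt",
          "north": "n", "south": "s", "east": "e", "west": "w"}
PO_BOX_ONLY = re.compile(r"^(p ?o|post office) box \d+$")

def normalize(street):
    """Lowercase, replace punctuation with spaces, collapse abbreviations."""
    text = re.sub(r"[^a-z0-9 ]", " ", street.lower())
    return " ".join(ABBREV.get(tok, tok) for tok in text.split())

def match_key(record):
    """Normalized street plus 5-digit ZIP; ZIP+4 suffixes are ignored."""
    return (normalize(record["street"]), record["zip"][:5])

def review_new_vendors(vendors, employees):
    """Return (vendor_id, reason, detail) leads for manual follow-up."""
    hr_index = {match_key(e): e["id"] for e in employees}
    findings = []
    for v in vendors:
        employee_id = hr_index.get(match_key(v))
        if employee_id:
            findings.append((v["id"], "hr_address_match", employee_id))
        if PO_BOX_ONLY.match(normalize(v["street"])):
            findings.append((v["id"], "po_box_only", ""))
    return findings

# Constructed sample data (hypothetical IDs and addresses).
EMPLOYEES = [
    {"id": "E-102", "street": "1420 North Maple Street, Apt. 4", "zip": "60614"},
    {"id": "E-221", "street": "77 Harbor Rd", "zip": "02110-1234"},
]
NEW_VENDORS = [
    {"id": "V-9001", "street": "1420 N. Maple St Apt 4", "zip": "60614-2210"},
    {"id": "V-9002", "street": "P.O. Box 881", "zip": "10001"},
    {"id": "V-9003", "street": "500 Market Street", "zip": "94105"},
]

if __name__ == "__main__":
    for vendor_id, reason, detail in review_new_vendors(NEW_VENDORS, EMPLOYEES):
        print(vendor_id, reason, detail)
```

Exact matching after normalization keeps false positives low but misses typos and reordered unit numbers, so a real run would still need a manual pass over near matches.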
One Last Technique
Sometimes an ounce of prevention is worth a pound of cure. One way to deter fraud is to scare people into doing the right thing. The tactful way to say this is to say you are deterring fraud.
Even if you don’t actually verify vendors in accounts payable, you can tell people that you do. Put a little blurb on your material saying that “New vendors set up outside AP will be verified by AP.” This warning will help scare off petty theft. The unscrupulous will have to be a little more creative if they want to defraud your organization.
Similarly, you can create a long list of items verified—even if you don’t check everything. No one needs to know this. This is one place where it is perfectly acceptable for accounts payable to be less than 100% honest. With limited staff a little creative license is sometimes called for.
This helps protect against collusion within the process, since ideally the person checking in AP is not the person who sets up the master vendor list. If your organization does not do this, your organization is being exposed to fraud, as vendor theft is among the easiest to commit.
Clearly, continued monitoring of the process will assess the quality of internal controls over time. Keep in mind that the extent of the controls adopted by any business is often limited by cost considerations. But given some of the horrific losses in the last few years, more than a few organizations have come to realize that verifying vendor information is not the place to cut corners. Taking this route has cost some organizations millions of dollars.
This blog was written by the founder of AP Now, Mary S. Schaeffer.