Risks In a traditional finance division, the departmental structure is usually functional with a specific individual or team responsible for Accounts Payable and a separate team responsible for Accounts Receivable. This structure is vulnerable to collusion between Accounts payable staff and suppliers. Over a period of time suppliers build a relationship with Accounts payable staff and this is misused. Examples include
- Processing payments prior to credit period
- Booking duplicate invoices, bypassing system controls
- Exploit weak payment controls to book and pay unapproved invoices
- Failure to book credit notes
- Creation of unapproved vendor masters
Accounts Payable staff themselves can perpetrate a variety of frauds including directing payments to their personal accounts. Then there is the difficulty in enforcing quality and standards in processing. Accounts payable staff frequently avail themselves of shortcuts in posting, including processing payments as journal entries, crediting bank and debiting an expense account, bypassing vendor account and related controls including credit terms. This is done sometimes with malicious intent and sometimes for convenience. In either respect, the company loses important information and cash flow suffers. Staff are also less concerned about qualitative information required for management accounting and are focused primarily on processing a payment. Specific risks in an SAP environment
- Standard SAP settings permit the user to change the vendor in the invoice verification stage (MIRO transaction). PO is booked to Vendor A but at the time of the MIRO, the user can change this to vendor B. This flexibility is provided by SAP for exceptions but is open to manipulation.
- If tolerance limits are not maintained in SAP, excess amounts could be booked during invoicing.
- For invoices booked without a Purchase Order, (transaction code FB60) it is possible to account for any value at the time of invoicing. It is possible for instance to book, either by oversight or design, a USD 50,000 invoice as USD 500,000!
- If a one-time vendor is used to without controls, it is possible to process the payment to any vendor â€“ even to yourself!
- No controls in vendor master creation
- Unauthorized user access privileges with reversal rights
Why outsourcing Accounts Payable strengthens controls
- Segregation of duties is built into the process where the Purchase Order and GRN is processed by a representative of the company and the invoice verification and payment is carried out by the outsourced services provider.
- Business Process Management (BPM) companies manage Accounts Payable as a process and deploy large teams. As a result, there wonâ€™t be a specific individual handling a clientâ€™s work. Instead invoices are directed to a queue wherein agents select documents on a first in first out basis. Opportunities for collusion with suppliers is significantly reduced
- Most BPM companies invest in process reengineering, process mapping, de-risking a process and improved controls. Controls introduced by InfoMate on an SAP environment include
- blocking the facility to change vendors at the MIRO stage,
- building intolerance limits during invoice verification
- Blocking baseline date change field and the ability to advance payments prior to credit limit
- Discouraging the use of FB60 postings. We report monthly on the number of non-PO invoices posted monthly so that client can introduce measures to increase the use of Purchase Orders.
- Limiting the use of one-time vendor and insisting on the use of named vendors from the master file
- BPM companies also invest in quality control and Six Sigma. InfoMate maintains an independent quality team which carries out quality audits and reports on defects.
- Rotation of personnel between processes
- Use of scanning and imaging facilitates checks against the original source document and facilitates audits since the image is made available through integration of the document management solution with ERP
- Use of KPIs and Six Sigma to continually improve a process
- User access is strictly controlled and only necessary transactions are granted to processing staff. Reversal rights are not granted
- Creation of new vendors is carried out by an independent team and all new creations require approval from a designated senior officer of the company. Vendor masters are periodically audited and inactive suppliers blocked.
- An independent team carries out indexing of supplier invoices, indexing invoice amounts. This is automatically matched against the amounts keyed in by agents and discrepancies highlighted.