An Internal Control Tip from Weaver |
Electronic payments to vendors are easier and faster than printing and signing hundreds of checks, but what are you risking for convenience? As more and more payments become electronic, wise districts will take steps to protect their bank accounts. Electronic payments to vendors are easier and faster than printing and signing hundreds of checks, but what are you risking for convenience? As more and more payments become electronic, wise districts will take steps to protect their bank accounts.
Accounts payable (A/P) errors are sometimes big and obvious. But more often, money seeps out in small amounts, month after month, to a vendor who long ago stopped supplying your district. Or worse, you discover the district has been paying a fraudulent vendor created by your own long-time employee.
Stop Mispayments at the SourceThe best protection starts with your ERP — specifically, setting up effective processes to monitor your vendor database as well as electronic payment mechanisms.
How do you create those processes? To be most effective, start at the source, your list of vendors, and work through to payments and then follow-through. A sample step-by-step process is shown below, with key points to remember at each stage.
The Process
Setting up and maintaining the vendor list• Limit the number of people who can set up or edit vendors. Setting up vendors should be limited to those in purchasing to establish appropriate segregation of duties.
• Ensure vendor additions or changes are verified by a second person (see the October 22, 2018, TASBO internal control tips).
• Establish an active vendor list of approved entities who are allowed to receive payments.
• Restrict electronic payments to only those vendors who are on the active vendor list.
Utilizing Positive Pay and other dual controls over payments• Implement dual controls over sending all forms of electronic payments, with the bank requiring two authentications – a transaction initiator and an approver.
• Take advantage of Positive Pay, if your bank offers it — and request this service if it doesn’t. Positive Pay requires the payer (you) to send a separate file listing payees and amounts to be paid each time payments are disbursed. If an EDI payment request comes through that doesn’t match the Positive Pay list, the bank will reject it.
• Segregate the responsibility for creating the Positive Pay list from the ability to prepare EDI payments themselves. This reduces opportunities for errors or fraudulent payments.
Review the Active Vendor Listing
• Establish a process for reviewing the active vendor listing, at least annually. Deactivate “stale” vendors — those who haven’t supplied the district in the last year.
• As part of this review process, identify vendors with duplicate or missing information so those records can be corrected.
• Deactivate vendors, rather than deleting them, so that you retain the purchase history.
Periodic data analytics• Consider performing a periodic data analytics review over the vendor file and payment histories to identify vendors or entries that should be scrutinized.
• Data analytics can help find duplicate entries, such as multiple suppliers with the same address, or potential signs of fraud, such as a vendor address that matches an employee’s.
• Your internal auditor should be able to perform these analytics; ask them if they have this capability.
Maintain Strong Controls, Beginning to EndThe strongest banking and vendor controls in the world won’t protect your bank account if you don’t also practice basic internal controls: segregation of duties, consistent invoice review and approval, strong user access controls, and regular vendor maintenance.
Simple but consistent controls like these can help protect your district from fraud or from innocent but costly mistakes. It’s worth a little time and expense to make sure your funds are protected.
Dan Graves, CPA will speak on “DIY Construction Risk Management” at the 2019 TASBO Conference, March 4-8.
