5 best internal controls over vendor master file
Internal controls over vendor master file keep your data secure with clear rules, audit trails, and consistent oversight for long-term data integrity
As businesses continue to rely more heavily on automated systems, strong internal controls are increasingly critical. These financial controls are necessary to protect your organisation’s financial assets and lower the risk of fraud, especially in the accounts payable (AP) function.
And one of the most important elements of internal controls is segregation of duties (SoD).
However, a poll from KPMG found that more than a third of survey respondents described their internal controls as either “basic” or “rudimentary.” It’s a concern because cyber-crime rates are rising and the threat landscape is evolving rapidly – today’s fraud risks are different from the analogue risks from a few decades ago. Finance leaders can’t afford to settle for “rudimentary” or outdated controls.
To stay ahead of today’s threats, let’s explore segregation of duties for AP and find out how it can help you lower risks of fraud or error in the digital age.
The Australian Auditing and Assurance Standards Board defines segregation of duties as “assigning different people the responsibilities of authorising transactions, recording transactions and maintaining custody of assets.”
In other words, segregation of duties is all about ensuring no single individual has total control over any process. This spreads accountability throughout a team, making it harder for any one person to circumvent a business process or standard, intentionally or unintentionally. It also helps contain risk if a malicious actor does manage to infiltrate your systems or dupe an employee.
Within an AP team, segregation of duties helps to prevent errors, fraud and other irregularities across payment processes and financial reporting. Several different functions should be separated, including:
For example, if a single employee can unilaterally approve invoices for payment and initiate payment, they could potentially approve and pay fraudulent invoices to themselves or to a fictitious vendor. But, when these duties are segregated, there would need to be a conspiracy between multiple employees. And, well, conspiracies are a lot less likely than a single bad actor.
A segregation of duties violation occurs when one person is responsible for more than one step in the payment process, or when two or more individuals collude to circumvent the controls designed to prevent fraud or errors. Within the modern threat landscape, this might not even be staff acting maliciously – through hacking, social engineering or other tactics, cyber-criminals can work to circumvent segregation of duties from outside your organisation.
This can open your organisation to risks like duplicate payments or making unauthorised payments to fictitious vendors.
So what does this mean for accounts payable teams?
What is segregation of duties in auditing? In Australia, the Auditing and Assurance Standards Board developed a framework known as “ASA 240: The Auditor’s Responsibilities Relating to Fraud in an Audit of a Financial Report.”
ASA 240 emphasises the importance of segregation of duties in internal controls. It advises auditors that inadequate segregation of duties – also called “independent checks” – might make the organisation more susceptible to misappropriation of assets. Auditors understand that segregation of duties is a crucial way to manage the risks associated with fraud and human error.
You might feel like your team is totally trustworthy – and there’s a great chance that they are! But the reality is that there will always be risks, even when employees only act with the best intentions. Aside from the risk of internal fraud, two of the biggest risks are human error and cyber threats. Let’s examine all three.
While it’s always uncomfortable to suspect a team member, trusted insider threats are still very real. Take the Australian National Maritime Museum, where an IT support contractor allegedly committed fraudulent activities totalling an estimated $90,000.
There are several reasons why employees may engage in fraud:
Internal fraud can take many months, if not years, to identify and address, especially since inside actors tend to have the organisational knowledge to cover their tracks. With a strong SoD controls system, it’s harder for any malicious actor to defraud your organisation, whether they’re internal or external.
Your team may be capable and hardworking but human error will always be a factor. No one is perfect, and we shouldn’t design processes or standards around the fantasy that anyone ever can be perfect.
Busy staff can easily make data entry errors that see you remitting funds to an incorrect bank account. Or they can skip a callback when verifying supplier details. These sorts of risks are even higher during especially hectic periods or during later hours when staff might be losing energy and ready to finish their workday.
Cyber-criminals like to exploit those human errors, increasing the risk that an honest mistake can facilitate malicious activity. Cyber-crime is rising, so it’s important to know that fraudsters increasingly use tactics such as social engineering to lure employees into giving away sensitive information or processing fraudulent payments.
With cyber-criminals hunting for new ways to deceive employees or circumvent controls, it’s even more important to ensure your segregation of duties is strong.
There are many different ways to implement segregation of duties within an organisation. Some examples include:
To put it simply, you want at least two sets of eyes on every transaction.
Implementing segregation of duties requires a thorough understanding of the organisation’s processes and risks. CFOs should identify critical processes and tasks and then determine which team member should be responsible for each task.
It’s also important to ensure that there’s no conflict of interest.
For example, the person responsible for accounts receivable should not also be responsible for accounts payable. This could create a conflict of interest, and increase the risk of fraud or errors. CFOs should also ensure there’s adequate supervision and monitoring of segregation of duties policies. This can be paired with a clear matrix of the procure-to-pay cycle, helping to identify all the steps that need to happen.
Finally, CFOs should regularly review and update their segregation of duties policies. As the business grows and changes, new risks may emerge and new controls may be necessary. Regular reviews and updates of the segregation of duties policies ensure that they remain effective in reducing the risk of fraud and errors.
Some practical tips for implementing segregation of duties include:
With these system restrictions in place, it should be possible to get visibility and ensure that teams are adhering to segregation of duties policies.
Use the following checklist to ensure your organisation has appropriate segregation of duties in place:
If your business lacks segregation of duties in its accounts payable function, it could mean that the same individual or group of people may be responsible for a number of problems. This includes a higher risk of errors and mistakes, regulatory breaches and, finally, external and internal fraud.
One of the biggest risks associated with the lack of segregation of duties is the increased risk of fraud.
When a single person is given the sole responsibility of two conflicting tasks, such as entering payment information and approving payments, it creates an opportunity for fraudulent activity to occur. This risk is compounded when a single individual is responsible for both tasks.
One example is a bank manager who was sentenced for stealing $16 million from the Bank of Montreal. The manager was able to commit 63 counts of fraud, at least in part due to a lack of segregation of duties.
Implementing strict Segregation of Duties controls in a large organisation is easier, as there are many more employees. This allows the Accounts Payable Manager to ensure segregation of responsibilities to which different employees have responsibility for different steps in the Procure-to-Pay cycle.
However, this may not be possible in smaller organisations.
Smaller organisations don’t usually have enough employees to adequately implement a comprehensive Segregation of Duties framework. If this is the case, then smaller organisation need to establish compensating controls which are controls designed to compensate for the increased risk. For smaller organisations, you should consider other options that will deliver you the same level of protection afforded by comprehensive Segregation of Duties, such as:
As an example, you may decide to outsource responsibility for managing your Vendor Master File.
Of course, deciding to outsource management of some confidential corporate data carries its own potential problems. However, with the right outsourcing model, this option can help you achieve Segregation of Duties, whilst also making your Accounts Payable team run efficiently and leanly.
Another option is to implement additional checks into your Procure-to-Pay cycle. These may be manual in nature, but given your staffing constraints, this is probably not possible. An automated solution, such as Eftsure, will help you achieve the same protections as comprehensive Segregation of Duties controls, without having to hire additional staff.
Regardless of the cause of any irregularities, it’s important to investigate the issue and take corrective action to prevent further problems.
This can involve implementing additional controls or reviewing and updating payment processes and procedures. This way, it reduces the likelihood of fraudulent activities occuring with the rotating roles and responsibilities. It may also be necessary to investigate and take disciplinary action against any individual involved in fraudulent activity like accounts payable fraud.
Prioritising SoD ensures accountability and transparency in the organisation’s operations. It enables a clear chain of command and provides a system of checks and balances that ensures that no one employee has too much control over crucial business processes. It’s important that CFOs become aware that SoD processes are a crucial element of compliance with regulations and standards such as the ASAE 3150 (Assurance Engagements on Controls) and ISO 27001.
These regulations require Australian businesses to implement proper controls, including SoD to reduce the risk of fraudulent activities.
The benefit of Eftsure is that it ensures the banking details you’re using to pay a supplier match the details used by other organisations when paying the same supplier. It helps mitigate your risk of both human error and fraud each time you process an electronic bank payment.
For a demonstration of how Eftsure can help standardise segregation of duties and protect your organisation from fraud or error, contact us today.
Internal controls over vendor master file keep your data secure with clear rules, audit trails, and consistent oversight for long-term data integrity
The vendor master data cleansing process is a critical activity every AP team should periodically undertake to stop payment errors and fraud.
Establishing vendor master file best practices is the first step to cleaning your how your supplier data should be handled and maintained.
End-to-end B2B payment protection software to mitigate the risk of payment error, fraud and cyber-crime.