5 best internal controls over vendor master file
Internal controls over vendor master file keep your data secure with clear rules, audit trails, and consistent oversight for long-term data integrity
A well-run and secure Accounts Payable (AP) function needs comprehensive policies and procedures that are fit-for-purpose in an increasingly complex digital age. It is also critical that those policies and procedures are well understood by AP staff and adhered to.
In this blog we will explore what’s involved in implementing fit-for-purpose AP policies and procedures in your organisation.
When it comes to implementing best-practice Accounts Payable policies and procedures, it would be a huge mistake to assume that what worked yesterday will be fit-for-purpose tomorrow.
The digital landscape is changing at break-neck speed. Barely a day passes without the introduction of new technologies promising to make business operations more effective and efficient. Organisations that embrace digital transformation are reaping significant dividends. But there is also a considerable risk: Expanding the technology in your environment can lead to a corresponding expansion of your attack surface.
Your attack surface includes all the systems, from hardware devices such as laptops and smart phones, to the software you use for accounting and vendor management, that a cyber-attacker may seek to exploit in order to gain unauthorised access to your digital environment. Once inside your security perimeter, the attacker may be able to access and manipulate supplier data stored in your Vendor Master File or ERP. They may also be able to access email accounts and impersonate your organisation’s executives in order to launch a Business Email Compromise attack.
Put simply, with more hardware and software, you are expanding the opportunities for a sophisticated attacker to exploit any vulnerability they can identify in any of those systems. This in turn paves the way for them to engage in fraud against your organisation.
The AP policies and procedures you implemented in the past may have been fit-for-purpose at the time. But we now live in a whole new world. Your old AP policies and procedures are unlikely to be suitable in the current digital landscape.
As an AP manager, you need to ensure your policies and procedures are regularly reviewed and updated to take into account changing circumstances and technologies.
AP policies establish a clear set of rules that outline how your department will address certain issues.
There are four main reasons you should establish AP policies:
The main reason you should establish AP policies is that they clearly lay out what your organisation expects from staff. With clearly written and communicated policies, your AP staff will understand how they should behave and act in specific circumstances.
For any AP function, particularly as you grow and expand, ensuring all the staff are working in a consistent way is critical. For example, if every member of your AP staff follows different naming conventions when onboarding a new supplier into your Vendor Master File, you will quickly find many suppliers with multiple entries, increasing the likelihood of duplicate payments.
Without clear policies in place that all AP staff follow, it will be impossible to ensure internal controls are maintained that mitigate your risk of fraud. For example, your AP policies may require staff to undertake supplier call-backs before processing an invoice, reducing the risk of fraudulent or erroneous payments.
Clear policies allow the CFO and AP manager to ensure that the AP function performs according to best-practice principles. Through a combination of a clearly articulated vision and detailed rules, it is possible to establish a benchmark that drives enhanced employee accountability.
Whilst your AP policies provide a high-level overview of the rules, your AP procedures should provide the detailed explanation to staff about how they should implement those rules.
For example, AP procedures should articulate:
Absolutely!
An effective AP policies and procedures manual should articulate what your staff can expect from the department, and what the department expects of your staff. When creating your manual, or updating an existing manual, it is important to ensure the language is clear and concise.
Because many AP teams have grown gradually, or evolved as part of the broader accounting department, all too often they haven’t spent the time developing a specific AP policies and procedures manual that specifically covers all aspects of the AP function. Instead, AP processes have tended to develop on an ad-hoc basis, whenever a specific need arose.
The problem with this approach is that knowledge about how particular systems work, where specific information is stored and how certain tasks are carried out, often resides with one individual. Not only can this approach result in business continuity challenges if a certain individual gets sick or accepts another job, leaving the AP function in the lurch. It also makes it almost impossible to establish department-wide consistency. Without a dedicated manual, AP staff won’t have the clarity they need around how to handle specific tasks and may increase the organisation’s risk exposure.
Another reason why you should develop a dedicated AP policies and procedures manual, is that it can demonstrate to senior executives the value the AP team provides to the broader organisation. Accounts Payable is often seen as a cost centre in many organisations. This can result in a reluctance to adequately resource the function. Armed with a manual that demonstrates the breadth of business-critical tasks AP performs and the value it provides in mitigating the growing risk of fraud, it will be easier to demonstrate to senior executives how AP benefits the organisation and why it should be adequately resourced.
An AP policies and procedures manual should be a living document. Whether you choose to review it on an annual basis, or every time a new process is added or amended, will be at your discretion. However, by regularly reviewing the practices followed in your AP function, you will be able to ensure your team is always keeping up with industry best-practices, and that all the activities remain in alignment with your organisation’s requirements over time.
Of course, whenever you identify mistakes in your AP function that require a change in processes, your manual should be amended immediately in order to eliminate those errors.
Another benefit of regularly reviewing your manual is that allows staff within the department to have greater input on a regular basis into how the AP function is run. Staff should have the opportunity to regularly come forward with suggested improvements to the way tasks are undertaken, and if management agrees with the changes, they can be incorporated into the manual so that all staff can follow the amended methodologies.
As an AP manager, you should also ensure that all AP staff receive adequate training every time any of the policies and procedures contained in the manual are updated.
A good AP policy and procedures manual, that accurately reflects your AP practices in use, can be used in the following ways:
When creating your manual, remember that it should be a clear and concise how-to guide. The purpose of the document is not to provide lengthy explanations on the broader corporate mission, nor on theoretical principles underpinning accounting practices.
Following these style guidelines will help ensure your AP policies and procedures manual becomes an invaluable resource for your staff:
Compiling a comprehensive AP policies and procedures manual may seem like a relatively straight forward task. Be warned, it will likely take you considerably longer that you initially anticipate. Once you need to start breaking down all the AP processes into step-by-step instructions, you will realise how complex many of the tasks are. This is a great opportunity to identify gaps in the way your staff handle certain tasks and will allow you to improve many aspects of the AP function.
Also be warned that every organisation’s AP requirements are different. As such, no two AP teams operate in exactly the same way. It would be great if you could simply borrow another organisation’s manual and update it for you own requirements, however this is unlikely to work very well.
It’s all very well having a fit-for-purpose AP policies and procedures manual, but if it isn’t adhered to, you will have a major problem on your hands.
The first step is to disseminate the manual to all AP staff. However, you will need to do much more than that to ensure the information contained in the manual is absorbed, understood and followed. Breaking the manual down into its various chapters and running individual training sessions dedicated to each chapter is one way to ensure the entirety of your team sees its value.
Another worthwhile exercise would be to initiate discussions with individual employees about various aspects of the AP policies and procedures during periodic staff reviews. This makes staff feel invested in the operations of the AP function and can contribute to stronger staff morale.
Having checks and balances in place to ensure all members of your team are sticking to the rules as stipulated in the manual will also be critical, with additional training for those who may not be following the steps correctly. Importantly, you need to convey to staff the reason why the manual stipulates that certain tasks be conducted in a specific way, and why consistency across the AP team is critical from a risk mitigation and business continuity point of view.
Finally, there may be other staff in other departments across the organisation who engage with AP from time to time. These other staff members may also need to be trained in various aspects of the AP policies and procedures.
Whilst a fit-for-purpose AP policies and procedures manual is an important element in a well-run and secure AP function, alone it will not eliminate all risk of fraud. Sophisticated fraudsters will always look for ways to circumvent your processes and controls, no matter how comprehensive they are.
With eftsure sitting on top of your AP processes, you have an important layer of defence that ensures outgoing payments are verified in real-time. This helps mitigate the risk of range of threats, such as breaches of your attack surface that can result in fraudulent payments.
To learn how eftsure can align with your AP policies and procedures, whilst affording you an important additional layer of protection, contact us today.
Internal controls over vendor master file keep your data secure with clear rules, audit trails, and consistent oversight for long-term data integrity
The vendor master data cleansing process is a critical activity every AP team should periodically undertake to stop payment errors and fraud.
Establishing vendor master file best practices is the first step to cleaning your how your supplier data should be handled and maintained.
Eftsure provides continuous control monitoring to protect your eft payments. Our multi-factor verification approach protects your organisation from financial loss due to cybercrime, fraud and error.