5 best internal controls over vendor master file
Internal controls over vendor master file keep your data secure with clear rules, audit trails, and consistent oversight for long-term data integrity
3-way matching is an essential control that all Accounts Payable (AP) teams should implement. In this guide, we will examine everything you need to know about 3-way matching so you can protect your organisation from fraudulent and erroneous payments.
Your Accounts Payable (AP) team may receive dozens, if not hundreds, of invoices. Most will be sent by suppliers via email. Some still send them via the post.
The AP team needs to be able to determine whether or not an invoice should be paid. This is one of the most important responsibilities of the AP team. Get it wrong, and the organisation could face substantial losses.
It is critical that once an invoice is received, the AP team has a system in place to efficiently check the validity of the invoice.
This is where 3-Way matching comes in.
With 3-way matching, your AP team can verify that the invoice they have received aligns with actual goods or services the organisation has procured.
The AP team is on the front line in protecting your organisation’s financial assets. They have responsibility for ensuring that all outgoing payments are legitimate.
As the department with the authority to process outgoing payments, the AP team is tasked with a heavy responsibility. After all, any fraudulent or erroneous payments can result in costly losses for the organisation.
The challenge is exacerbated by the fact that many malicious actors, whether external or internal to the organisation, deliberately target the AP team. Such criminals know all too well that one slip in payment controls could see them profit handsomely at the organisation’s expense.
With effective 3-way matching in place, it is possible to limit the risk of illegitimate outgoing payments.
Whenever your AP team receives an invoice, they should ensure the details match the information in the Purchase Order (PO) and the Receiving Report (sometimes known as the Receipt Note).
The PO will outline what goods or services your organisation has decided to procure. It should outline details such as quantities, the date when the order was expected to be fulfilled, who within the organisation authorised the procurement and any payment arrangements.
A Receiving Report is usually prepared by a Receiving Department. They are tasked with verifying that goods the organisation has procured have in fact been delivered to the organisation.
Your organisation should assign a unique PO number every time it procures anything. This number should be noted on both Receiving Reports, as well as invoices from suppliers. If a supplier neglects to include the PO number on an invoice they send you, return it to them so the invoice can be updated.
It is essential that all suppliers include the PO number on their invoices, as this enables your AP team to efficiently cross-match the invoice with both the PO and Receiving Report. An invoice without a PO number can result in fraudulent invoices being paid, or invoices being paid multiple times.
Only when the details on an invoice match both the PO number and the Receiving Report can your AP team effectively implement 3-way matching.
Invoice fraud is having a major impact on Australian organisations.
Whether your organisation is in the private, public or not-for-profit sectors, criminals are actively looking for opportunities to deceive AP teams into processing payments to bank accounts they control. And it’s not only large organisations that are targeted. Small and medium sized enterprises are also actively being targeted.
According to Scamwatch, payment redirection scams cost Australians over $128 million in 2020. During that time, Scamwatch received over 1,300 complaints of such scams, up from just 900 the previous year.
Invoice fraud can occur in a number of ways.
Unscrupulous suppliers may inflate the amount to be paid, submit duplicate invoices, or may not render the goods and services as outlined in the PO. Sometimes they do this with the complicity of malicious insiders. Matching every invoice with the PO and Receiving Report will help your AP team identify such practices.
Another invoice fraud tactic involves cyber-criminals manipulating the banking information contained within invoices. Typically, the supplier’s BSB and Account Number are changed, so the AP team inadvertently ends up sending the funds to a bank account controlled by the criminals. 3-way matching can help reduce this risk if the supplier’s bank details are included in the PO. It will be possible for the AP team to manually verify that the bank details contained in the PO align with those listed on the invoice.
Of course, such manual checking of bank details can be time consuming. Busy AP teams should look to embrace tech solutions that make verifying bank account details efficient.
Busy AP teams are susceptible to making errors that can cost their organisation dearly. The most common error involves duplicate payments.
In cases where a supplier has multiple entries in a Vendor Master File or ERP system, staff may erroneously pay the same invoice more than once.
Another common error may see AP staff pay invoices where the supplier has failed to render the goods or services as outlined in the PO.
With effective 3-way matching in place, the risk of such errors is significantly reduced.
In order to achieve greater efficiencies, some organisations may choose to set a threshold under which the AP team may simply conduct 2-way matching. Typically, invoices with values under $10,000 only require 2-way matching.
Such thresholds are usually set by the CFO or senior management.
2-way matching requires AP staff to match an invoice against a PO, but removes the requirement to also match the invoice against a Receiving Report.
Whilst 2-way matching will help increase the efficiency of the AP team, it also has an element of increased risk. When conducting 2-way matching, the AP team is not verifying that the supplier has fulfilled their obligations as stated in the PO. Therefore, 3-way matching is definitely preferable whenever possible.
When it comes to procurement of goods with detailed specifications, or the procurement of services, many organisations now require 4-way matching.
In addition to matching an invoice against the PO and Receiving Report, 4-way matching also requires the invoice to be checked against an Inspection Report.
An Inspection Report is prepared by the individual within the organisation who has responsibility for procuring the good or service. Whilst a Receiving Report simply confirms that goods were delivered to the organisation, an Inspection Report is more qualitative in nature. The Inspection Report confirms that the goods or services meet the expectations and standards stipulated during the procurement process.
An Inspection Report should be completed by the individual within the organisation who requested and/or authorised the purchase of the goods or services. This report should then be made available to the AP team.
Inspection Reports are particularly useful when procuring services. Unlike goods that are physically delivered to the organisation, there is no Receiving Report for services purchased. So, an Inspection Report can be a useful alternative to a Receiving Report.
As with everything, there is a degree of trade-off between efficiency and security. 3-way matching does slow down the AP function as staff need to manually check all invoices against the PO and Receiving Report.
Of course the benefit of such checking is that the risk of fraudulent or erroneous payments is significantly reduced.
However, through embracing the latest technologies, it is possible to achieve security benefits without compromising organisational efficiency.
Eftsure is a unique platform that allows your AP team to verify in real-time that the bank details listed on a supplier’s invoice are accurate. Our proprietary database comprises banking details for over 2 million Australian organisations. Sitting on top of your payment processes, it is possible to check that the banking details being used to process a payment to a supplier match the bank details used by others when transferring funds to the same supplier.
Eftsure is being embraced by organisations around Australia as the most effective way to mitigate the risks of invoice redirection fraud or payment errors. With eftsure, 3-way matching becomes more efficient, as your AP team ceases to be reliant on it to verify banking information.
Contact eftsure today for a comprehensive demonstration of our platform and learn how it can help your organisation achieve security whilst maintaining efficiency.
Internal controls over vendor master file keep your data secure with clear rules, audit trails, and consistent oversight for long-term data integrity
The vendor master data cleansing process is a critical activity every AP team should periodically undertake to stop payment errors and fraud.
Establishing vendor master file best practices is the first step to cleaning your how your supplier data should be handled and maintained.
Eftsure provides continuous control monitoring to protect your eft payments. Our multi-factor verification approach protects your organisation from financial loss due to cybercrime, fraud and error.