Even with the renewed focus on internal controls, there are still situations where fraudulent payments are made to individuals or companies that are posing as legitimate suppliers. How is it possible that large companies have a private mailbox at the local UPS Store, a private residence, or at a prison address?
Within the Procure to Pay (P2P) process, there are several key internal controls. One of the key controls is ensuring that the supplier master is properly controlled with a focus is on:
The supplier master setup and validation phase requires appropriate segregation of duties. This means that the individual or department establishing the supplier is within a different department than the team processing invoices and creating disbursements. When considering segregation of duties for the supplier master setup, it is important to include both the ownership of the process along with systems access. Even though ownership of the process is properly segregated, it is important to consider that system access is controlled to allow the correct individuals to process specific transactions.
Additional controls to consider for the supplier master setup process include:
The continuous monitoring process includes a review of the controls as noted above for the supplier master setup process. The review should include a selected sample of suppliers and reviewing the supporting documentation for the validation of a new supplier and the supporting documentation for a change of address.
All system-generated audit reports must be reviewed—not only for segregation of duties, but to determine if a supplier address has been changed and then immediately changed back to the original address.
Another consideration within the continuous monitoring process is to periodically review all duplicate suppliers and initiate a supplier master clean-up process. The clean-up process will alleviate duplicate suppliers that have been set-up for the same supplier at the same address.
Continuous monitoring on a real-time basis will quickly identify a potentially fraudulent supplier and will validate that Supplier Master Set-Up controls are properly working.
If there is a concern about a specific supplier, it is important to raise the issue to your internal controls or internal audit department after performing an evaluation of internal controls within the P2P process. This process will determine if the control is operating as defined. If a control weakness is identified, it is important to immediately adjust the control and increase the sample size of the test.