How to Establish an Internal Controls Framework for Accounts Payable
Accounts Payable has a critical role in the internal controls of a business as the custodian of funds leaving the finance organization. Much like trying to get water back into a leaky pipe, once payments are sent to suppliers, any opportunity for retrieving funds becoming increasingly complex, if not impossible. Yet data entry errors and payment fraud do happen. An internal accounts payable controls framework and AP automation – including approval workflows, signatory rights, and payment processes – provides the basis for minimizing risk and error in AP controls and ensuring financial compliance before payment.
Determining Roles and Responsibilities
From the CFO to Controller to AP staff, there are considerations for each to ensure a strong internal accounts payable control framework. Senior staff set the tone for the organization as well as ensure a Segregation of Duties (SoD). SoD enables points between entities to “check each other’s work,” as it were. That way, no one individual becomes the source for releasing funds. It also double-checks for potential errors. The most effective way to establish SoD is to enable approval workflows such that any supplier-based transactions are verified by multiple entities. Automating such approvals streamlines the effort – not to mention maintains a digital audit trail should further investigation be required.
Exercising a Well-Defined Supplier Onboarding Program
Knowing who your suppliers are goes a long way to ensuring they are not bad apple entities. Particularly when working with cross-border suppliers where access is more limiting, making them jump through a few extra hoops to demonstrate their authenticity may not be a bad thing. This may be requiring and validating business addresses and asking the supplier to submit banking details for electronic payments during the supplier onboarding process. One benefit to the US government’s Foreign Account Tax Compliance Act (FATCA) is that additional identity information can be requested such as where the supplier is doing business and their tax IDs. While it may seem a formality, it can actual be very useful in determining who the payee is.
Leveraging Known Blacklists
And of course, verifying any supplier against the OFAC SDN database (as well as other global databases) to ensure the payee hasn’t been blacklisted for illegal activities minimizes the moneylaundering risk exposure for the company. In addition, it may be worthwhile to consider an internal database as well depending on the amount of supplier churn. That includes listing any suppliers who may have been problematic in the past. With frequent turnover of AP staff, visual checks may not always be enough to sustain controls over funds to bad actors. Checking both the SDN database as well as internal risk lists for each payment – and not only at onboarding – should close an often overlooked loophole.
Proactive Steps for Detecting Fraud
The most basic internal control reporting involves an adequate and detailed payment reconciliation process. Knowing the state of funds and transactions are critical to monitoring activities. All of this should be reported back to the general ledger or ERP system as soon as possible. If an organization waits until month-end close to reconcile, that’s a 30-day head-start for anyone attempting to defraud the organization.
This whitepaper from IOFM and the APP2P network includes a full list of internal control processes to support the accounts payable record to Report (R2R) effort. It also provides a deeper set of guidelines for establishing internal controls and compliance.