Controls for a Computerized Accounts Payable Environment
Perforating the voucher package after a check has been signed was one of the controls needed in a manual system, since it is an effective way to keep the same backup materials from being used a second time to authorize an additional payment. Though this control can still be used in a computerized system, there is less need for it, since the software automatically warns users of the presence of duplicate invoice numbers.
The preceding list of controls constitutes the basic controls needed for a computerized accounts payable system, but the controls that follow can also be used to bolster the level of control over the process.
- Restrict access to the vendor master file. For a variety of reasons that are enumerated in the next bullet points, it is unwise to allow unrestricted access to the vendor master file. Instead, use password access to restrict access to the smallest possible number of people, and only to those people who have no other responsibilities within the accounts payable and bank reconciliation areas.
- Separate the supplier record creation and payment approval functions. A strong risk of fraud arises when the same person can create a supplier record in the vendor master file and approve payments to the same suppliers, since this person is capable of creating a fake supplier and approving payments to it. Instead, split these two responsibilities among different employees.
- Use a standard naming convention to create supplier names in the vendor master record. Having multiple supplier records for the same supplier presents a problem when attempting to locate duplicate supplier invoices, since the same invoice may have been charged multiple times to different supplier records. One of the best ways to address this problem is to adopt a standard naming convention for all new supplier names, so that it will be readily apparent if a supplier name already exists. For example, the file name might be the first seven letters of the supplier name, followed by a sequential number. Under this sample convention, the file name for Smith Brothers would be recorded as SMITHBR001.
- Review daily changes to the vendor master file. An employee with access to the vendor master file could alter a supplier’s remit-to address, process checks having a revised address that routes the checks to him or her, and then alter the vendor master record again, back to the supplier’s remit-to address. If this person can also intercept the cashed check copy when it is returned by the bank, there is essentially no way to detect this type of fraud. The solution is to run a report listing all changes to the vendor master record, which includes the name of the person making changes. A second control that provides evidence of this type of fraud is to only use a bank that creates an electronic image of all checks processed, so there is no way for an employee to eliminate all traces of this type of crime.
- Require independent review of additions to vendor master file. To reduce the risk of having an employee create a shell company to which payments are made by the company, have a person not associated with the payables process review all additions to the vendor master file and confirm that they are acceptable prior to any payments being made. Under this approach, only collusion that involves the reviewer will result in shell company fraud.
- Purge the vendor master file. The vendor master file within the accounting software can become clogged with multiple versions of the same supplier information, if not regularly reviewed and cleaned up. Having multiple supplier records presents a problem when attempting to locate duplicate supplier invoices, since the same invoice may have been charged multiple times to different supplier records. The solution is to conduct a regularly scheduled review and purge of the vendor master file.
- Run a credit report on every new supplier added to the vendor master file. A clear sign of fraud is when a shell company is set up specifically to receive fraudulent payments from someone within the accounts payable department. By running a credit report on every new supplier, it is possible to see how long a supplier has been in business and investigate further as necessary.
- Run a report listing identical remit-to addresses for multiple suppliers. Sometimes even the best manual review of the vendor master file will not detect all instances of duplicate records, because the variety of names used for a single supplier may be widely separated within the vendor master file. A good way to spot this problem is to sort the vendor master file by remit-to address, which tends to cluster multiple instances of the same supplier close together in the report.
- Match supplier addresses to employee addresses. Employees can create shell companies and fraudulently have checks sent to themselves. To detect this issue, create a computer report that matches supplier addresses in the vendor master file to employee addresses in the employee master file (assuming that the payroll function has also been computerized).
- Reconcile supplier statements to payment detail. When a supplier’s monthly statement reveals that some payments are overdue, this can be evidence of a diverted payment by an employee. Consequently, the timely comparison of any supplier statements containing overdue payment notices to the vendor ledger in the computer system can be a good way to detect fraud. This control is also possible for a paper-based payables system, but requires considerably more review time, since payment records must be manually assembled for comparison purposes.
- Access the vendor history file when paying from a copy. There is a greatly increased chance of duplicate payment when paying from a document copy, since the document original may already have been processed for payment. To mitigate this risk, always review the vendor history file to see if the same invoice number or an identical dollar amount has already been paid. An additional control is to require more approval signatures whenever a document copy is used.
- Match quantities ordered to MRP requirements. When the purchasing department orders more materials than are required by the material requirements planning (MRP) system, this may represent fraud by the purchasing staff, which may be diverting the excess materials for their own uses. Using the computer to match quantities ordered to actual requirements needed will spot this problem.
- Match purchase order records to actual quantities received. If a company has a policy of paying the full amount of the purchase order if the delivered quantity is within a small percentage of the ordered amount, a canny supplier can continually short-ship deliveries by a small amount and never be caught. To detect this problem, run a computer report comparing the purchased amount to the delivered amount to see if there are any suppliers who have an ongoing pattern of delivering less than the ordered quantity.
- Track changes in customer complaints related to suppliers. A supplier can improve its profits by selling low-quality goods to the company. Though this problem is difficult to detect, an indication is a sudden increase in customer complaints related to the materials provided by the supplier. Running a summary-level report itemizing customer complaints by supplier or type of complaint can spot this problem.
- Track short-term price changes by suppliers. There is a possibility that suppliers will offer a kickback to a person in the purchasing department in exchange for allowing price increases by the supplier. To detect at least the possibility of this type of fraud, run a report listing short-term price changes by suppliers. By screening the report to show only significant price increases, the probability of the report showing evidence of fraud will increase. However, if a canny supplier increases prices only by a small amount, such a report will still not detect the problem, unless the filter is set to report on price changes of any size.
- Audit acquisitions made within authorized purchase levels. Employees sometimes attempt to circumvent maximum purchase authorization levels by having suppliers split invoices into multiple smaller-dollar invoices. To detect this control circumvention, have the internal auditors run a report listing multiple small payments to suppliers within a short time period, and see if these payments are related to a single acquisition.
- Investigate payments made for which there are no purchase orders. If the purchase order is the primary control over the payables process, then it is critical to ensure that all payments made (above a minimum-dollar threshold) are supported by an authorizing purchase order. To locate control failures in this area, run a report comparing the payables file to the purchase order file, and list all payments for which there is no authorizing purchase order record.
- Use varying font sizes for each character in a check payment. Using a computer to print checks has the advantage of allowing for a wide array of printing techniques that makes it more difficult for someone to alter a printed check. One approach is to have the computer use a different font size and type for each character of the written payment amount listed on the face of a check. This type of printing is extremely difficult to modify.
- Restrict access to check-signing equipment. If a company uses any form of computerized check-printing equipment, it may be necessary to lock down all access to it. This can include any printers in which check stock is maintained, signature plates, and signature stamps.
- Require a manual signature on checks exceeding a predetermined amount. This control is useful when signature plates are used for smaller check amounts. When signature plates are used, there is no longer a final review of payments before they are mailed. Therefore, requiring a “real” signature for large checks adds a final review point to the payment process.
- Implement positive pay. A strong control that virtually eliminates the risk of an unauthorized check being cashed is “positive pay.” Under this approach, a company sends a list of all checks issued to its bank, which only clears checks on this list, rejecting all others. However, this approach also calls for consistent use of the positive pay concept, since any manual checks issued that are not included on the daily payments list to the bank will be rejected by the bank.
- Use electronic payments. There are several types of fraud that employees can commit when a company pays with checks, while outside parties can also modify issued checks or attempt to duplicate them. This problem disappears when electronic payments are made instead. In addition, the accounts payable staff no longer has to follow up with suppliers on uncashed checks or be concerned about remitting payments to state governments under local escheat laws, since there are no checks.
- Reconcile the checking account every day. An excellent detective control, this approach ensures that any fraudulently modified checks or checks not processed through the standard accounting system will be spotted as soon as they clear the bank and are posted on the bank’s Web site. This control is not available to companies not having Internet access.
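The vendor master file checks in the list above (the naming convention, the identical remit-to address report, and the supplier-to-employee address match) can be sketched as follows. This is an added example, not code from any accounting package; the record layout, the abbreviation table, and all sample names and addresses are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records; names and addresses are invented for illustration.
VENDORS = [
    {"id": "SMITHBR001", "name": "Smith Brothers", "remit_to": "100 Main St., Suite 4, Denver CO 80202"},
    {"id": "SMITHBR002", "name": "Smith Bros. Inc", "remit_to": "100 Main Street Ste 4  Denver, CO 80202"},
    {"id": "ACMESUP001", "name": "Acme Supply", "remit_to": "55 Dock Road, Tacoma WA 98401"},
    {"id": "NORTHWI001", "name": "Northwind Consulting", "remit_to": "12 Elm Avenue, Apt 3, Boulder CO 80301"},
]
EMPLOYEES = [
    {"id": "E-114", "name": "J. Doe", "address": "12 Elm Ave Apt. 3, Boulder, CO 80301"},
    {"id": "E-207", "name": "R. Roe", "address": "9 Pine Court, Golden CO 80401"},
]

# Assumed abbreviation table; extend it to match the address styles in use.
ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "suite": "ste",
          "apartment": "apt", "court": "ct"}

def normalize_address(addr):
    """Lower-case, drop punctuation, and collapse common abbreviations."""
    words = re.sub(r"[^a-z0-9 ]", " ", addr.lower()).split()
    return " ".join(ABBREV.get(w, w) for w in words)

def vendor_key(name, existing_ids):
    """First seven letters of the name plus a three-digit sequence number."""
    prefix = re.sub(r"[^A-Z]", "", name.upper())[:7]
    used = [int(i[len(prefix):]) for i in existing_ids
            if i.startswith(prefix) and i[len(prefix):].isdigit()]
    return f"{prefix}{max(used, default=0) + 1:03d}"

def shared_remit_to(vendors):
    """Group vendor ids by normalized remit-to address; keep groups of 2+."""
    groups = defaultdict(list)
    for v in vendors:
        groups[normalize_address(v["remit_to"])].append(v["id"])
    return {addr: ids for addr, ids in groups.items() if len(ids) > 1}

def vendor_employee_matches(vendors, employees):
    """Pairs (vendor id, employee id) whose normalized addresses are equal."""
    by_addr = {normalize_address(e["address"]): e["id"] for e in employees}
    return [(v["id"], by_addr[a]) for v in vendors
            if (a := normalize_address(v["remit_to"])) in by_addr]
```

Address normalization matters here: without it, "Street" versus "St." or a stray comma hides exactly the duplicates and employee matches these reports are meant to surface.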
As is readily apparent from the number of controls associated with the vendor master file, this is an area requiring restricted access and regular review in order to reduce the risk of multiple payments and fraudulent payments. Also, a computerized accounting environment allows for a panoply of additional controls that are not cost-effective in an entirely paper-based environment, allowing for cross-checking of accounting records against the purchasing, production planning, receiving, and customer complaints databases to unearth control problems.
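The payment-side cross-checks described in the list (payments with no authorizing purchase order, split invoices under an authorization level, and the vendor history lookup before paying from a copy) can be sketched as follows. This is an added example, not code from any accounting package; the field names, the 1,000 minimum-dollar threshold, the 5,000 authorization limit, the seven-day window, and all sample data are assumptions constructed for illustration.

```python
from datetime import date, timedelta

# Constructed sample data; ids, amounts and dates are invented for illustration.
PURCHASE_ORDERS = {"PO-1001", "PO-1002"}
PAYMENTS = [
    {"vendor": "ACMESUP001", "invoice": "INV-77", "amount": 4800.00, "paid": date(2024, 3, 4), "po": "PO-1001"},
    {"vendor": "ACMESUP001", "invoice": "INV-78", "amount": 4900.00, "paid": date(2024, 3, 5), "po": None},
    {"vendor": "ACMESUP001", "invoice": "INV-79", "amount": 4700.00, "paid": date(2024, 3, 6), "po": None},
    {"vendor": "SMITHBR001", "invoice": "INV-12", "amount": 250.00, "paid": date(2024, 3, 6), "po": None},
    {"vendor": "SMITHBR001", "invoice": "INV-30", "amount": 9200.00, "paid": date(2024, 3, 20), "po": "PO-1002"},
]

def payments_without_po(payments, purchase_orders, minimum=1000.00):
    """Payments at or above the threshold with no matching purchase order record."""
    return [p["invoice"] for p in payments
            if p["amount"] >= minimum and p["po"] not in purchase_orders]

def possible_split_invoices(payments, auth_limit=5000.00, window_days=7):
    """Vendors whose under-limit payments inside one window exceed the limit together."""
    hits = {}
    small = sorted((p for p in payments if p["amount"] < auth_limit),
                   key=lambda p: (p["vendor"], p["paid"]))
    for i, first in enumerate(small):
        # Later payments to the same vendor that fall inside the window.
        cluster = [p for p in small[i:]
                   if p["vendor"] == first["vendor"]
                   and p["paid"] - first["paid"] <= timedelta(days=window_days)]
        if len(cluster) > 1 and sum(p["amount"] for p in cluster) > auth_limit:
            hits.setdefault(first["vendor"], set()).update(p["invoice"] for p in cluster)
    return {v: sorted(inv) for v, inv in hits.items()}

def prior_payment_matches(history, vendor, invoice, amount):
    """Vendor history check before paying from a copy: same invoice number or same amount."""
    return [p["invoice"] for p in history
            if p["vendor"] == vendor and (p["invoice"] == invoice or p["amount"] == amount)]
```

A flagged cluster is only a lead for the internal auditors: they still have to confirm whether the payments relate to a single acquisition.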