Accounts payable fraud is a widespread problem that can take many forms, some right at the start of the payments process and others occurring anytime until the very end. While some of these are external (such with forged checks and invoices that a vendor submits more than once) something that's often overlooked is the fact that Accounts Payable (AP) fraud can not only be an external but also an internal phenomenon. Employees, after all, know the system best since they work with it every day and are familiar with the weaknesses and blind spots. In some cases, employees may even collude with an external party to pass through erroneous or fictitious invoices. In other scenarios, a third-party gains unauthorized access to wreak havoc with your AP workflow for financial or other gain. And the price tag for these intrusions can be substantial.
Consider these facts: a typical fraud case goes unnoticed for an average of 12 months and results in median losses of $117,000, according to the 2022 research report on occupational fraud conducted by the Association of Certified Fraud Examiners (ACFE). In the accounting department, median losses caused by fraud run even higher, reaching $155,000. That's almost $13,000 a month.
The growing frequency and price tag of fraud - and even errors - makes a checks and balances system more important than ever before. Every organization should make it a good practice to determine if its AP internal controls are strong enough to catch errors, mistakes, or fraud before they become a drag on the company’s cash position or bottom line.
Good Control Starts With Sound Policies and Processes
What exactly makes for solid and reliable internal controls? It starts with having sound policies and processes in place to handle purchase orders and invoices, continuing all the way through to leveraging state-of-the-art technology as a means of digitizing and automating the entire purchase-to-pay workflow. Having an intelligent platform in place that streamlines invoice capture, review, approval, and payment in one place will translate into fewer openings for bad actors to control and pull off any attack.
As previously mentioned, the security starts right at the beginning of the payments process with capture and review; key waypoints to thwart fraud attempts. For example, its a good idea for all invoices to be entered into a single system straightaway, regardless of what format they arrive. If a business still receives a lot of paper invoices or as email attachments, they should without exception be digitized and transformed into structured data quickly and consistently. The reason? Having a single ground truth for the AP workflow provides visibility from the start.
Once in the system, a three-way matching control process can weed out errors and detect intentional fraud attempts. Simply put, does your AP team know if the items listed on an invoice match the items listed in the related purchase order and also match the goods or services actually received? Perhaps that invoice for 100 widgets or a new software license for 25 users is inflated, either in price or quantity. An automated system that puts each incoming document through rigorous matching will quickly identify erroneous data.
Three-Way Matching to the Rescue
The same goes for financial information contained in invoices. A stressed and overworked AP team might not immediately notice that a trusted vendor’s most recent invoice suddenly contains new bank account information and send it through for payment. However, an automated AP system will quickly and easily pick up on the difference, flag it as an outlier, and route them to a designated specialist’s attention.
Three-way matching will also catch duplicates, whether they are accidental or intentional. A supplier who’s facing a cash crunch might have submitted an invoice twice in order to get paid faster as the due date is approaching, they might even have slightly different numbers, which has the potential to slip through. AP automation, again, is purpose-built to find those needles in the haystack without human intervention.
Why You Have an Obligation to Set AP Roles and Permissions
Automation doesn't determine everything - for lack of a better word - automatically. Clearly drawn rules and permissions are equally important in maintaining a strong AP internal controls process. They come into play once an invoice or document is run through modern technology such as Optical Character Recognition (OCR) and Machine Learning (ML) algorithms to capture all relevant data.
For example, who in your organization has the right to view, edit, and approve invoices? An intelligent platform allows you to define the team’s individual roles (and the permissions that go with them) according to what best fits your operations. Here are seven good additional questions to consider when creating the workflow process rules and permissions:
- Should invoices above a certain amount be routed only to a senior team member?
- Do you regularly review and update the vendor master list and who has access to make changes to it?
- Should new vendors undergo a special screening before the first payment goes out
- Who reviews an invoice when three-way matching discovers inconsistencies?
- What’s the procedure for exceptions due to missing or bad data on an invoice?
- Do you want to tie up valuable time with checking recurring invoices from a long-standing supplier that arrive every few weeks? Or route them straight through the process?
- Finally, who on your team should have overall control? Somebody able to open all or certain invoices, including older ones that are securely archived in the cloud?
Those workflow rules are easily set up and can be quickly changed as the situation merits. How about an AP clerk who is out sick for a longer period of time and colleagues have to pick up the slack? Or even one that is suddenly out of the office and unable to call in? A good system will notify you of their absence rather than let things just pile up. Visibility counts, not only to avoid a backlog of unprocessed invoices that can lead to late payments, but also to make sure those documents are routed to the right person and not haphazardly spread around the team.
Catch You Down the Audit Trail: AP Automation Keeps Track
Think about a manual process, one where the "human factors" such as fatigue set in. Without an adequate system of checks and balances there will be processing gaps that create breakpoints in the purchase-to-payment workflow. These points - the ones that require humans to step in a figure out the next step - are the perfect entry for any fraudulent attack. They are the blind spots that bad actors actively search for and exploit (since humans are notoriously prone to entry errors). Software, on the other hand, never gets distracted or tired of hunting for duplicates and other problems.
What’s more, AP automation creates a detailed digital audit trail, the breadcrumbs any organization needs to keep proper financial records for its own sake and for preparing taxes. Anything that might have slipped through is preserved in the cloud and can at any point in time be retrieved with a simple keyword search, that is as long as permission rights have also been set for the task.
Questions to Ask to Make Payments Safer
Payments, one of the final steps in the payables workflow, are yet another place where strong internal controls need to be in place. For example, rules involving:
- Who has the right to select invoices to schedule a payment and approve them for what amount?
- Has the vendor’s payment information been verified one last time?
What happens if there is a new bank account? How are changes handled and reviewed?
- What payment methods does your organization use, and do they need to vary from vendor to vendor? A process that juggles paper checks, eChecks, ACH payments, and digital payments creates unnecessary complexity and even more room for problems.
- What’s the process to reconcile payments with information already stored in your financial system or ERP? Ideally, those updates should happen automatically since your AP automation platform should integrate with the other systems.
- Does the payment system perform a last round of checks before payment goes out, looking into parameters such as velocity and volume? Again, software is best suited to catch outliers in a flood of payments that have come due.
- Lastly, does the system automatically generate a payment notification?
Why Digital Payments Matter for Better AP Internal Controls
Digital payments, although they are still not the most popular method of settling invoices, are quickly becoming the new normal. One in three companies polled for the second State of Automation in Finance report by Yooz admitted that manual invoice processing had caused errors and an equal number said they had been forced to pay their vendors late. Speeding up the cycle from automated capture to automated payment not only avoids those errors and delays but it also lets the AP team do more in less time, keeping their minds fresh to focus on true exceptions.
That payments are a particularly important area with room for improvement has been noted. While 27% of US organizations surveyed for the report have already adopted digital payments, another 49% planned to follow suit in 2022 and with good reason.
Digital payments are not only faster, which makes vendors happy, they also come with better internal controls. Take Virtual Credit Cards (VCCs). These are digital versions of the traditional credit cards where each card has its own distinct set of numbers, expiration date, and security code. With a VCC, there is no physical card to get lost or steal, increasing control and security. A VCC can also be set up for single use and be pre-funded for the specific amount a vendor is invoicing. Since there is no signing, mailing, or depositing checks the process is also much faster.
Choosing digital payments allows the AP function to compartmentalize operations. You can share certain cards for certain projects with the right group of people processing the invoices and payments. It’s a convenient and safe way to maintain full control and visibility over your payments workflow without sacrificing speed and scale.
Better Compliance Thanks to Smart AP Automation
Internal controls also help with financial reporting and compliance. Every bad invoice that falls through the cracks eventually has an impact on the cash position, the P&L statement, and the balance sheet. If strategic plans or decisions are made based on incomplete or faulty information from the AP department, it can have tangible consequences for the entire business. The correct financial intelligence is a valuable asset, especially if you let technology help you gather it, one invoice at a time.
The same goes for complying with the Sarbanes-Oxley Act (SOX) that tightened requirements around AP internal controls and the System and Organization Controls (SOC) report for outsourcing operations. If an organization’s internal processes are lacking, they can put those certifications at risk and create additional, unnecessary administrative and legal headaches.
Uncertain Times Call for Watertight AP Internal Controls
As if there aren’t already enough reasons why AP internal controls make a lot of sense, there’s also the economic climate to consider. When businesses are dealing with supply chain uncertainties, global concerns about rising inflation, and battling a lasting talent shortage, it pays to update and streamline all processes that will save time, money, and labor. Internal controls are an insurance policy to build more resilience against external shocks and implement checks against internal ones.
Digital transformation can build an intelligent protective fence around your business, always checking to make sure you pay vendors the right amounts on time, every time, while not exposing yourself to internal or external fraud or cyber-attacks. Implementing good, automated AP internal controls serves as the always-on guard to catch errors, mistakes, and fraud attempts without forcing you to slow down or cut corners.
It’s the perfect antidote to chaotic spending, unapproved purchases, duplicate payments, and forged checks.