Preventing fraud using e-Invoicing and strict internal controls
In a post on Purchasing Insight, Pete Loughlin has highlighted the rise of fraud within the Procurement function. Unfortunately foul play isn’t restricted to purchasing. You don’t have to search far to find similar stories within Accounts Payable.
Last year we wrote a blog post on how e-Invoicing is uniquely equipped to help prevent invoice fraud. A recent news story is a reminder of the need for robust internal processes to mitigate abuse.
According to the press, two AP employees at a telecommunications company manipulated its systems to issue duplicate payments, defrauding the business of more than $900,000. That’s enough money to make a CFO need CPR, especially given the US-based Association of Certified Fraud Examiners’ estimate that organizations around the world lose 5% of their annual revenue to fraud.
The good news is that much of this can be prevented. While everything we wrote about last year still stands, it’s also worth specifically addressing how to avert this kind of AP abuse.
Having the right internal controls and well-defined segregation of duties (SoD) is imperative. Traditional SoD controls should be expanded to include those responsible for importing electronic invoices or enabling suppliers for e-Invoicing.
Even if the employees did not have direct invoice entry access, it is possible that they could have used the invoice import mechanisms to create a fraudulent invoice posting. Therefore, unless changes are subject to appropriate secondary review, you must ensure that employees who have access to vendor master maintenance do not have access to:
- The invoice import process
- The system settings that control which supplier accounts are authorized for e-Invoicing
- Payment processing
- Bank data
And to ensure controls can be adequately monitored, all of these activities should be logged, permanently.
Open networks and emailed PDF invoices can also allow bad actors to circumvent the normal segregation of duties by providing a secondary way to enter invoices with no control over the source, which is outside the view of the audit department. An invitation-only model minimizes this risk and gives buyers positive control over which accounts are authorized for e-Invoicing, while giving suppliers full control over who is allowed to access its account and submit invoices.
This earlier post goes into more detail on positive controls.
While fraud will never be eliminated entirely, true e-Invoicing combined with stringent internal controls will significantly diminish the threat.