Vendor Onboarding 101: How to Build a More Secure and Compliant Process
Top 3 Take-Aways from Our Live Event with AP Guru, Debra R. Richardson
We recently had the pleasure of talking to Debra R. Richardson, LLC., who uses her 20+ years of experience in AP, AR, general ledger and financial reporting for Fortune 500 companies to help AP teams implement authentication techniques, internal controls and best practices to prevent fraud in the vendor master file. She also writes a weekly blog and hosts the podcast “Putting the AP in hAPpy”.
Thinking about moving to automation, but haven’t made the jump yet? Here are 3 actionable items that you can implement today to mitigate the risks of fraud, compliance failures and mistakes!
1. The Confirmation Phone Call Isn’t Fool-Proof: If you are in AP, then you know the only way to verify a change to bank account information is to pick up the phone and make that confirmation call. Right? Yes, but even this tried-and-true approach is flawed, so it can’t be the only practice in place to mitigate fraud.
Watch Debra dig in on this below:
What goes wrong:
- Vendors Don’t Pick-up: Vendors send you their information to change, and then they're busy doing vendor things, so when you call, they don't pick up - now what?
- Confirmation Isn’t Always Valid: If you do get the “vendor” to pick up, there is really no way to know that you are talking to the correct person. Also, many times within that confirmation call, AP actually ends up revealing the banking information. Finally, if you leave a voice message and the vendor calls back, there's no way to authenticate that it's actually the correct vendor that's calling in.
- Calls Are Not Being Done: Finally, there is the fact that the calls just aren't being done, at least not consistently. Many times, team members just assume the requester is authentic and don’t bother calling, because the fraudster is in your vendor’s email and uses an existing email thread to make the banking change request. Other times, after attempting to call multiple times, they give up and just go ahead and make the change because they have other things to do.
2. Validate Against Sanctions Lists: Once you authenticate the requester (Debra outlined this process in the live event), you have to look at validation. Is the vendor real? Are they sanctioned? Is the data valid? There are many sanctions lists, but these are the three most common for U.S. entities:
- Vendor Legal Name & Foreign Bank > OFAC: The OFAC list names the entities and individuals you are prohibited from doing business with, and it covers foreign banking institutions as well. So, if you have foreign vendors that use foreign banks, you need to check those foreign bank names against the list too. OFAC also publishes the CAPTA list of foreign banks that you are not allowed to do business with.
- SAM.gov EPLS Exclusion List: If you are a government entity receiving federal funds, then you are prohibited from paying anyone on the Excluded Parties List System (EPLS), which you can search on sam.gov.
- OIG LEIE Exclusion List: If you are a healthcare entity receiving Medicare or Medicaid funds, then your organization is prohibited from doing business with anyone on the List of Excluded Individuals and Entities (LEIE).
The thing to note is that these lists are not static; they are constantly changing, so you need to validate against these lists not only at vendor setup, but with every issued PO.
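The screening step described above, as an added example that is not part of the original post or of any PaymentWorks or Debra R. Richardson tooling: vendor legal names and bank names are normalized before comparison, checked against each list, and stamped with the list version they were screened against, so a PO issued after a list is republished triggers a re-screen. The list contents, list names and version dates are constructed stand-ins; a real implementation pulls the current OFAC, SAM.gov and OIG LEIE publications.

```python
import re
import unicodedata
from dataclasses import dataclass, field

# Corporate suffixes dropped before comparison so "Acme Trading, Inc." and
# "ACME TRADING INC" screen as the same name.
_SUFFIXES = {"inc", "llc", "ltd", "corp", "co", "company", "the", "sa", "plc"}


def normalize(name: str) -> str:
    """Fold case, strip accents and punctuation, drop corporate suffixes."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    folded = folded.lower().replace(".", "")          # "S.A." -> "sa", "Inc." -> "inc"
    folded = re.sub(r"[^a-z0-9 ]+", " ", folded)      # remaining punctuation -> space
    return " ".join(t for t in folded.split() if t not in _SUFFIXES)


@dataclass
class SanctionsList:
    name: str
    version: str          # publication date of the snapshot screened against
    fields: frozenset     # which vendor fields this list applies to
    entries: set          # normalized names

    @classmethod
    def load(cls, name, version, fields, raw_names):
        return cls(name, version, frozenset(fields), {normalize(n) for n in raw_names})

    def matches(self, candidate: str) -> bool:
        return normalize(candidate) in self.entries


@dataclass
class Vendor:
    legal_name: str
    bank_name: str
    screened_versions: dict = field(default_factory=dict)   # list name -> version


# CONSTRUCTED stand-ins for the three lists named in the post (names and dates
# are invented); real screening downloads the current published lists.
LISTS = [
    SanctionsList.load("OFAC", "2024-01-15", {"legal_name", "bank_name"},
                       ["Example Sanctioned Trading Co.", "Blocked Foreign Bank, S.A."]),
    SanctionsList.load("SAM_EPLS", "2024-01-10", {"legal_name"},
                       ["Debarred Contractor LLC"]),
    SanctionsList.load("OIG_LEIE", "2024-01-12", {"legal_name"},
                       ["Excluded Provider, Inc."]),
]


def screen(vendor: Vendor, lists=LISTS):
    """Return (list_name, field, value) for every hit and record which list
    versions the vendor was screened against."""
    hits = []
    for lst in lists:
        for fld in sorted(lst.fields):
            value = getattr(vendor, fld)
            if value and lst.matches(value):
                hits.append((lst.name, fld, value))
        vendor.screened_versions[lst.name] = lst.version
    return hits


def needs_rescreen(vendor: Vendor, lists=LISTS) -> bool:
    """True if any list was republished since the vendor was last screened;
    check this at every PO issuance, because the lists are not static."""
    return any(vendor.screened_versions.get(l.name) != l.version for l in lists)


def authorize_po(vendor: Vendor, lists=LISTS) -> bool:
    """Gate a PO: re-screen whenever a list has changed, block on any hit."""
    if needs_rescreen(vendor, lists) and screen(vendor, lists):
        return False
    return True


if __name__ == "__main__":
    v = Vendor("Clean Exporter Ltd", "Blocked Foreign Bank SA")
    print(screen(v))          # the bank name hits the OFAC stand-in list
```

Exact matching after normalization is the minimum; production screening also uses fuzzy matching and reviews near-misses by hand, since list entries carry aliases and transliterations.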
3. Conduct a Management Review & Audit: So, you put all these internal controls, authentication techniques and best practices in place, but how do you ensure that the team is really following those processes?
Watch Debra speak to the necessity of the audit:
What to do now:
- Create Desktop Procedures: The first thing you want to make sure you do is create (or update) desktop procedures. This makes it an auditable process and gives a reference to all team members on what you expect to be done.
- Have Management Review Vendor Adds/Changes: Next, management conducts a review of adds and changes for all of your vendor activity. This is a great compensating control to mitigate the segregation of duties issue.
- Conduct Monthly Internal Audits: Finally, have a monthly internal audit at the vendor process level to ensure that the team is following the authentication techniques, internal controls and best practices you put into place.
Ready to Make the Case for Automation?
If the manual process of authenticating the requester, authenticating the data, validating the vendor data, confirming the vendor activity, and auditing at the vendor process level seems daunting, that’s because it is! Maybe it’s time to make the move to automation? (Link to calculator below.)
We walked through a formula to calculate what this process costs your organization, and what sort of return you could see with investing in automation.
At PaymentWorks, we have worked with prospects and customers to help actually quantify the cost benefit of automation in terms of time and resources. (If nothing else, this exercise would be a good part of your audit process). Our cost benefit calculator allows you to quantify the ROI of automating and securing the vendor on-boarding process – and all we need is just three simple data points from you.