This article was originally published in the AICPA Corporate Finance Insider.
Given the current state of the economy, as Corporate Finance Insider readers must have guessed, fraud is on the uptick. With employee layoffs on the rise, your company is more vulnerable to internal payment fraud because employees know where the weaknesses are in your organization's processes. And, whether the staff is disgruntled because of a job termination or just pressed for money, all companies are at an increased risk.
Internal controls have always played a strong role in preventing fraud but it's only recently that they've begun to get the attention and respect they deserve.
This is a good time to review your internal controls related to payments.
Take this 20-question diagnostic challenge and see if you can identify the potential landmines that can open your organization up to internal payment fraud.
- Do you require all employees who have anything to do with the payment process to take at least five consecutive days of vacation? ___ Yes ___ No
- Do you prohibit the ability to both approve invoices and enter invoice data? ___ Yes ___ No
- Do you prevent one or more of your managers/executives from having access to all phases of the payment process, even though it might make training and managing more difficult? ___ Yes ___ No
- Do you have a strong policy prohibiting the return of checks to requisitioners? ___ Yes ___ No
- Are all changes made to the master vendor file periodically checked, no less frequently than once a month, but ideally every week? ___ Yes ___ No
- Do you periodically (at least once a year) deactivate inactive accounts in your master vendor file? ___ Yes ___ No
- Do you have an anonymous tip hotline? ___ Yes ___ No
- Do you periodically check that your processors are not writing their passwords down where anyone can see them? ___ Yes ___ No
- If you have a petty cash box, do you make sure that the location of the key is not common knowledge? ___ Yes ___ No
- Do you wait until the end of the day to deliver checks to the mailroom for mailing? ___ Yes ___ No
- Are unsigned checks always left in a secure location while waiting for signature — and not on someone's desk in an empty office? ___ Yes ___ No
- Is the positive pay file uploaded only when checks are mailed? ___ Yes ___ No
- Are checks only printed when they are going to be mailed — not earlier so they will reflect a date that matches your payment terms? ___ Yes ___ No
- Are open receivers and POs always extinguished when an invoice is paid even if the invoice is paid outside accounts payable? ___ Yes ___ No
- Is access to the master vendor file for entering vendors or changing vendor information severely limited? ___ Yes ___ No
- When an employee making electronic payment transfers is terminated or leaves voluntarily, is the bank and p-card administrator immediately notified and passwords changed? ___ Yes ___ No
- When a new vendor is to be entered into the master vendor file, do you require at least two signatures or approvals before adding them? ___ Yes ___ No
- When a new vendor is to be entered into the master vendor file, do you do some checking to make sure the vendor is legitimate before adding them?
___ Yes ___ No
- If you have a petty cash box, do you hold surprise audits and does everyone know you do that? ___ Yes ___ No
- Do you have a written fraud policy, signed by a top-level executive, indicating zero tolerance for employee fraud? ___ Yes ___ No
The preferred response, as most readers have probably concluded, to all the questions is yes. A negative response does not indicate fraud but rather that the controls surrounding that issue are weak and your organization is vulnerable. Nearly every organization will have at least a few areas that are less than perfect when it comes to internal controls. Look into them and determine if it is possible to tighten the controls or if you have to live with the weaker controls. If you cannot implement the best practices suggested here, regularly audit your problem areas.