FROM CPA2BIZ.COM -
An employee notices a record for an inactive vendor on the master vendor list and changes the street address or bank routing number for that vendor. The employee then enters periodic disbursements for that vendor. Payments for those disbursements are deposited in an account controlled by the employee.
Such acts of fraud happen all too frequently. Fortunately, understanding and using data maintained in a master vendor list provides opportunities to detect suspicious activity and identify areas where internal controls can be strengthened. Companies can use master vendor list information to monitor future vendor-related activity, thereby mitigating fraud risk.
Examination of current master vendor list
Understanding the structure and layout of the master vendor list data fields, and comparing the current master vendor list with the previous year’s list, allows the organization to see differences or discrepancies that should be investigated because they may indicate fraud.
The review of master vendor lists can be manual or automated. For a smaller organization or a company in a specific market niche, manual reviews of master lists may be sufficient. Manually reviewing and comparing master vendor lists in larger, more diverse organizations, however, can be tedious and time-consuming. A variety of robust investigative applications exist, including ACL, IDEA, and ActiveData for Excel, to perform such tasks. Those applications deploy data-mining processes and highlight anomalies related to the records that may need further investigation.
Data-mining queries call out changes from one master vendor list to another. Data field items and queries that should be the focus of further investigation include but are not limited to:
New vendors added.
Address changes for vendors.
Changes in vendor status from inactive to active.
Disbursements made to two or more vendors with the same mailing address.
Disbursements made to vendors with similar names.
Vendors with P.O. boxes as an address.
Matches of vendor addresses and employee addresses.
Matches of vendor bank accounts against employee bank accounts.
Once any unusual activities have been identified, additional comparisons can be made to other tables. The master vendor list, for example, may be compared to the disbursement table for the same year. That comparison provides additional information regarding the amounts and frequency of payments made to any vendors in question.
Such comparisons help uncover instances of potential fraud that require additional investigation. Such examinations also illustrate control vulnerabilities that need to be mitigated.
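The year-over-year comparison and the disbursement cross-check described above can be scripted. The sketch below is an added example, not code from the original article or from any of the tools it names. It covers part of the list of queries (new vendors, address and bank changes, inactive-to-active status, P.O. boxes, and employee matches). The field names, record layout, and sample records are constructed assumptions.

```python
import re

# Constructed sample records; field names and values are assumptions.
PRIOR = {
    "V001": {"address": "12 Mill Rd", "bank": "ACCT-1111", "status": "active"},
    "V002": {"address": "88 Dock St", "bank": "ACCT-2222", "status": "inactive"},
}
CURRENT = {
    "V001": {"address": "12 Mill Rd", "bank": "ACCT-1111", "status": "active"},
    "V002": {"address": "P.O. Box 417", "bank": "ACCT-9999", "status": "active"},
    "V003": {"address": "5 Elm Street", "bank": "ACCT-3333", "status": "active"},
}
EMPLOYEES = [{"id": "E17", "address": "5 Elm St.", "bank": "ACCT-9999"}]
DISBURSEMENTS = [("V002", 4800.0), ("V002", 4950.0), ("V003", 1200.0)]

def norm(addr):
    # Normalize so punctuation, case and "Street"/"St." do not hide a match.
    a = re.sub(r"[^a-z0-9 ]", "", addr.lower())
    a = re.sub(r"\bstreet\b", "st", a)
    return " ".join(a.split())

def review(prior, current, employees, disbursements):
    """Return {vendor_id: {"flags": [...], "payments": n, "paid": total}}."""
    emp_addr = {norm(e["address"]) for e in employees}
    emp_bank = {e["bank"] for e in employees}
    paid = {}
    for vendor_id, amount in disbursements:
        paid.setdefault(vendor_id, []).append(amount)
    findings = {}
    for vid, cur in current.items():
        old, flags, addr = prior.get(vid), [], norm(cur["address"])
        if old is None:
            flags.append("new vendor")
        else:
            if norm(old["address"]) != addr:
                flags.append("address changed")
            if old["bank"] != cur["bank"]:
                flags.append("bank account changed")
            if (old["status"], cur["status"]) == ("inactive", "active"):
                flags.append("inactive to active")
        if addr.startswith("po box "):
            flags.append("P.O. box address")
        if addr in emp_addr:
            flags.append("matches employee address")
        if cur["bank"] in emp_bank:
            flags.append("matches employee bank account")
        if flags:  # attach payment count and total from the disbursement table
            amounts = paid.get(vid, [])
            findings[vid] = {"flags": flags, "payments": len(amounts), "paid": sum(amounts)}
    return findings
```

Calling review(PRIOR, CURRENT, EMPLOYEES, DISBURSEMENTS) returns only the vendors that raised at least one flag, each with the number and total of payments made to it, so the reviewer can start with the records that combine several flags and the largest payments.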
Perhaps duplicate records show up for a vendor, with a typo appearing in the initial entry. Because of that typo, someone with accounts payable processing responsibility may have been unable to locate that specific vendor record and may have made another entry to the master vendor file, based on information available from the vendor’s invoice.
In another instance, someone without proper authorization may have accessed the master vendor list to update a vendor’s address. Those instances could indicate the need for more regular review of entries and the need to restrict some users’ editing privileges.
While no intent to commit fraud may exist, such scenarios raise questions regarding internal processes and controls, including:
How are new vendors entered into the master vendor list, and what controls are in place to ensure proper authorization and record accuracy?
How can changes be made to the master vendor list, and what controls ensure those changes are authorized?
What controls exist to deter entries to the master vendor list related to fictitious vendors or duplicate vendors?
A smaller organization might easily identify individuals and specific steps. For a larger organization, a matrix helps identify processes and activities surrounding the master vendor list, as well as current controls and the need for further oversight. All companies should ask: What could go wrong with vendor setup, and what current controls are in place to address those issues?
Additional controls may include further segregation of duties as well as redefining IT access rights and privileges. These examinations and subsequent ones need to encompass the various functions, such as procurement, operations, and accounts payable, related to use of the master vendor list.
Ongoing monitoring of master vendor list
Once instances of potential fraud and potential vulnerabilities have been identified, additional controls may be implemented. Companies then need to decide what criteria need to be periodically reviewed and how frequently master vendor list examinations should take place.
Companies should designate who will be responsible for conducting those examinations. That person may be someone within internal audit, finance, IT, or some other function outside the responsibility of vendor payment. Organizations that do not have IT and audit expertise in-house should consider contracting for such services with an accounting firm or other external resource.
The frequency of such examinations may hinge upon various considerations, including the size and scope of the organization, as well as cost. For some organizations, such examinations may be appropriate every three or six months. Other organizations may wish to conduct an analysis of a master vendor list once a year.
Each examination may help to uncover potential instances of vendor-related fraud, highlight opportunities for strengthening controls around vendor-related files, and mitigate future exposures.
By evaluating current practices and identifying vulnerabilities, master vendor list examinations serve as tools for mitigating exposure to loss of company assets and for moving toward a continuous improvement environment.
Several benefits are obtained from applying routine data-mining techniques involving an entity’s master vendor list. The biggest benefit is gaining further knowledge about the operations of your entity. This knowledge and its application can be used to improve the current and future operations of your organization.