Locked From the Inside: Protecting Your Electronic Payments

Electronic payments to vendors are easier and faster than printing and signing hundreds of checks, but what are you risking for convenience? As more and more payments become electronic, wise businesses will take steps to protect their bank accounts. 

Accounts payable (A/P) errors are sometimes big and obvious. But more often, money seeps out in small amounts, month after month, to a vendor who long ago stopped supplying your business. Or worse, you discover your company has been paying a fraudulent vendor created by your own long-time employee.

Stop Mispayments at the Source

The best protection starts with your ERP — specifically, setting up effective processes to monitor your vendor database as well as electronic payment mechanisms.

How do you create those processes? To be most effective, start at the source — your list of vendors — and work through to payments and then follow-through. A sample step-by-step process is shown below, followed by key points to remember at each stage. 

The Process

Setting up and maintaining the vendor list

• Limit the number of people who can set up or edit vendors. Only people in the purchasing department should have the ability to set up vendors, in order to establish appropriate segregation of duties. 
• Ensure vendor additions or changes are verified by a second person.
• Establish an active vendor list of entities who are approved to receive payments. 
• Restrict electronic payments to only those vendors on the active vendor list.

Utilizing Positive Pay and other dual controls over payments

• Implement dual controls over sending all forms of electronic payments, with the bank requiring two authentications — a transaction initiator and an approver.
• Take advantage of Positive Pay, if your bank offers it — and request this service if it doesn’t. Positive Pay requires the payer (you) to send a separate file listing payees and amounts to be paid each time payments are disbursed. If an EDI payment request comes through that doesn’t match the Positive Pay list, the bank will reject it. 
• Segregate the responsibility for creating the Positive Pay list from the ability to prepare EDI payments themselves. This reduces opportunities for errors or fraudulent payments.

Review the Active Vendor Listing

• Establish a process for reviewing the active vendor listing, at least annually. Deactivate “stale” vendors — those who haven’t supplied your business in the last year.
• As part of this review process, identify vendors with duplicate or missing information so those records can be corrected.
• Deactivate vendors, rather than deleting them, so that you retain the purchase history.

Periodic data analytics

• Consider performing a periodic data analytics review over the vendor file and payment histories to identify vendors or entries that should be scrutinized.
• Data analytics can help find duplicate entries, such as multiple suppliers with the same address, or potential signs of fraud, such as a vendor address that matches an employee’s.
• Your internal auditor should be able to perform these analytics; ask them if they have this capability. 

Maintain Strong Controls, Beginning to End

The strongest banking and vendor controls in the world won’t protect your bank account if you don’t also practice basic internal controls:  segregation of duties, consistent invoice review and approval, strong user access controls, and regular vendor maintenance. 

As more and more payments become electronic, wise businesses will take steps to protect their bank accounts. Simple but consistent controls like these can help protect your business from fraud or from innocent but costly mistakes. It’s worth a little time and expense to make sure your funds are protected. 

© 2019