I was looking for some accounts payable best practices ideas about setting stronger controls over our AP vendor files and found the table of contents to BNA's 2006 publication "Master Vendor File Maintenance, Audit & Control, Best Practices". It looked great but is no longer in print. Does anyone have a copy, or any other resources you've used to set up controls over the AP Vendor files?
I have not used a particular resource, but some items to think about as you put your policy in place: 1) who can make changes (no one who can cut checks at a minimum), 2) what information is required from the vendor, 3) how to avoid duplicate records, and 4) how to keep the information updated. There are services you can use as well to "clean" your file if it currently has some of these issues. I've used Dunn and Bradstreet; I'm sure there are others. I believe the IRS has a resource as well to check the validity of
In addition to Nicole's comments, I would offer that I actually pitched and landed the entire procure to pay cycle as part of my
Controls over the vendor list have to do with ensuring that all vendors are valid and approved. A company should establish a Vendor
Only one person should be allowed to create a new vendor. Vendors should be evaluated for related party relationships and marriages between your firm and theirs. Many times sales people are married to their best client's senior managers or directors and profit by the level of commissions their spouses earn on the sales. This happens in consulting firms but can happen in other companies as well.
The vendor list is easy to review. If you are looking for employee fraud you might try comparing payroll direct deposit accounts to the vendor ACH accounts. Sometimes they are the same due to employee fraud. Its a simple test, download and pivot and vlookup to match.
One major company I know of inactivates all vendors at the end of the year and reactivates them only as payments are made, each is reviewed for validity.
Vendors with similar names are suspect. Vendors that do not answer their phones are suspect...the list goes on.
COSO should address most of your concerns.
There are a number of controls, but most critical are to limit those able to modify [add, change, delete, block for payment, etc.] the master file and establishing a process to "suspend" or park al such changes for acceptance/approval by a designated manager. Appropriate documentation standards for each type of change need to be established and reviewed by the approving manager. We require all new US or Canadian vendors to be "verified" as acknowledged by US and Canadian services that will acknowledge a name and identification combination as in agreement with their records...or not in agreement.
