A vendor master database is common to most companies but is often overlooked and can become rampant with fraud. In part one of this series, we reviewed steps for decreasing the size of the vendor population. With a slimmer vendor master, we are ready to take your review to the next level.
Ensure vendor and payment validity:
1. P.O. boxes. P.O. box addresses are a red flag for shell companies and phony vendors. Select a sample of vendors with P.O. boxes and research the company’s website, transaction history, and other information to validate the vendor’s legitimacy. Also, select a sample of payments to ensure reasonableness of services performed and/or goods delivered.
2. Completeness. Eliminate information gaps in vendor files by searching for missing tax ID, address, etc. Ensure that vendors with any missing information are legitimate and obtain the necessary information to fill any gaps. Missing information could be a sign of a shell vendor or a related party. Keep in mind a taxpayer ID is nine digits with a hyphen after the first two (unless it is a social security number). If the vendor is using a social there is a heightened risk associated and you may want to do additional testing.
3. Ensure employees are not vendors. Compare names, addresses, bank account numbers and telephone numbers of vendors and employees. You should also determine if a vendor is listed as the health or life beneficiary of an employee.
4. Invoice / payment review. Select a sample of high-risk invoices or payments and consider the following red flags: invoices without taxes added, vague service descriptions and rounded dollar amounts. Payments to vendors with minimal days outstanding when compared to normal terms and vendors with suspicious invoice numbers may also be considered. Look for sequential invoice numbers compared to the invoice date to check for gaps in invoice numbers.
Ensure segregation of duties:
5. Review access rights and segregation of duties. You will want to review an access rights report for any who can view or edit the vendor master. As a general rule, limit the number of users who can edit the vendor master and ensure these employees cannot update vendor bank account information, post to cash, in the general ledger or cut checks. Additionally, it is important to review the audit log for any changes to the vendor master file.
Conduct ongoing maintenance:
6. Annual review. After an initial ‘clean up,’ establish an annual assessment. Based on the initial assessment results, you can determine the appropriate sample selection methodology and necessary sample size to reduce risk to an acceptable amount. After several assessments, you can perform more targeted reviews based on trends and organizational needs.
7. Outsourcing the review. Whether it’s the first time your vendor master has been reviewed or you would like to establish an annual review, turn to a consultant. Independent reviews can provide a unique perspective and help to ensure the accuracy and validity of vendors.
With these tools, you can start reviewing your vendor master file and implement an annual review if desired. No matter the status of your vendor file, completing these steps will help to decrease risk and elevate the control environment.
Interested in learning more? Connect with HORNE Franchise.