Even with today’s intense scrutiny to supplier compliance and internal controls due to the impact of the Sarbanes Oxley Act of 2002 and other regulatory compliance requirements such as the Foreign Corrupt Practices Act (FCPA), there are still situations in which contracts are established with phony suppliers, employees posing as suppliers, or entities on government watch lists. In many cases invoices are paid to these suppliers resulting in significant losses, fines, and damage to a firm’s reputation. A 2014 Aberdeen study indicated that 40% of the respondents reported the P2P process as having some of the most significant internal control and fraud challenges. Many of these challenges can be mitigated by implementing the following five best practices within your firm’s procure to pay (P2P) process.
Five Best Practices to Ensure Supplier Compliance throughout the P2P Process
1) Implement a Robust Supplier Qualification Process: Many firms utilize well defined templates and processes throughout the decision making process. They also ensure objectivity and segregation of duties throughout the process to avoid possible collusion with potential suppliers. Some firms may outsource the entire process to a third party so that they can focus on analyzing the results. But to ensure objectivity in the decision making process, companies implement a scoring or rating system so that suppliers are selected based upon a consistent ranking process.
2) Define a W-9s, W-8s, and TIN Matching Process: During a conference or webinar presentation about the topic of supplier master best practices, I usually ask if my attendees collect W-9s from their new suppliers. About 80% confirm that their firms are obtaining W-9s. When asking if they are performing TIN Matching, sometimes as few as 30% answer “yes”. For more information on the TIN Matching services provided by the IRS at no cost go to: https://www.irs.gov/Tax-Professionals/e-services—Online-Tools-for-Tax-Professionals
3) Identify Your Firm’s Compliance Screening Requirements: Understand the compliance requirements for your industry and perform initial compliance screening. Initial screening should be performed for all new suppliers before they are entered on your supplier master file. Additionally, since “watch lists” are updated regularly, I suggest that your suppliers are screened quarterly to every six months. Here are five key “watch lists” with the application, description and references that can be used to define your firm’s initial and ongoing compliance screening requirements.
4) Complete a Supplier Risk Analysis: Besides qualifying and screening your suppliers within the supplier master validation process, there are additional elements of risk to consider within the P2P process. A supplier risk analysis process includes analyzing the specific data elements within the invoice and the payment history such as consecutive invoice numbering from the same supplier, the first invoice payment is low as compared to the average payments, and the payments are all even dollar amounts.
To complete a comprehensive supplier risk analysis process, I suggest analyzing the following data elements from both the supplier master and payment history for major suppliers or supplier with suspected fraud. Here’s a table of data elements to review. The next step is to assign a designated “risk rank’ to each data element by: 1) Supplier Attribute and 2) Invoice and Payment Attributes to determine if the supplier is at risk.
5) Implement an Annual Supplier Master “House Cleaning” Process: The following five components are suggested components of your Annual Supplier Master “House Cleaning” process.
In conclusion, I’ve presented you with a summary of five of the best practices should be considered throughout the P2P process that can ensure supplier compliance and establish the foundation for solid internal controls and fraud detection and prevention.
Watch for my next blog, “Modern Risk Management Models for the P2P Process.” I’ll take a deeper dive into establishing a continuous controls monitoring (CCM) foundation for the P2P process and will explore several models to ensure that risk is detected and mitigated within a timely manner.