Part of our series on Security for Medium Businesses.
Last week, we discussed how maintaining a list of Valid Vendors can help prevent fraud, especially payments interception. Three-way match adds extra strength, protecting you against fraud from valid vendors.
The approach was created to address physical deliveries, but it can be tweaked for services. This is how it works:
You make a purchase and send the vendor a Purchase Order (PO).
The vendor sends you an invoice.
The vendor sends you what you ordered and includes a packing slip.
You verify everything matches. If so, you pay them.
The PO, invoice, and packing slip all contain the items, quantities, and total cost. Usually, items are listed as SKUs (a universal item number) to make part verification easy. Large companies have their finance systems talk to each other, automating the whole process and alerting the accounts payable (AP) team when a match fails.
Automation is most effective for catching shipping and billing mistakes. If your PO specifies one part and the vendor misreads it and sends you a different part, the three-way match will notice. If you negotiated a rate for a certain part and they charge you a different one, the three-way match will notice.
It is also effective for fraud. If you get a scam invoice, the three-way match will look for the associated PO and packing slip. It won’t find either, so it rejects the invoice. Even if a malicious employee or compromised account creates a PO to match the invoice, they will still have to ship something to match. Even then, the chance of detection remains high because the Receiving team won’t know what to do with the package and will call around. Three-way matching makes it much harder to pull off AP fraud.
Combine three-way match with the core protections we describe in the Small Business Paying guide. As with all protections described in our Small Business series, they provide the most protection for the least effort and prevent fraud at businesses of all sizes. Three-way match works best when it is integrated with these protections. Some of the cheapest and most effective ways to identify the most sophisticated scams are setting a “normal” monthly spend for a vendor, new-vendor alerts, and alerts when vendors exceed the monthly spend figure.
Even if you only match the PO and invoice, you still get most of the protection. This is called two-way match. If you do not get enough packages to make a standard receiving capability worth it, just go with two-way match.
When buying intangibles like services, software, or legal rights, there is nothing physical delivered, so you cannot match with the packing slip. Most companies just do a two-way match for such purchases. You can still get some of the value of the three-way match by getting creative. At the point of “delivery”, many companies send a standard email to the internal PO requester asking if the services have been fully delivered, then use that confirmation as a stand-in for the packing slip check.
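The matching rules described above, as an added Python example (not taken from any ERP product or from the original article). The record layout, function name and all sample POs, vendors and SKUs are assumptions constructed for illustration.

```python
from decimal import Decimal as D

def three_way_match(invoice, purchase_orders, receipts, require_receipt=True):
    """Return exceptions for AP review; an empty list means the invoice can be paid.

    require_receipt=False gives the two-way match (PO and invoice only).
    """
    po = purchase_orders.get(invoice["po"])
    if po is None:                      # a scam invoice has no PO behind it
        return [f"no purchase order {invoice['po']} on file"]
    problems = []
    if invoice["vendor"] != po["vendor"]:
        problems.append("vendor differs from the purchase order")
    received = receipts.get(invoice["po"])
    if require_receipt and received is None:
        problems.append("nothing received against this purchase order")
    for sku, (qty, price) in invoice["lines"].items():
        if sku not in po["lines"]:
            problems.append(f"{sku}: not on the purchase order")
            continue
        po_qty, po_price = po["lines"][sku]
        if price != po_price:           # negotiated rate vs. billed rate
            problems.append(f"{sku}: billed at {price}, agreed {po_price}")
        if qty > po_qty:
            problems.append(f"{sku}: billed {qty}, ordered {po_qty}")
        if received is not None and qty > received.get(sku, 0):
            problems.append(f"{sku}: billed {qty}, received {received.get(sku, 0)}")
    return problems

# Constructed sample records; all numbers, vendors and SKUs are made up.
POS = {
    "PO-1001": {"vendor": "V-17", "lines": {"SKU-100": (10, D("4.50")), "SKU-200": (2, D("120.00"))}},
    "PO-1002": {"vendor": "V-22", "lines": {"SVC-AUDIT": (1, D("3000.00"))}},
}
# Quantities keyed in from packing slips. For services, the requester's
# "fully delivered" confirmation could be recorded here instead.
RECEIPTS = {"PO-1001": {"SKU-100": 10, "SKU-200": 1}}
GOODS = {"po": "PO-1001", "vendor": "V-17",
         "lines": {"SKU-100": (10, D("4.50")), "SKU-200": (2, D("125.00"))}}
SCAM = {"po": "PO-9999", "vendor": "V-99", "lines": {"SKU-100": (1, D("900.00"))}}
SERVICE = {"po": "PO-1002", "vendor": "V-22", "lines": {"SVC-AUDIT": (1, D("3000.00"))}}

if __name__ == "__main__":
    for name, inv in (("goods", GOODS), ("scam", SCAM), ("service", SERVICE)):
        print(name, three_way_match(inv, POS, RECEIPTS))
    print("service, two-way", three_way_match(SERVICE, POS, RECEIPTS, require_receipt=False))
```

The service invoice fails the full three-way check because nothing was received against its PO, which is the same signal that exposes a PO created to match a fake invoice; it passes once the check is run as a two-way match.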
Three-way match first got popular in the 70s, so now it is cheap and easy. Most commercial ERPs do it well, with many offering automation and partner integrations at low cost. They automatically read invoices and packing slips your teams scan and notify you about unmatched items.
Three-way match depends on Purchase Orders. If your company is not used to them, it may take time to adjust to that extra step. People used to whipping out a credit card may get grumpy about submitting POs.
Examples & Lessons
Some of the biggest “security” issues are really just invoice fraud and would have been caught by a combination of a Valid Vendor list and three-way match. While news agencies often report email as the root cause, tight control over AP makes a huge difference. Stopping AP fraud is not hard, even for medium businesses.
Have you been targeted by AP fraud? How did you stop it? If you’d like help protecting your business from fraud, drop us a line; we’d love to help.