Part of our series on Security for Medium Businesses.
Cheating is older than history. The oldest intact written record is a complaint against a fraudulent copper vendor. The birth of food regulations, double-entry bookkeeping, the modern banking system, Anti Money Laundering, Public Company Accounting, and the CFPB are all chapters of the same, long story. We have swindled each other for a long time.
There are many easy ways for businesses to protect against fraud. We’ve already discussed Segregation of Duties and how it can prevent malicious employees—or scammers impersonating them—from getting away with theft. We’ve also discussed how to best prevent redirected payments and email forgery. Decent contracts and product assurance also help; we’ll cover those in a future article. Today, we will look at Vendor Governance.
Many companies with a dedicated accounting staff do AP the same way: create a list of Valid Vendors (often called a Vendor Master list) and only allow payments to them. Then, they only permit a couple high-trust people to add vendors to the list, but allow many people to make payments. This system allows flexibility in day-to-day work, but the company still keeps tight control over who gets paid. The company can easily correct any payment errors—no legitimate vendors will run off in the night if overpaid.
Vetting is only helpful for important vendors; you don’t need to track every restaurant your sales reps take clients to. That sort of spending is usually called an “expense” and covered by issuing credit cards to people that do it often. There is a balance: people may try to make payments to important vendors on their cards, too, and companies try to detect that.
Maintaining a list of non-fraud opportunities allows efficiency in controlling other vendor risks by baking checklists into the vendor-adding process. Just create a procedure for how to add a vendor, and add steps that make sure the rigor you care about gets done. Some popular examples:
Contract Reviews — You may want a lawyer to review contracts with high-risk vendors. Examples include those that work with your secrets or have high fraud risk.
Product Assurance — If you worry about quality or item counts in the kinds of materials this vendor supplies, you could set conditions to ensure that all their shipments go through your Receiving and Inspection team.
Safe Payments — Requiring new vendors to use standard payment patterns can be a cheap and easy way to deliver the protections we’ve covered to avoid payments fraud.
Vendor Analytics — Once your important vendors are in a single place and you have a clear transaction history, you could start making improvements such as negotiating volume discounts and consolidating vendors. You can even buy Validated Vendor profiles containing their credit strength and ownership structure for advanced analysis.
In the vendor create step, most businesses fill out a standard form containing contact information for the vendor. Many scammers will get stuck coming up with fake data for this step, especially if you verify it through call and mail (or just checking for that business on Google Maps, though this can also be faked). Getting government registration or tax documents from the vendor is another great verification. These steps do not make it impossible for a fake vendor to sneak in, but it may cost the scammer so much time that they give up.
If your organization is not accustomed to using vetted vendors, it may take some time to adjust to the longer lead times. In most cases, the vendor information should be needed anyway, but it’ll certainly be longer than no oversight.
Some of the biggest “security” issues are really just invoice fraud and would have been caught by a combination of a Valid Vendor list and three-way matching. While most news agencies often report email as the root cause, tight control over AP can reduce fraud even more.
Have you been targeted by AP fraud? How did you stop it? If you’d like help protecting your business from fraud, drop us a line; we’d love to help.