By Chris Doxey

Despite extensive focus on risk management and internal controls, why are payments still mistakenly made to criminals and phony companies posing as legitimate suppliers? How is it possible that a seemingly legitimate company has a private mailbox at the local UPS Store, a private residence, or even a prison as its address? Why do the invoices from a single supplier carry consecutive numbers, as if we were its only customer? Shouldn't it be a red flag if a supplier's invoices are issued from the same address as an employee's? How can a company properly vet a potential supplier?

Most leading organizations recognize the importance of a comprehensive supplier qualification process, but they struggle to communicate qualification requirements to potential suppliers and have difficulty establishing a baseline for evaluating supplier risk. Ardent Partners reports that 51% of the respondents in “The CPO’s Top Goals for Investing in Technology” survey name improving compliance as a goal. The Hackett Group includes customizing supplier onboarding, identifying fraud, and addressing internal policy non-compliance among the best-practice tactics of a world-class P2P organization.

So how can we stop these fraudsters, improve compliance, reduce risk, and establish a good supplier onboarding process? Consider the following best practices and controls to ensure that your suppliers are legitimate.

1. Segregation of Duties:

Setting up a new supplier or making changes to an existing supplier record requires appropriate segregation of duties. The individual or department that establishes or changes the supplier record must be different from the team that processes invoices and releases disbursements; otherwise one person can create a phony supplier, enter its invoices, and pay them. When considering segregation of duties for the supplier master, look at both ownership of the process and system access. System access should be controlled and reviewed periodically to confirm that only authorized individuals are processing the transactions assigned to them. Weak segregation of duties is one of the leading enablers of fraud.

2. Supplier Master and Onboarding Controls:

Onboarding new suppliers should include the following set of controls that will improve the accuracy of your P2P process:

1) Requiring a W-9 (domestic suppliers) or W-8 (foreign suppliers) form from every new supplier before any invoice is processed or payment issued

2) Using the IRS TIN Matching service is a recommended control for your supplier master. The IRS eServices site enables entry of a Federal Tax ID together with the supplier name and reports whether that name/TIN combination matches IRS records, which catches both typos and made-up tax IDs. TINs can be validated interactively in groups of up to twenty, or you can upload your entire supplier master file, in the required IRS format, for bulk validation. The IRS eServices site can be found at: Registration/index.htm

3) Supplier Master Naming Conventions establish the business rules and data formats for new suppliers, such as the use of abbreviations in company names and addresses. Consistent formats make it possible to detect when the same supplier has been set up twice under slightly different spellings, and so reduce duplicate and erroneous suppliers in your Supplier Master.

4) Confirm Supplier Information: Confirm your supplier’s information against one of the many online resources that enable company look-ups. Review the information provided by a new supplier and check out the supplier’s website to help ensure that your supplier is a legitimate company.

Examples of these resources are: ces/enforcement/ofac/

3. Supplier Master Compliance Screening:

  • The Office of Foreign Assets Control (OFAC) is a financial intelligence and enforcement agency of the U.S. Treasury Department. It administers and enforces economic and trade sanctions in support of U.S. national security and foreign policy objectives. Under Presidential national emergency powers, OFAC acts against foreign states as well as a variety of other organizations and individuals, such as terrorist groups, deemed to be a threat to U.S. national security. As part of its enforcement efforts, OFAC publishes a list of individuals and companies owned or controlled by, or acting for or on behalf of, targeted countries. It also lists individuals, groups, and entities, such as terrorists and narcotics traffickers, designated under programs that are not country-specific. Collectively, such individuals and companies are called “Specially Designated Nationals” or “SDNs,” and every new supplier should be screened against the SDN list before the first payment.

  • The Bureau of Industry and Security (BIS) is an agency of the United States Department of Commerce that deals with issues involving national security and high technology. BIS publishes the Denied Persons List and the Entity List, which identify parties that are barred from, or restricted in, receiving U.S. exports; suppliers should be screened against both.

  • The Office of Inspector General (OIG) for the United States Department of Health and Human Services (HHS) is charged with identifying and combating waste, fraud, and abuse in HHS’s more than 300 programs, including Medicare and the programs conducted by agencies within HHS, such as the Food and Drug Administration, the Centers for Disease Control and Prevention, and the National Institutes of Health. OIG maintains the List of Excluded Individuals/Entities (LEIE) of parties barred from participating in federal healthcare programs. OIG screening is applicable to healthcare organizations, since there should be validation that a Medicare or Medicaid fraudster is not being paid.

  • The Foreign Corrupt Practices Act (FCPA) is a United States law passed in 1977 that prohibits U.S. firms and individuals from paying bribes to foreign officials in furtherance of a business deal. Since the FCPA sets no minimum amount below which a bribe is exempt from punishment, you need to make sure that your suppliers are not actually foreign officials, or entities controlled by them.

Key Point:

All of these compliance requirements sound incredibly daunting, but third-party screening software or services can significantly streamline the process. Additionally, a B2B trade directory can provide you with credit-checked and compliance-screened company data.

4. Supplier Profile Form:

The supplier profile form contains the information that further increases your ability to verify a company’s existence. The supplier is required to provide certain documents, including an insurance certificate, certificate of incorporation, payment (ACH) information, sales tax certificate, and a city business license. The objective of the supplier profile form is to gather sufficient information to verify that the company operates legitimately, to collect the names of key officers for conflict-of-interest checks against your employee records, and to obtain a physical business address, a daytime phone number, and other data points that can be independently confirmed. As a recommendation, the supplier profile form should be collected and verified through an automated supplier portal rather than by e-mail.

5. Continuous Monitoring:

The continuous monitoring process should include a review of the controls noted above. The review should select a sample of suppliers and examine the supporting documentation for the validation of each new vendor and the supporting documentation for each change of address or bank account.

All system-generated audit reports must be reviewed, not only for segregation of duties, but to determine whether a vendor address or remit-to detail has been changed and then changed back to the original shortly afterwards. That pattern is a classic diversion: the record is altered just long enough for one payment run and then restored so the change goes unnoticed.

Another consideration for the continuous monitoring process is to periodically review all duplicate suppliers and initiate a vendor master clean-up. It is much easier to control a small vendor master than a large one. The clean-up will eliminate duplicate records that have been set up for the same vendor at the same address, typically differing only by a slight difference in spelling or the use of an abbreviation.
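The checks described in this section, together with the naming conventions from item 3 of the onboarding controls and the red flags raised in the introduction (invoices with consecutive numbers, a supplier address that matches an employee's), can be run mechanically over the vendor master and its audit trail. The following is an added illustration, not code from the original article: the normalization rules, the 30-day revert window, and the record layouts are assumptions, and the vendor, employee, audit-log, and invoice records are constructed sample data.

```python
"""Vendor-master continuous-monitoring checks (illustrative, constructed data):
duplicate suppliers, supplier addresses matching an employee, remit-to address
change-and-revert, and consecutive invoice numbers from one supplier."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed naming-convention rules: legal-form suffixes are dropped from names and
# street-type words are abbreviated, so "Acme Supply, Inc." at "12 North Main Street"
# and "ACME SUPPLY INC" at "12 N Main St" collapse to the same key.
SUFFIXES = {"inc", "incorporated", "llc", "ltd", "limited", "corp", "corporation", "co", "company"}
ADDRESS_ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "suite": "ste",
                  "boulevard": "blvd", "drive": "dr", "north": "n", "south": "s"}

def normalize_name(name):
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in SUFFIXES)

def normalize_address(address):
    tokens = re.sub(r"[^a-z0-9 ]", " ", address.lower()).split()
    return " ".join(ADDRESS_ABBREV.get(t, t) for t in tokens)

def find_duplicate_suppliers(vendors):
    """Groups of vendor IDs that share a normalized (name, address) key."""
    groups = defaultdict(list)
    for v in vendors:
        groups[(normalize_name(v["name"]), normalize_address(v["address"]))].append(v["id"])
    return sorted(ids for ids in groups.values() if len(ids) > 1)

def find_employee_address_matches(vendors, employees):
    """(vendor_id, employee_id) pairs whose remit-to and home addresses coincide."""
    by_addr = defaultdict(list)
    for e in employees:
        by_addr[normalize_address(e["address"])].append(e["id"])
    return sorted((v["id"], emp) for v in vendors
                  for emp in by_addr.get(normalize_address(v["address"]), []))

def find_address_reverts(audit_log, window_days=30):
    """Vendors whose address was changed to X and then back to the original within
    window_days. Rows are (timestamp ISO 8601, vendor_id, field, old_value, new_value)."""
    changes = defaultdict(list)
    for ts, vid, field, old, new in audit_log:
        if field == "address":
            changes[vid].append((datetime.fromisoformat(ts), old, new))
    flagged = set()
    for vid, rows in changes.items():
        rows.sort()
        for i, (t1, old1, new1) in enumerate(rows):
            for t2, old2, new2 in rows[i + 1:]:
                if t2 - t1 <= timedelta(days=window_days) and (old2, new2) == (new1, old1):
                    flagged.add(vid)
    return sorted(flagged)

def find_sequential_invoices(invoices, min_run=3):
    """Vendors whose invoice numbers to us form an unbroken consecutive run of at
    least min_run: a supplier with other customers rarely sends us 1001, 1002, 1003."""
    nums = defaultdict(set)
    for vid, inv_no in invoices:
        digits = re.sub(r"\D", "", inv_no)  # numeric part of e.g. "INV-1001"
        if digits:
            nums[vid].add(int(digits))
    return sorted(vid for vid, ns in nums.items()
                  if len(ns) >= min_run and max(ns) - min(ns) == len(ns) - 1)

# Constructed sample data (not real suppliers or employees).
VENDORS = [
    {"id": "V100", "name": "Acme Supply, Inc.", "address": "12 North Main Street, Suite 4"},
    {"id": "V101", "name": "ACME SUPPLY INC", "address": "12 N Main St Ste 4"},
    {"id": "V102", "name": "Blue Ridge Consulting LLC", "address": "77 Oak Avenue"},
    {"id": "V103", "name": "Zeta Logistics Ltd", "address": "9 Harbor Road"},
]
EMPLOYEES = [{"id": "E42", "address": "77 Oak Ave."}]
AUDIT_LOG = [
    ("2024-03-01T09:00:00", "V103", "address", "9 Harbor Road", "PO Box 311"),
    ("2024-03-12T17:30:00", "V103", "address", "PO Box 311", "9 Harbor Road"),
    ("2024-04-02T10:00:00", "V102", "address", "77 Oak Avenue", "80 Oak Avenue"),
]
INVOICES = [("V102", "INV-1001"), ("V102", "INV-1002"), ("V102", "INV-1003"),
            ("V103", "ZL-5500"), ("V103", "ZL-5518")]

def run_checks(vendors=VENDORS, employees=EMPLOYEES, audit_log=AUDIT_LOG, invoices=INVOICES):
    """Run every check and return the findings for the reviewer's sample."""
    return {
        "duplicate_suppliers": find_duplicate_suppliers(vendors),
        "employee_address_matches": find_employee_address_matches(vendors, employees),
        "address_reverts": find_address_reverts(audit_log),
        "sequential_invoices": find_sequential_invoices(invoices),
    }

if __name__ == "__main__":
    for check, hits in run_checks().items():
        print(f"{check}: {hits}")
```

Each hit is a lead for the reviewer, not a verdict: a sequential invoice run can simply mean a small supplier, and a revert can be an honest correction, which is why the supporting documentation for the change should be pulled before anything is escalated.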

Key Point:

Real-time continuous monitoring will quickly identify a potentially fraudulent supplier and will show where your controls need to be improved. If there is a concern about a specific supplier, gather all the facts first, then raise the issue with your internal controls or internal audit department.