Few of us would give a key to our house to all of our surrounding neighbors; many of us are reluctant to even give a key to our teenage children! Once the front door (or back door) is unlocked, all of our stuff can disappear as quickly as it can be loaded up and hauled off. While we would hope other neighbors would notice a huge moving van parked in our driveway and eventually call the police, a quick stop by an apparent delivery truck probably wouldn’t even raise an eyebrow and would give industrious thieves ample time to relieve us of our electronics and jewelry. It’s no wonder, then, that we carefully choose who has a key to our house.
However, we often fail to employ that same level of caution in determining who gets a key to our company’s cash accounts. Sure, we make certain that only specific individuals can sign checks, and that only specific individuals can complete wire transfers – so we don’t leave the front door unlocked. But we often do hand out the key quite routinely – in the form of access to the vendor master file. Consider the following scenarios:
– An employee creates a vendor with a name similar to an existing vendor and submits an invoice for payment. (Generally, such invoices are for “consulting services” or “IT services” since most healthcare organizations have plenty of consulting and electronic health records activities these days and these types of services often receiving less scrutiny before payment).
– An employee creates an actual company to provide items at an inflated price. Goods are actually received and therefore, the invoice from the “employee” company is approved for payment to the vendor set up by the employee. (Often, these “goods” are for specialty-type items, such as computer hardware, medical supplies or specialty durable medical equipment, where an unusually high price would not be as easily noticed).
– An employee changes the address for an existing vendor to have payments diverted to a PO Box maintained by the employee. The employee creates a company with a name similar to the real vendor and deposits the payments meant for the real vendor. (This is more easily accomplished with high volume vendors and vendors with a high volume of credits, such as pharmacy and medical supplies, where it may take the vendor some time to realize payment has not been received).
While companies can, and do, implement controls to detect such schemes after they have occurred, the adage “an ounce of prevention is worth a pound of cure” is generally the best policy. The following preventive measures should be taken:
– Ensure only one or two employees have the ability to make changes to the vendor master file. Those employees should not have the ability to initiate purchase orders, receive items, approve invoices for payment or sign checks.
– Institute robust procedures for verifying new vendors, such as:
- Verify EIN with the IRS;
- Verify existence on Secretary of State website; ensure associated persons are not employees;
- Obtain a Dunn & Bradstreet report;
- Call references; and
- Require a physical address for verification purposes (even if payment is made to a PO box) and ensure physical address corresponds to a business location.
What if it’s too late? What if at least half the accounts payable department has access to the vendor master file and vendor verification procedures have been somewhat lax? First, remain calm. Second, limit access to the vendor master file going forward and institute robust procedures for vendor verification. Lastly, perform an audit of the vendor master file to ferret out any suspicious vendors and determine if any misappropriation of assets has occurred. While it can be a time-consuming task to play “catch-up,” that time can be reduced by the use of computer-aided audit tools, the assistance of personnel in departments outside of accounts payable, and the assistance of forensic accountants.
Hashtags: vendor master file, fraud, accounts payable, AP, audit, forensic, healthcare, hospital, vendor fraud, accounts payable fraud, AP fraud, misappropriation, cash