A well-functioning AP department is an invaluable asset to the organization it supports. With AP’s support, vendor relationships go more smoothly, payments are issued on time and sent to the right place, cash flows efficiently, and fewer mistakes lead to less loss. Of course, all of that is easier said than done.
Often there are four vectors for the risks that upset this sparkling vision for AP. They are why things get askew in the payments department; the four most significant risks in AP today.
Vendor Master Risks
The vendor master is central to AP functionality. Errors in these records lead to other preventable run-on errors: if the address or the bank account information for a vendor is listed incorrectly, payments can fail to post to an account on time or wind up in the wrong hands. While most organizations have adequate controls at the point of information input, it’s the maintenance where things change, errors seep in, and risks start hitting.
Errors in the vendor master have a way of multiplying down the line. Nowhere is this truer than in the form of mistakes like duplicate payments. In enterprise corporations, duplicate payments are at once uncommon – they only represent about 0.5% of all payments – and still very costly. After all, 0.5% doesn’t sound like much, yet it can reflect significant sums at scale. For example, 0.5% of $1B in AP is a whopping $5M in duplicate payments going out the door each year.
That’s how the entire recovery audit industry came to exist – outside groups purpose-built to find and recover those millions of dollars in duplicate payments that organizations didn’t even know they’d wasted.
Tack on the costs associated with late and missed payments to vendors, along with all the payments sent to the wrong addresses, or the wrong entity, the ensuing tax implications, the discount opportunities lost, the penalties incurred: all told, errors in payments can become costly.
Fraud (internal and external)
Beyond the risk of errant payments lies the darker and more insidious potential for outright fraud. Fraud can come from one of two vectors: internal or external.
Internal fraud in AP often occurs when someone on the team or inside the group knows that a lack of controls exists and uses those blind spots to pay invoices to themselves or make purchases. With the spread of the pandemic, it’s increasingly common in 2020 for organizations to find misuse and waste in employee purchases, as more employees than ever order purchases to their homes and use personal cards.
Externally, some of the world’s largest organizations have fallen victim to phishing scams that allow outside access to the vendor master. With backdoor access, scammers can change bank account information in the vendor master with ease. Other common scams include posing as the recipient for wire transfers, often to the tune of hundreds of thousands or even millions of dollars. Sometimes, it’s as easy as getting lost in the crowd. In one famous case, several of Silicon Valley’s largest companies paid a phishing scammer more than $100M in fake invoices before realizing they’d fallen victim.
Lack of Visibility or Controls
All of these risks hint at a more overarching concept, a broader threat. Organizations that do not have continuous monitoring of their AP processes are blind to changes, trends and errors. They cannot identify outliers. They lack visibility, and their system fails to provide controls.
As such, organizations open themselves up to a non-compliance culture internally and make fraud and waste possible externally. They are spending blindly today, with the hope of catching and recovering some percentage of their waste tomorrow.
Continuous monitoring is the solution.
Here’s how to move from high risk to low: implement continuous controls.
With AI-powered technology that monitors the totality of spend in near-real-time, organizations can flag suspicious and unusual activity, and warn of questionable changes in the vendor master. These analyses don’t occur a year later during recovery audit; they are immediate. They are not a snapshot into 5% of spend like a sample audit; they are the process by which every invoice gets processed and paid.
With continuous controls, AP processors let system controls tell them which of the thousands of possible risk vectors require attention, which of the outliers are benign, and which may indicate fraud. In this way, AP becomes an analysis department, looking at spending norms over time to help optimize spend. Through continuous monitoring, their very roles elevate, and the gaps in financial systems close.