Internal Audit – Vendor Masterfile

Over the past few months I have been out and about meeting a number of Finance and Accounting professionals across the country. Discussions have covered a broad range of matters relating to our internal audit, internal controls and process improvements service lines at AAB.

One recurring theme was the issue of processes and controls relating to the Vendor Masterfile. This database is where sensitive supplier information, including bank account details, is held. These discussions covered various control weaknesses that may expose organisations to potential fraudulent activity when payments are made.

With ever increasing reliance on IT systems in business, comes an increased risk of fraudsters attempting to obtain confidential information through illegal means. Recently, there has been an increase in falsified or “phishing” emails from director(s) of a company claiming that they are short of funds and requesting urgent payment from select members of staff within the purchase/banking function. In addition to this, fraudsters can send legitimate looking supplier statements on easily replicated headed paper with covering letters, claiming they never received payment and to request payment again as their bank details have changed.

One specific example is of a disgruntled former employee sending change of bank account details to his ex-employer’s suppliers. This resulted in a number of these suppliers paying for goods and services legitimately received, but into the fraudulent bank account. This demonstrates an absence of controls within the Vendor Masterfile change process.

As part of the review process, discussions with key finance staff can quickly identify such risks. Thereafter, a few key changes can be implemented in order to ensure that you have procedures in place to help minimise the risk of your business being the victim of fraud. These include:

• Ensuring sufficient verification details are in place for any new suppliers/bank details change request. If your company receives any request from a supplier for a change of bank details, pick up the telephone to a known and/or trusted contact at the business and ensure that the request is genuine.
• Providing Finance staff with awareness training, emphasising that they seek support and authorisation if someone telephones asking for an unexpected payment to be made urgently.
• Implement segregation of duties within the Finance function and ensure that preventative manual and IT controls are in place to restrict access to only relevant staff and limit the opportunity for key information to be manipulated by staff.
• Put in place sufficient access controls to ensure that only key staff involved in the process are afforded access to sensitive bank account details

Companies need to identify where the weak points of the process are. This can be at the control boundaries where value is leaving the business. Given that fraudsters are finding newer and more innovative ways of manipulating businesses, these processes should be constantly reviewed and updated to ensure that your business is tackling fraud risk head on.

An internal audit review of such processes can protect your business and minimise the risk of such fraudulent schemes occurring. Ultimately, any change to a customer’s bank account details must be verified as being genuine. If you want to discuss this, or any other internal controls challenges further, please contact Mark Dailey at Anderson Anderson & Brown LLP – mark.dailey@aab.uk