The Accounts Payable process needs to be very carefully controlled.
Since it involves cash disbursements, it is an area that is highly susceptible to fraud. Furthermore, duplicate payments and financial reporting errors can easily occur without proper policies, procedures, and segregation of duties.
Basic internal controls needed for Accounts Payable include the following:
• Segregation of duties – for instance, the same people should not have access to blank cheques, approve invoices, post journal entries and perform bank reconciliations. Internal controls should ensure that “one person cannot do it all” when it comes to cash disbursements. Splitting functions amongst several people means fraud would require collusion between employees–which acts as a major deterrent. In small companies these is often difficult and the temptation is to by-pass controls – my advice is don’t! Find a way to involve other people in the process, and mitigate the risk.
• New vendor set up – this is also a segregation of duties control specific to the set up of new suppliers and vendors. Most organizations have IT systems that process accounts payables and it is extremely important that the person processing accounts payables and cheques cannot set up new vendors. System access must be secured, such that only authorized person can set up and approving a new vendors.
• Accounting Policies – most accounting entries affecting an organization involve cash disbursements, so it is important to make sure that the correct account coding is done when the transaction occurs. Particularly in an organization with a high volume of accounts payable transactions, it is often very difficult to detect and correct posting errors after the fact. Best practice is to ensure that the correct general ledger account is charged at the time of the disbursement transaction.
• Delegation of Authority (DOA) – in most companies the invoice approval process must follow a prescribed procedure which includes matching invoices against approved Purchase Orders, and bill of lading (for goods). The DOA should also include details pertaining to “who and approve what within the organization, and how much”. If the AP is automated, ideally the DOA should be imbedded within the system to ensure compliance.
• Reconciliations – make sure the bank reconciliation is done on a timely basis, and reviewed and approved by management. The Accounts Payable amount on the Balance Sheet should reconcile to the AP sub-ledger, which in turn should detail the $ amounts owing to each supplier, and length of time the invoice has been outstanding for payment (aging). The latter can be used to ensure that the organization is optimizing payment terms, and flag any potential issues.
Best Practices for Accounts Payable SOX Testing at a minimum, include the following:
• Test a sample of invoices that are paid during the period. (Note – sample size depends on a number of factors including type of controls in place, materiality, but typically 25 transactions should be tested and reviewed at various times throughout the year). For the invoices selected, ensure that the following as applicable;
• Properly approved Purchase Order Requisition and Purchase Order (general ledger account code is recommended on the PO),
• $ amounts agree with approved invoice (note – if the invoice agrees with the PO, separate approval of the invoice is redundant),
• Supported by a bill of lading or other receiving document,
• Disbursement has been recorded in the appropriate general ledger account with offset to Accounts Payable account,
• Payment has been made to the supplier (copy of cheque),
• Payment debited to the Bank and offset with a credit to AP.
• Review IT system controls to determine which people are authorized to set up new vendors and ensure proper segregation of duties. Also do a real time test on the system to see if there is password protection to restrict access. This is very important.
• Supplier A/P ledger, that is aged (current, 30, 60 days etc) and reviewed on a monthly basis. The A/P ledgers should be printed and maintained for review, and should be approved (evidenced by way of signature and date) by the appropriate management personnel (Controller, etc).
I have seen so many instances of fraud in the disbursements process – it really needs strong controls.
I hope this helps. Please contact Edelkoort Smethurst Schein CPA’s LLP if you have any questions or comments.
Edelkoort | Smethurst | Schein CPAs LLP is located in Burlington Ontario servicing the Golden Horseshoe and Greater Toronto Area and beyond. The firm is fully licensed with CPA Ontario to provide assurance, tax and accounting services as well as registered as tax preparers with the Canada Revenue Agency (CRA) & Internal Revenue Service (IRS). The firm is also registered as an IRS Certified Acceptance Agent.
All blog posts published on this site are for informational purposes only and do not constitute professional advice. Readers should contact a professional to discuss their individual situation. Neither the author or the accounting firm shall accept any liability for any reliance placed on the information posted.