How often do you think about ongoing checks on your vendor status, after vendor creation in your system?
Most organisations place great emphasis on ensuring their transactional data is correct. This is totally justified; after all, this is often the area where immediate ROI can be achieved or where revenue leakage is easier to identify. However, while we put a lot of resources there, the accuracy of Masterfile data gets neglected, which nullifies the efforts put into monitoring transactional data. We tend to think of Masterfile data as something that we only have to put in once (on creation), and only ever update when there are changes to be made.
People forget that we need to be proactive in ensuring our Masterfile data is clean and up to date, and that the root cause of transactional inaccuracies is often a dirty Masterfile. Additionally, the Masterfile is an area where potential fraud can stem from.
Examples of Masterfile Data
Let us take the simple example of a Vendor Masterfile (the principle really applies to all Masterfile data). All companies have a stringent vendor onboarding process where we ask for credit history, we check the vendor’s ABN against the ABR website, we confirm their bank details, and everything is fine and up to date when we create the vendor.
How often do you think about ongoing checks on the vendor status post vendor creation in your system?
Most of us only check this information if we receive notification from the vendor about a change of details. But what if, a few months after being set up, a vendor who was originally registered for GST deregisters and does not let you know? Now you are exposed to them potentially charging you GST despite not being authorised to do so… and worst of all, you would not know about it. While we mostly trust our business partners to conduct themselves in the correct way, the stress of the current economy may lead to companies (and individuals) straying from the straight and narrow. That opportunity, even if just a small one, is something that must be removed to protect your organisation. A constant – ideally daily – check of the vendor’s data against the ABR website is needed to ensure these issues are picked up in a timely manner… but how often do you do that?
While that example leans towards the darker side of potential fraud, let us have a look at something a bit more innocent, like setting up a vendor twice by mistake. How often do staff make errors by setting up an ABC Pty Ltd because they could not find ABC Pty. Ltd. in the system? Now this vendor is duplicated, meaning there may be more room for error. This may be more prevalent while the coronavirus is forcing everyone to work from home, given the lack of supervision and the loosening of controls that come along with it.
A duplicate vendor can easily result in an invoice being paid twice (once to ABC Pty Ltd and a second time to ABC Pty. Ltd.). While this may – and should – be identified in your monitoring of transactional data, it is unnecessary overhead spent on processing that invoice.
So, what sort of resources and effort are required to clean everything up if it is just an annual exercise?
The two simple examples above are around Vendor Masterfile, but the same rigour of continuous monitoring should be applied to any sort of Masterfile data. Further examples include:
- Credit Limits/Credit Holds – Multiple customer accounts are set up, so the credit limit/hold placed on the customer becomes redundant. The controls placed on customers should have been arrived at after a risk assessment or late/no payment, so bypassing them exposes your organisation to greater risk, especially if it is a post-paid agreement.
- Ghost Employees – Is everyone on your payroll real? Did someone create a ghost employee and set up their spouse’s bank account to receive a salary?
- Conflict of Interest (1) – Do any of your employees share the same details as a vendor? Is this relationship disclosed and arm’s length? Are they in a position to award, or influence the awarding of contracts to their own business?
- Conflict of Interest (2) – Do any of your employees share details? Are they married/partners, and if so, is this relationship disclosed and will it impact someone’s employment/promotion opportunities?
- Access – Is the right level of access given for that employee’s employment level? This issue is extremely topical due to the recent enforced working from home period, as access controls would be reduced to ensure productivity. Or more generally, were employees temporarily given their manager’s access level while the manager was on leave, and then not reverted?
These are just some very common challenges we have helped our customers overcome, but they serve as a good reminder that while it is good practice to monitor transactional data, it is also extremely important to partner this with the monitoring of Masterfile data.
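As an added illustration (not part of the original article and not any product's code), the Python below runs three of the checks described above over constructed records: duplicate vendors such as ABC Pty Ltd and ABC Pty. Ltd., employees who share bank details with a vendor, and employees who share bank details with each other. The field names and all sample values are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample masterfile rows (not real entities, ABNs or account numbers).
VENDORS = [
    {"id": "V001", "name": "ABC Pty Ltd", "abn": "00 000 000 001", "bank": "000-001 11112222"},
    {"id": "V002", "name": "ABC Pty. Ltd.", "abn": "00000000001", "bank": "000-001 11112222"},
    {"id": "V003", "name": "Northside Cleaning", "abn": "00 000 000 002", "bank": "000-002 33334444"},
]
EMPLOYEES = [
    {"id": "E10", "name": "J. Citizen", "bank": "000-002 3333 4444"},
    {"id": "E11", "name": "A. Sample", "bank": "000-003 55556666"},
    {"id": "E12", "name": "B. Sample", "bank": "000-003-55556666"},
]

def norm_name(name):
    """Lower-case, drop punctuation, collapse spaces: 'Pty. Ltd.' equals 'Pty Ltd'."""
    return " ".join(re.sub(r"[^a-z0-9 ]", "", name.lower()).split())

def digits(value):
    """Keep digits only so spacing or dashes in ABNs and bank details cannot hide a match."""
    return re.sub(r"\D", "", value)

def groups(rows, key):
    """Return sorted lists of record ids that share one key value (two or more only)."""
    seen = defaultdict(list)
    for row in rows:
        seen[key(row)].append(row["id"])
    return sorted(ids for ids in seen.values() if len(ids) > 1)

def duplicate_vendors(vendors):
    """Vendors that collide on normalised name or on ABN digits."""
    by_name = groups(vendors, lambda v: norm_name(v["name"]))
    by_abn = groups(vendors, lambda v: digits(v["abn"]))
    return sorted({tuple(g) for g in by_name + by_abn})

def shared_bank_details(employees, vendors):
    """Bank details used by more than one record across payroll and vendor masterfiles."""
    return groups(employees + vendors, lambda r: digits(r["bank"]))

if __name__ == "__main__":
    print("Possible duplicate vendors:", duplicate_vendors(VENDORS))
    print("Shared bank details:", shared_bank_details(EMPLOYEES, VENDORS))
```

Each group returned is a lead for review rather than proof of error or fraud; a shared bank account between an employee and a vendor may be a disclosed, arm's-length relationship.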