1 Segregation of Duties:
Setting up a new supplier or making changes to an existing supplier record requires appropriate segregation of duties. This means that the individual or department establishing the supplier is from a different department than the team processing invoices and creating disbursements. When considering segregation of duties for the supplier master, consider both the ownership of the process along with systems access. System access should be controlled and reviewed on a periodic basis to ensure that authorized individuals are processing transactions as assigned. Unfortunately, poor segregation of duties controls is one of the leading causes of fraud.
2 Supplier Master and Onboarding Controls:
Onboarding new suppliers should include the following set of controls that will improve the accuracy of your P2P process: 1) Requiring W-9 and W-8 forms for all new suppliers before invoices and payments are processed 2) Using the IRS TIN matching service is a recommended control for your supplier master. This validation can be completed by using an IRS website dedicated to TIN Matching. The IRS eServices site enables entry of both a Federal Tax ID and vendor name to confirm the existence of the vendor and the validation of the Tax ID. TIN’s can be validated in a group up to twenty, or you can upload your entire supplier master file, in the required IRS format for validation. The IRS eServices site can be found at: https://la.www4.irs.gov/e-services/ Registration/index.htm 3) Supplier Master Naming Conventions establish the business rules and data formats for new suppliers, such as the use of appreciations in company names and addresses. This process will also reduce duplicate and erroneous suppliers in your Supplier Master. 4) Confirm Supplier Information: Confirm your supplier’s information against one of the many online resources that enable company look-ups. Review the information provided by a new supplier and check-out the supplier’s website to help ensure that your supplier is a legitimate company. Examples of these resources are: www.anywho.com www.superpages.gte.net www.infospace.com www.switchboard.com www.sec.gov http://www.treasury.gov/off ces/enforcement/ofac/ www.bbb.org
3 Supplier Master Compliance Screening:
Compliance screening is a key component of supplier validation. It’s also important to complete the due diligence process to ensure that an issue is acted upon. The due diligence process includes researching the Better Business Bureau. You can also validate the supplier’s State of Incorporation by individual state. Other imperative compliance screening should be completed by screening new suppliers against the following lists: • The Office of Foreign Assets Control (OFAC) is a financial intelligence and enforcement agency of the U.S. Treasury Department. It administers and enforces economic and trade sanctions in support of U.S. national security and foreign policy objectives. Under Presidential national emergency powers, OFAC carries out its activities against foreign states as well as a variety of other organizations and individuals, like terrorist groups, deemed to be a threat to U.S. national security. As part of its enforcement efforts, the U.S. Department of Treasury, OFAC publishes a list of individuals and companies owned or controlled by, or acting for or on behalf of, targeted countries. It also lists individuals, groups, and entities, such as terrorists and narcotics traffickers designated under programs that are not country-specific. Collectively, such individuals and companies are called “Specially Designated Nationals” or “SDN.” • The Bureau of Industry and Security (BIS) is an agency of the United States Department of Commerce that deals with issues involving national security and high technology. • The Office of Inspector General (OIG) for the United States Department of Health and Human Services (HHS) is charged with identifying and combating waste, fraud, and abuse in the HHS’s more than 300 programs, including Medicare and programs conducted by agencies within HHS, such as the Food and Drug Administration, the Centers for Disease Control and Prevention, and the National Institutes of Health. OIG Screening is applicable to healthcare organizations since there should be validation that a Medicare or Medicaid fraudster is not being paid. • The Foreign Corrupt Practices Act (FCPA) is a United States law passed in 1977 that prohibits U.S. firms and individuals from paying bribes to foreign officials in furtherance of a business deal. Since the FCPA places no minimum amount for a punishment of a bribery payment, you need to make sure that your suppliers aren’t actually foreign officials. (Continued on page 13)
7
