Performance standards: The accounts payable organization is responsible for adhering to policies that outline spending authority and segregation of duties. The accounts payable organization is additionally responsible for ensuring that all risk within the process is properly identified and addressed by the appropriate internal control.
The following describes possible ways in which this requirement can be met:
2.1. Adherence to delegation of authority policies
2.1.1. A delegation of authority (DOA) policy is a company-wide policy that establishes the signature authority for specific levels and types of expenditures and company commitments. Expenditures include invoices and travel and entertainment transactions. Company commitments include contracts and letters of intent. The level of authority may be directly linked to levels in a company’s job structure such as manager, director, vice president, chief financial officer or chief executive officer.
2.1.2. Certain types and levels of expenditures will require board of director approval. Examples are mergers and acquisitions, and capital expenditures greater than a specified amount such as $25 million. These approvals will be documented in board of director meetings.
2.1.3. Out-of-office delegations should be maintained systemically via e-mail or by the appropriate delegation form. It is important to maintain a copy of the supporting documentation for the delegation.
2.1.4. Permanent authority is often granted to the next level down within an organization such as a director delegating his level of authority to a trusted manager. However, while you can delegate authority, you cannot delegate ultimate responsibility.
2.1.5. Some companies apply DOA requirements to journal entries to ensure that large financial entries are properly approved and that financial results are properly reported.
2.2. Adherence to segregation of duties policies
2.2.1. The intent of a segregation of duties policy is to ensure that an organization identifies incompatible business functions and keeps them separate. In instances where business functions cannot be fully and appropriately segregated because of specific circumstances, management should implement mitigating controls. As changes occur in the organizational, functional, and technological environments, assessments should address the impact of such changes on the segregation of duties. The policy should be enforced by the accounts payable director or manager.
2.2.2. Adequate segregation of duties reduces the likelihood that errors (intentional or unintentional) will remain undetected by providing for separate processing by different individuals at various stages of a transaction and for independent reviews of the work performed. The segregation of duties provides four primary benefits: 1) the risk of a deliberate fraud is mitigated as the collusion of two or more persons would be required in order to circumvent controls; 2) the risk of legitimate errors is mitigated as the likelihood of detection is increased; 3) the cost of corrective actions is mitigated as errors are generally detected relatively early in their lifecycle; and 4) the organization’s reputation for integrity and quality is enhanced through a system of checks and balances.
2.2.3. The matrix on the following pages reflects the desired state of the segregation of duties for the procure-to-pay cycle. Each row and column in a matrix represents a major business sub-process. Where the intersection of a row and column is denoted by an ‘X’, the corresponding business sub-processes represent incompatible functions that should be segregated. The segregation of duties can exist and should be assessed at the organizational, functional, and/or systematic levels.
2.3. Risk management requirements within accounts payable
2.3.1. The accounts payable professional has the responsibility to identify and assess risk within the organization in a timely manner and ensure that the correct internal control has been implemented to mitigate the risk.
2.3.2. In the late 80’s, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued Internal Control – Integrated Framework to help businesses and other entities assess and enhance their internal control systems. That framework has since been incorporated into policy, rule, and regulation, and used by thousands of enterprises to better control their activities in moving toward achievement of their established objectives.
2.3.3. COSO Enterprise Risk Management (ERM) is a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise:
- To identify potential events that may affect the entity and manage risk to be within its “risk appetite”.
- To provide reasonable assurance regarding the achievement of entity objectives.
2.3.4. The accounts payable professional should consider risk from the following perspectives:
· Contracts should define the business relationship and the transactions that occur between two or more parties.
· Managing a contract through its lifetime is critical. Thus, the requirement is to have a documented process and an internal controls program within procurement.
· Because the ultimate purpose of a contract is to create a vehicle for transferring value in the form of goods and services between entities, contracts governing that transfer need to be clearly and thoroughly documented.
· A company should be able to track all important contract risk elements, such as contingencies and interdependencies, as well as to maintain an audit trail of who reviewed and signed off on those risk elements in the contracts and when.
· Establishing and making payment to fraudulent vendors is a risk that needs to be considered when establishing an internal controls program.
· Risks should be mitigated to avoid inaccurate or erroneous payments to vendors.
· The risk of incorrect accounting treatment needs to be addressed in the establishment of account reconciliation controls and segregation of duties.