Why your existing supplier risk controls are no longer sufficient
27th May 2022
With a large amount of money passing through the procure-to-pay (P2P) cycle each month – for many organisations this is the second-largest cash outflow, surpassed only by payroll, the temptation to fraudsters and the potential for errors are large.
To protect supplier payments, putting in place sufficient controls to protect your P2P cycle is of vital importance. Risk exposure to the value of 0.1% to 0.5% (1) of supplier spend is common, and is a clear indication that all is not well – that the P2P controls in place are not sufficient.
The change that will most significantly improve the protection in your P2P cycle is to shift your focus from invoice-oriented controls to supplier-oriented controls. Tackling risks at the earliest opportunity, as close to their source (suppliers) as possible, leads to more risks being detected, earlier.
The majority of survey responders (2) see value in increasing their supplier checking regime:
Continue Your Risk-Protection Journey
Most organisations have already implemented controls at one or more points in the P2P cycle: automation of invoice data capture, 3-way matching by the ERP, confirmation of payee checking by the payment system, and of course, audits. These controls do help, but they are no longer sufficient.
Whilst these checks remain valid and should continue, they are operational and transaction-oriented. There’s nothing wrong with this. Indeed, FISCAL has for 18 years helped organisations check their transactions – forensically analysing invoices to find otherwise hidden risks. This regularly produces hundreds of thousands of £/€/$ of risks detected and prevented from being paid, for our customers each year. But this is the first step, not the last.
Moving To Supplier-Oriented Controls
Digital transformation and automation, shared service centres and outsourcing, coupled with higher transaction throughput volumes with fewer Finance staff have led to a change in the P2P risk profile.
Suppliers are the central entity in the P2P cycle, and suppliers are the ultimate source of risks: contracts are with suppliers, invoices and credit notes, and most of your AP team’s time-consuming queries – all come from suppliers.
Only looking at transactions is searching for the symptoms of supplier-related problems. Problems that in all likelihood arose earlier in the P2P cycle. This established approach does not adapt to the changes in risk profile, nor does it scale up effectively.
Continuous, forensic-level supplier analysis should be your next step towards best-in-class P2P risk protection.
Firstly, you should identify and remove dormant suppliers from your master supplier file. Dormant suppliers – those that you have not transacted with for 12-18 months, are a major source of subsequent invoice issues – they do not adhere to your requirements or process. And dormant suppliers are a common source of fraud – bogus suppliers hiding on your approved supplier list, sleeping, silently waiting – sometimes for years, until the time is right to commit fraud.
Secondly, you should link your transaction/invoice analysis to your supplier analysis. Identify and correlate invoice errors and queries with the suppliers that generate the most. Your options are then to “re-educate” the supplier on your invoice acceptance criteria, or to replace the troublesome supplier with another.
A smaller number of suppliers, particularly inactive suppliers, is risk protection best practice, a view supported by The Hackett Group (3):
Reorienting your primary risk detection focus to suppliers and reducing the size of your master supplier file leads to
- Reduced risk of fraud from inactive suppliers
- Procure-to-pay processing time reducing – lowering the cost to process each supplier invoice
- Fewer overpayments made – that would require recovery at a later date
- Non-compliant suppliers identified before new transactions with them occur
The one step you should take is the step up to supplier-oriented risk detection. With regular supplier master data analysis and cleansing, and forensic-level invoice analysis conducted as a related, constituent part of a supplier-oriented risk detection strategy, you will benefit from stronger risk protection and assurance.
- Risks detected during FISCAL Technologies proof of concept customer data analysis
- PPN 2022 report “Supplier risk management in procure-to-pay” available here.
- The Hackett Group report “Purchase-to-Pay Performance Study Results”