Is it against best practices to have an invoice processor be able to process payments if payments are based off of a system report and no overrides can be done?
Our practitioner expert says:
1. I think there is a segregation of duties conflict, yes. What if someone in vendor management changed the VM record to fraudulently pay to their personal address? When the invoice comes back to them for audit, they would certainly not flag that as an incorrect address and let it go through.
2. Although it isn't best practice, this shouldn’t be a problem in theory, especially when headcount is an issue. However, you may want a compensating control in place to randomly sample to make sure there are no errors or tampering. And if the team member does see a check that has an issue or error, who researches it? People tend not to see their own errors because they made them in the first place, and assume their own work is accurate, so having the same person who entered the invoice also pay it is not optimal.