The accounts payable department, especially those working with the vendor master file and payments, have access to very sensitive information: tax identification numbers, credit card numbers and bank account numbers. All of these must be protected to prevent fraud and misappropriation of funds. There are strict laws governing protection of this data.
Here are methods and controls for protecting sensitive data:
- Train staff about data sensitivity and require staff to sign confidentiality contracts every year; enforce consequences for violations of policy.
- Segregation of duties, protected by passwords; this has to be matched with a very strict procedure that no one leaves their desk with the screens open/active (to prevent someone else accessing restricted files/data in the authorized person’s absence). Areas of responsibility to segregate:
o Vendor master file
o Invoice processor
o Payment processor
o Bank reconciliation
o Unclaimed property processing
o Wire processor
- Individual password protection, to enforce the above segregation of duties
- System Controls: Set controls who can view, add, or change any sensitive information; ties in with passwords and duty segregation
- Reduce or eliminate non-PO spend: It allows one person to have too much control
In a paper realm, physical controls are important—locks that prevent access by unauthorized personnel. Again, it’s important for staff to understand their responsibilities, and to have policies established and enforced to protect data. For example, just as it is important not to leave an active computer screen open in the absence of the authorized user, it is important not to leave paper documents or files open on unattended desks.
You might also want to review TAPN’s section on Internal Controls.