I am interested in hearing more about best practices for SOX controls around supplier maintenance, specifically controls for mitigating the risk of fraudulent activities.


TAPN has a number of resources to help you understand and develop good internal controls on your vendor master file.

SOX requires that a company have and attest to having internal controls in place. A good place to start would be TAPN’s Sarbanes-Oxley, Controls and Accounts Payable. There are very good background materials on Internal Controls in the AP Compliance Suite section titled "Internal Controls / SOX."

Make sure your vendor master policy has controls that are preventive, detective and corrective. The best are preventive controls, as they are designed to prevent errors or irregularities from occurring; then detective controls, which look for errors or irregularities; and lastly, corrective measures, which are designed to correct those errors.

It is very important for the vendor master file clerk to understand why a procedure is in place, to ensure compliance with the procedure. Procedures are part of internal controls. If you understand why you are performing a certain task, you are less likely to change or skip a process. Usually a heavy workload or a late invoice will put vendor maintenance staff under pressure to "push" (hurry) the work through. This really should be an alarm to make sure all steps are followed.

If for some reason a RUSH payment needs to be made today, find ways to get all the information you need quickly. For example, suppose you are missing the taxpayer ID and the normal process is to receive via post the form filled out by the vendor. You could make an exception to receive it as an attachment in email, in order to accomplish the RUSH payment. You can stop other work and process the hot item, but don’t break controls to accomplish the task. You must retain the integrity of the internal controls.

As noted above, segregation of duties is a very important internal control. Make sure segregation of duties is intact. For instance, vendor maintenance should not pay invoices or work on the escheat process.
