Q. (cont.) Recently our internal auditors asked if we refer to and verify authorized signatures for every payment type, including travel reimbursements, travel advances, employee expense reimbursements, consultant payments, PO invoices, non-PO invoices.
Due to the magnitude of our authorized signer list and the fact that the list is often outdated, we in AP only refer to the list when we suspect a problem. We are hoping that someday in the near future, we will make a shift to an automated invoice and workflow solution that will eliminate the need to keep a massive, manual list of signatures on file. Do you have any recommendations on how to maintain a date-driven database list of authorized signers for easy "view only" AP access for in our manual paper process, prior to moving to an automated solution?
A. Checking signatures is an important control.
For a short-term solution, talk with your auditors, but it might be possible to create an electronic file with signature images having limited access. It could then be pulled up on the computer, could include the date of the signature, etc.
For example, you could scan the signatures and insert the images into an Excel spreadsheet, along with name, title, areas of authorization, date of signature, and whatever other necessary information (department); put on a server accessible to AP staffers—with an open password-protect (complex password), and maybe a separate “write” password-protect. Ask IT for help, especially with the password security.
However, for authorization above a certain dollar amount where the risk is higher, you should verify the signatures against signature cards. The auditors may accept that until you can automate.