1. Attribute Standards
1.1. Accounts payable professional standards
1.1.1. The accounts payable professional should adhere to the highest level of professional standards set forth by his or her organization’s finance operation.
1.1.2. The accounts payable professional has a fiduciary responsibility to ensure that invoices are properly approved and funds are disbursed in accordance with the organization’s financial policies.
1.1.3. The accounts payable professional must maintain the highest level of integrity, objectivity, confidentiality, and professional competency to ensure that there is an awareness of the consequences of committing external, internal, and collusion fraud. (Refer to Section II, 3.2, Invoice Processing Controls)
1.1.4. The accounts payable organization should be organizationally aligned so there is a proper level of segregation of duties and organizational independence. It is the responsibility of the accounts payable professional to promote steps to achieve the maximum level of segregation of duties and organizational independence possible.
1.1.5. The accounts payable professional should be provided with a prescribed job description and development plan (if applicable). The organization’s accounts payable department as a whole comprising the associates and management team should possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities at any given time.
1.2. Accounts payable core competencies
1.2.1. With the changing world of accounts payable, the importance of the core competencies listed below will vary depending on the assignment of priorities within the organization.
220.127.116.11. The accounts payable director/manager should have strong management skills and experience in leading large teams. Often this position requires a bachelor’s degree in accounting, master’s in business administration, or certification such as CPA. The accounts payable director/manager will need to influence and team with other entities such as procurement, receiving, and business partner organizations. The director/manager will be called upon to provide metrics and report to senior management on at least a monthly basis and will require strong project management skills if a new system is being implemented or upgraded or if the organization is undertaking an outsourcing, off shoring, or shared services project. The accounts payable director/manager will require the core competency of customer service in dealing with vendors as well as internal organizational customers. Business planning and change management are important skills because the director/manager will need to ensure that his or her accounts payable organization is keeping up with the changes required to be successful. Lastly, the accounts payable director/manager is responsible for ensuring that the internal controls with the accounts payable process are properly executed and there is no risk impacting the company’s statements.
18.104.22.168. The accounts payable supervisor/team leader will require skills similar to those of the director/manager but on a smaller scale and for a specific section of the process as assigned. Additionally, the educational requirements are not as stringent but may include a bachelor’s degree in accounting. The supervisor/team leader will be responsible for supervising the team assigned to a specific accounts payable process. The supervisor/team leader is held accountable for the success, results, and outcome of the process. The supervisor/team leader will report to the accounts payable manager.
22.214.171.124. The accounts payable associate is assigned a specific job within the accounts payable process such as processing invoices for a specific range of letters within the alphabet. The associate is expected to have a good background in accounting and analytical skills. In some organizations, the position requires a degree in accounting.
2. Performance Standards
The accounts payable organization is responsible for adhering to policies that outline spending authority and segregation of duties. The accounts payable organization is additionally responsible for ensuring that all risk with the process is properly identified, and addressed by the appropriate internal control.
The following documents possible formats in which this requirement can be met:
2.1. Adherence to delegation of authority policies
2.1.1. A delegation of authority (DOA) policy is a company-wide policy that establishes the signature authority for specific levels and types of expenditures and company commitments. Expenditures include invoices and travel and entertainment transactions. Company commitments include contracts, and letters of intent. The level of authority may be directly linked to levels in a company’s job structure such as manager, director, vice president, chief financial officer or chief executive officer.
2.1.2. Certain types and levels of expenditures will require board of director approval. Examples are mergers and acquisitions, and capital expenditures greater than a specified amount such as $25 million. These approvals will be documented in board of director meetings.
2.1.3. Out-of-office delegations should be maintained systemically via e-mail or by the appropriate delegation form. It is important to maintain a copy of the supporting documentation for the delegation.
2.1.4. Permanent authority is often granted to the next level down within an organization such as a director delegating his level of authority to a trusted manager. However, while you can delegate authority, you cannot delegate ultimate responsibility.
2.1.5. Some companies apply DoA requirements to journal entries to ensure that large financial entries are properly approved and to ensure that financial results are properly reported.
2.2. Adherence to segregation of duties policies
2.2.1. The intent of a segregation of duties policy is to ensure that an organization identifies incompatible business functions and maintains a separation of such. In instances where business functions cannot be fully and appropriately segregated because of specific circumstances, management should implement mitigating controls. As changes occur in the organizational, functional, and technological environments, assessments should address the impact on the segregation of duties resulting from such changes. The policy should be enforced by the accounts payable director or manager shall enforce this policy.
2.2.2. Adequate segregation of duties reduces the likelihood that errors (intentional or unintentional) will remain undetected by providing for separate processing by different individuals at various stages of a transaction and for independent reviews of the work performed. The segregation of duties provides four primary benefits: 1) the risk of a deliberate fraud is mitigated as the collusion of two or more persons would be required in order to circumvent controls; 2) the risk of legitimate errors is mitigated as the likelihood of detection is increased; 3) the cost of corrective actions is mitigated as errors are generally detected relatively early in their lifecycle; and 4) the organization’s reputation for integrity and quality is enhanced through a system of checks and balances.
2.2.3. The matrix on the following pages reflects the desired state of the segregation of duties for the procure-to-pay cycle. Each row and column in a matrix represents a major business sub-process. Where the intersection of a row and column is denoted by an ‘X’, the corresponding business sub-processes represent incompatible functions that should be segregated. The segregation of duties can exist and should be assessed at the organizational, functional, and/or systematic levels.
2.3. Risk management requirements within accounts payable
2.3.1. The accounts payable professional has the responsibility to identify and assess risk within the organization in a timely manner and ensure that the correct internal control has been implemented to mitigate the risk.
2.3.2. In the late 80’s, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued Internal Control – Integrated Framework to help businesses and other entities assess and enhance their internal control systems. That framework has since been incorporated into policy, rule, and regulation, and used by thousands of enterprises to better control their activities in moving toward achievement of their established objectives.
2.3.3. COSO Enterprise Risk Management (ERM) is a process, affected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise
- To identify potential events that may affect the entity and manage risks be within its “risk appetite”.
- To provide reasonable assurance regarding the achievement of entity objectives.
2.3.4 The accounts payable professional should consider risk from the following perspectives:
- Contracts should include defining the business relationship and transactions that occur between two or more parties.
- Managing a contract through its lifetime is critical. Thus, the requirement is to have a documented process and an internal controls program within procurement.
- Because the ultimate purpose of a contract is to create a vehicle for transferring value in the form of goods and services between entities, contracts governing that transfer need to be clearly and thoroughly documented.
- A company should be able to track all important contract risk elements, such as contingencies and interdependencies, as well as to maintain an audit trail of who reviewed and signed off on those risk elements in the contracts and when.
- Establishing and making payment to fraudulent vendors is a risk that needs to be considered when establishing an internal controls program.
- Risks should be mitigated to avoid inaccurate or erroneous payments to vendors.
- The risk of incorrect accounting treatment needs to be addressed in the establishment of account reconciliation controls and segregation of duties.
3. Process Controls
As previously stated, delegation of authority and segregation of duties are two corporate policy related or foundational controls required for the accounts payable profession. The following controls are specifically related to the accounts payable process and should be evaluated and implemented as appropriate for the organization
3.1. Vendor master controls: Because the accounts payable function is responsible for the proper disbursement of funds to the correct vendor, the accounts payable professional should ensure that the vendor has been validated before setup on the vendor master.
3.2. Invoice processing controls: The accounts payable function is responsible for the timely and accurate processing of invoices adhering to the internal controls. Controls could include but are not limited to those listed below:
3.3. Disbursement controls: Along with payroll, accounts payable represents the largest percentage of disbursements within a company. It is critical to adhere to the following internal process controls to detect and prevent fraud within a timely manner.
- Check requests should be routed to the appropriate personnel for review prior to payment release.
- For audit purposes, disbursement activities should be traceable to the general ledger and bank statement.
- Approved purchase orders, receiving transactions, and invoices must support requests for payment.
- Vendor discounts should be taken according to company policy.
- Disbursements must be recorded in the period the payment was made.
- Expenses must be properly and accurately recorded in the accounting records during the period in which the liability was incurred.
- Blank checks should be properly stored and safeguarded in a secure area.
- Proper accounting should be ensured for void or canceled checks.
- Specific limits of signed authority must be established for bank accounts.
- Banking and disbursement information must be safeguarded from loss or destruction.
- Checking accounts must be provided with a “match pay,” “positive pay,” or “positive payee” control that permits a preview of checks presented to the bank for payment.
- Check requests must be used for the proper purpose and are limited in value.
- Segregation of duties controls are exercised when granting system access to the vendor master file.
- A W-9 form is executed prior to setup on the vendor master when required.
- A vendor profile form is completed when required (i.e. global vendors).
- Vendors are screened against Office of Foreign Asset Control (OFAC) and other government watch lists or according to company’s policy.
- Inactive vendors are flagged or purged on an annual basis or other prescribed frequency.
- Changes to vendor master files are accurate and reported for audit purposes.
- Addresses of vendors are validated as accurate and reported for audit purposes.
- Updates to employees on the vendor master file are accurate and complete.
- EDI vendors are properly set up and appropriately validated.
- Standard vendor naming conventions are applied.
- Duplicate vendor remit to addresses are reviewed with appropriate action taken.
- Segregation-of-duties controls are exercised when granting system access to invoice processing functionality.
- Vendors are paid once and only once.
- Discounts are taken if appropriately approved.
- Vendors are paid at the appropriate price in accordance with the terms and conditions of the contract.
- Payments to contract labor vendors do not exceed the authorized amount.
- Vendor invoices are paid upon validation of goods received and purchase order; blocked three-way match exceptions are not processed and are monitored by AP for clearing.
- Purchases are authorized and in accordance with the company’s approval levels. Third party support (invoices/contracts) is sent directly to AP.
- Interface, EDI and spreadsheet upload transactions are accurately and completely transmitted to the ERP.
- Transactions are accurately reflected in the general ledger; AP reconciliations for aging and clearing accounts are timely performed and reviewed.
- Invoices are processed according to invoice payment terms.
- EDI transactions are accurate and completely recorded in the organization’s ERP system.
- ACH accounts should have debit blocking capabilities to ensure that no authorized debits can be placed.
4. Management Reporting
The accounts payable director or manager has the responsibility of keeping accurate information about balances due, due dates,and available discounts and should be able to track and take advantage of terms and discounts, predict cash requirements, and monitor payments so that they are made only once.
4.1. Accounts payable reporting: The accounts payable director or manager should have the following reports available to make sound cash management decisions about which invoices to pay and when to schedule the disbursement. It’s important to take advantage of available cash discounts (according to corporate policy) and be cognizant of invoice aging periods and monthly and quarterly cut-off dates. The following list of reports provides the tools to assist with managing the accounts payable process.
- Aged trial balance report
- Accounts payable analysis report
- Cash flow report
- Check register
- Miscellaneous debits journal
- Open invoice report
- “Blocked” or “on hold” invoice report
- Payment history reports (by vendor, business units, subsidiaries)
- Purchase analysis report
- Purchases journal
- Outstanding balances by vendor
- Vendor activity report
- Vendor analysis report
- Vendor detail history report
- Vendor purchase history report
- Inactive vendors
- Vendors with the same address
- Paid credits
- Open credit balances
- 1099 reporting
- Withholding reporting (VAT, freight, sales and use tax)
- P-card reporting
4.2. Accounts payable metrics: The accounts payable director or manager should exercise caution when implementing a metrics program. A metrics program must be easy tormenting and update, and reporting should be seamless. The accounts payable professional should have knowledge of key metrics such as:Days payable outstanding: The (DPO) metric calculates the total time it takes a business to pay invoices. The DPO is calculated by taking the accounts payable divided by the cost of sales and then multiplying that number by the total number of days.
Days Payable Outstanding Formula:
- DPO= AP Balance (at a point in time) / Average Daily Purchases
- Average DPO= Average AP Balance (for (X) period of time, i.e. 1 year) / Average Daily Purchase (for (X) period of time, i.e. 1 year)
- Cost per invoice: This can be a difficult metric to capture because many organizations capture the hard costs to send an invoice such as materials and postage and some accounts payable labor costs, but tend to ignore labor costs allocated to the accounts payable process such as IT, facilities, and other overhead costs. Cost per invoice is calculated by determining the total cost of the accounts payable process and dividing by the total number of invoices processed for the period.
Use of a standard formula will allow comparison across entities:
Include the following costs for the time period measured:
- Direct Labor Cost associated with Process Being Measured (could be invoice, non-PO invoice, employee expense report, EDI invoice).
- Plus: Benefit Markup (usually a percentage that can be provided by Payroll department).
- Plus: Occupancy Cost Markup (actual if known or a percent of direct labor determined by cost of comparable space).
- Plus: Systems and/or IT Support Markup (actual if known or a percent of direct labor).
- Divide the sum of the costs by the number of transactions processed for the time period measured.
- Disclose types of transactions included/excluded and costs included/excluding if benchmarking.
- Measure at as low a level as possible (can always combine transaction types for rolled up results).
- Number carried-over from previous month
- Number received as mail
- Number received as paperless transactions
- Number processed per month
- Number on hand at month end
- Average processed per day
- Number processed in previous year
- Percent of change from previous fiscal year
Overhead and labor.
- Managers and administrators
- Regular associates
- Part-time associates
- Contract associates
- Full-time equivalents
- Open positions
- Overtime hours paid
- Sick pay
- Vacation pay
- Business days
- Paper checks
- ACH transactions
- Debit blocks
- Positive pay/payee flags
- Frequency of payments
- Emergency/manual payments
Vendor master file.
- Number of active vendors
- Inquiries — voice, e-mail, Web, internal/external
- Number of new vendors
- Re-activated vendors
- De-activated vendors
- Purged vendors
- Merged vendors
- Electronic invoice trading partners
- Review of vendor master quarterly, annually
- Comparison of vendor master with employee file quarterly, annually
- Number of controls, reviewed quarterly
- Percentage of control deficiencies per quarter
- Account reconciliation issues, identified per quarter
- Outstanding variances
- Clearing account issues (GRIR)
- Disclosure items, identified per quarter
- System access issues and segregation of duties exceptions
- Delegation of authority overrides
- Outstanding debit balances
- Duplicate erroneous payments
- Accounting and tax accrual errors
- Vendor risk management impact items
5. Regulatory Requirements
The accounts payable process includes regulatory requirements such as the 1099 process, Sections 302 and 404 of the Sarbanes Oxley Act of 2002, and others that may be applicable.1099 Reporting: Form 1099 is a form promulgated by the Internal Revenue Service (IRS) and is used in the United States income tax system to prepare and file an information return to report various types of income other than wages, salaries, and tips for which Social Security Administration Form W-2 is used instead. Within the accounts payable process, the W-9 is the driver of the 1099 process. A valuable internal control within the vendor master process is to require a W-9 with TIN matching to avoid B notices at 1099 processing time.
5.1. Sections 302 and 404 of the Sarbanes Oxley Act of 2002: Within Section 302. CEOs and CFOs must personally certify that they are responsible for disclosure controls and procedures. Each quarterly filing must contain an evaluation of the design and effectiveness of these controls. The certifying executives must state that they have disclosed to their audit committee and independent auditor any significant control deficiencies, material weaknesses, and acts of fraud. An expanded certification requirement that includes internal controls and procedures for financial reporting may also be included when the SEC issues its final rules. The accounts payable director or manager may be included in this process on a quarterly basis.
Within Section 404, the accounts payable director or manager will play a more significant role. Section 404 mandates an annual evaluation of internal controls and procedures for financial reporting. It also requires the company’s independent auditor to issue a separate report that attests to management’s assertion of the effectiveness of internal controls and procedures for financial reporting. In order to properly represent an assessment of internal controls, management accepts responsibility (written assertion) for the effectiveness of control. It is important that controls are suitably designed to achieve the objective (reliability of financial reporting) using established criteria and control objectives and related controls need to be appropriately documented. Lastly, management assesses the effectiveness of internal control over financial reporting and reports thereon (both design and operating effectiveness).
The Institute and the accounts payable profession gain credibility by maintaining a level of open, honest, and professional communication within an environment of respect and of the highest ethical standards. Accounts payable directors and managers have a responsibility to create an open and supportive environment where their employees feel comfortable not only to perform their assigned roles, but also to offer suggestions. Every accounts payable associate should be able to speak his or her mind. Matters of a confidential nature should be treated as such to ensure trust and professionalism.
The Institute and the accounts payable profession must maintain the highest standards of leadership through The Institute’s Code of Ethics, Member Code of Conduct, and Professional Standards. To make these codes and standards work, professionals must be responsible for promptly addressing ethical questions or concerns raised, and for taking the appropriate steps. AP professionals should not consider ethics concerns as threats or challenges to authority, but rather as another form of business communication. The ethics dialogued thus should become part of our ongoing work.