4 AP Automation Features that Mitigate Occupational Fraud & Abuse

The digital revolution is reaching down into business processes that for decades, centuries even, have been manual. One of these business processes is Accounts Payable (AP). Many CFOs and executives in middle market businesses have begun to consider digitizing and automating their AP process. A lot of the enthusiasm is about automation itself, and bringing a stodgy, manual business process into the 21st century in order to increase staff efficiency and reduce costs. But, if you are currently considering an AP automation solution, you should also be thinking about security.

Startling Stats about Occupational Fraud

Research into employee fraud has shown that small and medium-sized businesses are vulnerable to insider threats. And when they are hit, these businesses bear the highest losses.

Here are some stats about employee or occupational fraud:

  • Most people convicted of occupational fraud have never previously committed a crime
  • 1 of 4 companies have been victims of occupational fraud
  • 70% of employee fraud cases came from organizations with fewer than 500 employees
  • Businesses with fewer than 100 employees typically lose around $200,000, while those with more than 100 employees only report a median loss of $104,000
  • Organizations lose 5% of revenues to fraud globally, or more than $4.5 trillion annually
  • Employee fraud typically goes on for two years before it is detected

 

Manual AP Processes Increase Occupational Fraud Risk

Employees who commit crimes of embezzlement and fraud don’t look and act like bad people, which makes occupational fraud hard to spot. Automating your AP function will reduce the risk. Before I lay out how AP automation lessens risk, let’s take a closer look at the problems with manually processing payments, particularly checks.

First of all, you probably have boxes of checks, and those boxes need to be secured. But, depending on the size of your office and its configuration, a lot of people may be able to get their hands on those checks. Checks awaiting signature may disappear.

Obtaining approvals for invoices and payments is cumbersome. The person who approved a purchase may not be the same person who enters the payment, and the person signing the check may be yet someone else. It’s difficult to track whether the amount of the purchase is the same as what’s on the check.

The most insidious vulnerability comes from the person in whom we’ve placed the most trust: the person preparing payments. When systems are manual, small but important changes can go unnoticed. Money and payments can be siphoned off without detection. For example, a phony vendor with a name very similar to an actual vendor’s can be inserted into the payment stream. We know from the research that this happens and it goes unnoticed. Employee fraud typically goes on for two years before it is detected. Most people convicted of occupational fraud have never previously committed a crime.

 

AP Automation Features that Protect Against Occupational Fraud

Here are AP automation features that can help mitigate occupational fraud and reasons to automate the AP process:

  • Access – 2FA – An electronic system limits access to only the people who need it. Additionally, by using two-factor authentication, meaning (1) your password and (2) a one-time token that gets sent to your phone, you greatly reduce the risk of the wrong person getting access to your AP and payment processing. With two-factor authentication, even if your email is hacked, if you still have your phone, your AP automation system remains secure.
  • Segregation of duties, roles – With AP automation, you define the least privileges required for each person who contributes to AP processing. Accounting managers have access to input invoices and payments, but they don’t approve invoices or payments. Each of those functions may be assigned to different people. So, invoice approvers have enough access to see and approve invoices, while payment approvers have enough access to see and approve payments. The actual processing of payments requires everyone to do their part, because no one person can perform all the steps.
  • Notification of potential fraud – There are signals that can alert you to occupational fraud, or even vendor email compromise. When a vendor’s bank account or address is changed within your system, that’s a sensitive, significant change that requires further attention. Usually, it’s business as usual. Occasionally, it’s fraud. Your AP automation solution should proactively alert you to these types of changes for your protection.
  • Logging – Finally, even with the best of intentions and the right tools, a determined bad actor can do damage. Having a complete and read-only log of payment activity enables you to look back and see what happened when things go wrong.
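As an added illustration (not code from the article or from any AP product), the Python sketch below shows what three of the checks described above can look like in practice: flagging a look-alike vendor name, surfacing vendor bank or address changes, and detecting a payment where one person filled more than one role. All records, field names and the 0.9 similarity threshold are constructed assumptions.

```python
"""Added illustration: three AP fraud checks over constructed records."""
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample data; every field name and value here is hypothetical.
VENDORS = [
    {"id": 1, "name": "Acme Industrial Supply", "bank": "acct-0001"},
    {"id": 2, "name": "Acme Industrial Suply", "bank": "acct-9902"},
    {"id": 3, "name": "Birch Office Furniture", "bank": "acct-1200"},
]
CHANGES = [
    {"vendor": 3, "field": "phone", "by": "dana"},
    {"vendor": 1, "field": "bank", "by": "lee"},
    {"vendor": 3, "field": "address", "by": "lee"},
]
PAYMENTS = [
    {"id": "P-1", "entered_by": "lee", "invoice_ok_by": "sam", "payment_ok_by": "ari"},
    {"id": "P-2", "entered_by": "lee", "invoice_ok_by": "sam", "payment_ok_by": "lee"},
]

def normalize(name):
    """Lower-case and drop punctuation/spaces so cosmetic edits don't hide a match."""
    return "".join(c for c in name.lower() if c.isalnum())

def lookalike_vendors(vendors, threshold=0.9):
    """Pairs of vendor ids with near-identical names but different bank details."""
    hits = []
    for a, b in combinations(vendors, 2):
        ratio = SequenceMatcher(None, normalize(a["name"]), normalize(b["name"])).ratio()
        if ratio >= threshold and a["bank"] != b["bank"]:
            hits.append((a["id"], b["id"]))
    return hits

def sensitive_changes(changes, watched=("bank", "address")):
    """Vendor-record changes that should trigger an alert and out-of-band review."""
    return [c for c in changes if c["field"] in watched]

def sod_violations(payments):
    """Payment ids where entry, invoice approval and payment approval
    were not performed by three different people."""
    roles = ("entered_by", "invoice_ok_by", "payment_ok_by")
    return [p["id"] for p in payments if len({p[r] for r in roles}) < len(roles)]

if __name__ == "__main__":
    print("look-alike vendors:", lookalike_vendors(VENDORS))
    print("sensitive changes: ", sensitive_changes(CHANGES))
    print("SoD violations:    ", sod_violations(PAYMENTS))
```

A pairwise name comparison grows quadratically with the vendor list, so on a large vendor master it is usually run only when a vendor is created or renamed.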

 

Final Thoughts

Information Security is a huge challenge. And while our thoughts about security are often dominated by the headlines of major security hacks affecting large companies and government agencies, threats come from inside as well. Automating your AP processing is a smart choice for making your company more secure and reducing the risk of occupational fraud.

 

Kevin Eberman, Senior Director of Information Security, MineralTree

Kevin Eberman has proven ability and an enduring enthusiasm for Information Security. A Certified Information Systems Security Professional (CISSP), Kevin has more than 20 years of experience managing Information Security, Operations, and IT groups at startups and large technology companies. He has extensive technical knowledge of security, software development, cloud operations, networking, and high-availability solutions. As MineralTree’s Senior Director of Information Security, Kevin has shepherded the entire organization through a number of security certifications, including SOC 1, SOC 2, and PCI-DSS Level 1 Service Provider. As technology continues to evolve in new and exciting ways, Kevin and his team will continue playing a pivotal part in keeping MineralTree and its customers’ data secure. Follow Kevin on Twitter @Manager_of_it.