Royce: Welcome to "Meet the Experts," an IOFM podcast series designed to introduce you to many of the more than 200 panelists and answer your "Ask the Expert" questions. "Ask the Expert" is a popular feature allowing our members to ask fellow AP and AR practitioners any work-related questions, and get answers back within five business days. I'm Royce Morse, Institute of Finance and Management's Managing Editor.
Today we're listening to a conversation between Deborah Richardson and IOFM's Executive Editor, Jess Scheer, as they discuss the vendor master file. Deborah has over 20 years' experience at Fortune 500 companies, and she's an expert in vendor master file data and processes. One of her specialization areas is helping organizations prevent fraud, both internal and external.
Deborah is IOFM's expert on all matters VMF, answering "Ask the Expert" questions on the subject, and participating in IOFM's operation summits.
Deborah: All right, so I am here with Jess Scheer. And Jess, today we're going to talk about everybody's favorite thing: desktop procedures. But before we do that, do you want to just kind of introduce yourself to the listeners so we all know what you do?
Jess: Sure. My name is Jess Scheer, and I'm the executive editor at IOFM. IOFM is a membership organization that focuses on training and educational content for AP professionals. Particularly in this context, we're really interested in talking with experts like Deborah around desktop procedures and how we can do them better, how they can help us do our jobs better, faster, with greater confidence, and avoid fraud.
So that's a lot in the next half-hour, but we're excited to get underway. Deborah?
Deborah: Yeah, and so for those that don't know me, number one, I've been involved with IOFM for a while now. I think I got my first certification in 2013, so it's been a while. But my name is Deborah R. Richardson, and you may know me by my saying "Putting the AP in Happy." That's the name of my podcast.
I was a practitioner for AP for a little over ten years, and, within that time, I, of course, was over the vendor set-up and maintenance process and, of course, was really affected by the uptick in fraud, even back a few years ago (not to mention as we came into the last 18 or 24 months).
Now I work with the accounts payable team to help them put in those authentication techniques, internal controls and best practices, so they can avoid fraud, avoid compliance fines, and then also just overall bad vendor data, of which desktop procedures are an important part of that.
Jess: Absolutely. If folks aren’t already, they should be on your email list, because every Tuesday and Thursday you send them what’s one of the highlights or lowlights of my week, which are the frauds that have been enacted or attempted to be enacted against AP departments. I think of late those have sparked some ideas around desktop procedures and what folks can and should be doing to mitigate those risks. Why don’t we start there? What are some of the things you’re seeing?
Deborah: So really badly, the fraudsters, of course, are getting smarter. They’re going to work in buildings every day just like you and I go to work. Or maybe not like you and I go to work in buildings. I know lots of folks are still in hybrid situations. But the point is that they go to work just like you and I do, and they are always evolving.
One of the biggest things that I found that was very alerting was a new scam alert I had late last year where the fraudsters can now remove that external email indicator where you’ve got all the warm and fuzzies because you thought that that was your internal employee emailing you because there was no external email indicator. Yeah, those warm and fuzzies are gone.
So things like that are really not necessarily surprising, but they are something that you really need to be concerned with and really need to put in those controls and try to mitigate those fraud risks. The other thing I’m seeing is not necessarily fraudsters using spoofed email. So you have to be that evil eye to find that extra letter.
In some cases, even if they are spoofing it, they’re using a double-V—or two V's—for a W. They’re using a capital “I” for an “L” so you can’t always spot that. And in some cases, they’re not even doing that. They are in your vendor’s email. They are in your employee’s email because the phishing attempts of the past 18-24 months have been successful. And so they have login credentials.
So there are lots of new scam alerts. Unfortunately, I find out two to three a week consistently, sometimes more. So when I send out those Tuesday/Wednesday or Tuesday/Thursday emails, they typically have quite a few new scam alerts in them because they’re always evolving.
Jess: Well, let’s unpack the two things you just shared with us. The first one is the little warning that says, “This email originated from an outside email address.” And the lack of that always gave me a little bit of confidence knowing that it came from someone internally whom I would typically know, or know of. And now, you’re saying that spammers can remove that. So is it better to eliminate that altogether or just not give as much credence to that, not let that be your deciding factor?
Deborah: So I think you can use that as an additional red flag if there are other red flags in the email. So yes, the external email indicator, I think the warm and fuzzies that we get from that—or used to get from that—can just kind of go away. You really need to make sure you’re mitigating fraud no matter where that email originates, externally or internally. Again, because fraudsters have learned how to remove that external email indicator.
What’s really funny though is that I still run into clients or accounts payable teams that don’t have an external email indicator. I do recommend them, but I don't think you should get the warm and fuzzies from them if there is no external email indicator.
Jess: Right. I guess if it says it’s coming from an external, that’s okay. But the lack of one doesn’t necessarily mean that it’s coming from an internal source. Your radar still needs to be up.
Deborah: Correct. That’s why I still recommend them.
Jess: Yeah, every bit helps. It speaks to how the fraudsters are staying one step ahead of us. We thought the external email notification would alleviate. And sure enough, they found a way around it. And then the second point you were making around the lack of spoof emails scares me too.
We used to be able to look for something that just didn't look right, didn't feel right in looking at an email address. And now you’re telling me that’s not enough anymore either. My Spidey sense isn’t enough.
Deborah: First of all, the Spidey sense and relying on yourself or your employees or team members to find that extra letter in the email address domain, that was really never good. Because no one can be 100% all day every day to spot those little things, those little red flags to let you know that it’s not a valid email.
Number one, the fraudsters aren’t necessarily spoofing them anymore. But even if they are, they’ll take a “W" in the email domain—or the domain address—and use two “V's.” How do you spot that? That’s hard to spot. They will use a capital “I” in place of an “L.” How are you ever gonna spot that with the naked eye? And so those things are out there, and there are mitigations for that as well.
But then the other disturbing piece of it is that they don’t even have to use that nowadays because of the successful phishing attempts that have gone on for the last 18-24 months when phishing really increased. The fraudsters now have our login credentials. They have your vendor’s—or they can have your vendor’s—login credentials.
So that email that’s coming to change bank account information is coming from your vendor’s email. And so there’s no way to spot that. So you have to have mitigations such as authentication techniques, internal controls, and best practices in place so that you can avoid that type of fraud. And that’s just what we’re seeing now. I hate to see what’s going to be developed in the future. But there are mitigations that you can put into place to thwart these types of fraud.
Jess: Absolutely. And I think that’s a nice segue. Because I think while we want to be diligent and maybe even be afraid of what’s out there, we don’t want to lose faith and lose hope that we can mitigate. So let’s start to unpack the three things that you started to describe. The authentication, what do you recommend?
Deborah: For authentication, I always talk about or give the example of when you call your bank. I don't know, maybe you want to transfer funds, or maybe you want to ask questions about your account. They don’t just start talking to you about whatever you called to do. They make sure that you are who you say you are. And they will authenticate you by having you answer two to three specific questions. And then when you get on the phone with them, they may even ask you more. But the point is that they authenticate you to make sure you are who you say you are.
You need to do the same thing with your vendors and with your internal employees in some cases. Because if they’re not calling in from a system phone, sometimes when that happens, you can verify that they are calling from an internal phone. In lots of cases, they will call from their cell phones, or even email for that matter.
I saw instances, especially in 2020, where internal employees were using their personal email because they couldn’t get set up right at home. And so you need to authenticate internal employees too in most cases. But that authentication piece is really good to put into place. And then also if you have a banking change, I always say make sure you authenticate the data.
Which means that instead of only accepting their bank letter or a voided check—which can be fraudulent, they can be fake—also require a company‑branded ACH form. And on that company-branded ACH form make sure that you request the existing vendor banking that’s on file.
And if they can’t give you that, if they don’t have the existing account where the last payment was deposited—and remember, they have to keep that on file or retain that information for up to seven years—and maybe more than that on their side—but if they don’t have access to get that, why on Earth do they have access to give you—or the authority to give you—a new bank account?
And so if you get pushback on that, then I would say that’s a big red flag. The authentication piece, making sure you’re asking those questions before you start identifying, or before you start talking to them about what they called for, that is a must. And then authenticating the data, making them give you the existing banking information, along with some other elements, can go a long way towards ensuring that you are actually dealing with your real vendor and your real vendor’s bank account.
I’ve actually had clients that if we put those two things in place and we send that to the auditors to approve getting rid of that confirmation phone call, because I know everybody says to do that. But anybody that is doing that knows how long and tedious that is. Because the vendor never picks up on the first try. They give you their updated information, and then they’re off doing vendor things. You’re calling that vendor again and again and again and again, and it’s a labor-intensive process.
Jess: Absolutely. It’s interesting because my next question—I think you can read my mind—was do you take care of all that on that vendor call? But you’re saying skip the call, just ask for information that a fraudster is less likely to have.
Deborah: Yeah. If you think about it, at the time that you are communicating with them via email or via phone, you have their attention. You have their attention, so you can ask them those authenticating questions. One thing I didn’t say is only send that company-branded ACH form once they have authenticated.
Don’t put it on your website, but if you change it every year and you all of a sudden get in a company-branded ACH form that’s an old version, you know that you didn't just give them the updated version, which means they did not authenticate. And so that’s a big red flag. So the authentication piece from authenticating the requester to authenticating the data can go a long way towards eliminating that whole confirmation process. Because by that time, the vendor’s gone. You don’t have their attention anymore, and it’s just a labor-intensive process.
Jess: What I like about that, not only is it mitigating essential red flags, but it’s also relatively efficient, right? You’re not saying, “Here are the 17,000 steps you need to undertake to validate each and every new change,” but, “Here are the practical handful of things that you should be doing every time.” And one of the challenges that I’m hearing is folks are working longer and longer hours, which means they’re working after business hours. Which means they’re working after the vendor has left, right? There’s no time for that phone call.
Deborah: Yes. And not to mention time zone differences, right? It’s issues all the way around with that confirmation. But if you do still have to make that confirmation phone call, make sure you document it. Or document the vendor, the vendor ID, the phone number, what happened, what the status is so that if the employee who originally called, they’re out the next day, someone could come back and pick up where they left off. Or as management, you can make sure that those calls are being made.
Because especially if you have quotas for other tasks that are being done by AP, they don’t want to make those calls. Because in some cases, it’s kind of a—I won’t say a waste of time, but it’s something that doesn’t contribute to their quota. And if they’re continuing to make calls and the vendor’s not picking up, they could see it as a waste of time. Or not necessarily a waste of time, but time taken away from things that they’re actually being tracked for performance on. So if you are still having that confirmation phone call, then make sure you at least have the team members document it so that you know the status of all the requests.
Jess: So let me ask you a sideways question, and that is should we be changing what people are being tracked by? At this point, pluses are working efficiently and effectively. And then they get dinged, obviously, if they let a fraudulent payment go through. Should we consider switching that around and including taking necessary steps like the ones you’re describing as part of their day job, part of their quota? Or is that not practical?
Deborah: Yeah. I think it’s a combination. I know most everybody in AP, we’re all Type A personalities. You find some of the hardest working people in AP. But you do want to make sure that they are following the processes that you put into place. And so you do have to make that part of their performance. That’s really the only way that I’ve seen that you can ensure that things are being done.
And in order for that to happen, you have to have certain things in place, including desktop procedures. Because you don't want to ding an employee for something that you don’t have documented and that they don’t necessarily know how to do. I think that’s even more important now as we have the great resignation going on, and we’ve got those employees that are taking that knowledge with them.
You need to make sure that your processes are documented, that they include those authentication techniques, internal controls, and best practices for the new team members, and also for existing team members that are there. They can use it for reference. And then with that, you can then put audit procedures in place so that you can track performance, or have it affect their performance if they are not using or putting into place those things that you implemented to mitigate fraud. You need to make sure that those processes are being followed.
Jess: Right. I think one of the challenges is we do quarterly surveys at IOFM, and we’ve seen the number and size of invoices go up every quarter, which means two things. It means there’s more work to be done. It also means that if there’s a problem, the cost of that problem has gone up each and every quarter.
And there’s pressure just to get the work done because there’s going to be a new stack of invoices the next morning. So being able to balance that with, “But at the same time, we don’t want you to take shortcuts.”
Deborah: Yeah. I will tell you, the fraudsters are counting on that. I always used to say, “Why did the fraudster cross the road to AP? That’s because that’s where the money is.” They know to strike at the end of the year. They struck a lot when everyone abruptly went home back in March of 2020. I forgot what the number was, but it was some ridiculously high number of fraud attempts or phishing emails that were sent out I think the week of April 12, 2020.
Don’t quote me on that, but one of the weeks in April there was a record number of phishing emails sent out. So they know when to strike. And one, they depend on us not having enough time to find those red flags because we’re processing things so quickly. And then with the whole social engineering behind it, they’re counting on the urgent requests and then angst that you get if you get an email that’s supposedly from your CEO because you want to please them.
But I’ll tell you now, I was a senior manager at Verizon for a few years. And the CEO never contacted me. I actually advocate for making sure that a policy is in place that C-suite or leadership follows the process—especially for vendor setup because that’s where it all starts, but—for getting an invoice paid or getting a vendor set up and not go outside of the process. So that if your accounts payable team member or vendor team member receives an email from the CEO or CFO, it’s automatically a red flag.
Jess: Absolutely. Yeah, unfortunately, the CEO doesn’t really care much about what’s happening in AP unless there’s a problem. So the likelihood of them emailing you directly isn’t terribly high. We talked about authentication. Are there other internal controls or best practices that you would recommend?
Deborah: Yeah. I actually do have quite a few of them. I know that validation is a big piece. What’s big now is the whole bank account ownership validation. There are some resources for that. I would just encourage everyone to make sure that you validate that information. Once you authenticate your vendor, you validate that information to make sure that what you put in your accounting system or ERP is valid.
Because we all know, we’ve dealt with that random person at your vendor’s business that doesn’t necessarily know what the right legal name/tax ID combination is. We’ve all done the W-9 back and forth, back and forth game. And so you need to make sure you validate for that reason as well. In this day and age, I am always still so surprised when I come across accounts payable teams or clients that are not doing the IRS TIN match, but there are still some out there.
And you can not only verify that the legal name/tax ID combination is valid so that you don’t get compliance fines, which is what everybody’s thinking about nowadays because it’s January and 1099 reporting month, but also make sure that that vendor is real. So you do need to validate, and there are some resources out there to validate bank account ownership.
There’s more in the U.S., but there’s at least one that can validate U.S. and non-U.S. banks. I have a free download that includes 24 validations. I think four of those validations are where you can go to research more information on bank account ownership validation. And I’ll include that in the show notes. But if you go to Deborahrrichardson.com, there’s a button there that says, “Free validation resource,” and you can download it whenever you need it. Share it with the whole team. So make sure you’re validating that information once it gets into your vendor master file, or before it gets into your vendor master file.
Jess: That’s a great resource. We’ll promote it beyond just the show notes. If they want additional training, you provide that service as well. What else would you recommend?
Deborah: In addition to the Tuesday/Thursday email that has the new scam alerts in them, also on my website you can sign up to get next-day notification when I post new scam alerts. Unfortunately again, most days I’m posting it, so you can get those alerts. And then I also offer training for the vendor process. Because I’ll tell you, at my last position I was over global vendor setup and maintenance, and there wasn’t a lot of information out about that.
And so when I came out, I created that content via my vlogs, my podcast. And then last year, I added a training pass to that where I offer weekly training on Thursdays that just talks about vendor setup and maintenance processes. And then on the last Thursday of every month, we take all those new scam alerts that I gave you in the Tuesday/Thursday email that I posted on my site, and we go through each one. And I talk about how that could have been avoided with specific techniques or tools that are in place so that you could have avoided that new scam alert.
With that, I also have a 2-hour Q & A, open, drop-in live session every Friday, trying to make sure that we keep the vendor setup and maintenance process at the forefront and we get specific training for your team members that handle the vendor setup and maintenance process. Because it’s just not simply setting up a vendor so you can hurry up and get a PO or hurry up and post an invoice anymore.
Jess: No, it’s not. I think one of the things that we’re going to be experiencing is a lot of turnover in our staff. And so this is a great resource for onboarding. It’s a great resource for veteran talent that’s been around for a while but looking for new ideas. It is a great resource. Cannot endorse and support it and encourage folks to take advantage of it enough. Deborah, thank you so much for your time.
Deborah: Great. Thank you. Glad to be here. Love talking about AP. Love talking about vendor setup and maintenance, and love talking about how to avoid fraud.
So Jess, where can folks go to either connect with you or get more information on IOFM? If you guys have seen the letters behind my name and wonder what the heck is that, those are all certifications from the Institute of Finance & Management, and that’s IOFM. So Jess, if they want more information about IOFM, what you guys do, what certifications you offer, how they can get training from your side, where would everybody go?
Jess: IOFM.com is the easiest place to start the conversation. Let’s not send people to LinkedIn, Facebook, and other places where we exist as well. I think IOFM.com is a great starting place. We have a lot of free content in front of firewalls. But then obviously, for members there’s thousands of articles, hundreds and hundreds of tools and templates like the one I’m stealing from Deborah as of this conversation.
And podcasts, webinars, white papers, et cetera.
Deborah: Perfect, and how simple, IOFM.com. Me, I have Deborahrrichardson.com/ and then some long name with some hyphens in it for special stuff. I should have taken a little hint from you guys, but it’s all good. We’ve got lots of free [unintelligible]. Well thanks, Jess. It was great talking to you today.
Jess: Thank you.
Deborah: Maybe we can do this again in the future with some new and better ways to mitigate fraud.
Jess: Fraudsters are always coming up with better ways to trick us, so we’ve got to stay on top of it.
Deborah: All right. Thanks a lot.
Royce: Thank you for listening to “Meet the Experts,” an IOFM podcast series. Remember, if you have a question for our guest or any of our experts, be sure to log into IOFM.com/ask-the-experts.