How Electronic Invoicing helps to reduce the risk of fraud
As in the paper invoice environment, the real risk in the electronic invoicing process is not in the delivery of the data but in the matching, processing and payment of the invoices in the receiver’s system. A company can be a victim of fraudulent behaviour only if it does not have the appropriate controls in place.
Security measures at the data transport level do not protect against fraudulent behaviour. If, for example, a company (or a fraudster within that company) issues an e-invoice for products that have never been produced, or with different bank account details, the transport security mechanism (for example an advanced electronic signature) will have absolutely no power to protect the receiver. Only the receiver’s internal controls and procedures will protect the receiver company.
Typical points of failure reside in the lack of data matching and verification of the supplier payment details.
In order to effectively minimise the incidence of internal or external fraud, it is of paramount importance that there is an internal policy regarding segregation of duties to ensure that:
- the verification of client bank details is carried out independently (i.e. verified by person A) from the input of those details to the company master data (i.e. performed by person B);
- the verification includes the initial input and any subsequent updates to the client master data;
- the verification is done whether the bank details are derived from an automated or manual process.
The above-mentioned policy represents the most important step in reducing invoicing fraud.
For smaller companies it can be quite difficult to maintain staff levels at all times to ensure complete segregation between the receipt, input and approval of an invoice. This can leave the business and often unsuspecting employees open to the occurrence of fraud. Since the e-Invoicing process removes the human receipt of the invoice (along with the manual cross-referencing, approval and input to the ERP system), the risk of internal fraud is significantly reduced. Therefore, SMEs are able to carry out these automated transactions and maintain controls with a smaller number of staff involved.
Additionally, the initial set up of an e-Invoicing customer requires entries into software tables (mapping) of all the known, agreed, and mandatory data that those invoices will contain. These tables will include specific references (which may be alpha or numeric codes) that only the supplier’s system uses to describe their terms and products. The sender ‘codes’ will be cross-referenced to the equivalent codes that the receiving company’s system uses to describe them.
For example: the supplier’s system may identify itself as a company with a code of ‘A1234’ while the receiver’s system might identify that particular supplier as ‘B5678’. In this case the cross-reference table in the receiver’s system to identify this supplier will have an entry of A1234=B5678. This cross-referencing process may be repeated several times for any type of known data such as VAT IDs, product codes, payment terms codes, etc. Once the invoice has been accepted as having been sent by an established sender, it typically goes through a secondary process of matching to an established order (by matching on an order number or product details, amounts, etc.). Therefore, the automated matching process – that occurs during the daily invoice translation and load to the ERP system – will reject any invoices that do not match these mandatory values. This is the second step to significantly reducing the risk of external invoice fraud.
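The cross-reference lookup and order matching described above, as an added Python example that is not part of the guide. Apart from the A1234=B5678 pair, all field names, IDs, bank details and order data are constructed assumptions.

```python
from decimal import Decimal

# Constructed sample data. Only the A1234=B5678 pair comes from the text above.
SUPPLIER_XREF = {"A1234": "B5678"}            # sender's code -> receiver's supplier ID
SUPPLIER_MASTER = {                           # details entered by B after A verified them
    "B5678": {"vat_id": "XX000000001", "iban": "XX00BANK0000000001"},
}
OPEN_ORDERS = {                               # order number -> what was actually ordered
    "PO-1001": {"supplier": "B5678", "product": "P-77", "amount": Decimal("1200.00")},
}

def match_invoice(inv):
    """Return the list of rejection reasons; an empty list means the invoice may load."""
    supplier = SUPPLIER_XREF.get(inv.get("sender_code"))
    if supplier is None:
        return ["unknown sender code"]        # not an established sender: stop here
    reasons = []
    master = SUPPLIER_MASTER[supplier]
    if inv.get("vat_id") != master["vat_id"]:
        reasons.append("VAT ID differs from master data")
    # Payment details on the invoice never overwrite the verified master record.
    if inv.get("iban") != master["iban"]:
        reasons.append("bank account differs from verified master data")
    order = OPEN_ORDERS.get(inv.get("order_no"))
    if order is None or order["supplier"] != supplier:
        reasons.append("no matching order for this supplier")
    else:
        if inv.get("product") != order["product"]:
            reasons.append("product does not match order")
        if Decimal(str(inv.get("amount", "0"))) != order["amount"]:
            reasons.append("amount does not match order")
    return reasons

# Constructed invoices: one valid, one with altered bank details, one without an order.
GOOD = {"sender_code": "A1234", "vat_id": "XX000000001", "iban": "XX00BANK0000000001",
        "order_no": "PO-1001", "product": "P-77", "amount": "1200.00"}
CHANGED_BANK = {**GOOD, "iban": "XX00BANK0000009999"}
NO_ORDER = {**GOOD, "order_no": "PO-9999"}

if __name__ == "__main__":
    for name, inv in [("good", GOOD), ("changed bank", CHANGED_BANK), ("no order", NO_ORDER)]:
        print(name, "->", match_invoice(inv) or "accepted")
```

A rejected invoice is routed to manual review; a changed bank account is handled through the independent verification of master data, never by accepting the value printed on the invoice.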
In summary, the combination of e-Invoicing adoption with a well-thought-out matching process and strict controls on bank account entries is key to eliminating business fraud.
This excerpt is from the European e-Invoicing Guide for SMEs.

