Financial Controls (e.g., purchase limits)

We are working through an implementation project, and some questions have come up about financial controls. For example, we can set a per-PO purchase limit, but what about the situation where a staff member issues a series of POs to a friend that is providing them a kickback?

I am looking for thoughts / discussion / best practices for what other companies have done in this area, and if there is anything specific (maybe not out-of-the-box) that you have done to set these up.

Maybe you could add the buyers as an attribute to the supplier that are restricted from purchasing from this supplier and then add a BPM that doesn’t let that buyer select that supplier in PO entry? Or you could do the same with a UD field.

1 Like

Sorry, just to clarify, it’s not just that specific situation we are trying to address. To do what you suggested, you would have to be aware of a prior relationship of the staff member with the supplier. I was using it more as an example of how a single PO limit can easily be circumvented by using multiple POs within the limit.

You could create a BPM that checks other recent POs with the same vendor and buyer. If more than one PO with the same vendor in the past week shows up, then stop the PO. Very generalized, but I think this is possible.

1 Like

You can set the PO limit to 0.01, which is what one of our sites likes to do so every PO has to go through the approval process. Not ideal, but what they wanted to do. The site is in Europe. Then it goes to a second and third tier approval depending on the PO limit of the supervisor, etc.

1 Like

Thanks for the ideas. We would define purchase limits (I don’t think we want to approve all POs). I like the BPM idea to flag multiple POs in a time period to the same vendor, then route for approval.

Edited my original post to reiterate that I am looking for feedback on other high-level controls that others have used that we may not have thought of.

Segregation of duties is another key one - don’t allow the same person to add Supplier, then PO, PO Receipt and then key an AP Invoice.

I log and make FD aware when bank details are changed for any Supplier in the system too. That would be my weapon of choice if I were wanting to get locked up for fraud - just change bank details on an existing supplier that has a decent level of spend and wait for the payment to hit your bank :rofl:

2 Likes

Good call, Mark - I have seen news articles about this particular hack recently: MacEwan University defrauded of $11.8M in online phishing scam | CBC News

1 Like

A back end approach would be to do similar checks during AP Invoice entry, or Payments. It’s a little late in the game, but could act as one last check.

1 Like
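
The check suggested in the thread (flag several POs from one buyer to one vendor inside a time window, then route for approval) can be prototyped outside the ERP as below. This is an added example, not code from any poster or from the ERP vendor; the field names, the 5000 limit and the sample rows are constructed assumptions, and it goes one step further than "more than one PO in a week" by flagging only when the combined total exceeds the per-PO limit.

```python
from collections import defaultdict
from datetime import date, timedelta

PO_LIMIT = 5000  # assumed per-PO approval limit, whole currency units

# Constructed sample data; field names are hypothetical, not an ERP schema.
SAMPLE_POS = [
    {"po": 1001, "buyer": "alice", "supplier": "ACME", "date": date(2024, 3, 4), "amount": 4800},
    {"po": 1002, "buyer": "alice", "supplier": "ACME", "date": date(2024, 3, 5), "amount": 4900},
    {"po": 1003, "buyer": "alice", "supplier": "ACME", "date": date(2024, 3, 7), "amount": 4700},
    {"po": 1004, "buyer": "bob", "supplier": "ACME", "date": date(2024, 3, 4), "amount": 4500},
    {"po": 1005, "buyer": "bob", "supplier": "ACME", "date": date(2024, 3, 20), "amount": 4500},
    {"po": 1006, "buyer": "carol", "supplier": "BOLT", "date": date(2024, 3, 6), "amount": 1200},
    {"po": 1007, "buyer": "carol", "supplier": "BOLT", "date": date(2024, 3, 8), "amount": 900},
]

def flag_split_purchases(pos, po_limit, window_days=7):
    """Return (buyer, supplier, po_numbers, total) for each buyer/supplier
    pair whose under-limit POs add up to more than po_limit within
    window_days of each other (worst window per pair)."""
    by_pair = defaultdict(list)
    for po in pos:
        # POs over the limit already go to approval; only under-limit ones
        # can be used to slip past it.
        if po["amount"] <= po_limit:
            by_pair[(po["buyer"], po["supplier"])].append(po)

    window = timedelta(days=window_days)
    flagged = []
    for (buyer, supplier), rows in sorted(by_pair.items()):
        rows.sort(key=lambda r: r["date"])
        start, running, worst = 0, 0, None
        for end, row in enumerate(rows):
            running += row["amount"]
            # Slide the window start forward until it spans <= window_days.
            while row["date"] - rows[start]["date"] > window:
                running -= rows[start]["amount"]
                start += 1
            in_window = rows[start:end + 1]
            if len(in_window) > 1 and running > po_limit:
                if worst is None or running > worst[3]:
                    worst = (buyer, supplier, [r["po"] for r in in_window], running)
        if worst:
            flagged.append(worst)
    return flagged

if __name__ == "__main__":
    for hit in flag_split_purchases(SAMPLE_POS, PO_LIMIT):
        print("route for approval:", hit)
```

The same grouping can be run against invoices or payments instead of POs for the back-end check mentioned in the last reply.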