P2P Internal Controls for Education

In my work in the procure to pay (P2P) internal controls field across several industries, I have seen several common themes. You’ll recognize some of these control themes below. I’ve specified how they apply to education and have recommended solutions to consider.

Control themes:

• General
• Theft, collusion, and kick-backs
• Fictitious suppliers
• P-cards, T&E and petty cash

General

• If there is a lack of attention to internal controls, there is a risk of fraud. Sometimes roles and responsibilities for internal controls are not clearly defined.
• Universally, the three critical controls are: 1) Segregation of Duties (SoD), 2) Delegation of Authority (DOA) and 3) System Access. These controls are critical within the education industry.

Solutions

• Clearly communicate internal control policies, programs, and responsibilities. This includes routine P2P process testing with a focus on high-risk areas.
• Establish a code of conduct and ethics training program to coincide with your internal controls program.

Theft, collusion, and kickbacks

• Collusion and kickbacks occur when suppliers offer special pricing or deals to university personnel with the promise of an incentive such as tickets to an event, gift cards, free conference passes, or even offers of a book deal or speaking engagement.
• University personnel may order excessive goods for personal use.

Solutions

• Establish a supplier selection process with requirements for approved contracts, requisitions, and purchase orders.
• Ensure that a service level agreement (SLA) process is in place for all suppliers.
• Establish a supplier management review (SMR) process to check the performance of all suppliers.
• Lastly, review key contracts to determine if there are pricing anomalies.

Key Point: Suppliers with a number of large credits may indicate a problem with pricing.

Fictitious suppliers and phony invoices

• Think it can't happen to you? A radio station engineer at the College of DuPage submitted fraudulent invoices over the course of seven years—those invoices amounted to over $200,000. It turns out this wasn’t his first offense—he also embezzled from Elmhurst College. In both cases, he was listed as the owner of the company issuing the invoices.

Solutions

• Implement supplier master controls which include W9s, W8s, TIN matching, and compliance screening.
• Cross-check the master vendor file (MVF) against HR's employee file. This ensures no employee is posing as a supplier. Check names, address, phone number, and bank account.
• Perform background checks for all employees.

P-cards, T&E, and petty cash

• There may be personal or non-university purchases, or “out of policy purchases” on a P-card.
• In some cases, a seminar or conference that is paid directly by the hosting organization to the university speaker may be submitted again for reimbursement. The university has no way of knowing that those expenses were already paid by another organization.
• Many universities and schools still use petty cash system which creates a big temptation for theft.

Solutions

• Communicate P-card and T&E policies and implement training programs.
• Establish a P-card and T&E Administrator for each program and institute mandatory cardholder agreements.
• Replace outdated petty cash systems with P-cards. This reduces reconciliation nightmares caused by reconciling cash and the never ending stream of “IOUs” and will enhance productivity and improve internal controls in the P2P process.
• Use automated systems and approval processes wherever possible.

The solutions recommended in this blog will provide you with the tools needed to enhance your P2P controls within your university or school.