Corporates have automated many manual payments; next is learning to manage the risk of those you can’t eliminate.
Digital transformation and automation initiatives have helped many corporations significantly reduce manual payments, improving efficiency and reducing fraud risk. But implementing automated systems usually requires considerable time and effort—just one reason most companies have not eliminated all manual payments. The challenge for treasury teams then becomes ensuring proper controls and safeguards are in place.
- Those are among the takeaways gleaned from a recent session of NeuGroup for Large-Cap Assistant Treasurers that included insights from NeuGroup Senior Executive Advisor John Sanders, a former treasurer, as well as questions and answers posted by treasury team members on NeuGroup’s members-only online communities.
Cut manual payments. It’s important to reiterate what is already gospel for a majority of treasury teams: automate as many payments as is feasible. But great strides can still leave thousands of manual payments. One member said his company has automated nearly 95% of all payments but made 50,000 of them manually last year. He and others said the non-automated transactions include tax and supplier payments, some requiring additional documentation.
- Mr. Sanders, when he was treasurer at a multinational, aimed at getting as close to zero manual payments as possible. “I didn’t want treasury people doing transactions, I wanted them using their horsepower,” he said. “To improve the efficiency of processes and minimize interruptions, eliminating manual payments allows teams to focus on the work at hand while ensuring higher approval protocol compliance and reduction of fraud risk.”
- But approaching zero manual payments took between three and five years, he added. Reasons included the need to work with internal IT systems (on employee reimbursement, for example) as well as external vendors (e.g., payroll providers) to link data and change processes.
Controls, AP and risk. Mr. Sanders, who leads NeuGroup for Private Equity Treasury, said another common hurdle to elimination or further reduction arises when manual payments are initiated outside of treasury, which doesn’t own the process.
- Members agree that the more authority treasury has over manual payment approvals and controls—without becoming accounts payable—the better. One member’s treasury handles manual payments “so none of the business users on a legal entity can log into a bank portal to transact.” The member added, “at the end of the day, that’s the most risky volume we have.”
- AP is more involved at other companies, but ideally with treasury oversight. “Manual payment requests go to our AP team like any other request,” one member said. “Once AP processes it, it becomes a payment file and gets uploaded to a special report and gets sent to us. We create payment templates with instructions validated by AP. It’s tremendously helpful since we know any requests we get have gone through control elements.”
- At another company, “most manual payments are managed by AP but we do have the access rights in treasury to also process and approve these; our payroll and accounting departments also have certain accesses,” one member said. “Treasury controls the admin rights to add/delete users.”
Tools and frameworks. On the online communities, members recently exchanged insights about the workflow tools they use as well as the policies governing treasury approval of manual payments. One team looking for input is doing a feasibility study on creating additional treasury approvals for payments above a certain amount initiated outside treasury. One responder provided this useful framework to “holistically assess and manage the risk of manual payments”:
- “Establish company-wide guidelines on payment platform eligibility criteria based on features such as multi-factor authentication, dual control (segregation of duties), vulnerability risk assessment, etc.
- “Document the purpose of each system and reasons to continue using it if it does not comply with guidelines.
- “Identify an owner of each system (presumably in the non-treasury organization that uses it).
- “Ensure risk awareness and accountability for each payment system owner.
- “Assess security administration (access management) to control payment authorities.
- “Put in place a periodic review of the list of payment systems in use to ensure accuracy and completeness.”
A risk-aware mindset. Several members shared that the first step in establishing a risk-aware culture is education. It can be difficult to instill the importance of following established controls, especially when those controls involve call backs to verify bank information and can’t be handled solely over email.
- One AT said, “Buy-in from the lower-level payables employees is needed. We’ve gotten used to emails and electronic forms of communication, and people have gotten to where they don’t like to pick up the phone. Trying to instill that importance is our biggest pain point.”
- Mr. Sanders talked about establishing a mindset of risk management on his team, noting that criminals prey on our sense of urgency and desire to please others. He stressed that same-day requests present a red flag. And he relayed this message to his team:
- “You will not be disciplined if you delay a payment because it looks suspicious, but you may be terminated if you approve a fraudulent request.” He added, “You have to work to counter that urgency that criminals use.”
