Accounts Payable Process (DRAFT WIP)

v2024.09.20

Policies

• Expense policy
• Events policy
• Grants policy
• Signing authority policy

Accounts Payable Process

1. Invoices to be paid shall be uploaded by trainers, OWASP leaders, vendors, or staff on behalf of vendors to the Jira OSD service portal
2. All invoices, including those less than the Executive Director’s signing authority, shall be approved by a relevant staff member or Executive Director’s signing authority
3. After October 1, 2024, all OWASP Leader expense claims are subject to the Leader being an OWASP member in good standing.
4. If a payment request or expense claim is above the Executive Director’s signing authority and the vendor is an existing vendor, banking details should be verified that they are the same as previous requests by the Operations Manager prior to submitting the payment for approvals. If the vendor is new, this should be highlighted to the Executive Director and Treasurer for their consideration.
5. If the invoice is above the Executive Director’s signing authority and below the upper approval threshold of the Treasurer’s approval threshold, it shall be co-approved by the Treasurer
6. If the invoice is above the Treasurer’s signing authority, it shall be co-approved by majority vote of the Board
7. Once approved, the ticket shall transition to the Charity CFO, who will process the payment and pay it via BILL.COM or ACH transfer

SLA

Expenses and invoices to be paid must be submitted within 60 days of all invoices or expenses being incurred. Any approval after 60 days requires the Executive Director’s approval.

Accounts shall be paid within 30 days of receipt of the invoice. Invoices with less than 30 days terms cannot guaranteed to be paid in less than 30 days.

Fraud protection

If an invoice is:

• unexpectedly submitted from a new vendor, leader, or member of the public, or
• the vendor’s previous banking details do not match the vendor’s new banking details, or
• arrives via irregular channels, such as email or Slack messages, or
• is particularly large, seems unreasonable, or is for an unusual purpose

the Executive Director will raise it with the Treasurer before approval and co-approval.

If an irregular request to co-approve a payment, such as through email or Slack messages, comes from the “Treasurer” or a “Board member” to co-approve a payment, the OWASP Foundation shall reject the payment request entirely, with a message to submit the payment request using the standard process. The Foundation shall notify the real Treasurer or Board member by previously arranged and verified encrypted messaging app, a voice phone call, or in person where possible. The Foundation should privately alert relevant staff and the Board of the attempted fraud.