Accounts Payable Process (DRAFT WIP)

v2024.09.20

Policies

Vendors who ask to have > net 30 days terms

Some vendors may wish to pay on terms greater than 30 days. This is acceptable, but the vendor must be approved by the Executive Director, and by the Treasurer if the amount is above the Executive Director’s signing authority for income. The vendor must also have a credit check performed by the Operations Manager. The vendor must also have a credit limit set by the Executive Director and Treasurer. If the vendor exceeds the credit limit, the vendor must pay the outstanding balance before further services are rendered.

Services should only be provided after payment

In general, the OWASP Foundation should design its processes and services such that the vendor only receives the benefit of the service after payment is received. This is to ensure that the OWASP Foundation is not left with a debt if the vendor does not pay. If the vendor is a trusted vendor, the Executive Director may approve services to be rendered before payment is received. This should be documented in the CRM and the accounting system.

Accounts Receivable Process

When a payment is received by the OWASP Foundation, the following process is followed:

  1. The staff member who invoiced the vendor is responsible for identifying the payment and verifying and/or marking it as received in the relevant payment platform and the accounting system.
  2. If the payment is to be recorded in the CRM, the relevant staff member shall record the payment in the CRM.

This avoids the vendor receiving further reminders for payment and ensures that the aged AR report is accurate.

Grant incoming process

  1. An MOU is required between the granting organization and OWASP to identify the terms of the grant. The MOU shall be reviewed by the Executive Director and Treasurer. The grant shall be recorded in the CRM and the accounting system. The grant shall be invoiced to the granting organization, with proper categorization and supporting documentation.
  2. Once signed, the MOU shall be provided to Charity CFO to ensure that they have records of the income.
  3. If the grant is above $1000, it shall be subject to the Grants policy, with the appropriate administration fee applied. The grant must be used within 12 months of receipt, or it shall be returned to general accounts.
  4. If there are deliverables and reporting requirements for the grant, these should be performed by the appropriate staff member, tracked in Monday.com, and reported to the granting organization as required.

SLA

If an invoice is expected to be paid, the relevant staff member should check OWASP’s payment platforms or accounting system daily and mark the payment as received within 1 business day of the payment being received. If the payment is to be recorded in the CRM, the payment should be recorded within 1 business day of the payment being received.

Aged AR Process

  1. The Operations Manager shall run an Aged AR report weekly.
  2. The Operations Manager shall review the Aged AR report and identify any invoices that are overdue.
  3. The Operations Manager shall contact the vendor to request payment, if a request hasn’t already been sent by the accounting system.
  4. If the vendor does not respond within 30 days, the Operations Manager shall escalate the issue to the Executive Director.

If the Operations Manager cannot determine if an invoice is real, they shall work with the relevant staff member to verify the invoice. The relevant staff member is responsible for ensuring all invoices are owed and not speculative (i.e. quotes). If the invoice is not real, it shall be marked as such in the accounting system and the CRM so as to remove it from the AR report.

SLA

Aged AR above 60 days shall be reviewed weekly by the Operations Manager and the Executive Director. Aged AR above 90 days shall be reviewed by the Executive Director and Treasurer.

Aged AR above 180 days shall be reviewed by the Executive Director and the Treasurer to possibly write off the receivable.

Writing off Receivables

If a receivable is written off, the vendor is considered delinquent and shall not be permitted to receive further services or products from the OWASP Foundation until the debt is paid, and all future terms shall be payment in advance.