Leverage Technology: Move Your Business Forward™
Risk and Compliance Financial Reporting Internal Audit Controls Catalog Application Security Advanced Analytics
A Leader in Risk Based Enterprise Controls Management Solutions
Copyright ©. Fulcrum Information Technology, Inc. Give me a lever long enough and a fulcrum on which to place it, and I shall move the world - Archimedes
Oracle EBS R12 Payables and Purchasing Configurations you should check to mitigate Cash Leakage in Procure to Pay Process
Educational Webinar Series
Adil Khan, Managing Director
March 26th, 2015
www.fulcrumway.com Page 2 Copyright © FulcrumWay
Oracle EBS R12 Payables and Purchasing Configurations
Agenda
Introductions
Oracle Payables and Procurement Overview
Procure to Pay Configuration Check List
Standard controls that mitigate cash leakage risk
Advanced Controls – A Case Study
Q&A
A Leader in Risk Based Controls Management™
FulcrumWay: is the #1 End-to-End Provider of Risk Based Enterprise Controls Management Solutions for Oracle EBS, PeopleSoft and JDE customers with over 200 Fortune-500 to Middle Market clients. Since 2003, we have successfully assisted companies across all major industry segments.
Expertise: Risk Advisory Services. Advanced Controls Design for Enterprise Applications. Best Practices for Risk Mitigation and Internal Controls Automation. Audit, Compliance, Financial, Enterprise and Operational Risk Assessments. Risk Remediation Services.
Packaged Solutions: FulcrumWay is the #1 choice of Oracle customers for Oracle GRC Advanced Controls, GRC Manager, and GRC Intelligence/OBIEE software implementation. Oracle has certified us as the only partner with Accelerators for Oracle GRC. We also provide Managed Services
Software Services: Risk Assessment for ERP systems, Control Design and Management Tools, Controls Catalog, Enterprise Risk Manager, Financial Reporting Manager, Audit Manager
USA Presence: Privately held Delaware Corporation with US offices in New York City, Dallas and San Francisco
International Presence: in Auckland, Chennai, Johannesburg, London, Mexico City
FulcrumWay
FulcrumWay Clients Successful Track Record
Government Oil and Gas
Healthcare
Communications
Financial Services
Transportation Natural Resources
Manufacturing
Retail
High Tech Media/Entertainment Life Sciences
FulcrumWay™ Insight Thought Leadership
Co-Authored GRC Book: First book on GRC for Oracle Applications
SROAUG GRC Solution Lab – February 27th – Los Angeles: GRC Case Studies and Best Practices
Innovate 15 – March 19th – Iselin, NJ – GRC Case Studies and Best Practices
Collaborate 15 – GRC Client Appreciation Dinner April 13th, 2015 Las Vegas
IIA/ISACA GRC Conference – August 17th - 19th, 2015 – Presentations – GRC Case Studies and Best Practices
Educational Webcasts – Every 3rd Thursday of the Month – GRC Best Practices, Trends and Expert Insight
Oracle Open World – Annual GRC Dinner on September 26th, 2015 - San Francisco, CA
LinkedIn – FulcrumWay Risk, Compliance and Audit Software Group
YouTube Podcasts – FulcrumWay Instant Insight in 10 min or less
Proven Expertise
[Figure: Oracle Procure-to-Pay Control Points (Controls Workbench). Process stages shown: Requisition, Purchase Goods / Services, Receive Goods / Services, Invoice, Issue Payments. Other labels: Strategic Sourcing & Contract Mgmt, Supplier Collaboration, Spend Categories, Indirect & MRO, Direct Materials, Services, SWIFTNet, Settlement, Payment Processors, Banks, Business Process Models, Service Oriented Architecture, Corporate Performance Management, Collaboration.]
Oracle Procure-to-Pay: Strategic Sourcing & Contract Mgmt CONTROLS
Are your vendors compliant with trade regulations?
Are the vendors blacklisted?
Do you have duplicate suppliers?
Are there inappropriate associations between a vendor and an employee?
Are there frequent changes to Supplier information?
Are you missing critical supplier information? Is the information valid?
Oracle Procure-to-Pay: Requisition, Purchase Goods / Services CONTROLS
Do you have duplicate Purchase Orders?
Are there purchases with non-preferred vendors?
Are there split POs?
Are POs created on the same day as goods arrive?
Oracle Procure-to-Pay: Receive Goods / Services, Invoice, Issue Payments CONTROLS
Are you making accurate and timely payments?
Did the person making the payment create or modify the vendor?
Are there discrepancies in freight charges?
Are payment term changes reviewed before payment?
Are there duplicate invoice amounts being processed?
[Figure: Approach – Risk Based Access Management. Steps shown: Scope, Establish Test Environment, Identify Risk, Assess Risk, Design Controls, Implement Controls, Application Controls, Sample ERP Data, Detect/Analyze Findings, Implement Corrective Actions, Manage Exceptions, Monitor Controls. Roles shown: Risk Advisors, ERP Managers, Control Owners, Advanced Controls Experts.]
Procure to Pay Configuration Checklist
Navigation: Payable Manager --> Setup --> Options --> Payables Options. Click on Approval Tab.
Navigation: Purchasing Super User > Setup > Purchasing > Document Types
Navigation: Payables Super User -> Setup -> Options -> Payables Options, and then click on Invoice Tab.
Navigation: Purchasing Super User -> Setup -> Organizations -> Receiving Options
Navigation: Payables Super User -> Supplier -> Entry. Select Supplier, and then click Invoice Management.
Configuration Checklist: Procure to Pay

| Item | Configuration | Control | Risk |
|---|---|---|---|
| 1 | Allow Address Change (Single Payment) | Set to No | Check payments are sent to an incorrect or invalid address, which could increase the risk of unauthorized payments. |
|  | Automatically Create Employee as Supplier | Define | Unauthorized supplier records are created for unauthorized employees, which may result in invalid reimbursement of employee expenses. |
| 2 | Allow Pre-Date (Single Payment) | Set to No | Payments may be recorded on dates preceding invoice dates, resulting in an understatement of the AP liability account. |
| 3 | Use Invoice Approval; Allow Force Approval | Set to Yes | Unapproved or invalid invoices are created and paid. |
| 4 | Hold Unmatched Invoice | Set to Yes | Supplier may over-bill and invalid or inaccurate invoices may be paid that could increase the risk of unauthorized transactions and misstatement in accounts. |
| 5 | HR: Expand Role of Contingent Worker profile option | Set to No | Unauthorized commitments and orders could be made by contingent workers, outside of the corporate policy. |
| 6 | Purchasing approval groups | Define | Approval groups and assignments may not be appropriately defined, resulting in invalid or unauthorized approval of transactions. |
| 7 | Owner Can Approve | Set to No | Unauthorized changes to transactions may occur resulting in unauthorized orders, requisitions or other transactions. |
| 8 | Approver Can Modify | Set to No |  |
| 9 | Use Approval Hierarchies | Set to Yes | Documents may be authorized by the incorrect authority. |
| 10 | GL Date Basis | S (system)/I (Invoice) | Liabilities are not recorded in the correct period. |
| 11 | Employee Signing Limits | Define | Employees may be allocated greater signing limits than planned, resulting in employee expenses outside of company policy. |
| 12 | "Exchange Rate Amount" tolerance configuration | Define | Inconsistent exchange rates may be used resulting in inaccurate and invalid valuation of accruals and liabilities. |
| 13 | The "Shipment Amount" tolerance configuration | Define | Liabilities may be misstated if invoice amounts are more than what was ordered and received; or vice versa. |
| 14 | Allow Distribution Level Matching | Set to Yes | Invoices can only be matched to shipment lines, potentially resulting in invalid accounting of the invoice. |
| 15 | Over Receipt Tolerance; Over Receipt Action | Verify Values | Goods may be received and paid for which were not ordered, or payments may be made for services which were not actually rendered. |
| 16 | Receipt Required | Set to Yes. Verify for outside processing, rate based temp labor, fixed price temp labor and fixed price services | Invoices are paid without receiving goods/services |
| 17 | eBTax: Allow Override of Tax Recovery Rate profile option | Set to No | The tax recovery rate could be overridden by unauthorized individuals, resulting in inaccurate tax calculations. |
Procure to Pay Standard Controls
Prevent Duplicate Supplier Name and Sites
Requisitions Require PO Approval
Purchase Orders can only be issued to valid suppliers and goods received at valid sites
Purchase Orders Require Approval
Goods and Services are received based on control configurations
Duplicate Invoice numbers are prevented
Invoice items are matched with PO and Receiving to ensure 3-Way match
Payments are released to valid suppliers and Invoices
Payments Terms are enforced
Case Study: Fiscal watchdog ensures tens of billions of dollars in payments are lawful and correct
Our Client
A state government agency responsible for safeguarding financial assets – more than $120 billion of public funds.
Helps local governments and nonprofits invest their money with flexibility, security, and confidence.
Challenges
Replace fragmented legacy system for recovery audit department with a single incident management system
Replace manual control checklists with an audit analytics system to identify suspicious vouchers submitted for payments by 28+ agencies across the state.
Assign suspension transaction to auditors for final review and approval using a pattern matching system
Solutions
Oracle GRC Advanced Controls
Results:
Reduce erroneous payment processing by 5% on millions of payments processed each day by consolidating all vouchers across 28 agencies into a single data hub.
Improve incident investigation process by establishing business rules to assign incidents based upon risk level, investigation type, priority that match the auditor skills and job role
Provide management visibility and independent oversight to monitor approved and rejected payments
Eliminate inconsistent and contradictory actions by auditors by providing a structured investigation process based on approved investigation checklists based on type of the suspicious transaction.
Optimize recovery audit business process with integration to the ERP system for vendor management and payment processing
Case Study: A global leader in the lifestyle footwear controls cost with Transaction Analytics
Our Client
Designs, develops, markets, and distributes footwear for men, women, and children
The company operates through four segments: Domestic Wholesale Sales, International Wholesale Sales, Retail Sales, and E-commerce Sales.
Operates 122 stores, 131 factory outlets, and 71 warehouse stores in the United States; and 44 stores and 26 factory outlets internationally.
Challenges
Control cash leakage in Procure to Pay Process.
Assess Vendor Risks based on internal and external data sources
Streamline internal audit of Freight costs, Media fees
Ensure Contract compliance
Solutions
Oracle Transaction Controls
FulcrumWay OAT™ Analytics
Results:
Enabled AP payment tracking, and prevented over 200K in future losses by catching them earlier.
Enabled comprehensive vendor risk analysis using all available data - from fraud and conflicts of interest to lapsed business licenses and liability concerns.
Safeguarded freight-related disbursements by identifying payment errors and analyzing whether vendors and carriers have complied with your shipping guidelines
Enabled matching of agency and media invoices. Identify duplicates and overpayments, review contracts, media plans, insertion orders, print orders and billing statements, and accurately determine whether there have been mistakes and under-achieving performance.
Improved contract compliance by combining automated techniques with focused strategic buyer dashboards to identify the causes behind overpayments, and developed prevention techniques for minimizing future exposure.
Advanced Controls: What are Advanced Controls?
Layer of automated controls over ERP controls
Continuously monitor key controls
Detect and report issues as they occur
Prevent issues from occurring
Quickly see high risk issues with exception based dashboards
Address issues that affect the bottom line
Reduce operational risk and improve process effectiveness
[Figure: Standard + Advanced Controls. Labels shown: User Roles; 3-Way Match; Approval Hierarchies; Track Payments; Track Discounts; Sentiment Analysis; Split Purchase Orders; Hide Displays of Sensitive Data; Duplicate Payments; Transaction Threshold Amounts; Duplicate Vendors; Fine-grained User Access; Configuration Snapshots & Audit Trail; Transaction Pattern Analysis; Fuzzy Logic, 'similar values'.]
Advanced Controls: Procure to Pay with Advanced Controls
[Figure: A Risk Based Approach to Controls. Impact versus probability matrix (Low to High) with High Risk, Medium Risk and Low Risk quadrants and the responses Monitor Controls, Mitigate, Remediate & Prevent, Accept.]
Continuously Monitor Controls
Business application does not keep a record history of change details nor does it alert users to changes.
When? What? Where? Who?
Advanced Controls Exception Based Dashboard
Advanced Controls Continuous Monitor – Duplicate Invoices
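Added example (not from the original deck and not Oracle GRC's control model): a detective check for the gap between the standard control "Duplicate Invoice numbers are prevented" and the "Fuzzy Logic, 'similar values'" advanced control. The field layout, the 30-day window and the 0.85 similarity threshold are assumptions, and the invoice rows are constructed.

```python
import re
from datetime import date
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample invoices (not real data):
# (invoice_id, supplier_id, invoice_num, amount, invoice_date)
INVOICES = [
    (1, "S100", "INV-00123", 4500.00, date(2015, 1, 5)),
    (2, "S100", "INV00123", 4500.00, date(2015, 1, 9)),    # punctuation dropped
    (3, "S100", "INV-123A", 4500.00, date(2015, 1, 20)),   # suffix added
    (4, "S100", "INV-00987", 4500.00, date(2015, 1, 12)),  # recurring charge, distinct number
    (5, "S200", "INV-00123", 4500.00, date(2015, 1, 6)),   # same number, other supplier
    (6, "S100", "INV-00124", 4510.00, date(2015, 1, 7)),   # next number, different amount
]


def normalize(invoice_num):
    """Upper-case, drop punctuation and spaces, strip leading zeros of digit runs."""
    s = re.sub(r"[^A-Z0-9]", "", invoice_num.upper())
    return re.sub(r"(?<!\d)0+(?=\d)", "", s)


def find_suspect_pairs(invoices, window_days=30, min_ratio=0.85):
    """Return (id_a, id_b, reason) for likely duplicate invoices.

    A pair is compared only when supplier and amount match. It is flagged when
    the normalized numbers are equal, or when they are similar and the invoice
    dates fall within window_days of each other (assumed rule, tune per policy).
    """
    findings = []
    for a, b in combinations(sorted(invoices), 2):
        # Compare amounts in cents to avoid float equality surprises.
        if a[1] != b[1] or round(a[3] * 100) != round(b[3] * 100):
            continue
        na, nb = normalize(a[2]), normalize(b[2])
        if na == nb:
            findings.append((a[0], b[0], "same number after normalization"))
        elif (abs((a[4] - b[4]).days) <= window_days
              and SequenceMatcher(None, na, nb).ratio() >= min_ratio):
            findings.append((a[0], b[0], "similar number"))
    return findings


if __name__ == "__main__":
    for finding in find_suspect_pairs(INVOICES):
        print(finding)
```

An exact-match uniqueness check on invoice number would accept all six rows; the pairs returned here are the ones to route to a reviewer before payment release.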
Advanced Controls Definition – Control Model Logic
Advanced Controls Incident Management
Advanced Controls Preventive Controls
[Figure: AP Audit – FulcrumWay Retail Industry: Claims Trend]
[Figure: Merchandise – FulcrumWay Retail Industry: Merchandise Losses, Net Price]
Case Study
FW Controls Catalog with over 1,000 advanced controls
Select SOD, Master Data, Setup, and Transaction Controls Risk Assessment
Detect control weaknesses across ERP system to identify business process optimization opportunities
Leader in Risk Based Management Controls Q & A
Visit Resources to get started with Security Assessment and Role Design