TRANSCRIPT
Slide 1
November 12-14, 2018 | Las Vegas
Are Your Internal Controls Keeping Up
With Your Automation Changes?
Chris Doxey, CAPP, CCSA, CICA, [email protected]
571-267-9107
Slide 2
Contents
• How big is the problem?
• P2P Process Vision and Goals
• Key P2P Controls
• Achieving Internal Controls Excellence through Automation
• Measuring Success!
• Q&A
Slide 3
Learning Objectives
• The internal controls you had in place to manage manual processes are no
longer sufficient as you automate an increasing amount of the work.
• Your internal controls need to be continually managed and redesigned to
ensure that any risk in a paperless environment is mitigated.
• As an example, Internal Controls expert Chris Doxey will discuss the key controls
for your supplier master that can be established in a supplier portal, how to
handle signature authority in a workflow environment, and the key controls for
E-Invoicing and E-Payments.
Slide 4
HOW BIG IS THE PROBLEM?
PROPRIETARY AND CONFIDENTIAL PAGE 5
The 2018 Association of Certified Fraud Examiners (ACFE) Report to the Nations
Source: https://www.acfe.com/report-to-the-nations/2018/
▪ The total loss caused by the cases in the study
exceeded $7.0 billion.
▪ The median loss for all cases in the study was
$130,000, with 22.0% of cases causing losses of $1
million or more.
▪ The median duration for a fraud scheme is 16 months.
▪ Corruption is the most common scheme in every
global region.
▪ Financial statement fraud is the most common and
costly case of fraud with 10% of all cases and a median
cost of $800,000.00.
▪ Internal control weaknesses were responsible for
nearly half of all frauds reported.
▪ Fraudsters who had been with their company longer
stole twice as much. Those with a tenure of more than
5 years were responsible for a median loss of
$200,000 and fraudsters with a tenure of less than 5
years were responsible for a median loss of $100,000.
Slide 6
2018 Association for Finance Professionals (AFP) Payments Fraud and Control Survey Key Findings
1. Though finance professionals are actively implementing controls to prevent
payments fraud, 78% of organizations were still impacted in 2017.
2. Checks were subject to more payments fraud than any other payment
method: a staggering 74% of finance professionals report that their
organizations’ check payments were exposed to fraud.
3. 77% of organizations experienced fraud via Business Email Compromise in
2017. From CEOs to treasury analysts, anyone and everyone is a likely
target.
• 65 percent of payments fraud is committed by individuals outside the organization.
• 67 percent of payments fraud is discovered by treasury staff.
• 92 percent of organizations report that payments fraud attacks collectively cost 0.5 percent of the
organization’s annual revenue.
• 47 percent of organizations discovered fraud less than two weeks after the incident occurred.
Source: https://dynamic.afponline.org/paymentsfraud/p/1
Slide 7
P2P PROCESS VISION AND GOALS
Slide 8
The Foundation of the Procure to Pay (P2P) Process
Supplier Master
• Controls and Validation
• Compliance
• Supplier Data Standards
• Trade Directories
Invoice Process
• Invoice Automation
• Accuracy and Validation
Payment
• Payment Automation
• Accuracy and Validation
• Fraud and Risk Mitigation
General Corporate Controls
• Segregation of Duties
• Systems Access
• Delegation of Authority
Slide 9
An Overview of the P2P Process (Supply Chain Model)
[Diagram labels: Procurement; Receiving; Accounts Payable; Internal Controls and Compliance; ERP Systems; P2P Automation Solutions; Process Development; The need for Goods & Services is Identified; RFI; RFP; Data Acquisition; Terms & Conditions; Contract; Purchase Order; Supplier Master; Production; eInvoice; Manual Invoice; Receipt (ERS); PO Flip; Capacity Management; AP Sub ledger; Clearing Accounts; Outbound Logistics and Controls; Cash Management; DPO & Other AP Metrics; Channel; P-Card, ACH & ePayments; Manual Checks; Customers; Suppliers; Business Partners; Shared Service Center]
Slide 10
P2P Process Vision and Goals
1. Decrease P2P Cost by Implementing Best Practices
2. Obtain Additional Discounts
3. Increase Payments by ACH and Electronic Payments
4. Implement Electronic Invoicing
5. Implement Electronic Purchase Orders
6. Streamline the Approval Process
7. Streamline and Improve Internal Controls to Mitigate Risk
8. Enhance Supplier Master Controls in the Onboarding Process
9. Implement Procurement and Payment Card Best Practices
10. Improve the P2P Cycle Time
11. Increase Data Accuracy
12. Increase Strategic Sourcing Processes
Slide 11
P2P Best Practices
• Top 6 AP Controls
• Top 5 Supplier Management Controls
• 3 Critical Corporate Controls
• Self Audit Processes and Tools
• Analytics and Reporting
• Continuous Monitoring and Action
Slide 12
1. Qualification: Establish & Enforce a Supplier Qualification Process
2. Sourcing: Implement Templates for Request for Proposal (RFP) and Request for Information (RFI)
3. Onboarding: Obtain a W-9 form for domestic suppliers and a form W-8 for foreign suppliers; Validate (TIN, VAT) and Perform Initial Compliance Screening
4. Doing Business and Managing Performance: Fine Tune & Enrich your Supplier Master with Visible & Actionable KPIs
5. Probation or Exit: Define Exit Requirements, Communication Process & System Inactivation
The Top Five Supplier Management Controls
Slide 13
1. Performance of Delegation of Authority (DoA) Controls
2. Assurance of Segregation of Duties (SoD) Controls
3. Implementation of System Access (SA) Controls
4. Implementation of Positive Pay, Positive Payee & Electronic Payment Controls
5. Implement and Review AP Operational Metrics & Analytics
6. Implementation of Cardholder Agreements for all Corporate Credit Cards
with Mandatory Training Programs
Top Six Accounts Payable Controls
Slide 14
The three most critical internal controls for any company can be established by
corporate policies and should be "operationalized" into your company's business
processes and monitored by the applicable internal control programs. These
controls are:
1. Segregation of Duties
2. Systems Access
3. Delegation of Authority
The Three Critical Corporate Controls
Slide 15
ACHIEVING INTERNAL CONTROLS EXCELLENCE THROUGH AUTOMATION
Slide 16
1. Supplier Portals
2. eProcurement
3. eInvoicing
4. PO to Invoice Conversion
5. Document Management, Invoice Scan and Data Capture
6. Automated Matching
7. Automated Workflow Approvals
8. ePayment
9. System Access Verification Tools
10. Accounts Payable Self-Audit Tools
Automate the P2P Function to Mitigate Risk and Improve Efficiency
Enhanced P2P Controls
Slide 17
Supplier Portals - Supplier Portals are used to validate supplier information before it is entered into the supplier master file. Companies can request additional records to validate the supplier and support the onboarding process.
Risks Mitigated
• Suppliers are automatically validated before they are entered into the supplier master file. “Scam” and “at risk” suppliers can be spotted with validation rules contained in Supplier Portals.
• A sound upfront supplier validation process reduces the risk of an employee attempting to act as a supplier.
• Documentation supporting the validation of the supplier is obtained within the onboarding process. Besides tax forms, insurance forms, ePayment information and supplier profile information can be gathered in a single process.
1. Supplier Portals
Slide 18
eProcurement - eProcurement facilitates greater accountability and reconciliation of orders and invoices, and provides organizational and supplier spend visibility for accurate and timely decision making.
Risks Mitigated
• Requisitions and Purchase Orders are created electronically, removing the risk of errors made in a manual data entry process.
• Direct integration with an ERP system supports the three-way matching process and removes the risk of any clearing account reconciliation issues.
2. eProcurement
Slide 19
eInvoicing - Companies around the world are adopting eInvoicing to streamline their accounts payable operations. This eliminates waste and unlocks the working capital value of innovative payment strategies.
Risks Mitigated
• eInvoicing eliminates the risk of processing a duplicate invoice, paying an incorrect amount, or paying the invoice to an incorrect supplier.
• Removes possible financial exposure for the company since invoices are paid more accurately and in a timely manner.
3. eInvoicing
Slide 20
PO to Invoice Conversion - This technology allows a buying organization to send a purchase order electronically to a supplier and then allows the selling organization to convert the purchase order into an electronic invoice.
Risks Mitigated
• Eliminates the risk of processing a duplicate invoice, paying an incorrect amount, or paying the invoice to an incorrect supplier.
• This automation solution also reduces the risk of fraud and builds in Segregation of Duties (SoD) controls.
• Speeds up the approval time and can improve working capital management since there are now more opportunities for early payment discounts.
• The approval status of an invoice can be shared with a supplier as part of this automation solution. This alleviates the need for supplier inquiries and can improve supplier satisfaction.
4. PO to Invoice Conversion
Slide 21
Document Management, Invoice Scan and Data Capture - Many accounts payable automation solutions facilitate conversion of paper-based invoices through scan and data capture. Instead, your suppliers can submit invoices in paper format to a PO Box managed by a solution provider.
Risks Mitigated
• Eliminates the risk of processing a duplicate invoice, paying an incorrect amount, or paying the invoice to an incorrect supplier.
• This automation solution also reduces the risk of fraud and builds in Segregation of Duties (SoD) controls.
5. Document Management, Invoice Scan and Data Capture
Slide 22
Automated Matching - Automated three-way matching provides an immediate match of the invoice, purchase order, and receipt. The user establishes specific business rules for the matching process and reviews resulting audit trails to ensure the process is working.
Risks Mitigated
• Automated matching performs the three-way match with no human intervention, reducing the risk of error and improper matches.
• Reduces the risk of paying an erroneous or duplicate payment, improves invoice cycle time, and reduces processing costs by providing data accuracy based on user-defined matching rules.
6. Automated Matching
Slide 23
Automated Workflow Approvals – In an automated workflow approval process, the invoice approval process is linked to your company’s Delegation of Authority (DoA) policy. The invoice approval process is completely automated based on defined rules via workflow.
Risks Mitigated
• An automated workflow can be linked to the employee master file so that approval levels are automatically updated when an approver moves to another department or is promoted.
• Reduces the risk of fraud since there is no opportunity for manual manipulation.
• Escalation processes can be built into the workflow to link to the Delegation of Authority (DoA) policy and tables.
7. Automated Workflow Approvals
Slide 24
NOTE: All approvals are subject to operating unit budget authorizations. R is Review, A is Approve, I is Inform, and P is Propose. DR is Direct Report. BUL is the Business Unit Leader. O&TL is the Operations and Technology Leader. (1) Non-Audit Accounting, Tax or Consulting Services offered by the external auditor. (2) The CEO and CFO will co-approve. (3) The BUL/O&TL and Corporate Finance will co-approve. (4) The DR-BUL/O&TL and Corporate Finance will co-approve. (5) Review for capital expenditures. (6) Approval on non-Business as Usual Transactions. (7) Augments require at least one-level higher approval than initial project (excluding CEO). (8) Procurement and Tax review considered as overall Corp Finance review and approval.
Summary Delegation Of Authority Matrix
MCI Board CEO
BUL DR-BUL
General Counsel CFO Controller
(8) Corporate Finance
O&T and IT
DR–O&T and IT
SPENDING (7) Expenditures, Commitments, Leases, General Purchases, Disposals
> 50MM A (6) P
> 5MM A (2) P A (2) R(5) R
> 1MM A (3) P R(5) A (3)
< 1MM A (4) R(5) A (4)
ACQUISITIONS / MERGERS / DIVESTITURES / JOINT VENTURE
> 50MM A (6) P
< 50MM A (2) P A A (2) R R
LEGAL SETTLEMENTS
> 50MM I A (2) A A (2) R R
> 5MM A (2) P A A (2) R R
< 5MM A (3) P A R A (3)
CONSULTING/CONTRACTOR AGREEMENTS
> 1MM A(1) (6) A (2) P R A (2) R (1) R
> 500K A(1) (6) A (3) P R R (1) A (3)
< 500K A(1) (6) A (4) R R (1) A (4)
Example: Summary Delegation of Authority Policy Matrix
Key Points: Approval levels are linked to job levels.
Slide 25
Fast Invoice Approval Cycles
• Address Late Payment Penalties
• Strengthens Supplier Relationships
• Provide Buyers with greater leverage when it is time to renegotiate contracts with Key Suppliers
• Adds Additional Controls to the Closing Process
• Allows Early Payment Discounts
• Improves Cycle Cost and Reduces Cost
Slide 26
Roadmap: Delegation of Authority Policy and Workflow
1. Develop Policy
2. Approval Policy (BOD)
3. Develop Signature Approval Level Matrix for Expenditures and Company Commitments
4. Link Approval Matrix to Job Level within the Employee Master
5. Implement Automated Workflow Tool and Process
Slide 27
Impact on Metrics
Metric: Results
• Days to Process an Invoice with Fully Automated Processes: 3.9 Days
• Decrease in Processing Times after Implementing Invoice Approval with Workflow: 70%
[Chart: Time to Process a Single Invoice. Categories: Under 5 Days, 10-15 Days, 15-30 Days, 30 Days or More. Values shown: 46%, 28%, 14%, 6%.]
Source: Ardent Partners 2017
Slide 28
ePayment – If your company is paying more than 50% of invoices by check, it’s way too many. Consider the cost of issuing the check, postage fees, resource fees, reconciliation costs, and the risk of check fraud.
Risks Mitigated and Process Impact
• The ePayment process reduces risk and enhances controls for the AP process.
• The use of ePayment reduces check fraud, check reconciliation issues, and escheatment process challenges.
• Besides obtaining significant rebates as more suppliers settle with P-Cards, one of the advantages to using a P-card is that the buyer is making a deferred payment.
8. ePayment
Slide 29
System Access Verification Tools – Systems Access Verification tools can provide real-time monitoring and proactive enforcement of Segregation of Duties (SoD) policies.
Risks Mitigated
• System Access Verification tools can prevent a fraudulent transaction from being processed within the AP process. As an example, an individual cannot set up a supplier in the supplier master file, pay that supplier and void the transaction with proper system access controls in place. These are referred to as “intra” SoD controls.
• These tools can also catch an “extra” SoD conflict in which an employee from another department may attempt to process an unrelated transaction. An employee in accounts receivable may try to process a fraudulent accounts payable transaction.
9. System Access Verification Tools
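Added example (not from the original slides or any vendor tool): the "intra" and "extra" SoD checks described on this slide, run over constructed user entitlements and audit-log rows. The entitlement names, users, departments and supplier IDs are assumptions made for illustration.

```python
# Entitlement names and the user/event records below are constructed for illustration.
AP_DUTIES = {"supplier.create", "invoice.enter", "payment.release", "payment.void"}

# Duty pairs one person must not hold together ("intra" SoD inside AP).
INTRA_CONFLICTS = [
    ("supplier.create", "payment.release"),
    ("supplier.create", "payment.void"),
    ("payment.release", "payment.void"),
    ("invoice.enter", "payment.release"),
]

USERS = {
    "alice": {"dept": "AP", "entitlements": {"invoice.enter"}},
    "bob": {"dept": "AP", "entitlements": {"supplier.create", "payment.release", "payment.void"}},
    "carol": {"dept": "AR", "entitlements": {"payment.release"}},
}

EVENTS = [  # chronological audit-log rows
    {"user": "bob", "action": "supplier.create", "supplier": "S-900"},
    {"user": "dave", "action": "supplier.create", "supplier": "S-901"},
    {"user": "bob", "action": "payment.release", "supplier": "S-900"},
    {"user": "erin", "action": "payment.release", "supplier": "S-901"},
    {"user": "bob", "action": "payment.void", "supplier": "S-900"},
]

def find_sod_conflicts(users):
    """Preventive check on access: return (user, kind, detail) findings."""
    findings = []
    for uid, rec in sorted(users.items()):
        held = rec["entitlements"]
        # "Extra" SoD: an AP duty held by someone outside accounts payable.
        if rec["dept"] != "AP":
            for duty in sorted(held & AP_DUTIES):
                findings.append((uid, "extra", duty))
        # "Intra" SoD: a conflicting pair of AP duties held by one person.
        for a, b in INTRA_CONFLICTS:
            if a in held and b in held:
                findings.append((uid, "intra", f"{a}+{b}"))
    return findings

def find_self_dealing(events):
    """Detective check on the log: the user who created a supplier also paid or voided it."""
    creator = {}
    hits = []
    for e in events:
        if e["action"] == "supplier.create":
            creator[e["supplier"]] = e["user"]
        elif e["action"] in ("payment.release", "payment.void"):
            if creator.get(e["supplier"]) == e["user"]:
                hits.append((e["user"], e["supplier"], e["action"]))
    return hits

if __name__ == "__main__":
    for finding in find_sod_conflicts(USERS):
        print("access conflict:", finding)
    for hit in find_self_dealing(EVENTS):
        print("self-dealing:", hit)
```

The first function reviews who could combine conflicting duties; the second reviews the log for cases where someone actually did.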
Slide 30
Accounts Payable Self-Audit Tools - The goal of any accounts payable department is to pay a supplier “once and only once.” Rather than have a third party or external audit firm identify a control weakness, many companies have worked with a solution provider to implement a self-assessment process that identifies a possible duplicate payment before the payment is initiated. This software considers “fuzzy” logic algorithms that flag a potential duplicate or erroneous payment.
Risks Mitigated and Process Impact
• A self-audit tool can often be included in a company’s internal control program as continuous control monitoring (CCM), controls self assessment (CSA) and continuous auditing (CA) initiatives.
• Duplicate and erroneous payments are prevented before the cash is disbursed improving the company’s working capital and cash flow position.
• Process improvements and improvements to internal control programs as well as the AP process can be made in a real-time environment.
10. Accounts Payable Self-Audit Tools
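Added example (not from the original slides or any solution provider's software): one way a pre-payment "fuzzy" duplicate check can work, using Python's standard difflib for string similarity. The supplier names, invoice numbers, amounts and thresholds are constructed assumptions.

```python
import re
from difflib import SequenceMatcher

SUFFIXES = {"inc", "llc", "ltd", "corp", "co"}

# Constructed sample data: already-paid invoices and payments waiting for release.
HISTORY = [
    {"id": "P-1", "supplier": "Acme Industrial Supply, Inc.", "invoice_no": "INV-00123", "amount_cents": 1250000},
    {"id": "P-2", "supplier": "Northwind Freight LLC", "invoice_no": "88417", "amount_cents": 431075},
]
PENDING = [
    {"id": "Q-1", "supplier": "ACME Industrial Supply", "invoice_no": "INV123", "amount_cents": 1250000},
    {"id": "Q-2", "supplier": "Northwind Freight LLC", "invoice_no": "88471", "amount_cents": 431075},
    {"id": "Q-3", "supplier": "Northwind Freight LLC", "invoice_no": "90210", "amount_cents": 431075},
    {"id": "Q-4", "supplier": "Acme Industrial Supply, Inc.", "invoice_no": "INV-00124", "amount_cents": 980000},
]

def norm_supplier(name):
    """Lowercase, strip punctuation and legal suffixes so 'ACME, Inc.' matches 'Acme'."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in SUFFIXES)

def norm_invoice_no(raw):
    """Drop punctuation and zero padding: 'INV-00123' -> 'INV123'."""
    s = re.sub(r"[^A-Z0-9]", "", raw.upper())
    return re.sub(r"(?<![0-9])0+(?=[0-9])", "", s)

def similarity(a, b):
    return SequenceMatcher(None, a, b).ratio()

def find_duplicates(pending, history, name_min=0.85, invoice_min=0.75):
    """Return (pending_id, paid_id, reason) for payments to hold for review."""
    flagged = []
    for p in pending:
        for h in history:
            if p["amount_cents"] != h["amount_cents"]:
                continue  # amount gate: sequential invoices for other amounts pass
            if similarity(norm_supplier(p["supplier"]), norm_supplier(h["supplier"])) < name_min:
                continue
            a, b = norm_invoice_no(p["invoice_no"]), norm_invoice_no(h["invoice_no"])
            if a == b:
                flagged.append((p["id"], h["id"], "same invoice number"))
            elif similarity(a, b) >= invoice_min:
                flagged.append((p["id"], h["id"], "similar invoice number"))
    return flagged

if __name__ == "__main__":
    for row in find_duplicates(PENDING, HISTORY):
        print("hold for review:", row)
```

Q-1 is caught despite reformatting of the supplier name and invoice number, Q-2 is caught as a transposed-digit re-key, and Q-3 and Q-4 pass as legitimate invoices.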
Slide 31
How an Accounts Payable Self-Audit Tool Works
Slide 32
Auditing
Business Process Control
Compliance Management
Corrective Actions Tracking and Remediation
Dashboard and Metrics
Incident Management
Internal Controls Management
Operational Risk
Risk Analytics
Risk Assessment
How Solution Providers Can Help!
Continuous Controls Monitoring (CCM)
Continuous Auditing (CA)
Controls Self Assessment (CSA)
Automate AP Processes and Payments!
Provide Supplier Portals, Compliance Management Solutions that Streamline Data and Provide “Real Time” Analytics and Tools
Slide 33
MEASURING SUCCESS!
Slide 34
• To derive the most benefit from metrics and your P2P Scorecard
• Keep the process simple!
• This communication element is a detail often overlooked, but it is important that P2P team members have a good sense of what success might look like.
• Good analytics will:
– Drive the strategy and direction of the organization
– Help make informed decisions
– Drive process improvements
– Support best practices
Develop Your P2P Scorecard
11/6/2018
Slide 35
• Reduce costs by consolidating expenditures on fewer providers, thereby exerting greater leverage in purchasing negotiations.
• Avoid wasteful expenditure through over-specification
– Where materials are ordered to a higher standard or specification than is actually required and the use of ‘off-list’ non-preferred suppliers.
• Improve buying efficiencies by enforcing compliance with pre-agreed pricing, discount, and volume-based price break structures.
Use Analytics in the decision making process
Slide 36
1. Number of Invoices Processed per Day, Per Associate
2. Average Cost to Process an Invoice
3. Percentage of Invoices Matched as a Percentage of Total Invoices (First Time Matches)
4. Average Cycle Time to Process an Invoice from Receipt to Payment
5. Number of eInvoices as a Percentage of Total Invoices
6. Number of Suppliers Accepting eInvoicing as a Percentage of Total Suppliers
7. Dollar Impact of Discounts Captured as a Percentage of Discounts Offered
8. Dollar Duplicate and Erroneous Payments as a Percentage of Total Payments
9. Percentage Change in Invoice Exceptions
10. Percentage Change in Payment Types (Checks, ACH, P-Cards, Wires)
10 Key Metrics that indicate Automation Excellence
Slide 37
AP Automation Scorecard
Slide 38
Best Practice Process for Internal Controls Automation
Identify Unwanted Transactions
• Create Models and Assess Results
• Remediate Unwanted Transactions Where Feasible
Deploy Controls
• Convert Models to Controls
• Run Control Analysis Periodically
Address Issues
• Manage Incidents - Options: Remediate Transactions, Adjust ERP Configuration, Add Compensating Access Controls
Report Results
• Report Incident Management Results to Managers and Auditors
Slide 39
The Four Levels of Continuous Controls Monitoring (CCM)
• Business Transaction Monitoring
• User Access Controls Monitoring & Remediation
• Application & Process Configuration Controls Monitoring
• Master Data / Static Data Controls Monitoring
Slide 40
Q&A