Don’t like risk? Stop gambling in your accounts payable and start to take systematic control


Upload: sharedserviceslinkcom

Post on 21-Jan-2017


TRANSCRIPT

Page 1

Presented by Mitzi Mitchell

11/7/2012

Don’t like risk? Stop gambling in your accounts payable and start to take systematic control.

Page 2

Agenda

Company and Payables Environment Overview

Risk Program Highlight

Case Study #1 Payment Approval

Case Study #2 3-Way Match Exceptions and Long Approval Time

Case Study #3 Out-of-Pocket Expenses

Case Study #4 Duplicate Payments/Invoices

Case Study #5 Fraud Monitoring Program

Confidential and Proprietary Information of T-Mobile USA 2

Page 3

Company Overview

Headquarters: Bellevue, WA

Customers: 30 million

Coverage: USA and PR

Largest 4G Network

Value Plans


Page 4

Payables Environment Overview

No. of countries serviced: 1 with some Euro transactions

Main P2P technologies used:

OCR IBM Filenet “Doculink”,

EDI, ERS in SAP,

ACH & Merchant Card through JPMC Xign,

Expenses & Travel through Concur

Duplicate analysis through APEX

Main ERP: SAP

Volume of Annual AP Invoices:

500K paper, 1 million electronic invoices

# of vendors – 40K, # of employees – 36K

$16B in annual payments

One thing we are most proud of:

We employ best practices for duplicate prevention.

External recovery audits are now standard operations.


Page 5

Risk Program Highlight

Supporting Internal Customers

Control Design Evaluation

Testing Program

Fraud Analytics

Monthly Scorecard

Dept Risk Training

Leverage Third Party Vendors

Cover AP, TE&C, Treasury & Others

Supports Gap Remediation

COSO Cube - Internal Controls Framework

Page 6

P2P Risk Objectives

All transactions are recorded and reflected on financial statement correctly.

Prevent fraud - no fraudulent vendors, employees, invoices, expenses, etc.

Pay correct amount, pay correct vendor.

Do not overpay, double pay, or pay for goods or services not yet delivered.

Maintain cash flow objectives. (operations)

Obtain most economical value out of the P2P process. (operations)

Operational Controls

Key Controls

SOX/BUS Controls

Tiered Control Structure

Page 7

Apply to all transactions/processes in scope to achieve the objective

Can be consistently performed and monitored

Can be preventative or detective

Evidence of performance needs to be retained

Controls Definition Examples

Segregation of duties

System validation

3 way match

Invoice entry rules

Invoice Post Audit

Approval of PO and invoices and vendor setup

T&E, Corporate Card, Signing Authority Policies

Expense Audit

Page 8

Case#1- Payment and Vendor Approval

No consistent approval requirements throughout the enterprise for invoices and vendors

Automation/ Policy/Process Change/ Outsource

Cost, Enterprise Impact, Buy-In.

Page 9

Case#1-Solution

Approval Authority Policy

Vendor Setup Policy

Broadly distributed approval authority implemented through HR system.

Systematic feed of SAP HR data to all expenses, PO, invoice processing systems.

Vendor Approval Workflow – to come

Manual approval validation where not automated.

Manual approval validation for vendor setup.


Page 10

Case#2- 3 Way Match Exceptions, Long Approval Time

Issue

• Aged, large $ and volume of 3 way match exceptions. Goods receipts are not performed.

• Long approval timing for non-PO invoices.

Options

• Automation/Policy/Process Change/Outsource

Challenges

• Audience size, resource availability, approach.

Page 11

Case#2-Solution

EDI – Large volume, high $ vendors targeted first.

Require POs for all purchases, switch vendor set up and approval timing.

Outstanding open payables communication for unmatched items.

Dedicated contacts from each business segment.

SLA involved.

Page 12

Case #3 – Out-of-Pocket Expenses

Large $ spend on personal card. Evasion of vendor setup approval, PO/Invoice approval requirement.

Loss of credit card rebate.

Policy/Automation/Outsourcing/Process

Resistance against enforcement. Culture that allows local decisions and flexibility. Ownership for enforcement cannot be decided.

Page 13

Case#3-Solution

Systematic triggers implemented for high $ out-of-pocket expenses.

Policy change to mandate corporate card usage vs. personal card usage.

Monthly communication for large $ out-of-pocket spend employees.

Page 14

Case Study #4 – Duplicate Payments/Duplicate Invoices


Duplicate Payments

Automation/Policy/Process/Outsource

Labor intensive

Page 15

Case#4 Solution

Using recovery audit firms. Implemented five year duplicate payment review and statement audit. (First and second tier)

Implemented invoice numbering convention.

Implemented daily manual review for possible duplicates.

Systematic prevention for SAP invoice posting.

APEX First Strike for additional review.

Page 16

Case #5 – Fraud Monitoring Program

Unusual transactions within T&E system. High ranking employees sharing passwords with Administrative Assistant. Possible fake receipts.

No process in place to evaluate vendor risks.

Automation, Policy, Process, Outsource

Data mining expertise needed. Multiple databases. Customer service vs. enforcer mentality.

Labor intensive analysis with no guarantee of results. No control over vendor contract or relationship. Large volume of results for analysis.

Page 17

Case #5 Solution

T&E Concur Reporting.

JPMC Level 3 Activities Reporting.

APEX First Strike Analytics Vendor Risk Analysis.

Lowered credit line for all corporate card holders.

Provided enterprise management expenses approval training.

T&E: 100% audit on all AA expenses. Periodic review of T&E database for fraud.

AP: Periodic vendor/employee match exercise. Periodic vendor risk analysis using APEX First Strike

Page 18

No sure fire way to address each situation

Resource priority is always an issue

Consultant vs. Cop?

Risk Strategies

*Automation of approval or workflow processes

*Policy changes

*Process, personnel changes

*Training

Lessons Learned

Page 19

Thank you!

Contact information:

425-383-5933

[email protected]