Are Your Internal Controls Keeping Up With Your …...Are Your Internal Controls Keeping Up With...

November 12-14, 2018 | Las Vegas

Are Your Internal Controls Keeping Up

With Your Automation Changes?

Chris Doxey, CAPP, CCSA, CICA, [email protected]

571-267-9107

mailto:[email protected]

Contents


• How big is the problem?

• P2P Process Vision and Goals

• Key P2P Controls

• Achieving Internal Controls Excellence through Automation

• Measuring Success!

• Q&A

Learning Objectives


• The internal controls you had in place to manage manual processes are no

longer sufficient as you automate an increasingly amount of the work.

• Your internal controls need to be continually managed and redesigned to

ensure that any risk in a paperless environment is mitigated.

• As an example, Internal Controls expert Chris Doxey will discuss the key controls

for your suppler master that can be established in a supplier portal, how to

handle signature authority in a workflow environment, and the key controls for

E-Invoicing and E-Payments.

HOW BIG IS THE PROBLEM?

4

PROPRIETARY AND CONFIDENTIAL PAGE 5

The 2018 Association of Certified Fraud Examiners (ACFE) Report to the Nations

5

Source: https://www.acfe.com/report-to-the-nations/2018/

▪ The total loss caused by the cases in the study

exceeded $7.0 billion.

▪ The median loss for all cases in the study was

$130,000, with 22.0% of cases causing losses of $1

million or more.

▪ The median duration for a fraud scheme is 16 months.

▪ Corruption is the most common scheme in every

global region.

▪ Financial statement fraud is the most common and

costly case of fraud with 10% of all case and a median

cost of $800,000.00.

▪ Internal control weaknesses were responsible for

nearly half of all frauds reported.

▪ Fraudsters who had been with their company longer

stole twice as much. Those with a tenure of more than

5 years were responsible for a median loss of

$200,000 and fraudsters with a tenure of less then 5

years were responsible for a median loss of $100,000.

https://www.acfe.com/report-to-the-nations/2018/


2018 Association for Finance Professionals (AFP) Payments Fraud and Control Survey Key Findings

6

1. Though finance professionals are actively implementing controls to prevent p

ayments fraud, 78% of organizations were still impacted in 2017.

2. Checks were subject to more payments fraud than any other payment

method, a staggering 74% of finance professionals report that their

organizations’ check payments were exposed to fraud.

3. 77% of organizations experienced fraud via Business Email Compromise in

2017. From CEOs to treasury analysts, anyone and everyone is a likely

target.

• 65 percent of payments fraud is committed by individuals outside the organization.

• 67 percent of payments fraud is discovered by treasury staff.

• 92 percent of organizations report that payments fraud attacks collectively cost 0.5 percent of the

organization’s annual revenue.

• 47 percent of organizations discovered fraud less than two weeks after the incident occurred.

Source: https://dynamic.afponline.org/paymentsfraud/p/1

https://dynamic.afponline.org/paymentsfraud/p/1

P2P PROCESS VISION AND GOALS

7


The Foundation of the Procure to Pay (P2P) Process

Supplier Master

•Controls and Validation

•Compliance

• Supplier Data Standards

• Trade Directories

Invoice Process

• Invoice Automation

• Accuracy and Validation

Payment

• Payment Automation

• Accuracy and Validation

• Fraud and Risk Mitigation

Segregation of Duties

Systems Access

Delegation of Authority

General

Corporate

Controls


An Overview of the P2P Process (Supply Chain Model)

Procurement Accounts PayableReceiving

Internal Controls and Compliance

ERP Systems

P2P Automation Solutions

Process Development

The need for Goods & Services is Identified

RFI

RFP

Data Acquisition

Terms & Conditions

Contract

Purchase Order

Supplier Master

Production

eInvoice

Manual Invoice

Receipt (ERS)

PO Flip

Capacity Management

AP Sub ledger

Clearing Accounts

Outbound Logistics and

Controls

Cash Management

DPO & Other AP Metrics

Channel

P-Card, ACH & ePayments

Manual Checks

Customers

Suppliers

Business Partners

Shared Service Center

Customers


1. Decrease P2P Cost by Implementing Best Practices2. Obtain Additional Discounts3. Increase Payments by ACH and Electronic Payments4. Implement Electronic Invoicing5. Implement Electronic Purchase Orders6. Streamline the Approval Process7. Streamline and Improve Internal Controls to Mitigate Risk 8. Enhance Supplier Master Controls in the Onboarding Process9. Implement Procurement and Payment Card Best Practices10.Improve the P2P Cycle Time11. Increase Data Accuracy12. Increase Strategic Sourcing Processes

P2P Process Vision and Goals


P2P Best Practices

11

Top 6 AP Controls

Top 5 Supplier Management Controls

3 Critical Corporate Controls

Self Audit Processes and Tools

Analytics and Reporting

Continuous Monitoring and

Action


1. Qualification: Establish & Enforce a Supplier Qualification Process

2. Sourcing: Implement Templates for Request for Proposal (RFP) and Request for Information (RFI)

3. Onboarding: Obtain a W-9 form for domestic suppliers and a form W-8 for foreign suppliers; Validate (TIN, VAT) and Perform Initial Compliance Screening

4. Doing Business and Managing Performance: Fine Tune & Enrich your Supplier Master with Visible & Actionable KPI’s

5. Probation or Exit: Define Exit Requirements, Communication Process & System Inactivation

The Top Five Supplier Management Controls


1. Performance of Delegation of Authority (DoA) Controls

2. Assurance of Segregation of Duties (SoD) Controls

3. Implementation of System Access (SA) Controls

4. Implementation of Positive Pay, Positive Payee & Electronic Payment Controls

5. Implement and Review AP Operational Metrics & Analytics

6. Implementation of Cardholder Agreements for all Corporate Credit Cards

with Mandatory Training Programs

Top Six Accounts Payable Controls


The three most critical internal controls for any company can be established by

corporate policies should be "operationalized" into your company's business

processes and monitored by the applicable internal control programs. These

controls are:

1. Segregation of Duties

2. Systems Access

3. Delegation of Authority

The Three Critical Corporate Controls

ACHIEVING INTERNAL CONTROLS EXCELLENCE THROUGH AUTOMATION

15


1. Supplier Portals

2. eProcurement

3. eInvoicing

4. PO to Invoice Conversion

5. Document Management, Invoice Scan and Data Capture

6. Automated Matching

7. Automated Workflow Approvals

8. ePayment

9. System Access Verification Tools

10. Accounts Payable Self-Audit Tools

Automate the P2P Function to Mitigate Risk and Improve Efficiency

Enhanced P2P

Controls


Supplier Portals - Supplier Portals are used to validate supplier information before it is entered into the supplier master file. Companies can request additional records to validate the supplier and support the onboarding process.

Risks Mitigated

• Suppliers are automatically validated before they are entered into the supplier master file. “Scam” and “at risk” suppliers can be spotted with validation rules contained in Supplier Portals.

• A sound upfront supplier validation process reduces the risk of an employee attempting to act as a supplier.

• Documentation supporting the validation of the supplier is obtained within the onboarding process. Besides tax forms, insurance forms, ePayment information and supplier profile information can be gathered in a single process.

1. Supplier Portals

17


eProcurement - eProcurement facilitates greater accountability and reconciliation of orders, invoices and provides organizational and supplier spend visibility for accurate and timely decision making.

Risks Mitigated

• Requisitions and Purchase Orders are created electronically removing the risk of errors made in an manual data entry process.

• Direct integration with an ERP system supports the three-way matching process and removes the risk of any clearing account reconciliation issues.

2. eProcurement


eInvoicing - Companies around the world are adopting eInvoicing to streamline their accounts payable operations. This eliminates waste and unlocks the working capital value of innovative payment strategies.

Risks Mitigated

• eInvoicing eliminates the risk of processing a duplicate invoice, paying an incorrect amount, or paying the invoice to an incorrect supplier.

• Removes possible financial exposure for the company since invoices are paid more accurately and in a timely manner.

3. eInvoicing


PO to Invoice Conversion - This technology allows a buying organization to send a purchase order electronically to a supplier and then allows the selling organization to convert the purchase order into an electronic invoice.

Risks Mitigated

• Eliminates the risk of processing a duplicate invoice, paying an incorrect amount, or paying the invoice to an incorrect supplier.

• This automation solution also reduces the risk of fraud and builds in Segregation of Duties (SoD) controls.

• Speeds up the approval time and can improve working capital management since there are now more opportunities for early payment discount.

• The approval status of an invoice can be shared with a supplier as part of this automation solution. This alleviates the need for supplier inquires and can improve supplier satisfaction.

4. PO to Invoice Conversion


Document Management, Invoice Scan and Data Capture - Many accounts payable automation solutions facilitate conversion of paper-based invoices through scan and data capture. Instead, your suppliers can submit invoices in paper format to a PO Box managed by a solution provider.

Risks Mitigated

• Eliminates the risk of processing a duplicate invoice, paying an incorrect amount, or paying the invoice to an incorrect supplier.

• This automation solution also reduces the risk of fraud and builds in Segregation of Duties (SoD) controls.

5. Document Management, Invoice Scan and Data Capture


Automated Matching - Automated three-way matching provides an immediate match of the invoice, purchase order, and receipt. The user establishes specific business rules for the matching process and reviews resulting audit trails to ensure the process is working.

Risks Mitigated

• Automated matching performs the three-way with no human intervention reducing the risk of error and improper matches.

• Reduces the risk of paying an erroneous or duplicate payment and improves the invoice cycle time process and reduces processing costs by providing data accuracy based on user defined matching rules.

6. Automated Matching

22


Automated Workflow Approvals – In an automated workflow approval process, the invoice approval process is linked to your company’s Delegation of Authority (DoA) policy. The invoice approval process is completely automated based on defined rules via workflow.

Risks Mitigated

• An automated workflow can be linked to the employee master file in which approval levels are automated updated when an approval moves to another department and is promoted.

• Reduces the risk of fraud since there is no opportunity for manual manipulation.

• Escalation processes can be built into the workflow to link to the Delegation of Authority (DoA) policy and tables.

7. Automated Workflow Approvals


NOTE: All approvals are subject to operating unit budget authorizations. R is Review, A is Approve, I is Inform, and P is Propose. DR is Direct Report. BUL is the

Business Unit Leader. O&TL is the Operations and Technology Leader. (1) Non-Audit Accounting, Tax or Consulting Services offered by the external auditor. (2) The CEO and CFO will co-approve. (3) The BUL/O&TL and Corporate Finance will co-approve. (4) The DR-BUL/O&TL and Corporate Finance will co-approve. (5) Review for capital expenditures. (6) Approval on non-Business as Usual Transactions. (7) Augments require at least one-level higher approval than initial project (excluding CEO). (8) Procurement and Tax review considered as overall Corp Finance review and approval.

Summary Delegation Of Authority Matrix

MCI Board CEO

BUL DR-BUL

General Counsel CFO Controller

(8) Corporate Finance

O&T and IT

DR–O&T and IT

SPENDING (7) Expenditures, Commitments, Leases, General Purchases, Disposals

> 50MM A (6) P

> 5MM A (2) P A (2) R(5) R

> 1MM A (3) P R(5) A (3)

< 1MM A (4) R(5) A (4)

ACQUISITIONS / MERGERS / DIVESTITURES / JOINT VENTURE

> 50MM A (6) P

< 50MM A (2) P A A (2) R R

LEGAL SETTLEMENTS

> 50MM I A (2) A A (2) R R

> 5MM A (2) p A A (2) R R

< 5MM A (3) P A R A (3)

CONSULTING/CONTRACTOR AGREEMENTS

> 1MM A(1) (6) A (2) P R A (2) R (1) R

> 500K A(1) (6) A (3) P R R (1) A (3)

< 500K A(1) (6) A (4) R R (1) A (4)

Example: Summary Delegation of Authority Policy Matrix

24

Key Points: Approval levels are linked to job levels.


Fast Invoice Approval Cycles

Strengthen

Provide Buyers with greater

leverage when it is time to renegotiate

contracts with Key Suppliers.

Address Late Payment Penalties

Strengthens Supplier

Relationships


leverage when it is time to

renegotiate contracts with Key Suppliers

Adds Additional Controls to the

Closing Process

Allows Early Payment

Discounts

Improves Cycle Cost and

Reduces Cost


Roadmap: Delegation of Authority Policy and Workflow

Strengthen


leverage when it is time to renegotiate

contracts with Key Suppliers.

1. Develop Policy 2. Approval Policy

(BOD)

3. Develop Signature Approval Level

Matrix for Expenditures and

Company Commitments

4. Link Approval Matrix to Job Level

within the Employee Master

5. Implement Automated Workflow

Tool and Process


Impact on Metrics

Metric Results

Days to Process an Invoice with Fully Automated Processes 3.9 Days

Decrease in Processing Times after Implementing Invoice Approval with Workflow 70%

46%

28%

14%6%

Under 5 Days 10-15 Days 15-30 Days 30 Days orMore

Time to Process a Single Invoice

Source: Ardent Partners 2017


ePayment – If your company is paying more than 50% of invoices by check, it’s way too many. Consider the cost of issuing the check, postage fees, resource fees, reconciliation costs, and the risk of check fraud.

Risks Mitigated and Process Impact

• The ePayment process reduces risk and enhances controls for the AP process.

• The use of ePayment reduces check fraud, check reconciliation issues, and escheatment process challenges

• Besides obtaining significant rebates as more suppliers settle with P-Cards, one of the advantages to using a P-card is that the buyer is making a deferred payment.

8. ePayment


System Access Verification Tools – Systems Access Verification tools can provide real-time monitoring and proactive enforcement to Segregation of Duties (SoD) policies.

Risks Mitigated

• System Access Verification tools can prevent a fraudulent transaction from being processed within the AP process. As an example, an individual cannot set up a supplier in the supplier master file, pay that supplier and void the transaction with proper system access controls in place. These are referred to as “intra” SoD controls.

• These tools can also catch an “extra” SoD conflict in which an employee from another department may attempt to process an unrelated transaction. An employee in accounts receivable may try to process a fraudulent accounts payable transaction.

9. System Access Verification Tools


Accounts Payable Self-Audit Tools - The goal of any accounts payable department is to pay a supplier “once and only once.” Rather than have a third party or external audit firm identify a control weakness, many companies have worked with a solution provider to implement a self-assessment process that identifies a possible duplicate payment before the payment is initiated. This software considers “fuzzy” logic algorithms that flag a potential duplicate or erroneous payment.

Risks Mitigated and Process Impact

• A self-audit tool can often be included in a company’s internal control program as continuous control monitoring (CCM), controls self assessment (CSA) and continuous auditing (CA) initiatives.

• Duplicate and erroneous payments are prevented before the cash is disbursed improving the company’s working capital and cash flow position.

• Process improvements and improvements to internal control programs as well as the AP process can be made in a real-time environment.

10. Accounts Payable Self-Audit Tools


How a Accounts Payable Self-Audit Tool Works


Auditing

Business Process Control

Compliance Management

Corrective Actions Tracking and Remediation

Dashboard and Metrics

Incident Management

Internal Controls Management

Operational Risk

Risk Analytics

Risk Assessment

How Solution Providers Can Help!

Continuous Controls Monitoring (CCM)

Continuous Auditing (CA)

Controls Self Assessment

(CSA)

Automate AP Processes and

Payments!

Provide Supplier Portals, Compliance Management Solutions that Streamline Data and Provide “Real Time” Analytics and Tools

MEASURING SUCCESS!

33


• To derive the most benefit from metrics and your P2P Scorecard

• Keep the process simple!

• This communication element is a detail often overlooked, but it is important that P2P team members have a good sense of what success might look like.

• Good analytics will:

– Drive the strategy and direction of the organization

– Help make informed decisions

– Drive process improvements

– Support best practices

Develop Your P2P Scorecard

11/6/2018


• Reduce costs by consolidating expenditures on fewer providers, thereby exerting greater leverage in purchasing negotiations.

• Avoid wasteful expenditure through over-specification

– Where materials are ordered to a higher standard or specification than is actually required and the use of ‘off-list’ non-preferred suppliers.

• Improve buying efficiencies by enforcing compliance with pre-agreed pricing, discount, and volume-based price break structures.

Use Analytics in the decision making process

11/6/201835


1. Number of Invoices Processed per Day, Per Associate

2. Average Cost to Process an Invoice

3. Percentage of Invoices Matched as a Percentage of Total Invoices (First Time Matches)

4. Average Cycle Time to Process an Invoice from Receipt to Payment

5. Number of eInvoices as a Percentage of Total Invoices

6. Number of Suppliers Accepted eInvoicing as a Percentage of Total Suppliers

7. Dollar Impact of Discounts Captured as a Percentage of Discounts Offered

8. Dollar Duplicate and Erroneous Payments as a Percentage of Total Payments

9. Percentage Change in Invoice Exceptions

10. Percentage Change in Payment Types (Checks, ACH, P-Cards, Wires)

10 Key Metrics that indicate Automation Excellence

11/6/2018


AP Automation Scorecard

11/6/201837


Best Practice Process for Internal Controls Automation

Identify Unwanted

Transactions

Deploy Controls

Address Issues

Report Results

38

Create Models and Assess Results

Remediate Unwanted Transactions Where

Feasible

Convert Models to Controls

Run Control Analysis Periodically

Manage Incidents -Options:

Remediate Transactions

Adjust ERP Configuration

Add Compensating Access Controls

Report Incident Management Results to Managers and Auditors


The Four Levels of Continuous Controls Monitoring (CCM)

Business Transaction Monitoring

User Access Controls Monitoring & Remediation

Application & Process Configuration Controls

Monitoring

Master Data / Static Data Controls Monitoring

Are Your Internal Controls Keeping Up With Your …...Are Your Internal Controls Keeping Up With...

Documents

Transcript of Are Your Internal Controls Keeping Up With Your …...Are Your Internal Controls Keeping Up With...