How your vendor master file is critical to governance, risk management and compliance


Description

Jon Casher of Casher Associates, Inc. and Al Nasser Khan of Control Layers Consulting explain why the vendor master file is critical to governance, risk management and compliance, and how Oracle GRC Advanced Controls can be used to meet vendor master goals, minimize risk, and achieve greater compliance and efficiency.

Transcript of How your vendor master file is critical to governance, risk management and compliance

Page 1

Vendor Master Controls: How they are Critical to Governance, Risk & Compliance

Jon Casher, President, Casher Associates, Inc

Al Nasser Khan, President, Control Layers Consulting

Copyright © 2014, Oracle and/or its affiliates. All rights reserved. |

Page 2


Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Page 3

How Your Vendor Master File is Critical to Governance, Risk Management and Compliance

Jon Casher, President, Casher Associates, Inc.

Copyright © 2014 Casher Associates, Inc.

Permission to use granted to Oracle Corporation. Slide 3

Page 4

Serial Entrepreneur

Founded Casher Associates, Inc. in 1976 to design and develop custom financial systems and back office automation

Co-founded CM Associates in 1985 to provide financial industry software products

Co-founded RECAP, Inc., an A/P Audit firm, in 1988

Director of a NASDAQ company from 2000-2006, head of the audit committee from 2002 until the company went private in 2006

Current Focus

Consulting to Finance, AP, AR and Procure-to-Pay organizations and their service providers

Training, Certification, White Papers, Surveys, Workshops, Presentations

Contact Information

Snail Mail 110 Pond Brook Road, Newton MA 02467-2648

Web Site www.casherassociates.com

Email [email protected]

Phone 617-527-3927 or 877-527-3927

Jon Casher: My Background and Contact Information

Page 5

Overview

Critical Vendor Master File Issues

Vendor Management Goals, Concerns and Challenges

Other Vendor Master File Issues

Vendor Master File Standards

Best and Appropriate Practices

Third Party Resources

Page 6

Critical Vendor Master File Issues

Page 7

Critical Vendor Master File Issues

Your Vendor File is a Strategic Resource

Other than investments, 30-70% of all funds that flow out of non-financial institutions go out through Accounts Payable

Federal, state, international laws and regulations make it important to keep your vendor file accurate

Accurate and complete information is key to controlling transaction processing within the Procure-to-Pay process

Accurate reporting and analysis is impossible without a clean vendor master file

Vendor Management's GRC Challenges

Overcome Barriers to Compliance

Lack of Awareness of Regulatory Compliance and Reporting Requirements by:

Purchasing and Accounts Payable

Product Managers and Developers of ERP and Financial Accounting Software

Technical Limitations of ERP and Financial Accounting software

Need to Manage Vendor Risk

Policy

Contract

Regulatory

Page 8

Well Documented and Tested Procedures: Define the process for doing business with new vendors

Ensure that only authorized individuals can make changes, additions, deletions

Separation of Duties: People allowed to make changes must not be able to process transactions such as issuing purchase orders, posting invoices, disbursing funds or making accounting entries

Audit Trail of Changes: All additions, changes and deletions should be logged, reported, reviewed and signed off by someone in management other than the person posting updates

Reconcile and Synchronize: If multiple systems have vendor information, reconcile common information

Owner should be responsible for:

Setting, maintaining and monitoring standards and data quality

Coordinating the activities of those who use, enter and update vendor information

Critical Vendor Master File Issues: Access, Control and Ownership
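The separation-of-duties and audit-trail controls on this slide can be checked mechanically from role assignments and the vendor change log. The following Python is an added example, not code from the presentation or from Oracle GRC; the role names, user ids and log records are constructed sample data.

```python
"""Separation-of-duties and audit-trail review for vendor master changes.

Added example, not from the presentation. Role names, user ids and the
change-log records are constructed sample data.
"""

# Roles that can add, change or delete vendor master records.
MAINTAIN_ROLES = {"VENDOR_MAINTAIN"}
# Transaction-processing roles the slide says maintainers must not hold.
TRANSACT_ROLES = {"PO_ISSUE", "INVOICE_POST", "DISBURSE", "GL_POST"}
# Management roles whose sign-off counts as an independent review (assumption).
MANAGEMENT_ROLES = {"AP_MANAGER", "CONTROLLER"}
# Fields whose change should get priority review (bank, TIN, remit-to).
SENSITIVE_FIELDS = {"BANK_ACCOUNT", "TIN", "REMIT_ADDRESS"}

# Constructed role assignments: user -> roles held.
ROLE_ASSIGNMENTS = {
    "alice": {"VENDOR_MAINTAIN"},
    "bob":   {"VENDOR_MAINTAIN", "DISBURSE"},   # can create a vendor and pay it
    "carol": {"INVOICE_POST", "PO_ISSUE"},
    "dave":  {"VENDOR_MAINTAIN", "GL_POST"},    # can create a vendor and post entries for it
    "erin":  {"AP_MANAGER"},
}

# Constructed change log: one row per addition, change or deletion.
CHANGE_LOG = [
    {"id": 1, "vendor_id": "V100", "action": "ADD",    "field": None,
     "posted_by": "alice", "approved_by": "erin"},
    {"id": 2, "vendor_id": "V100", "action": "CHANGE", "field": "BANK_ACCOUNT",
     "posted_by": "bob",   "approved_by": "bob"},    # signed off by the poster
    {"id": 3, "vendor_id": "V101", "action": "CHANGE", "field": "REMIT_ADDRESS",
     "posted_by": "alice", "approved_by": None},     # never reviewed
    {"id": 4, "vendor_id": "V102", "action": "DELETE", "field": None,
     "posted_by": "dave",  "approved_by": "carol"},  # reviewer is not management
    {"id": 5, "vendor_id": "V103", "action": "CHANGE", "field": "PHONE",
     "posted_by": "alice", "approved_by": "erin"},
]


def sod_conflicts(assignments):
    """Users who can both maintain the vendor master and process transactions.

    Returns {user: sorted list of conflicting transaction roles}.
    """
    conflicts = {}
    for user, roles in assignments.items():
        if roles & MAINTAIN_ROLES:
            clash = sorted(roles & TRANSACT_ROLES)
            if clash:
                conflicts[user] = clash
    return conflicts


def audit_trail_exceptions(change_log, assignments):
    """Log entries lacking an independent management sign-off.

    Returns a list of (change id, reason) in log order. A sign-off is
    independent when the approver exists, is not the poster, and holds a
    management role.
    """
    exceptions = []
    for entry in change_log:
        approver = entry["approved_by"]
        if approver is None:
            exceptions.append((entry["id"], "not reviewed"))
        elif approver == entry["posted_by"]:
            exceptions.append((entry["id"], "self-approved"))
        elif not (assignments.get(approver, set()) & MANAGEMENT_ROLES):
            exceptions.append((entry["id"], "approver is not management"))
    return exceptions


def sensitive_changes(change_log):
    """Change ids that touched bank, TIN or remit-to fields, for priority review."""
    return [e["id"] for e in change_log if e["field"] in SENSITIVE_FIELDS]


if __name__ == "__main__":
    for user, roles in sod_conflicts(ROLE_ASSIGNMENTS).items():
        print(f"SoD conflict: {user} maintains vendors and holds {roles}")
    for change_id, reason in audit_trail_exceptions(CHANGE_LOG, ROLE_ASSIGNMENTS):
        print(f"Audit trail exception: change {change_id}: {reason}")
    print("Sensitive changes needing priority review:", sensitive_changes(CHANGE_LOG))
```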

Page 9

Vendor Management Goals, Concerns and Challenges

Page 10

Catch / reduce fraud

Know your vendors

Comply with laws and regulations

Know where you spend money

Reduce duplicate and other erroneous payments

Control costs and save money

Make accurate and timely vendor payments

Vendor Management Goals, Concerns, Challenges: Overview

Page 11

Vendor Management Goals, Concerns, Challenges: Catch/Reduce Vendor Fraud

Main Types of Vendor Fraud:

Invoices with inflated prices

Requests that look like invoices or government forms with a filing fee

Invoices for goods not delivered or services not provided

Checks that sign you up for a service if you deposit them (may appear to be refunds, rebates or credits for a small amount)

Intentional double billing

Collusion with an employee, kickbacks, bribes

Fictitious companies

Bid rigging and price fixing

The Size of the Problem:

Kroll Global Fraud Report: 19% of companies experienced vendor fraud in 2013

ACFE: 5% of revenues lost due to fraud; billing fraud is approx. 24% of the total monetary amount of fraud

Page 12

Vendor Management Goals, Concerns, Challenges: Know Your Vendors

Name Changes

3%-7% of companies change their name every year

Out of approx. 15,000 US stock exchange listed companies

17 changed their names between 9/2/2014 and 9/5/2014

83 changed their name between 8/5/2014 and 9/1/2014

Over 200 were delisted or had trading suspended between 8/5/2014 and 9/4/2014

Some name changes are minor, some are significantly different

CVS Caremark changed its name to CVS Health Corporation on 9/4/2014

ICG Group, Inc changed its name to Actua Corporation on 8/12/2014

Some Types of Related Vendors:

Franchisees

Joint ventures

Subsidiaries

Affiliates

Vendors Operating Under Multiple Names

Page 13

Federal: IRS; Denied, Debarred and Excluded Parties; Privacy; Bribery; Other

States: Sales & Use Tax; Abandoned Property / Escheatment; Privacy; Deadbeat Parents; Withholding and Reporting

International: Denied, Debarred and Excluded Parties; Privacy; Bribery; Value Added Tax

Vendor Management Goals, Concerns, Challenges: Comply with Laws & Regulations

Page 14

Comply with Laws & Regulations: Federal – IRS

Primary Forms

1099-MISC

1042-S for Non-Resident Aliens

W-9s, W-8s and FATCA (Foreign Account Tax Compliance Act)

Industry Specific Reporting

Regulations and Forms Change Often and are Complex

Penalties for Incorrect Filings Have Increased Dramatically

Electronic Delivery of 1099s to Payees is Allowed when Recipients Agree to Receive Them

Tax ID masking (only showing the last 4 digits) is Now Allowed

Page 15

US Department of Treasury Office of Foreign Assets Control (OFAC)

US Department of State Foreign Terrorist Organizations (FTO)

US Department of Commerce Bureau of Industry and Security (BIS)

All of the above maintain lists of organizations and individuals that you must not do business with

Do not buy from, sell to or disburse or receive funds from entities on these lists

Politically Exposed Persons (PEPs) who may be involved in money laundering or financing of terrorist organizations

Fines for violations can be substantial

Criminal penalties can include fines ranging from $50,000 to $10,000,000 and imprisonment ranging from 10 to 30 years for willful violations.

Civil penalties range from $250,000 or twice the amount of each underlying transaction for each violation

Over $1 billion fines recovered in each year since 2009

Comply with Laws & Regulations: Federal – Denied, Debarred, Excluded Parties

Page 16

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Most of this act deals with privacy of medical records

However, can impact AP if medical payments are processed through AP

Pre-employment physical exams

Drug testing

Other – especially companies that self-insure

Gramm Leach Bliley Act of 1999 (GLB)

Restricts disclosure of nonpublic personal information

Intended to protect individuals who are customers of financial institutions but has been expanded to other types of businesses

Can impact AP if customer refunds or garnishments are processed through AP

More legislation is likely due to the increasing number of security breaches and identity theft

Most states already have additional restrictions

Payment Card Industry Data Security Standards (PCI-DSS)

While not a federal law, these are industry standards and guidelines

Comply with Laws & Regulations: Federal – Privacy

Page 17

US Department of Justice (DOJ) Foreign Corrupt Practices Act of 1977 (FCPA)

Enforces accounting transparency requirements under the Securities Exchange Act of 1934 and prohibits bribery of foreign officials

Both US DOJ and Securities Exchange Commission enforce

Applies to US companies and foreign companies with US subsidiaries

Be aware of Politically Exposed Persons (PEPs)

Since 2007, number of investigations and enforcement actions has grown

Total fines and penalties have ranged from $260 million to $2 billion in each of the last 6 years (2008 - 2013) with the average settlement over $80 million in 2013

Currently, there are open investigations of approx. 100 very large companies plus many others

Almost half of the Dow 30 have paid fines since 2007 or are currently being investigated

Likely to see more investigation and prosecution of domestic bribery

Comply with Laws & Regulations: Federal – Bribery

Page 18

Law passed in response to accounting scandals

Applies to public companies in US

Five main areas

Auditor independence

Corporate responsibility

Improved financial disclosure

Analyst conflict of interest

Accountability for corporate fraud

Comply with Laws & Regulations: Federal – Sarbanes-Oxley Act of 2002

Page 19

Physician Payments Sunshine Act (Sunshine Act), part of the 2010 Affordable Care Act: Requires manufacturers of drugs, medical devices and biologicals that participate in U.S. federal health care programs to report to CMS certain payments and items of value given to physicians and teaching hospitals.

Any transfers of value or payments to physicians and hospitals greater than $10, including payments, traded services, stocks, or any other returned investments.

Gifts greater than $100 will be made public and published online as of September 30, 2014.

Supersedes Maine, Vermont, Massachusetts, Minnesota, West Virginia and DC laws

Securities and Exchange Commission reporting of payments to auditors, directors, etc.

Public companies must report payments to directors and auditors in the Annual 10-K

Other federal agencies have specialized reporting

Especially if you are a government contractor, you must keep up to date on regulations relevant to your industry

Comply with Laws & Regulations: Federal – Other

Page 20

States are increasing sales/use tax rates and some tax services

Many states are doing sales/use tax audits

Marketplace Fairness Act passed US Senate but held up in US House

States are doing more aggressive abandoned property (escheat) audits and many use “bounty hunters”

Most uncashed checks issued by AP should not have to be escheated

Rules depend on the state in which the vendor is located which may not be the state in which you are located or incorporated

More states are requiring withholding and/or reporting of payments to certain types of vendors as well as require deadbeat parent reporting

States are concerned about data breaches 47 states and DC have privacy laws and regulations

More states, municipalities and counties are requiring permits and filing fees

More municipalities and counties are doing personal property audits

Software packages typically do not have all needed functionality

Comply with Laws & Regulations: States

Page 21

Countries are putting in place laws, rules and regulations similar to but different from those in the US

Primary Areas Addressed

Denied, Debarred and Excluded Parties

Politically Exposed Foreign Persons

Privacy

Bribery

Value Added Tax

Rarely or Never Addressed

Abandoned Property

Comply with Laws & Regulations: International

Page 22

Who has the information?

Purchasing thinks they know

A/P thinks they have the data

Both are partially correct

Ways you may want to analyze spend

By Vendor

By Commodity

By Dollar Amount

By Transaction Volume

Vendor Management Goals, Concerns, Challenges: Know Where You Spend Your Money

Page 23

Duplicate and Erroneous Payments

Every major software package checks for duplicates based on Vendor Id and Invoice #

Duplicate check fails if:

Identical vendor under multiple vendor ids

Variation on vendor name

System does not support multiple addresses

Vendor at different remit address is selected

Vendor under previous or new name is selected

Related vendor is selected

If duplicate vendors are eliminated, over 75% of $ associated with duplicate payments can be eliminated

Stops, Voids, Reissues and Uncashed Checks

Wrong vendor selected

Payment sent to wrong address

Payment never received

Payment received by wrong vendor

Vendor Management Goals, Concerns, Challenges: Reduce Costs and Save Money
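To show why the Vendor Id + Invoice # check described on this slide misses the listed cases, here is an added Python example, not code from the presentation or from any AP package: it links vendor ids that share a TIN, a bank account, or the same name plus remit-to address into one vendor, then re-runs the duplicate check across the linked ids. The vendor and invoice records are constructed sample data and the linkage rules are assumptions.

```python
"""Duplicate-payment detection across linked vendor ids.

Added example, not from the presentation or any AP package. Vendor and
invoice records are constructed sample data; the linkage rules (shared TIN,
shared bank account, or same normalized name plus remit-to address) are
assumptions.
"""
import re
from collections import defaultdict
from decimal import Decimal

# Constructed vendor master rows: the same supplier under three vendor ids.
VENDORS = [
    {"vendor_id": "V1", "name": "Acme Supply Co",      "tin": "12-3456789",
     "bank": "021000021/111222", "remit": "1 Main St, Boston MA 02108"},
    {"vendor_id": "V2", "name": "ACME SUPPLY CO.",     "tin": "12-3456789",
     "bank": "021000021/111222", "remit": "PO Box 9, Boston MA 02109"},   # new remit-to entered as a new id
    {"vendor_id": "V3", "name": "Acme Supply Company", "tin": None,
     "bank": "021000021/111222", "remit": "1 Main St, Boston MA 02108"},  # name variant, TIN never collected
    {"vendor_id": "V4", "name": "Beta Widgets Inc",    "tin": "98-7654321",
     "bank": "011000015/555666", "remit": "5 Oak Ave, Newton MA 02467"},
]

# Constructed invoices: one Acme bill keyed three ways, plus a coincident number at Beta.
INVOICES = [
    {"vendor_id": "V1", "invoice_no": "INV-1001", "amount": "1250.00", "date": "2014-08-01"},
    {"vendor_id": "V2", "invoice_no": "INV 1001", "amount": "1250.00", "date": "2014-08-15"},
    {"vendor_id": "V3", "invoice_no": "1001",     "amount": "1250.00", "date": "2014-09-01"},
    {"vendor_id": "V1", "invoice_no": "INV-1002", "amount": "300.00",  "date": "2014-08-20"},
    {"vendor_id": "V4", "invoice_no": "INV-1001", "amount": "1250.00", "date": "2014-08-03"},
]


def norm_key(text):
    """Uppercase and keep letters and digits only: 'Acme Supply Co.' -> 'ACMESUPPLYCO'."""
    return re.sub(r"[^A-Z0-9]", "", (text or "").upper())


def norm_invoice_no(invoice_no):
    """Digits only, leading zeros dropped, so 'INV-1001', 'INV 1001' and '1001' agree."""
    digits = re.sub(r"\D", "", invoice_no).lstrip("0")
    return digits or norm_key(invoice_no)


def link_vendor_ids(vendors):
    """Union-find over vendor ids that share a TIN, a bank account, or the same
    normalized name + remit-to address. Returns {vendor_id: cluster_id}, where
    cluster_id is the lowest vendor id in the cluster."""
    parent = {v["vendor_id"]: v["vendor_id"] for v in vendors}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = sorted((find(a), find(b)))
        parent[rb] = ra  # no-op when both already share a root

    first_seen = {}  # (attribute, normalized value) -> first vendor id carrying it
    for v in vendors:
        keys = [("name_addr", norm_key(v["name"]) + "|" + norm_key(v["remit"]))]
        if v.get("tin"):
            keys.append(("tin", norm_key(v["tin"])))
        if v.get("bank"):
            keys.append(("bank", norm_key(v["bank"])))
        for key in keys:
            if key in first_seen:
                union(first_seen[key], v["vendor_id"])
            else:
                first_seen[key] = v["vendor_id"]
    return {vid: find(vid) for vid in parent}


def naive_duplicates(invoices):
    """The check most packages ship with: identical vendor id and invoice number."""
    groups = defaultdict(list)
    for inv in invoices:
        groups[(inv["vendor_id"], inv["invoice_no"])].append(inv)
    return [g for g in groups.values() if len(g) > 1]


def linked_duplicates(invoices, clusters):
    """Same normalized invoice number and amount within one linked vendor cluster."""
    groups = defaultdict(list)
    for inv in invoices:
        key = (clusters[inv["vendor_id"]], norm_invoice_no(inv["invoice_no"]),
               Decimal(inv["amount"]))
        groups[key].append(inv)
    return [g for g in groups.values() if len(g) > 1]


if __name__ == "__main__":
    clusters = link_vendor_ids(VENDORS)
    print("naive check finds", len(naive_duplicates(INVOICES)), "duplicate groups")
    for group in linked_duplicates(INVOICES, clusters):
        print("linked check: same invoice under ids",
              [i["vendor_id"] for i in group], "amount", group[0]["amount"])
```

V4's invoice carries the same number and amount but is not linked to Acme by any attribute, so it is correctly left alone.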

Page 24

“Appropriate Transaction” Attributes

Not impacted/controlled by vendor master file data:

Proper goods and/or services received/provided

Sufficient invoice detail

Correct amount(s)

Appropriate approval(s)

Correct accounting codes

Impacted/controlled by vendor master data:

Who to pay

How much to pay

When to pay

How to pay

Where to send the payment

Vendor Management Goals, Concerns, Challenges: Make Accurate and Timely Payments

Page 25

Other Vendor Master File Issues

Page 26

Why Vendor Files Grow

Name entered differently by your staff

Vendor changes its name

Street Address and/or Lock Box changes

Mergers: by your organization and by your vendors

Acquisitions: by your organization and by your vendors

Divestitures: by your vendors

Purchasing and AP use Different Files and/or Multiple Systems

Data Quality and Consistency:

Missing

Non-standard

Invalid

Obsolete

Other Vendor Master File Issues

Page 27

Other Vendor Master File Issues: More Problems and Some Metrics

20% - 80% of vendors in current vendor master files have had no activity within the last 12 months

35% - 65% of “active” vendors are one-time vendors

3%-7% of vendors change their name annually

20% of vendors change their HQ address annually

Phone #(s), Contact Name(s), Email Addresses and Banking Information also change

The bigger your vendor file, the more duplicates you probably have

1-100 vendors - no duplicates

100 - 1,000 vendors - 1% - 3% redundant

1,000 - 10,000 - 2% - 6% redundant

10,000 - 100,000 - 4% - 10% redundant

> 100,000 - > 10% redundant

Page 28

Vendor Master File Standards

Page 29

Understand System(s) Features and Limitations:

Minimum and maximum field lengths

Data types, default values and edit checks

Number of name and address lines

Various types of names such as Lookup name, Name on check, Legal/Tax name, Short name, etc.

Various types of addresses such as Buy From, Remit To, etc.

Controls, audit trails, additions, changes and deletions

How changes and deletions affect historical data

Files and/or tables that may need changes and/or are affected by changes

Identify and Review for Vendors that are:

Your Own Company, Subsidiaries, Affiliates

Employees

Officers and Directors and Related Companies

External Audit Firm(s)

Sensitive Vendors and those that require special reporting

Vendors Set Up or Referenced in Other Systems

Vendor Master File Standards: First Steps

Page 30

Identify Vendors in Special Classes for Possible Name Standardization

Federal Government Departments and Agencies

State Governments

Local Governments

Postal Service

Individuals

Telephone Companies and Utilities

Non-Governmental Organizations (NGOs)

Garnishments

Petty Cash

Other (e.g. Universities, Courts, Agents, Medical Service Providers)

Vendor Master File Standards: Names

Page 31

Address Problems and Issues

Name continuation and/or Name qualifiers in address fields

Attention (ATTN)

Internal addresses

Invalid, Missing or Inconsistent State and Zip Code

Punctuation and special characters

Improper Abbreviations

Numbers as Words

Dual Addresses

PO BOX Addresses

CMRAs (Commercial Mail Receiving Agencies)

“Bad” Addresses (many types of problems)

Vendor Master File Standards: Addresses

Page 32

Vendor Master File Standards: Other Fields

Phone

Tax Identifiers:

US – SSN, EIN, ITIN

Canada – SIN, BIN

European Union – VATIN (VAT Identification Number)

Payment Terms

1099 Type/Box

Payment Terms and Default Discounts

Bank Routing Code and Account Number

Minority, Women Owned, Small Business, etc.

Default G/L Code

Classification Codes

Certifications

Insurance Certificates

Email Addresses

Web Sites

Page 33

Best and Appropriate Practices

Page 34

Vendor Verification and Authentication

Vendor Setup and Change Management

Vendor and Address Deactivation

Vendor Review and Controls

Best and Appropriate Practices: Overview

Page 35

Determine amount of checking based on:

Strategic importance of vendor

Amount and type of business expected to be done

Determine if vendor is already on file:

Dual Review

Name Qualifier

Common Abbreviation

Care Of or Agent

Minimize likelihood of fraud / Ensure that vendor is legitimate:

Check business history and length of time in business

Confirm street address especially if only address is a PO Box

Check third party directories

Check against Employee Data

Name, Address, Phone, TIN, Bank Account match

Check vendor address against your locations

Best and Appropriate Practices: Vendor Verification and Authentication

Page 36

Best and Appropriate Practices: Vendor Verification and Authentication (cont’d)

Validate basic vendor address information

US Vendors

Delivery Point Validation

CMRA (Private Mail Box)

PO Box

Non-US Vendors

Use UPU.INT and individual country postal web sites

Phone

Directory Lookup(s)

Call Vendor

Page 37

Best and Appropriate Practices: Vendor Verification and Authentication (cont’d)

Regulatory

Ensure that you are not doing business with a prohibited party on the OFAC, FTO and BIS lists or other lists of denied, debarred, excluded or restricted parties

Check GSA System for Awards Management

Verify that information for regulatory reporting is correct

Get W-9s for US vendors and appropriate W-8 for non-US vendors

Use IRS TIN Matching

Check State of Incorporation or Local Jurisdiction: Secretary of State or Office of Corporations

Determine State Reporting Requirements: State Withholding and “1099” Reporting

Office of Child Support for Deadbeat Parent reporting

Check Industry Specific lists

Page 38

Best and Appropriate Practices: Vendor Verification and Authentication (cont’d)

Other

Check Vendor’s Web Site

Check Ownership of Vendor’s Web Site (who.is)

Validate Email Addresses

Send test messages

Validate Routing Code and Account Numbers: Initiate test transactions and obtain confirmations

Check Third Party Data: Corporate Affiliations, ChoicePoint, D&B, Experian, Intelius

Page 39

Best and Appropriate Practices: Vendor Setup

Have general conventions and standards

Use a new vendor form with field names and positions similar to where they are in your vendor setup screens

Require names and signatures of requestor, person doing setup and person reviewing and verifying correct setup information

Standardize how vendor names are entered

Insist that the guidelines be followed – verify periodically:

Punctuation

Abbreviations

Name Prefixes and Suffixes

Name Qualifiers
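One way to apply the name conventions on this slide at setup time, as an added Python example that is not part of the presentation: it splits off name qualifiers (DBA, C/O, etc.), removes punctuation, drops a leading article and writes the legal-form suffix one way. The prefix, suffix and qualifier tables are constructed assumptions, not Casher Associates' or Oracle's standards.

```python
"""Vendor name standardization at setup time.

Added example, not from the presentation. The prefix, suffix and qualifier
tables are constructed assumptions, not Casher Associates' or Oracle's
conventions.
"""
import re

# Leading article dropped from the lookup name (kept on the legal/tax name).
DROP_PREFIXES = {"THE"}

# Legal-form suffixes written one way only.
SUFFIX_MAP = {
    "INCORPORATED": "INC", "INC": "INC",
    "CORPORATION": "CORP", "CORP": "CORP",
    "COMPANY": "CO", "CO": "CO",
    "LIMITED": "LTD", "LTD": "LTD",
    "LLC": "LLC",
}

# Name qualifiers that belong in their own field, never inside the name.
QUALIFIER_CODES = {"D/B/A": "DBA", "DBA": "DBA", "T/A": "TA",
                   "AKA": "AKA", "FKA": "FKA", "C/O": "CARE OF"}
_QUALIFIER_RE = re.compile(r"\s+(D/B/A|DBA|T/A|AKA|FKA|C/O)\s+(.+)$")


def standardize_name(raw):
    """Return (lookup_name, qualifier_code, qualifier_value).

    lookup_name: uppercase, dotted abbreviations joined (L.L.C. -> LLC), other
    punctuation removed except '&', single spaces, leading 'THE' dropped and
    the legal suffix in its standard form. A qualifier such as DBA and its
    value are split off and the value is standardized the same way.
    """
    text = raw.strip().upper()
    qualifier = value = None
    m = _QUALIFIER_RE.search(text)
    if m:
        qualifier = QUALIFIER_CODES[m.group(1)]
        value = standardize_name(m.group(2))[0]
        text = text[:m.start()]
    text = re.sub(r"\.(?!\s)", "", text)          # 'L.L.C.' -> 'LLC', 'CO.,' -> 'CO,'
    text = re.sub(r"[^A-Z0-9&]+", " ", text)      # every other punctuation mark -> space
    words = text.split()
    if words and words[0] in DROP_PREFIXES:
        words = words[1:]
    if words and words[-1] in SUFFIX_MAP:
        words[-1] = SUFFIX_MAP[words[-1]]
    return " ".join(words), qualifier, value


def same_vendor_name(a, b):
    """True when two raw entries standardize to the same lookup name."""
    return standardize_name(a)[0] == standardize_name(b)[0]


if __name__ == "__main__":
    for raw in ("Acme Supply Co.", "The Acme Supply Company",
                "Acme Holdings L.L.C. dba Acme Supply", "AT&T Corp."):
        print(repr(raw), "->", standardize_name(raw))
```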

Page 40

Use postal guidelines for addressing standards

Punctuation

Abbreviations

Between Name and Delivery Address Line: Name Qualifiers, Internal Addresses

Delivery Address Line: 7 Components

Last Line: City, State, ZIP; Non-US

Best and Appropriate Practices: Vendor Setup (cont’d)

Page 41

Have guidelines for how other fields are formatted and/or valid values

Vendor Type and/or Class

1099 Type (Box)

Phone Numbers

Taxpayer Identifiers

Payment Terms

ACH, P-Card, EDI, etc.

Women Owned, Minority Owned, Small Business, Veteran, Disabled Veteran, etc.

Insurance Certificate(s)

Tax Certificate(s)

Certifications

Contacts

Email addresses and web sites

Best and Appropriate Practices: Vendor Setup (cont’d)

Page 42

Best and Appropriate Practices: Vendor Setup (cont’d)

Flag Special and Sensitive Vendors

Vendors that are your company’s audit firm(s)

Your company’s officers, directors and their affiliated companies

Employees

Vendors subject to other regulatory checking and reporting

Based on your company’s lines of business

Based on the types of goods or services to be provided

Subject to state withholding and/or reporting

Mask or Restrict Access to Sensitive data

Restrict access to TIN, Bank and Card information

Mask TIN, Bank and Card information

Redact information on Source Documents

Link and/or combine duplicate and some related vendors

Promptly review all additions to the vendor master file

Page 43

Provide to Vendors

Send out a welcome letter and information packet that identifies:

What to do to get paid

When a contract or Purchase Order is required

Whom to contact regarding issues

Optionally, ethics and dispute resolution guidelines

Best and Appropriate Practices: Vendor Setup (cont’d)

Page 44

Best and Appropriate Practices: Vendor and Address Deactivation

Decide when/how to purge or block inactive vendors and addresses

15 – 18 months of inactivity is a typical rule

Deal with Open Items

POs, Invoices, Disbursements

Page 45

Best and Appropriate Practices: Vendor Review and Controls

Promptly review all additions and changes to the vendor master file

Check vendor name and address when checks are uncashed for more than 30 days

Check endorsement on first check sent to a PO Box for a new vendor

Check vendor name and address for all mailed items returned by the postal service

Check vendor against OFAC and other denied party lists before issuing a contract, cutting a PO or disbursing funds

Check deadbeat reporting requirements

Ensure separation of duties

Periodically check Vendor Master File against lists for:

Name changes

Duplicates

Page 46

Best and Appropriate Practices: Vendor Review and Controls (cont’d)

Communicate regularly with vendors

Prepare a document that explains how a vendor should conduct business with your firm

Require vendors to sign a business practices statement

Use email intelligently

Accept electronic input

Provide sufficient remittance information to vendors so that they can properly apply payments

Provide on-line inquiry and self service capability (Vendor Portal)

Monitor vendor performance – accuracy and timeliness of invoices

Consider having “Service Level Agreements” with your strategic vendors

Page 47

Third Party Resources

Page 48

Third Party Resources: US Government Web Sites

US Department of Treasury - IRS

www.irs.gov

US Department of Treasury - OFAC

www.treas.gov/offices/enforcement/ofac

US Department of State - FTO

See OFAC

US Department of Commerce – Lists of Parties of Concern

www.bis.doc.gov/index.php/policy-guidance/lists-of-parties-of-concern

US Department of Health & Human Services

www.acf.hhs.gov/programs/css

www.acf.hhs.gov/programs/css/resource/state-and-tribal-child-support-agency-contacts

US General Services Administration – System for Awards Management

www.sam.gov


Page 49: How your vendor master file is critical to governance, risk management and compliance

Third Party Resources: Non-US Web Sites

Australia DFAT List

www.dfat.gov.au

Bank of England List (BOE)

www.bankofengland.co.uk/publications/financialsanctions/index.htm

Canada OSFI List

www.osfi-bsif.gc.ca/osfi/index_e.aspx?DetailID=525

European Union (EU) Consolidated List

ec.europa.eu/external_relations/cfsp/sanctions/list/consol-list.htm


Page 50: How your vendor master file is critical to governance, risk management and compliance

Third Party Resources: Non-US Web Sites (cont’d)

Guernsey Financial Services Commission (GFSC)

http://www.gfsc.gg/

Hong Kong Monetary Authority Lists (HKMA)

www.info.gov.hk/hkma/eng/bank/three_tier/three_tier_f.htm

Interpol

www.interpol.int

Access to the Interpol Terrorism Watch list is restricted to authorized police agencies


Page 51: How your vendor master file is critical to governance, risk management and compliance

Third Party Resources: Standards and Guidelines

TIN Matching, 1099-MISC, 1042-S, etc.

Internal Revenue Service - www.irs.gov

Standard Country Names and Codes

International Standards Organization - www.iso.org

en.wikipedia.org/wiki/ISO_3166-1

US Addressing Standards

United States Postal Service - www.usps.com

pe.usps.gov/text/pub28/welcome.htm

Canada Addressing Standards

Canada Post - Postes Canada - www.canadapost.ca

www.canadapost.ca/tools/pg/manual/default-e.asp

International Addressing Standards

Universal Postal Union - www.upu.int


Page 52: How your vendor master file is critical to governance, risk management and compliance

Third Party Resources: Standards and Guidelines (cont’d)

Telephone Number Formats

International Telecommunications Union - www.itu.int

en.wikipedia.org/wiki/National_conventions_for_writing_telephone_numbers

Name Changes

OTC Markets - www.otcmarkets.com

Corporate Affiliations - www.corporateaffiliations.com

Fraud

Kroll Global Fraud Reports - fraud.kroll.com/report-archive

Association of Certified Fraud Examiners Report to the Nations - www.acfe.com/rttn/docs/2014-report-to-nations.pdf

Search wikipedia.org for other resources


Page 53: How your vendor master file is critical to governance, risk management and compliance


Comprehensive Risk & Controls Mgmt. (closed-loop diagram)

Loop: Detect and Fix Issues; Continuous Improvement and Monitoring; Assess Risk & Compliance; Close the LOOP

1. BUSINESS RISKS: Identification, Analysis, Evaluate

2. CONTROL OBJECTIVES: Document, Assessments, Reviews

3. CONTINUOUS MONITORS: Author, Execute, Investigate

Page 54: How your vendor master file is critical to governance, risk management and compliance


Enterprise Risk and Controls Foundation: One Unified Platform

Flexible
• Graphical Authoring
• Detect and Prevent
• Access, Transactions, Setups

Data Driven
• 100% of Transactions
• Manage by Exception
• Pattern Analysis

Comprehensive
• Multiple GRC Projects
• From Documentation to Test
• Closed Loop Approach

Enterprise Risk & Controls Foundation (architecture diagram)

Dashboards, Reports and Alerts: Notifications, Worklists, Email, Perspectives, Search

Risk, Controls & Compliance Management: Reviews, Documentation, Assessments, Remediation, Surveys

Continuous Controls & Risk Monitoring: Setups, Access, Master Data, Audit Tests, Transactions; User Authored Controls, Data Connectors, Fraud & Error Patterns

Role Based Access Security; Web Services & APIs; Custom or Legacy Applications

Page 55: How your vendor master file is critical to governance, risk management and compliance


Nasser Khan, CISA, MBA

Nasser Khan is a Governance, Risk & Compliance Solutions Architect

Over 28 years of global experience in business process management, ranging across Financials, Supply Chain and Human Capital Management. Nasser has executed several process transformation initiatives through ERP implementations, I.T. auditing, and audit process automation

Bringing vast experience working globally with manufacturing, healthcare and public sector clients, Nasser Khan specializes in assisting clients to realize business gains through enterprise risk management

Delivered consulting services at PeopleSoft, Oracle, and Deloitte

Page 56: How your vendor master file is critical to governance, risk management and compliance

Grcystems.com

Introduction: ControlLayers is a service line of NHI GRCystems

A business technology systems’ risk consulting practice dedicated to thought leadership and implementation, management, automation, and enforcement of business process and technology controls

High caliber advisory and implementation services

Consultants provide deep domain expertise in enforcing internal controls in enterprise business processes and security functions

Assists clients in managing operational, regulatory compliance, and privacy-related risks by providing strategy, roadmap and tools to ensure effective and continuous compliance utilizing its partner’s tools and its own proprietary service offerings


Page 57: How your vendor master file is critical to governance, risk management and compliance


Client Profiles

Major healthcare and other service providers in North America averaging over 100 business units all over North America

On average, over 130,000 employees

Master Data Management is a key risk mitigation control, with large data entry and management teams

Over 8,000 unique vendor supply sources

Purchasing spend in excess of $100 million

Significant PeopleSoft clients of Oracle globally

Highly regulated environments

Stakeholders need higher degree of assurance from internal controls over financial reporting


Page 58: How your vendor master file is critical to governance, risk management and compliance


Challenges at clients

Ambitious business transformation initiatives involving PeopleSoft FSCM 9.1, HCM 9.1 and OBIEE (centralized reporting)

Financial transformation processes include GL, AP, AR, AM, KK, PC and Supply Chain transformed by deploying PO, IN, and Vendors, Contracts and Items

Over 100 business units purchasing from over 8000 vendors


Page 59: How your vendor master file is critical to governance, risk management and compliance


Challenges at clients

One vendor (name) may have many subsidiaries dealing with totally different items, pricing models, payment terms, lead times

Consistent and accurate data needed to be entered against stringent standards

The same-name vendor may have a different subsidiary at the same location or in the same city

With distributed purchasing at BU level, conflicting and sometimes unfavorable contract terms were in force

Receiving and matching challenges occurred on many levels

Vendor approvals were not structured; inactive or blocked vendors could get paid (OIG of Dept. of HHS)


Page 60: How your vendor master file is critical to governance, risk management and compliance


Key Needs and Control Gaps

Needed a critical system to provide operating effectiveness of application-based controls in Procure to Pay on a continuous basis

The Duplicate Vendor report in PeopleSoft had limitations (matching only on short name) and did not provide real-time validation

Financial Sanctions Validation was not enabled in PeopleSoft; an independent validation method had to be used, based on data from another source

Comparison of address history in PeopleSoft was, again, not real-time

Needed to map controls in the source system conveniently to the control framework to assist in operational and compliance audits

(Slide graphic: each control gap labelled with its current status, No Control, PS Control or Manual Control)


Page 61: How your vendor master file is critical to governance, risk management and compliance


Actual Vs. Desired Controls Landscape


Page 62: How your vendor master file is critical to governance, risk management and compliance


Why did we need Advanced Controls?

Improve Audit Efficiency
• Audit coverage, confidence, reporting
• Incident investigation, whistle-blower support
• Continuous Process Monitoring

Minimize Fraud and Abuse
• Fictitious vendors
• Overstated invoices
• Receiving discrepancies

Reduce Error and Leakage
• Overpayment, duplicate payment
• Payment timing, discounts
• Reduce cost of manual controls; incorrect vendor paid

Secure Systems Down
• Preventative and detective segregation of duties policy enforcement
• Access appropriateness reporting
• Mapping users to transactions and providing audit trails of actions


Page 63: How your vendor master file is critical to governance, risk management and compliance


Main Vendor Management Goals

Increase buying leverage significantly and get the volume discounts based on collective purchasing power of all entities across operations

Improve many procure-to-pay sub processes

Uniquely identify vendor operating across service geographies

Standardize payment methods and terms of payment

Reduce incorrect PO issuance, check issuance, late payment penalties, and overheads in managing the vendor landscape

Ensure vendors or their banks are not on OIG or OFAC lists

Make Item and Catalog administration structured and clear


Page 64: How your vendor master file is critical to governance, risk management and compliance


Advanced Transaction Controls


Page 65: How your vendor master file is critical to governance, risk management and compliance


Found this value in Oracle Advanced Controls

Continuous Monitoring-Transaction Controls Governor

Pre-seeded best practice controls for PeopleSoft Vendor management

Scalable to add more automated controls

Pre-seeded controls for Procure-to-Pay use gave perspective on vendor information being reported

Continuous monitoring and schedulable alerts for exceptions

Independent ‘Witness System’ to hold evidence data should an external auditor or regulator need it


Page 66: How your vendor master file is critical to governance, risk management and compliance


Key Transaction Controls Deployed

Duplicate vendor entries

Duplicate invoice payments

Vendor address similar to an employee address

Payments made to blocked vendors

More than one vendor with similar addresses

Payments beyond the norm (outliers)

Monitor for approval of payments to vendors that were created by the same user
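The transaction controls listed on this slide, as an added example that is not the presentation's or Oracle's code: a Python script that runs duplicate-payment, blocked-vendor, creator-also-approver, vendor-address-equals-employee-address and payment-outlier checks over constructed vendor, employee and payment records. The data, the field names, the address abbreviation table and the outlier rule (more than five times the vendor's median, with at least three payments of history) are all assumptions made for the example; duplicate vendor entries are left out here because the earlier slide on vendor review already carries that example.

```python
"""Transaction-level vendor controls over constructed sample data (added example,
not the presentation's or Oracle's code): duplicate payments, payments to blocked
vendors, approver equal to vendor creator, vendor address equal to an employee
address, and payment outliers."""
import re
from collections import defaultdict
from statistics import median

ABBREV = {"street": "st", "avenue": "ave", "apartment": "apt", "suite": "ste"}


def normalize_address(address):
    """Lowercase, strip punctuation, apply common abbreviations (constructed rules)."""
    text = re.sub(r"[^a-z0-9]+", " ", address.lower())
    return " ".join(ABBREV.get(t, t) for t in text.split())


# Constructed master data. 'created_by' is the user who keyed the vendor record.
VENDORS = {
    "V100": {"name": "Acme Widgets", "status": "ACTIVE", "address": "100 Main St", "created_by": "jdoe"},
    "V101": {"name": "Shady Supply", "status": "BLOCKED", "address": "9 Back Alley", "created_by": "rroe"},
    "V102": {"name": "Quick Fix LLC", "status": "ACTIVE", "address": "42 Elm Ave, Apt 3", "created_by": "msmith"},
}
EMPLOYEES = {"msmith": "42 Elm Avenue, Apartment 3", "jdoe": "7 Oak Court"}
PAYMENTS = [
    {"pay_id": "P1", "vendor": "V100", "invoice": "INV-1", "amount": 1200.00, "approved_by": "asingh"},
    {"pay_id": "P2", "vendor": "V100", "invoice": "INV-1", "amount": 1200.00, "approved_by": "asingh"},
    {"pay_id": "P3", "vendor": "V101", "invoice": "INV-9", "amount": 800.00, "approved_by": "asingh"},
    {"pay_id": "P4", "vendor": "V102", "invoice": "INV-2", "amount": 950.00, "approved_by": "msmith"},
    {"pay_id": "P5", "vendor": "V100", "invoice": "INV-3", "amount": 1150.00, "approved_by": "asingh"},
    {"pay_id": "P6", "vendor": "V100", "invoice": "INV-4", "amount": 48000.00, "approved_by": "asingh"},
]


def duplicate_payments(payments):
    """Same vendor, invoice number and amount paid more than once."""
    groups = defaultdict(list)
    for p in payments:
        groups[(p["vendor"], p["invoice"], p["amount"])].append(p["pay_id"])
    return [ids for ids in groups.values() if len(ids) > 1]


def payments_to_blocked_vendors(payments, vendors):
    """Any payment whose vendor is not ACTIVE at the time of the check."""
    return [p["pay_id"] for p in payments if vendors[p["vendor"]]["status"] != "ACTIVE"]


def approver_created_vendor(payments, vendors):
    """SoD check: the user who keyed the vendor record also approved a payment to it."""
    return [p["pay_id"] for p in payments
            if p["approved_by"] == vendors[p["vendor"]]["created_by"]]


def vendor_address_matches_employee(vendors, employees):
    """Vendors whose normalized address equals an employee's home address."""
    by_address = {normalize_address(a): emp for emp, a in employees.items()}
    return [(vid, by_address[normalize_address(v["address"])])
            for vid, v in vendors.items()
            if normalize_address(v["address"]) in by_address]


def payment_outliers(payments, factor=5.0, min_history=3):
    """Flag a payment far above the vendor's median payment; vendors with too
    little history are skipped rather than guessed at."""
    per_vendor = defaultdict(list)
    for p in payments:
        per_vendor[p["vendor"]].append(p)
    flagged = []
    for rows in per_vendor.values():
        if len(rows) < min_history:
            continue
        baseline = median(r["amount"] for r in rows)
        flagged.extend(r["pay_id"] for r in rows if r["amount"] > factor * baseline)
    return flagged


if __name__ == "__main__":
    print("duplicate payments:", duplicate_payments(PAYMENTS))
    print("paid to blocked vendors:", payments_to_blocked_vendors(PAYMENTS, VENDORS))
    print("approver created the vendor:", approver_created_vendor(PAYMENTS, VENDORS))
    print("vendor at employee address:", vendor_address_matches_employee(VENDORS, EMPLOYEES))
    print("outlier payments:", payment_outliers(PAYMENTS))
```

Each function returns the exception list a reviewer would work from; in a continuous-monitoring setup these would run on a schedule against the day's payment run and feed the incident queue described on the following slides.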


Page 67: How your vendor master file is critical to governance, risk management and compliance


TCG Model Setup: Is Vendor Overpaid?


Page 68: How your vendor master file is critical to governance, risk management and compliance


TCG: Managing Incidents


Page 69: How your vendor master file is critical to governance, risk management and compliance


Remediation

Screenshot callouts: Similar names; Unapproved Vendor not set up correctly


As part of remediation, the user would likely merge the records if the same vendor has been created under more than one similar name.

Vendor setup may have inconsistencies which would need remediation

Page 70: How your vendor master file is critical to governance, risk management and compliance


Advanced Access Controls


Page 71: How your vendor master file is critical to governance, risk management and compliance


Access Controls: Segregation of Duties

For user activity, we utilized the Oracle Advanced Controls application Application Access Controls Governor (AACG), which flagged, for example, when the same user who created a vendor also approved vendors.


Page 72: How your vendor master file is critical to governance, risk management and compliance


Access Remediation


Remove the SOD conflicts

Page 73: How your vendor master file is critical to governance, risk management and compliance


Advanced Configuration Controls


Page 74: How your vendor master file is critical to governance, risk management and compliance


Found this value in Oracle Advanced Controls

Master data entry exception detection: Configuration Controls Governor

Reduced manual data entry controls that included daily checking of vendor and vendor-related entries. With CCG, only changes needed to be analyzed, selectively

Incorrect vendor on POs and reqs

Payments term changes and incorrect terms on PO

Bank account or Address changes

User data quality improvements

Leverage CCG-reported data to educate users in good practices and process improvement


Page 75: How your vendor master file is critical to governance, risk management and compliance


Key Configuration Change Controls Deployed

For change management, we used CCG Change Tracking: daily notifications of high-risk field changes

CCG allowed us to report daily on who changed what, when and where

Limited the performance impact on PeopleSoft from audit data build-up

On event, and at certain financial period ends, took snapshots of configuration sets for a point-in-time picture

Combined this with front-end vendor setup procedures, such as one entry per vendor designated as the ‘Primary Vendor’, then using address sequencing to identify a vendor’s multiple fulfillment locations


Page 76: How your vendor master file is critical to governance, risk management and compliance


Configuration Change Tracking

Create Queries to track changers


Page 77: How your vendor master file is critical to governance, risk management and compliance


Setup Alerts on Vendor Changes

Specify which actions to be notified of, the date range, backend or frontend, table object, etc. We took a risk-based approach and were only interested in specific fields on specific tables


Page 78: How your vendor master file is critical to governance, risk management and compliance


Oracle Advanced Controls (Configuration) screen callouts: Who changed from frontend? Who changed from backend? Type of change? Table name? For what key values, and what was the change? When?
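The snapshot and change-tracking approach on the preceding slides, and the who/what/when/where questions on this one, as an added example that is not CCG's or the presentation's code: two constructed point-in-time snapshots of vendor setup are diffed, the result is filtered to high-risk fields (bank account, remit address, payment terms and status, a choice made for the example from the fields the slides name), reconciled against a constructed front-end audit log so that a change with no audit row (a backend update) stands out, and summarized into a daily digest by user. Field names, user ids, timestamps and the pseudo-field "<record>" for creations are all assumptions.

```python
"""Vendor configuration change tracking over constructed data (added example, not
CCG's own code): diff two point-in-time snapshots of vendor setup, keep only
high-risk fields, reconcile against the application's audit log to expose
changes made outside the front end, and build a daily who/what/when digest."""

# Fields whose change should trigger a same-day notification (constructed choice).
HIGH_RISK_FIELDS = {"bank_account", "remit_address", "payment_terms", "status"}

# Constructed period-end snapshot (T0) and the snapshot taken the following day (T1).
SNAPSHOT_T0 = {
    "V100": {"name": "Acme Widgets", "bank_account": "****1111", "remit_address": "100 Main St",
             "payment_terms": "NET30", "status": "ACTIVE"},
    "V101": {"name": "Shady Supply", "bank_account": "****2222", "remit_address": "9 Back Alley",
             "payment_terms": "NET45", "status": "BLOCKED"},
}
SNAPSHOT_T1 = {
    "V100": {**SNAPSHOT_T0["V100"], "bank_account": "****9999"},   # bank account swapped
    "V101": {**SNAPSHOT_T0["V101"], "status": "ACTIVE"},           # blocked vendor reactivated
    "V102": {"name": "New Co", "bank_account": "****3333", "remit_address": "5 Elm Ave",
             "payment_terms": "NET30", "status": "ACTIVE"},         # new record
}

# Constructed front-end audit rows. Note there is no row for V101's status flip.
AUDIT_LOG = [
    {"vendor": "V100", "field": "bank_account", "old": "****1111", "new": "****9999",
     "changed_by": "jdoe", "changed_at": "2014-03-03T09:12:00", "channel": "frontend"},
    {"vendor": "V102", "field": "<record>", "old": None, "new": "created",
     "changed_by": "rroe", "changed_at": "2014-03-03T10:40:00", "channel": "frontend"},
]


def diff_snapshots(before, after):
    """Return (vendor, field, old, new) for each difference; whole-record
    creation or deletion is reported under the pseudo-field '<record>'."""
    changes = []
    for vid in sorted(set(before) | set(after)):
        old_rec, new_rec = before.get(vid), after.get(vid)
        if old_rec is None:
            changes.append((vid, "<record>", None, "created"))
        elif new_rec is None:
            changes.append((vid, "<record>", "exists", "deleted"))
        else:
            for field in sorted(set(old_rec) | set(new_rec)):
                if old_rec.get(field) != new_rec.get(field):
                    changes.append((vid, field, old_rec.get(field), new_rec.get(field)))
    return changes


def high_risk_changes(changes):
    """Keep only the changes a reviewer must see the same day."""
    return [c for c in changes if c[1] in HIGH_RISK_FIELDS or c[1] == "<record>"]


def unexplained_changes(changes, audit_log):
    """Snapshot differences with no matching audit row: the data moved without
    the front end recording it, which points at a direct backend update."""
    logged = {(r["vendor"], r["field"], r["new"]) for r in audit_log}
    return [c for c in changes if (c[0], c[1], c[3]) not in logged]


def daily_digest(audit_log, day):
    """Who changed what, when and through which channel, for high-risk fields
    on a given day (ISO date prefix)."""
    digest = {}
    for r in audit_log:
        if r["changed_at"].startswith(day) and r["field"] in HIGH_RISK_FIELDS:
            digest.setdefault(r["changed_by"], []).append(
                (r["changed_at"], r["vendor"], r["field"], r["old"], r["new"], r["channel"]))
    return digest


if __name__ == "__main__":
    delta = diff_snapshots(SNAPSHOT_T0, SNAPSHOT_T1)
    print("high-risk changes:", high_risk_changes(delta))
    print("not in audit log:", unexplained_changes(delta, AUDIT_LOG))
    print("digest for 2014-03-03:", daily_digest(AUDIT_LOG, "2014-03-03"))
```

The reconciliation step is the reason to keep snapshots at all: the audit log answers "who changed it from the frontend", while a snapshot delta that the log cannot account for is the only evidence of a change made from the backend.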


Page 79: How your vendor master file is critical to governance, risk management and compliance


Goals Vs. Value Realized


Goal: Increase buying leverage significantly and get the volume discounts based on collective purchasing power of all entities across operations
Value realized: Reduced spend significantly enough to justify the initial effort and opex of centralized vendor data management staff

Goal: Improve many procure-to-pay sub processes
Value realized: The exercise gave structure to work methods ensuring accurate and timely processing of vendor payments

Goal: Uniquely identify vendor operating across service geographies
Value realized: Reduced duplicate vendor situations to almost zero and allowed benchmarking of prices for all locations for same items

Goal: Standardize payment methods and terms of payment
Value realized: Cleanup gave clarity and ability to demand same terms for vendors of same or similar items. Brought all vendors on standard terms thus helped avoid payment delays and PayCycle processing

Goal: Reduce incorrect PO issuance, check issuance, and overheads in managing the vendor landscape
Value realized: Vendor entry errors went down from 40% to less than 5%. Reduced need for exception Purchase Orders and helped setup priority vendors

Goal: Make Item and Catalog administration structured and clear

Page 80: How your vendor master file is critical to governance, risk management and compliance


Lessons learned

Effective Controls with Low Resource Cost: PeopleSoft is a vastly configurable ERP system. Having additional controls configured in it, or queries built, places a burden on it. The Oracle Advanced Controls (OAC) applications proved to be an effective companion system for controls.

Early Gap Identification for Effective Design: Assess PeopleSoft and explore complementary resolution of gaps by OAC early in implementations

Embed Controls within the Process: Treat OAC as part of ‘your daily diet’ business process flows and not as add-ons, to achieve process control, completeness and effectiveness

Automate Controls for Efficiency: Adopt the mantra of ‘automated’ versus ‘manual’ and the chips will fall in place

Highlight Root Causes by Identifying Control Points: Identifying control points as ‘afterthoughts’ results in band-aids. Instead, have business process flows nailed down first

Layered Controls = Deeper Defense
