Presented by Mitzi Mitchell
11/7/2012
Don’t like risk? Stop gambling in your accounts payable and start to take systematic control.
Agenda
Company and Payables Environment Overview
Risk Program Highlight
Case Study #1 Payment Approval
Case Study #2 3-Way Match Exceptions and Long Approval Time
Case Study #3 Out-of-Pocket Expenses
Case Study #4 Duplicate Payments/Invoices
Case Study #5 Fraud Monitoring Program
Confidential and Proprietary Information of T-Mobile USA 2
Company Overview
Headquarters: Bellevue, WA
Customers: 30 million
Coverage: USA and PR
Largest 4G Network
Value Plans
Payables Environment Overview
No. of countries serviced: 1 with some Euro transactions
Main P2P technologies used:
OCR IBM Filenet “Doculink”,
EDI, ERS in SAP,
ACH & Merchant Card through JPMC Xign,
Expenses & Travel through Concur
Duplicate analysis through APEX
Main ERP: SAP
Volume of Annual AP Invoices:
500K paper, 1 million electronic invoices
# of vendors – 40K, # of employees – 36K
$16B in annual payment
One thing we are most proud of:
We employ best practices for duplicate prevention.
External recovery audits are now standard operations.
Risk Program Highlight
Supporting Internal Customers
Control Design Evaluation
Testing Program
Fraud Analytics
Monthly Scorecard
Dept Risk Training
Leverage Third Party Vendors
Cover AP, TE&C, Treasury & Others
Supports Gap Remediation
COSO Cube - Internal Controls Framework
P2P Risk Objectives
All transactions are recorded and reflected on the financial statement correctly.
Prevent fraud: no fraudulent vendors, employees, invoices, expenses, etc.
Pay the correct amount, pay the correct vendor.
Do not over pay, double pay, or pay for goods or services not yet delivered.
Maintain cash flow objectives. (operations)
Obtain the most economical value out of the P2P process. (operations)
Tiered Control Structure: Operational Controls, Key Controls, SOX/BUS Controls
Apply to all transactions/processes in scope to achieve the objective.
Can be consistently performed and monitored.
Can be preventative or detective.
Evidence of performance needs to be retained.
Controls Definition Examples
Segregation of duties
System validation
3-way match
Invoice entry rules
Invoice Post Audit
Approval of PO and invoices and vendor setup
T&E, Corporate Card, Signing Authority Policies
Expense Audit
Case #1 - Payment and Vendor Approval
No consistent approval requirements throughout the enterprise for invoices and vendors.
Automation/Policy/Process Change/Outsource
Cost, Enterprise Impact, Buy-In.
Case #1 - Solution
Approval Authority Policy
Vendor Setup Policy
Broadly distributed approval authority implemented through the HR system.
Systematic feed of SAP HR data to all expense, PO, and invoice processing systems.
Vendor Approval Workflow - to come
Manual approval validation where not automated.
Manual approval validation for vendor setup.
Case #2 - 3-Way Match Exceptions, Long Approval Time
Issue
• Aged, large $ and volume of 3-way match exceptions. Goods receipts are not performed.
• Long approval timing for non-PO invoices.
• Automation/Policy/Process Change/Outsource Options
Challenges
• Audience size, resource availability, approach.
Case #2 - Solution
EDI - large volume, high $ vendors targeted first.
Require POs for all purchases; switch vendor setup and approval timing.
Outstanding open payables communication for unmatched items.
Dedicated contacts from each business segment.
SLA involved.
Case #3 – Out-of-Pocket Expenses
Large $ spend on personal cards. Evasion of vendor setup approval and PO/invoice approval requirements.
Loss of credit card rebate.
Policy/Automation/Outsourcing/Process
Resistance against enforcement. Culture that allows local decisions and flexibility. Ownership for enforcement cannot be decided.
Case #3 - Solution
Systematic triggers implemented for high $ out-of-pocket expenses.
Policy change to mandate corporate card usage vs. personal card usage.
Monthly communication to employees with large $ out-of-pocket spend.
Case Study #4 – Duplicate Payments/Duplicate Invoices
Duplicate Payments
Automation/Policy/Process/Outsource
Labor intensive
Case #4 - Solution
Using recovery audit firms. Implemented five-year duplicate payment review and statement audit (first and second tier).
Implemented invoice numbering convention.
Implemented daily manual review for possible duplicates.
Systematic prevention for SAP invoice posting.
APEX First Strike for additional review.
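The duplicate-prevention steps above (a numbering convention, a systematic block at posting, and a daily review of near-misses) combined into one worked example. This is added illustration, not the presenter's or T-Mobile's code; the invoice records, field names and the 3-day date window are assumptions.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample AP postings (hypothetical data, not the presenter's).
INVOICES = [
    {"doc": "A1", "vendor": "V100", "inv_no": "INV-00123", "amount": 1500.00, "inv_date": date(2012, 10, 1)},
    {"doc": "A2", "vendor": "V100", "inv_no": "inv 123",   "amount": 1500.00, "inv_date": date(2012, 10, 1)},
    {"doc": "A3", "vendor": "V100", "inv_no": "INV-00124", "amount": 1500.00, "inv_date": date(2012, 10, 2)},
    {"doc": "A4", "vendor": "V200", "inv_no": "00123",     "amount": 1500.00, "inv_date": date(2012, 10, 1)},
    {"doc": "A5", "vendor": "V300", "inv_no": "7781",      "amount": 980.50,  "inv_date": date(2012, 10, 5)},
]

def normalize_inv_no(raw):
    """Numbering convention: upper-case, drop punctuation/spaces, and drop
    leading zeros of each numeric run ("INV-00123" -> "INV123")."""
    s = re.sub(r"[^A-Z0-9]", "", raw.upper())
    return re.sub(r"(?<!\d)0+(?=\d)", "", s)

def _pairs(group):
    for i in range(len(group)):
        for j in range(i + 1, len(group)):
            yield group[i], group[j]

def find_duplicates(invoices, date_window_days=3):
    """Return (doc_a, doc_b, reason) for probable duplicates:
    exact = same vendor + same normalized invoice number (block at posting);
    near  = same vendor + same amount, different number, invoice dates
            within the window (route to the daily manual review)."""
    hits = []
    by_number, by_amount = defaultdict(list), defaultdict(list)
    for inv in invoices:
        by_number[(inv["vendor"], normalize_inv_no(inv["inv_no"]))].append(inv)
        by_amount[(inv["vendor"], round(inv["amount"], 2))].append(inv)
    for group in by_number.values():
        for a, b in _pairs(group):
            hits.append((a["doc"], b["doc"], "exact: same vendor and invoice number"))
    for group in by_amount.values():
        for a, b in _pairs(group):
            if normalize_inv_no(a["inv_no"]) == normalize_inv_no(b["inv_no"]):
                continue  # already reported as an exact duplicate
            if abs((a["inv_date"] - b["inv_date"]).days) <= date_window_days:
                hits.append((a["doc"], b["doc"], "near: same vendor, amount and date window"))
    return hits

if __name__ == "__main__":
    for hit in find_duplicates(INVOICES):
        print(hit)
```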
Case #5 – Fraud Monitoring Program
Unusual transactions within the T&E system. High-ranking employees sharing passwords with Administrative Assistants. Possible fake receipts.
No process in place to evaluate vendor risks.
Automation, Policy, Process, Outsource
Data mining expertise needed. Multiple databases. Customer service vs. enforcer mentality.
Labor-intensive analysis with no guarantee of results. No control over vendor contract or relationship. Large volume of results for analysis.
Case #5 - Solution
T&E Concur Reporting.
JPMC Level 3 Activities Reporting.
APEX First Strike Analytics Vendor Risk Analysis.
Lowered credit line for all corporate card holders.
Provided enterprise management expense approval training.
T&E: 100% audit on all AA expenses. Periodic review of T&E database for fraud.
AP: Periodic vendor/employee match exercise. Periodic vendor risk analysis using APEX First Strike.
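The vendor/employee match exercise from the AP bullet as an added example; this is not the presenter's code nor any vendor tool's logic. The master-data fields, the sample records and the normalization rules (address suffix expansion, account leading zeros, last ten phone digits) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample master data (hypothetical records, not the presenter's).
VENDORS = [
    {"vendor": "V100", "addr": "500 Main St, Suite 4, Bellevue WA 98004",
     "bank": "021000021-123456789", "phone": "(425) 555-0100"},
    {"vendor": "V201", "addr": "12 Elm Street Apt 3, Renton WA 98055",
     "bank": "125000024-000777888", "phone": "425-555-0177"},
    {"vendor": "V302", "addr": "77 Harbor Ave, Seattle WA 98101",
     "bank": "125000024-000999111", "phone": "206-555-0199"},
]
EMPLOYEES = [
    {"emp": "E5512", "addr": "12 Elm St., Apt. 3, Renton, WA 98055",
     "bank": "125000024-777888", "phone": "4255550177"},
    {"emp": "E7710", "addr": "9 Pine Rd, Kent WA 98032",
     "bank": "125000024-555444", "phone": "253-555-0111"},
]

_ABBREV = {"STREET": "ST", "AVENUE": "AVE", "ROAD": "RD",
           "APARTMENT": "APT", "SUITE": "STE"}

def norm_addr(s):
    """Upper-case, strip punctuation, expand common suffixes so that
    '12 Elm Street Apt 3' and '12 Elm St., Apt. 3' compare equal."""
    words = re.sub(r"[^A-Z0-9 ]", " ", s.upper()).split()
    return " ".join(_ABBREV.get(w, w) for w in words)

def norm_bank(s):
    """Routing and account digits; leading zeros on the account dropped."""
    routing, account = re.findall(r"\d+", s)[:2]
    return routing + ":" + account.lstrip("0")

def norm_phone(s):
    """Last ten digits only."""
    return re.sub(r"\D", "", s)[-10:]

NORMALIZERS = {"addr": norm_addr, "bank": norm_bank, "phone": norm_phone}

def vendor_employee_matches(vendors, employees):
    """Return (vendor_id, emp_id, field) for every vendor master field that
    collides with an employee master field after normalization."""
    index = defaultdict(list)
    for e in employees:
        for field, norm in NORMALIZERS.items():
            index[(field, norm(e[field]))].append(e["emp"])
    hits = []
    for v in vendors:
        for field, norm in NORMALIZERS.items():
            for emp in index.get((field, norm(v[field])), []):
                hits.append((v["vendor"], emp, field))
    return hits
```

A vendor that collides on several fields at once, as V201 does here, is the kind of record the periodic match exercise escalates for review of the vendor setup approval.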
Lessons Learned
No sure-fire way to address each situation.
Resource priority is always an issue.
Consultant vs. Cop?
Risk Strategies
*Automation of approval or workflow processes
*Policy changes
*Process, personnel changes
*Training