To be SOX compliant and for the purposes of internal audit you need to look at risk from a process perspective. You need to ensure your process is controlled and compliant. Mitzi Mitchell will share how to reduce risk to achieve systematic control of the highest P2P risk areas, including: - Three-way matching errors - Ensuring approval limits are correct and monitoring approval authority changes - Minimising employee fraud (using Concur’s T & E tool) - Avoiding duplicate payments (using APEX Analytics' audit recovery tool) - Ensuring users in the process are following the rules to ensure compliance

1. Don’t like risk? Stop
gambling in your
accounts payable
and start to take
systematic control.
Presented by Mitzi Mitchell
11/7/2012 1

2. Agenda
Company and Payables Environment Overview
Risk Program Highlight
Case Study #1 Payment Approval
Case Study #2 3-Way Match Exceptions and Long Approval Time
Case Study #3 Out-of-Pocket Expenses
Case Study #4 Duplicate Payments/Invoices
Case Study #5 Fraud Monitoring Program
Confidential and Proprietary Information of T-Mobile USA 2

3. Company Overview
Headquarter: Bellevue, WA
Customers: 30 million
Coverage: USA and PR
Largest 4G Network
Value Plans
Confidential and Proprietary Information of T-Mobile USA 3

4. Payables Environment Overview
 No. of countries serviced: 1 with some Euro transactions
 Main P2P technologies used:
OCR IBM Filenet “Doculink”,
EDI, ERS in SAP,
ACH & Merchant Card through JPMC Xign,
Expenses & Travel through Concur
Duplicate analysis through APEX
 Main ERP: SAP
 Volume of Annual AP Invoices:
500K paper, 1 million electronic invoices
 # of vendors – 40K, # of employees – 36K
 $16B in annual payment
 One thing we are most proud of:
We employ best practices for duplicate prevention.
External recovery audits are now standard operations.
Confidential and Proprietary Information of T-Mobile USA 4

5. Risk Program Highlight COSO Cube -
Internal Controls
Framework
Supporting Fraud Leverage
Internal Third Party
Customers Analytics Vendors
Control Cover AP,
Monthly TE&C,
Design Treasury &
Evaluation Scorecard
Others
Testing Dept Risk Supports
Gap
Program Training Remediation
Confidential and Proprietary Information of T-Mobile USA 5

6. P2P Risk Objectives Tiered Control
Structure
All transactions are Obtain most
recorded and economical value out SOX/BUS Controls
reflected on financial of the P2P process.
statement correctly. (operations)
Key Controls
Prevent fraud- no
Maintain cash flow
fraudulent vendor,
objectives.
employees , invoices,
(operations)
expenses etc. Operational Controls
Do not over pay,
Pay correct amount, double pay, or pay for
pay correct vendor. goods or services not
yet delivered.
Confidential and Proprietary Information of T-Mobile USA 6

7. Controls Definition Examples
Segregation of duties
System validation
Apply to all 3 way match
Can be consistently
transactions/process
performed and
in scope to achieve
monitored Invoice entry rules
the objective
Invoice Post Audit
Approval of PO and
invoices and vendor setup
T&E, Corporate Card,
Signing Authority Policies
Evidence of Expense Audit
Can be preventative
performance need be
or detective
retained
Confidential and Proprietary Information of T-Mobile USA 7

8. Case#1- Payment and Vendor
Approval
No consistent approval requirements
throughout the enterprise for
invoices and vendors
Automation/ Policy/Process Change/
Outsource
Cost, Enterprise Impact, Buy-In.
Confidential and Proprietary Information of T-Mobile USA 8

9. Case#1-Solution
Broadly distributed approval
authority implemented through
HR system. Manual approval validation
where not automated.
Approval Authority Policy
Systematic feed of SAP HR
data to all expenses, PO,
Vendor Setup Policy
invoice processing systems. Manual approval validation for
vendor setup.
Vendor Approval Workflow – to
come
Confidential and Proprietary Information of T-Mobile USA 9

10. Case#2- 3 Way Match
Exceptions, Long Approval Time
• Aged, large $ and volume of 3 way match
exceptions. Goods receipt are not
Issue performed.
• Long approval timing for non-PO invoices.
• Automation/Policy/Process
Options Change/Outsource
• Audience size, resource availability,
Challenges approach.
Confidential and Proprietary Information of T-Mobile USA 10

11. Case#2-Solution
Outstanding open
Require POs for all
EDI – payables communication
purchases, switch
Large volume, high $ for unmatched items.
vendor set up and
vendors targeted first. Dedicated contacts from
approval timing.
each business segment.
SLA involved.
Confidential and Proprietary Information of T-Mobile USA 11

12. Case #3 – Out-of-Pocket Expenses
Large $ spend on personal card. Evasion of vendor
setup approval, PO/Invoice approval requirement.
Loss of credit card rebate.
Policy/Automation/Outsourcing/Process
Resistance against enforcement . Culture that
allows local decisions and flexibility. Ownership for
enforcement can not be decided.
Confidential and Proprietary Information of T-Mobile USA 12

13. Case#3-Solution
Policy change to Monthly
Systematic triggers
mandate corporate communication for
implemented for
card usage vs. large $ out-of-
high $ out-of-pocket
personal card pocket spend
expenses.
usage. employees.
Confidential and Proprietary Information of T-Mobile USA 13

14. Case Study #4 – Duplicate
Payments/Duplicate Invoices
Duplicate Payments
Automation/Policy/Process/Outsource
Labor intensive
Confidential and Proprietary Information of T-Mobile USA 14

15. Case#4 Solution
Using recovery audit Systematic prevention
Implemented invoice
firms. Implemented for SAP invoice
numbering convention.
five year duplicate posting.
Implemented daily
payment review and
manual review for
statement audit. (First APEX First Strike for
possible duplicates.
and second tier) additional review.
Confidential and Proprietary Information of T-Mobile USA 15

16. Case #5 – Fraud Monitoring
Program
Unusual transactions within T&E system. High ranking
employees sharing passwords with Administrative
Assistant. Possible fake receipts.
No process in place to evaluate vendor risks.
Automation, Policy, Process, Outsource
Data mining expertise needed. Multiple databases.
Customer service vs. enforcer mentality.
Labor intensive analysis with no guarantee of results.
No control over vendor contract or relationship. Large
volume of results for analysis.
Confidential and Proprietary Information of T-Mobile USA 16

17. Case #5 Solution
Lowered credit line for all
T&E Concur Reporting. corporate card holders. T&E: 100% audit on all AA
JPMC Level 3 Activities expenses. Periodic review of
Reporting. T&E database for fraud.
Provided enterprise
management expenses
AP: Periodic vendor/employee
approval training.
match exercise.
APEX First Strike Analytics Periodic vendor risk analysis
Vendor Risk Analysis. using APEX First Strike
Confidential and Proprietary Information of T-Mobile USA 17

18. Lessons Learned
No sure fire
way to
address
Risk Strategies each
situation
*Automation of approval or
workflow processes Resource
*Policy changes priority is
always an
issue
*Process, personnel changes
*Training
Consultant
vs. Cop?
Confidential and Proprietary Information of T-Mobile USA 18

19. Contact information:
425-383-5933
qin.mitchell@t-mobile.com
Thank you!