To be SOX compliant and for the purposes of internal audit you need to look at risk from a process perspective. You need to ensure your process is controlled and compliant. Mitzi Mitchell will share how to reduce risk to achieve systematic control of the highest P2P risk areas, including:
- Three-way matching errors
- Ensuring approval limits are correct and monitoring approval authority changes
- Minimising employee fraud (using Concur’s T & E tool)
- Avoiding duplicate payments (using APEX Analytics' audit recovery tool)
- Ensuring users in the process are following the rules to ensure compliance
Don't gamble - take control of payables risk
1. Don’t like risk? Stop gambling in your accounts payable and start to take systematic control.
Presented by Mitzi Mitchell
11/7/2012
2. Agenda
Company and Payables Environment Overview
Risk Program Highlight
Case Study #1 Payment Approval
Case Study #2 3-Way Match Exceptions and Long Approval Time
Case Study #3 Out-of-Pocket Expenses
Case Study #4 Duplicate Payments/Invoices
Case Study #5 Fraud Monitoring Program
Confidential and Proprietary Information of T-Mobile USA 2
3. Company Overview
Headquarters: Bellevue, WA
Customers: 30 million
Coverage: USA and PR
Largest 4G Network
Value Plans
4. Payables Environment Overview
No. of countries serviced: 1 with some Euro transactions
Main P2P technologies used:
OCR IBM Filenet “Doculink”,
EDI, ERS in SAP,
ACH & Merchant Card through JPMC Xign,
Expenses & Travel through Concur
Duplicate analysis through APEX
Main ERP: SAP
Volume of Annual AP Invoices:
500K paper, 1 million electronic invoices
# of vendors – 40K, # of employees – 36K
$16B in annual payment
One thing we are most proud of:
We employ best practices for duplicate prevention.
External recovery audits are now standard operations.
5. Risk Program Highlight
- COSO Cube - Internal Controls Framework
- Control Design, Evaluation, Testing, Gap Remediation
- Supporting Internal Customers: cover AP, TE&C, Treasury & Others
- Fraud Analytics: Monthly Scorecard, Dept Risk Program
- Leverage Third Party Vendors
- Supports Training
6. P2P Risk Objectives
- All transactions are recorded and reflected on the financial statement correctly.
- Obtain the most economical value out of the P2P process. (operations)
- Prevent fraud: no fraudulent vendors, employees, invoices, expenses etc.
- Maintain cash flow objectives. (operations)
- Pay correct amount, pay correct vendor.
- Do not over pay, double pay, or pay for goods or services not yet delivered.
Tiered Control Structure: SOX/BUS Controls, Key Controls, Operational Controls
7. Controls Definition
- Apply to all transactions/processes in scope to achieve the objective
- Can be consistently performed and monitored
- Can be preventative or detective
- Evidence of performance needs to be retained
Examples
- Segregation of duties
- System validation
- 3 way match
- Invoice entry rules
- Invoice Post Audit
- Approval of PO and invoices and vendor setup
- T&E, Corporate Card, Signing Authority Policies
- Expense Audit
8. Case #1 – Payment and Vendor Approval
- Issue: No consistent approval requirements throughout the enterprise for invoices and vendors.
- Options: Automation/Policy/Process Change/Outsource
- Challenges: Cost, Enterprise Impact, Buy-In.
9. Case #1 – Solution
- Broadly distributed approval authority implemented through HR system. Systematic feed of SAP HR data to all expenses, PO, invoice processing systems.
- Manual approval validation where not automated. Manual approval validation for vendor setup. Vendor Approval Workflow – to come.
- Approval Authority Policy; Vendor Setup Policy.
10. Case #2 – 3 Way Match Exceptions, Long Approval Time
- Issue: Aged, large $ and volume of 3 way match exceptions. Goods receipts are not performed. Long approval timing for non-PO invoices.
- Options: Automation/Policy/Process Change/Outsource
- Challenges: Audience size, resource availability, approach.
11. Case #2 – Solution
- Require POs for all purchases; switch vendor set up and approval timing.
- EDI – Large volume, high $ vendors targeted first.
- Outstanding open payables communication for unmatched items. Dedicated contacts from each business segment. SLA involved.
12. Case #3 – Out-of-Pocket Expenses
- Issue: Large $ spend on personal card. Evasion of vendor setup approval, PO/Invoice approval requirement. Loss of credit card rebate.
- Options: Policy/Automation/Outsourcing/Process
- Challenges: Resistance against enforcement. Culture that allows local decisions and flexibility. Ownership for enforcement cannot be decided.
13. Case #3 – Solution
- Policy change to mandate corporate card usage vs. personal card usage.
- Monthly communication for large $ out-of-pocket spend employees.
- Systematic triggers implemented for high $ out-of-pocket expenses.
14. Case Study #4 – Duplicate Payments/Duplicate Invoices
- Issue: Duplicate Payments
- Options: Automation/Policy/Process/Outsource
- Challenges: Labor intensive
15. Case #4 – Solution
- Using recovery audit firms. Implemented five year payment review and statement audit. (First and second tier)
- Systematic prevention for SAP invoice duplicate posting. Implemented daily manual review for possible duplicates.
- Implemented invoice numbering convention. APEX First Strike for additional review.
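The duplicate-invoice controls on this slide (a numbering convention, prevention at posting, a daily review of possible duplicates) are described only at the level of outcomes. The following is an added example, not code from the presentation, T-Mobile's SAP configuration or APEX's product: it normalizes invoice numbers and flags candidate pairs over constructed sample records; the normalization and matching rules are assumptions chosen for illustration.

```python
# Added example (not from the presentation): candidate duplicate-invoice detection
# of the kind a prevention rule at posting time or a daily manual review would use.
# The invoice records are constructed sample data, and the matching rules are
# assumptions for illustration, not T-Mobile's SAP rules or APEX's logic.
import re
from collections import defaultdict

def normalize_invoice_number(raw: str) -> str:
    """Collapse common keying variants of one invoice number: letter case,
    punctuation and whitespace, and leading zeros on the numeric part."""
    s = re.sub(r"[^A-Za-z0-9]", "", raw).upper()
    m = re.fullmatch(r"([A-Z]*)0*(\d+)", s)
    return m.group(1) + m.group(2) if m else s

def _pairs(group):
    """All unordered id pairs within one group of invoices, smaller id first."""
    ids = sorted(inv["id"] for inv in group)
    return [(ids[i], ids[j]) for i in range(len(ids)) for j in range(i + 1, len(ids))]

def find_duplicate_candidates(invoices):
    """Return sorted (id_a, id_b, reason) triples for manual review.
    'exact': same vendor and same normalized invoice number.
    'near' : same vendor, amount and invoice date under a different number,
             which a numbering convention alone will not catch."""
    hits, seen = [], set()
    by_number = defaultdict(list)
    for inv in invoices:
        by_number[(inv["vendor"], normalize_invoice_number(inv["inv_no"]))].append(inv)
    for group in by_number.values():
        for pair in _pairs(group):
            seen.add(pair)
            hits.append((*pair, "exact: same vendor + normalized invoice number"))
    by_amount = defaultdict(list)
    for inv in invoices:
        by_amount[(inv["vendor"], inv["amount"], inv["date"])].append(inv)
    for group in by_amount.values():
        for pair in _pairs(group):
            if pair not in seen:  # do not report an exact hit a second time
                seen.add(pair)
                hits.append((*pair, "near: same vendor, amount and date, different number"))
    return sorted(hits)

# Constructed sample: 1 and 2 are one invoice keyed two ways; 3 has a new number
# but the same vendor, amount and date; 4 reuses a number under another vendor.
INVOICES = [
    {"id": 1, "vendor": "V100", "inv_no": "INV-00123", "amount": 4500.00, "date": "2012-10-02"},
    {"id": 2, "vendor": "V100", "inv_no": "inv 123",   "amount": 4500.00, "date": "2012-10-02"},
    {"id": 3, "vendor": "V100", "inv_no": "INV-00124", "amount": 4500.00, "date": "2012-10-02"},
    {"id": 4, "vendor": "V200", "inv_no": "INV-00123", "amount": 980.00,  "date": "2012-10-05"},
    {"id": 5, "vendor": "V200", "inv_no": "A-77",      "amount": 980.00,  "date": "2012-10-09"},
]
```

Running `find_duplicate_candidates(INVOICES)` yields the pairs (1, 2) as an exact match and (1, 3), (2, 3) as near matches, while invoice 4 is not paired with 1 because the vendor differs.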
16. Case #5 – Fraud Monitoring Program
- Issue: Unusual transactions within T&E system. High ranking employees sharing passwords with Administrative Assistant. Possible fake receipts. No process in place to evaluate vendor risks.
- Options: Automation, Policy, Process, Outsource
- Challenges: Data mining expertise needed. Multiple databases. Customer service vs. enforcer mentality. Labor intensive analysis with no guarantee of results. No control over vendor contract or relationship. Large volume of results for analysis.
17. Case #5 – Solution
- T&E Concur Reporting. JPMC Level 3 Activities Reporting. APEX First Strike Analytics Vendor Risk Analysis.
- Lowered credit line for all corporate card holders. Provided enterprise management expenses approval training.
- T&E: 100% audit on all AA expenses. Periodic review of T&E database for fraud.
- AP: Periodic vendor/employee match exercise. Periodic vendor risk analysis using APEX First Strike.
18. Lessons Learned
Risk Strategies
*Automation of approval or workflow processes
*Policy changes
*Process, personnel changes
*Training
No sure fire way to address each situation. Resource priority is always an issue. Consultant vs. Cop?