Anti-Fraud Management Example In Accounts Payable. Michael Heckner October 12, 2012

Transcription

1 Anti-Fraud Management Example In Accounts Payable Michael Heckner October 12, 2012

2 GRC Top Reasons Customers Invest Today Business Process Improvements Systematic, reliable processes Improve predictability and performance Avoid Negative Business Issues Prevent irregularities such as fraud Prevent human errors Avoid financial losses Avoid damage to reputation Compliance Comply with governmental regulations and legislation Comply with industry regulations Comply with internal company policies 2011 SAP AG. All rights reserved. 2

3 Economic Crime and Errors What Is the Damage Caused by Fraud and Errors? Economic Crime Average fraud loss: 5% of annual revenue One-fourth of the frauds caused at least $1 million in losses ( 2010 Report to the Nation, 2010 by the Association of Certified Fraud Examiners, Inc.) 46% of organizations with employees reported suffering at least one significant economic crime in the past 12 months. In addition to direct financial impact there is indirect or collateral damage incl. employee morale, business relations, reputation/brand, relations with regulators, share price, etc. (PwC Global Economic Crime Survey Nov 2009) 40% believe there is a greater risk of fraud in the current economy. Staff reductions resulting in fewer resources deployed on internal controls. (PwC Global Economic Crime Survey Nov 2009) Employee Errors More frequent than crime? Insufficient controls can result in: Procurement Errors Overpayments to Vendors Excessive Rebates to Customers Changes to Payment Terms Accidental Leakage of Intellectual Property Etc. Nearly impossible to track the total financial impact of employee errors Estimates are hard to get Grey zone of criminal behavior High number of unreported cases 2011 SAP AG. All rights reserved. 3

4 Overview SAP GRC Top-down and bottom-up risk management/ compliance SAP GRC Risk Management Policy Management SAP GRC Process Control Company Wide Procure to Pay Order to Cash IT (General) SAP GRC Access Control Internal Audit Management 2011 SAP AG. All rights reserved. 4

5

6 Enterprise Risk Management Business Risks Cause Majority of Losses Head of Risk Management 87% of risks are not financial Operational Hurricane Katrina Data center outage Delivery risk Blast furnace cold run ERP application crash Plant disaster causing production stoppage Environmental/Health West Nile Virus Safety crisis Compliance with environmental standards Food sanitary management problem Climate change Environment pollution Financial Currency exchange rates Interest issue and increasing reserves Accuracy of realistic balance sheet reporting Ability to manage cash Non-transparent markets Economic recession Energy and commodity costs Legal & Compliance Fraud Product liability claims Missed time line for legal changes Embezzlement of parts Safety of goods or products Material risk events encountered in the past three years (for enterprises over US$5 billion in revenue) Strategic Industry consolidation and globalization Error-filled release of software upgrade Change in core product demand Cancellation of major customer contracts Performance standards and service quality Political/Geopolitical Change of government and minority governments Grants and budget changes Constant change of ministers Federal Accountability Act Terrorism Source: IBM Global Business Services, The Global CFO Study SAP AG. All rights reserved. 6

7 Examples of Enterprise Risks (Transportation Industry) Examples of Enterprise Risks Strategic Risks Financial Risks Operational Risks Compliance Risks Freight Rates Liquidity Major Safety Incidents Oil & Gas Prices Credit Risk Major Environ. Incidents Political Risks Foreign Exchange War, terrorism or piracy attack Information Risk Procedures and Human Rights (OECD Standards) Tax Anti-corruption, competition and export control Insurance (Self-Insurance) 2011 SAP AG. All rights reserved. 7

8 Examples of Enterprise Risks Governance Strategy and Planning Operations Compliance Reporting Corp. Governance Ethics Corp. Responsab./ Sustainab. External Factors Planning Strategy Corp. Assets Finance Human Resources Information Technology Legal Product Development Sales, Marketing & Communic. Supply Chain Compliance Reporting Board Effectiveness / Knowledge Management Addressing Allegations Biodiversity Competition Business Continuity Management (BCM) Alliances Facilities and Equipment Accounting Corporate Culture Architecture Bankruptcy Discontinuance and Divestiture Branding and Reputation Planning Communication and Training Compliance with Accounting Standards and Policies Board Structure and Leadership Communication Climate Change Credit Rating Capital Planning Business Concentration Intangible Assets Audit Quality Health and Welfare Benefits Asset Management Competition Innovation, Research and Development Communication Sourcing Compliance Culture Financial Disclosures Compensation / Performance Incentives / Alignment Corrective Actions and Discipline Community Investment Customer Demands Knowledge Management Business Model Personal Safety Capital Management Human Resources Policies and Procedures Business Continuity Management (BCM) Contract Management Launch Customer Relations / Customer Support Production Compliance Information Management Financial Information Availability Corporate Responsibility & Sustainability Ethical Culture / Tone at the Top Energy Management and Alternative Sourcing Economic Conditions / Industry Trends Operational Planning Customers Physical Security Credit Implications of Significant Events Change Management Corporate Investigations Liability Distribution Delivery Compliance Organization Financial Statement Fraud Reputation / Shareholder Relations Ethics Reporting Fair Trade Certification External Fraud Performance Management Extended Enterprise Process Management Financial Asset Management Labor Relations Contracting and Outsourcing Environmental, Health and Safety Product Design / Quality E-Commerce / Internet Strategy Returns Compliance Reporting Management Reporting Risk Oversight Investigation Natural Resource Utilization and Accounting Geopolitical Scenario Planning Growth Taxation Insurance and Hedging Organization Structure Information Security Finance and Accounting Production Investor Relations and Monitoring Regulatory Reporting Transparency & Financial Integrity Monitoring and Auditing Philanthropy Hazards / Catastrophic Loss Innovation Utilization Liquidity Payroll Operations Government Investigations Substitution Marketing Programs Policies and Procedures Reporting Quality Policies and Procedures Project Financing Laws and Regulations Markets Pensions Performance / Talent Management and Compensation Physical and Environmental Intellectual Property Technology Obsolescence Market Research Risk Assessment Statutory Reporting Program Assessment and Evaluation Resource Scarcity Markets Mergers / Acquisitions / Divestitures Planning / Budgeting / Forecasting Retirement Programs Privacy and Data Protection Labor and Employment Issues Testing Marketing Strategy Supervision Sustainability Reporting Structure and Oversight Sustainability Strategy Third Party / Joint Venture Requirements Outsourcing Taxation Talent Pipeline / Recruitment Problem Management Legal and Regulatory Compliance Timing Public Relations Tax Reporting Training Sustainable Water Quality Policy Training and Development Project Management Legal Entity Planning Sales Strategy Waste Reduction and Closed Loop Production Pricing Records Management Litigation and Dispute Resolution Technology Technology Licensing Privacy and Security Laws Vision, Mission, and Values Records Information Management 2011 SAP AG. All rights reserved. Source: Deloitte Risk Intelligence Map,

9 SAP Risk Management Heatmap Fraudulent AP activities 2011 SAP AG. All rights reserved. 9

10 Risk Fraudulent Accounts Payable Chief Security Officer / IT Prevent Accounts Payable risk (errors and fraud) 2011 SAP AG. All rights reserved. 10

11 Risk Fraudulent Accounts Payable Chief Security Officer / IT Prevent Accounts Payable risk (errors and fraud) 1 st Risk Driver: Lack of SoD 2011 SAP AG. All rights reserved. 11

12 Risk Fraudulent Accounts Payable Chief Security Officer / IT Prevent Accounts Payable risk (errors and fraud) (resulting from lack of SoD) 1 st First Driver: Lack of SoD 2011 SAP AG. All rights reserved. 12

13 Risk Fraudulent Accounts Payable Chief Security Officer / IT Prevent Accounts Payable errors and fraud (resulting from lack of SoD) Access Control 2011 SAP AG. All rights reserved. 13

14 Risk Fraudulent Accounts Payable Head of Internal Head of Compliance Chief Security Officer / IT Question: Prevent Are Accounts SoD violations Payable the only errors risk to and the fraud Accounts (resulting Payable from lack Process??? of SoD) IT General Control 1: Access Control 2011 SAP AG. All rights reserved. 14

15 Risk Fraudulent Accounts Payable Head of Internal Audit,, Compliance Chief Security Officer / IT Example: What about abuse of one time vendor accounts??? Process-Level Control 1: Accounts Payable IT General Control 1: Access Control 2011 SAP AG. All rights reserved. 15

16 Risk Fraudulent Accounts Payable Head of Internal Audit,, Compliance Chief Security Officer / IT Payments Example: What about abuse of one time vendor accounts??? Date Vendor Amount ABC Chemicals 1, Anonymous1 1, Northstar Energy Anonymous1 10, Hardware Central 23,618.- Process-Level Control 1: Accounts Payable IT General Control 1: Access Control 2011 SAP AG. All rights reserved. 16

17 Risk Fraudulent Accounts Payable Head of Internal Audit,, Compliance Chief Security Officer / IT Example: What about other process level risks in Accounts Payable??? Process-Level Control 1: Accounts Payable Process-Level Control n: Accounts Payable IT General Control 1: Access Control 2011 SAP AG. All rights reserved. 17

18 Risk Fraudulent Accounts Payable Head of Internal Audit,, Compliance Chief Security Officer / IT Business Necessity: Process and Access Level to protect AP process Process-Level 1-n: Accounts Payable IT General Control 1: Access Control 2011 SAP AG. All rights reserved. 18

19 Other Risks? In Other Processes? At the IT-Level? Head of Internal Audit,, Compliance Chief Security Officer / IT What about other processes and their controls? Process 1: Procure to Pay Process n: Order to Cash IT General Control 1: Access Control IT General Control n: 2011 SAP AG. All rights reserved. 19

20 Other Risks? In Other Processes? At the IT-Level? Head of Internal Audit,, Compliance Chief Security Officer / IT Group/Entity: Company Wide Group/Entity: Company Wide Process 1: Procure to Pay Process n: Order to Cash IT General Control 1: Access Control IT Control n: (IT General) 2011 SAP AG. All rights reserved. 20

21 SAP Process Control Control at all levels Head of Internal Audit,, Compliance Chief Security Officer / IT SAP Process Control Group/Entity: Company Wide Group/Entity: Company Wide Process 1: Procure to Pay Process n: Order to Cash IT General Control 1: Access Control IT Control n: (IT General) 2011 SAP AG. All rights reserved. 21

22 Risk-based Approach to Internal Head of Risk Management Head of Internal Audit,, Compliance Chief Security Officer / IT SAP Risk Management SAP Process Control Group/Entity: Company Wide Group/Entity: Company Wide Process 1: Procure to Pay Process n: Order to Cash IT General Control 1: Access Control IT Control n: (IT General) 2011 SAP AG. All rights reserved. 22

23 Continuous Monitoring Example Accounts Payable Manager - Dashboard 2011 SAP AG. All rights reserved. 23

24 Continuous Monitoring Example Accounts Payable Manager: Issues Report 2011 SAP AG. All rights reserved. 24

25 Continuous Monitoring Example Drill-Down into One-Time Vendor Issue 2011 SAP AG. All rights reserved. 25

26 Continuous Monitoring Example Accounts Payable Manager: Issues Report 2011 SAP AG. All rights reserved. 26

27 Continuous Monitoring Example Drill down into Segregation of Duties Issue 2011 SAP AG. All rights reserved. 27

28 Achieving Higher Confidence # controls Manual time Today 2011 SAP AG. All rights reserved. 28

29 Achieving Higher Confidence Lower Cost # controls Cost Reduction Less Manual Labor Less Pushback from the Business Lower Cost of Preparing for an Audit Manual Automated Manual time Today Maturity Level SAP AG. All rights reserved. 29

30 Achieving Higher Confidence Lower Cost and Business Process Improvement # controls Cost Reduction and Process Improvement Less Manual Labor Less Pushback from the Business Lower Cost of Preparing for an Audit More controls More granularity Higher frequency of checks Consistency Automated Manual Automated Manual Manual time Today Maturity Level 1 Maturity Level SAP AG. All rights reserved. 30

31 Achieving Higher Confidence Lower Cost and Business Process Improvement # Cost Reduction and Process Improvement Automated Assurance Manual Automated Manual Manual Cost Time Today Maturity Level 1 Maturity Level SAP AG. All rights reserved. 31

32 Managing Risk and Compliance SAP GRC Solutions CEO / CFO Managing Risk and Compliance ensures all categories of risk across the organization are aggregated at the enterprise level and managed holistically Head of Risk Management Head of Compliance/ / Internal Audit Head of Internal Audit/ Chief Security Officer Head of Internal Audit Enterprise Risk Management Risk-Based Internal Access Management Audit Management Risk Planning SAP GRC Solution Risk Risk SAP Identification Analysis Risk Response SAP Risk Mgmt Risk Monitoring Document Compliance Process Initiatives Control Plan and Perform Assessments and Tests SAP Remediate Issues and Certify Results Access Planning Control Access Analysis & Response SAP Access Monitoring NetWeaver Planning Audit Mgmt Manage Audit Engagements Remediation 2011 SAP AG. All rights reserved. 32

33 Questions? Michael Heckner Sr. Director, EMEA Solutions Business Development Phone +49 (170) Michael. sap. com SAP AG. All rights reserved. 33

34 Thank You! Contact information: Michel Heckner Sr. Director, EMEA Solution Business Development (GRC) Zeppelinstrasse Hallbergmoos/München