A Control Framework for e-invoicing



Similar documents
Nigel Taylor Head of e-invoicing Solutions, EMEA

Code of Practice on Electronic Invoicing in Europe

Code of Practice on Electronic Invoicing in Europe

4.0 Receiving Process

LOST? Follow these signs on the road to e-invoicing.

Making Automated Accounts Payable a Reality

Explanatory notes VAT invoicing rules

SUGGESTED CONTROLS TO MITIGATE THE POTENTIAL RISK (Internal Audit)

Accounts Payable. How to Cut Costs and Improve Invoice Processing Efficiency

Today, the Cisco Enterprise B2B team has created automated and standardized processes in the following areas:

Audit Program for Accounts Payable and Purchases

February 2, 2012 ACCOUNTS PAYABLE BEST PRACTICES

Optimizing Your Accounting Process with Electronic Invoicing. A GXS White Paper for the Active Business

E-Invoicing Supplier Manual

Doing Business with Serco - A Suppliers Guide

How To Validate a Digitally Signed PDF document. [7 th September 2006] SECURITY TRUST COMPLIANCE REGIONALITY

ADDITIONAL TERMS FOR VIRTUAL DATA CENTRE SERVICE SCHEDULE 2N

ORACLE FINANCIALS ACCOUNTING HUB

Audit Evidence. AU Section 326. Introduction. Concept of Audit Evidence AU

Solutions for Accounts Payable Process Optimization

Leverage Your Financial System to Enable Sarbanes-Oxley Compliance: An Evaluator s Guide

Welcome to Metafile. Solving document issues for over 30 years. Matt Akin x 301

Florida A & M University

The Requirements Compliance Matrix columns are defined as follows:

idocuments Solutions Overview Enterprise financial management & workforce solutions June 2015

Process Control Optimisation with SAP

FINANCIAL CONTROLS POLICIES AND PROCEDURES FOR SMALL NONPROFIT ORGANIZATIONS

PROCURE-TO-PAY TRANSFORMATION FOR CFOs. Achieving Control, Visibility & Cost Savings.

Continuous Monitoring: Match Your Business Needs with the Right Technique

BDO Consulting. Segregation of Duties Checklist

Managing your finances with Sage 50 Accounts Professional

Implementing the Scottish Government s einvoicing Solution at West Lothian Council - Case Study

An Introduction to Continuous Controls Monitoring

How Your Accounts Payable Strategy Can Boost ROI ADP Procure-To-Pay Jeff White - Director of Implementations Session #1050

E-invoices. What they are. Different types. Best practices for implementation. R E A D S O F T W H I T E P A P E R

Final. Internal Audit Report. Creditors System

Accounts Payable Automation Benefits

LIANZA Code of Practice - Part Four

The Business Value of e-invoicing

5 Ways Senior Finance Executives are Improving Visibility Across the Procure-to-Pay Cycle

Oracle ERP Cloud Period Close Procedures O R A C L E W H I T E P A P E R J U N E

S24 - Governance, Risk, and Compliance (GRC) Automation Siamak Razmazma

UFI s Auditing Rules January 2015

Invoicing Innovation - Taking Accounts Payable to the Next Level

MHRA GMP Data Integrity Definitions and Guidance for Industry March 2015

Chapter 15: Accounts Payable and Purchases

The New Data Integration Model. The Next Real B2B Integration Opportunity for System Integrators & VARs

AAT Level 2 Diploma in Accounting and Business

POLICY MANUAL. Credit Card Policy (July 2015)

PEOPLESOFT ENTERPRISE esettlements

Internal Control Systems

Procure-to-Pay Best Practices

Accounts Payable. Best Practices: Existing Control: Control Gap: Controls Evaluation and Gap Analysis. Purchasing

The Power of Risk, Compliance & Security Management in SAP S/4HANA

Accounts Payable Automation: Top 9 Reasons to Automate: The Essential Guide to Why Your Business Needs to Automate its Invoice Processing.

The Business Case for Automated Solutions from B2B Payment Providers

purchase to pay at its best providing solutions for hospitality professionals peace of mind

Streamlining Your AP Processes with Electronic Document Management

DOYLESTOWN FAMILY MEDICINE, P.C. IDENTITY THEFT PREVENTION PROGRAM TEMPLATE ADOPTED AND EFFECTIVE: APRIL 15, 2009 UPDATED:

Kofax White Paper. Overcoming Challenges in AP Automation. Executive Summary. Benefits of Accounts Payable Automation

Sarbanes-Oxley Compliance A Checklist for Evaluating Internal Controls

Balancing and Settlement Code BSC PROCEDURE CLEARING, INVOICING AND PAYMENT BSCP301. Version Date: 25 June 2015

WEEK 6. Objective 1: Sales Transaction Cycle Risks

10-1. Auditing Business Process. Objectives Understand the Auditing of the Enteties Business. Process

perspective SOX Controls Driving Transformation of the Order-to-Cash Value Chain - Shyam R Rao

This paper looks at current order-to-pay challenges. ECM for Order-to-Pay. Maximize Operational Excellence

NCOE whitepaper Master Data Deployment and Management in a Global ERP Implementation

AP Automation Checklist

ReconArt for NetSuite

Code of Practice on Electronic Invoicing in the EU

Nordic Practice and Experience on e-invoicing. Erkki Poutiainen 20 November 2007

The Terms of Reference should be completed by the Beneficiary and be agreed with the Auditor

COUNCIL OF THE EUROPEAN UNION. Brussels, 23 June 2010 (OR. en) 10858/10 Interinstitutional File: 2009/0009 (CNS) FISC 60

I. Purpose. Definition. a. Identity Theft - a fraud committed or attempted using the identifying information of another person without authority.

Substantive Tests of Transactions and Balances

Chapter 10 Receiving, Inspection, Acceptance Testing and Acceptance or Rejection

Buried Beneath the AP Paper Crush?

Brazil T&E Management

It all Starts with the Invoice

Automated INVOICE Processing A User s Guide

CLASSIFICATION SPECIFICATION FINANCIAL ANALYST

Kofax White Paper. Overcoming Challenges in Accounts Payable Automation. Executive Summary. Benefits of Accounts Payable Automation

Financial and Commercial Services. Government Purchasing Card (GPC) Procedures

FORUM ON TAX ADMINISTRATION

JD EDWARDS ENTERPRISEONE PROCUREMENT MANAGEMENT

ACCOUNTS PAYABLE AUTOMATION FOR SAP

Requirements set for account holders and representatives of emissions trading accounts

PDF Invoicing. Dispelling the Myths. My suppliers want to send PDF invoices are these the same as electronic invoices?

Financial Accounting. John J. Wild. Sixth Edition. McGraw-Hill/Irwin. Copyright 2013 by The McGraw-Hill Companies, Inc. All rights reserved.

Accounts Payable Automation Benefits

Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained

Leveraging Accounts Payable Automation as a Service

Transcription:

A Control Framework for e-invoicing White Paper by TWIST Dematerialisation of paper invoices and purchase orders may unleash greater efficiencies and cost savings in the order to pay process. Led by Steven Hartjes, senior partner at Ernst & Young, an ad-hoc working group of TWIST delivered a white paper on the control framework for e-invoicing, with the need for an enhanced validation and approval process. Version 1.0 - London, August 2008 Feedback and input on this White Paper are welcomed. Please provide comments to steven.hartjes@nl.ey.com and tom.buschman@twiststandards.org 1

Introduction Today s business processes are to a large extent still paper-based, which results in inefficiencies as paper needs to be forwarded from one employee to the next before it reaches its final destination. Many companies have implemented some form of dematerialisation. In most cases, this is an internal process, whereby paper received is scanned, stored and then follows an electronic workflow. Sometimes, this process is extended to external parties, with companies receiving paper in digital (often PDF) format. The next step (comparable to the few large corporates that have implemented EDIFACT) is real electronic exchange of data so the entire process can be automated, not just within a company but also within its main trading partners, such as suppliers, customers and banks. The increasing use of internet technology and available bandwidth are enabling this next step. The potential downside of dematerialisation is that the human factor in the process is reduced. As long as this relates to irrelevant, duplicate activities such as re-keying data, this is not an issue. However, part of the human factor also relates to validating and approving data. This validation and approval process has to be redesigned to stay in control as a company. The number one driver here is the internal controls of the organisation itself. An additional set of requirements is posed by regulators, especially tax authorities, who define specific rules for allowing dematerialisation. This control framework presents an end-to-end analysis of how to control the purchase to pay process of a company, in which various controls will be linked to the objectives they aim to achieve. High level overview of the sales and purchasing cycle The sales cycle and the related purchasing cycle provide a common reference framework. The customer and the supplier each hold a sub-ledger (purchasing administration and / or sales administration) which contains all the details of each purchase / sales order including all events in its life cycle. These events involve the management of the purchase / sale itself but also inventory management, credit management, delivery of the product or service and the management of payments / collections with involvement of banks. There are many interactions between customers and suppliers with the exchange of multiple messages and documents such as information requests, offers, orders, receipts / delivery notifications, invoices and payments. Each stage in the life of the sales and purchasing cycle is linked to information available from the previous stage, which may indicate inconsistencies that require resolution. This will lead to disputes, which eventually may lead to adjustments such as credit notes. 2

The handling of purchase invoices The EU Directive on Invoicing (2001/115/EC) [the provisions of which are now included in the VAT Directive (2006/112/EC)] applies to all types of invoicing, not just electronic invoicing. As soon as an invoice is received, it is first validated to ensure that the invoice is destined for the organisation that received it and that the vendor is known. When using electronic invoices, the origin and integrity of the data in the invoice will be validated using the digital signature from the vendor, or other means if digital signatures are not used. Invalid invoices will be returned immediately. After the organisation has determined that the invoice is a valid document, it will be recorded and eventually posted to the accounts payable ledger to reflect the gross amount payable. Then the invoice is routed through the approval process in which the invoice data is checked against records of other parts of the purchasing process, for example, the purchase order itself, the receipt of goods or services and any issues that may have already been identified in earlier stages of the process. If existing issues or new issues relating to the invoice itself have been identified, a dispute process will be initiated. Otherwise, the invoice is approved (status change in the purchase records). Depending on system settings, the approved invoice will be selected for payment on the due date. Data on how to make the payment (which bank account and which payment terms to use) will be derived from the vendor master file. As soon as the invoice has been paid, it can be archived. If the entire purchase order (with one or more invoices) has been completed, the purchase order will be archived (with the related set of records for the completed transaction). Control objectives for the purchase to pay process Any organisation will control its purchase to pay process, primarily from a business perspective, but also from a financial reporting perspective in view of corporate governance regulations (such as Sarbanes-Oxley), which exist in many countries. The controls operate on the whole purchase to pay process rather than just on the invoice. The overall control objectives are: All purchases are recorded (completeness) Purchases recorded are correctly recorded (which may be subdivided into delivery of product / service and correctness of that delivery) Purchases recorded are properly valued / priced (valuation) Purchases recorded are properly presented (purchases are classified by the organisation to be capitalised or expensed, including selecting the appropriate reporting line). Completeness of records 3

Completeness of records can only be controlled through the reconciliation of information received from different sources. Initial capture of purchases will be in the purchases subledger, which should reconcile to the company s general ledger to record the liabilities incurred. Indirect information on completeness of records will be received if new events happen which can not be reconciled to earlier events captured (for example, goods are received or invoices are received for which no matching purchase order can be found, which may indicate incomplete capturing of purchase orders or lack of proper reference information or a purchase made without reference to a purchase order). Correctness of purchases The objective that receives most attention in terms of expense recognition as well as deductibility of input VAT on invoices received is whether the products or services purchased have actually been received at the agreed quantity and quality. The existence of a purchase can be divided into various subcomponents: Validity of the supplier Fulfilment of the obligation (goods / services delivered at the agreed quantities and qualities) Validating identity In a paper-based situation, the validity of the supplier will be first determined by reviewing invoices received with respect to supplier details as well as the addressee of the invoice. In an electronic invoicing situation, the objective is to avoid manual interference with invoices received. This means that the validity needs to be checked electronically as well. One solution is to have e-invoices signed with a digital signature. Any invoice that is not properly signed will be rejected. The digital signature not only demonstrates the identity of the invoice issuer, but can also be used to detect and highlight any changes to the content of the invoice subsequent to the digital signature being applied. In a situation with many trading partners operating in different countries, setting up and maintaining an infrastructure for digital signatures can be burdensome as countries have applied different implementations of the generic requirements of regulations such as the EU directives. For example, some EU countries require a personal signature rather than a signature for the organization to authenticate electronic documents. The benefit of requiring personal signatures is clear accountability. This may complicate the maintenance as people tend to change jobs over time. One may question whether the person behind the signature is actually signing the invoices themselves. All too often administrative tasks are delegated to operational staff who sign on behalf of their signatory. Most relevant from a business perspective would be a signature by the function in the organisation rather than an individual person. When using a service provider, they will sign invoices on behalf of the invoice issuer. This will shift the burden to maintain the digital signatures to the service provider. Checking the electronic signature is a first formal step. Another check to verify that invoices have not been technically corrupted unintentionally could be to compare the 4

structured data on an electronic invoice that identify the vendor / invoicer (e.g. name, address, company VAT number) to data that is already stored in the vendor master file. An invoice will be rejected if the data is inconsistent. This could deal with the identity of the issuer situation and can also take care of the on behalf question (if properly included in the data file), but will not address the validity of the invoice content. Fulfilment of the contract. The most significant part in the purchase-to-pay cycle is where the organisation receiving the invoice validates that the goods / services invoiced have actually been received in the proper quantity and quality and that the prices quoted on the invoice agree to the confirmed purchase order. Only if the details of the invoice match the data stored about the purchase order on the quantity and quality received as well as the price quoted (or vary within a small tolerance of the agreed values), will the invoice be approved and released for payment on or around the due date. In most ERP systems, this is known as a three way match (purchase order goods / services receipt invoice). In cases where there is no administrative record of receipts (more likely with services than with goods), a two way match (purchase order to invoice) may apply. Certainly in highly automated, high volume situations, this control can be very effective for automatically approving consistent data flows and highlighting any discrepancies beyond the tolerance defined by the organisation to initiate a dispute. The purchase administration will record through purchase order statuses the point which a purchase order has reached in its life cycle and whether or not any issues have been identified requiring (manual) resolution. From an audit point of view, a follow-up question would be to what extent the expenses recorded make sense in the business context of the organisation. This is an issue that requires judgment and can not be solved by automated electronic validation, but can be supported by analysis of the data. Retrieving invoice details for later verification Each organisation is required by law to store its value documents such as invoices (both copies of sales and original purchase invoices) for inspection and verification at a later date. In an e-invoicing environment, organisations are required to store the original invoice with the digital signature (in an environment where digital signatures are being used) to prove that the invoice has not been tampered with. To verify this, it would be necessary for the invoice content to be reprocessed with the digital certificate. This action by itself will not confirm the details regarding fulfilment of the contract - additional verifications would be required. Another audit procedure would be for the auditor to select invoices for verification from the automated purchase records. These are likely to record the life cycle events of the purchase from purchase order up to the final payment of any invoice related to that purchase order. 5

Control framework for purchase orders Many companies have a considerable number of purchase orders and invoices. Rather than just auditing or validating individual occurrences (such as a single invoice), analysing and monitoring the total mass of purchase orders can be more powerful. Where all the purchase orders and their life cycle events are stored in an electronic archive, analytical tools can be used to monitor the flow of purchase orders through the life cycle as well as the discrepancies identified through the internal controls in the process (any exceptions flagged during the purchasing process and their resolution). A conceptual overview of typical life cycle events for a purchase order and the related accounting entries is set out in Table 1. Table 1. Typical life cycle events for a purchase order Event Debit (D) / Credit (C) Submit purchase order (not all D organisations post this) D Account Against which Event is Booked Goods to receive Receive goods D Inventory C C Services to receive Committed purchases Goods to receive Receive services D Expenses Resolve disputes on receipts Inventory C Disputes on receipts Services to receive Goods to receive Disputes on receipts Receive invoice D Committed purchases C Accounts payable Disputes on invoices Resolve invoice disputes Committed purchases Accounts payable Disputes on invoices Pay invoice D Accounts payable C Bank 6

Each event will relate to a status of the purchase order in the purchasing process. For purchases with issues identified anywhere in the life cycle, at any point in time summarising orders with respect to disputes on receipts (quantity, quality etc.) or disputes on invoices (related to receipt disputes or purely invoice disputes, for example, price differences) will need to reconcile to one of the dispute accounts. The purchasing data should store all statuses considered relevant with time stamps, so that it will be possible to review the life cycle of the entire purchase order with all related receipt events, invoice events and dispute / resolution events. The history of paid invoices should reconcile to the stored original invoice documents. Similarly, the movements and actual balances per status of the purchase order should reconcile to the related general ledger accounts. Risk analysis Organisations set out to implement controls to manage their business operations. The way in which these controls operate may change over time, depending on the degree of automation. Sometimes specific controls are designed in response to new business models. A change of business model has a bigger impact and often causes concern on the implications of the change. This has led in many cases to implementing additional controls that address these concerns. Dematerialisation replacing paper based solutions with electronic ones is a typical example where organisations have to go through a phase of discomfort as they can not deploy visual controls and have to implement alternatives. Assuming that the alternatives are properly designed and highly automated (as in the case of digital signatures), this may not be too disruptive and costly. The risk analysis below demonstrates what the key risks are not in terms of missing controls, but in terms of not meeting objectives. The next step is to identify how these risks can be mitigated by controls. Risk: Committed obligations not complete Controls: Reconcile purchase orders to external information / confirmation Alerts by the purchasing process of discrepancies between lifecycle events (for example: goods / services received for which no purchase order can be found) Monitor the development of liabilities through analysis of the purchasing flows Risk: Purchases recorded are not correct. 7

Table 2: Controls for mitigating dematerialisation risks Primary control Supporting control When creating a purchase order, verify existence of vendors / suppliers and products / services involved to master data On receipt of electronic invoice, validate the digital signature of the sender to ensure authenticity Compare static data on invoice (vendorname / address, vendor VAT number) to master data stored Compare products on invoice to master data Compare goods received to purchase order, highlight and resolve discrepancies Compare invoices received to purchase order (including status of receipt of goods / services), signal and resolve discrepancies Ensure that invoices submitted for payment can not be submitted again (no double payment) Ensure payment to correct counterparty by using critical data (e.g. bank account number) from master data files Monitor expense types in relation to budgets Monitor the processing of purchase orders Monitor number and percentage of exceptions encountered in the purchasing cycle and nature of resolution Static data maintenance, supported by access control Maintain digital signature infrastructure (in an environment where digital signatures are used) Static data maintenance Static data maintenance Implement and parameterise (two or) three way match, access control for authorised issue resolution Implement and parameterise (two or) three way match, access control for authorised issue resolution Implement and parameterise application control Static data maintenance, supported by access control Tailored reports Tailored reports Tailored reports Static data maintenance The nature of static data is that these are recorded only once and reused in future business events. Typical examples are supplier and vendor master files, in which names, addresses, bank account numbers etc. are stored. Of course, even static data is subject to change over time. A clear process is required in terms of who is allowed to update static data (more likely the purchase or sales departments having the primary contact, 8

and not the accounts payable / accounts receivable departments who deal with the transaction flows). Changes to static data should be subject to review / authorisation. If static data contain errors, they will have an impact on many transactions, so the data recorded must be accurate. Maintain digital signature infrastructure Some EU member states require digital signature certificates that are accepted by the relevant authorities. Other member states accept a self issued advanced signature. A company or person that wants to use a digital signature needs to demonstrate its identity and comply with regulations by providing certain information to obtain a digital certificate. Nowadays, the process for obtaining / maintaining digital certificates is largely inefficient, requiring paper work and physical travel. From a control point of view, two important criteria need to be met before issuing a digital certificate: all the data required need to be provided and checked with information from independent sources (such as public registers and Chambers of Commerce) the identity of the person obtaining the certificate needs to be determined by an independent organisation which registers the identity document details (for example, passport or driver s licence number). The first process could be automated to a large extent as public institutions also have electronic infrastructures. The identity verification process requires physical interaction. The current practice whereby countries require physical presence at a domestic location is a considerable and unnecessary burden. As an implementation of the digital signature requirement, permitting the use of publicly trusted parties such as banks or postal services to perform these identity checks and make the results available to the certificate authority is suggested. Digital certificates require periodic renewal to ensure that the data is still valid (certainly for persons representing companies as they move to other positions inside the same company or elsewhere). In some countries, digital certificates expire after a certain period of time. Changes to the certificate then need to be communicated to business partners so they can validate transactions that have been signed using signatures based on the changed certificate. Parameters for matching process During the implementation of an ERP solution, choices have to be made with respect to parameters. With respect to matching, it is relevant to identify which elements should be included in the matching process and which tolerances will be set within which variances can be treated as though they have matched exactly (often expressed as a percentage of purchase/sales value and maximum monetary amount of discrepancy). Only discrepancies which exceed the parameterised thresholds will be subject to a manual review process. 9

Conclusions Purchase and sales processes have existed for many years. These processes are well developed, supported by software (such as ERP solutions) and well controlled. The dematerialisation of these processes (replacing paper by electronic documents) however is still in its early stages. Where at first the technology was a constraint (bandwidth of networks), today the main constraints are reluctance to change existing processes (impact on staff levels and ways of doing things) and regulatory constraints as authorities often have specific requirements for accepting the use of electronic documents. The fact that different countries have created different requirements for the same purpose (for example, in terms of digital signatures and obtaining and maintaining digital certificates) has to date impeded the further uptake of e-invoicing. The starting point should be that sound business controls are applied by a company that wants to use e-invoicing. Many of these controls already exist today and are not specific to the use of e-invoicing. From an audit perspective, the possibility to obtain, analyse and compare data from various stages of the process life cycle, which have often been subject to controls implemented within ERP systems, as well as images of electronic documents provide sufficient information to conclude upon the correctness of the business transactions recorded. These ambitions should also be achievable for medium sized as well as several smaller companies. At the start of e-invoicing, specific requirements have been created to ensure that data can not be corrupted (unintentionally or intentionally) during transport and storage. Although the use of digital signatures may be useful to companies that process large volumes of data and thus allow for automatic validation very early in the process, for smaller companies (certainly those operating in multiple countries) the burden of maintaining the digital certificates may well exceed the potential benefits in the current environment. The process for obtaining a digital certificate should ideally consist of a combination of an electronic application procedure using digital information from trusted sources such as public registers and an identity verification performed by trusted parties such as banks or postal offices that register the identity check to alleviate the administrative burden. This would require that in the EU the regulators (EU and member states) support such a best practice as an implementation of their requirements (Einvoicing Directive, Digital Signature Directive). 10

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information