Process Control Optimisation with SAP




The procure-to-pay cycle, which includes all activities from the procurement of goods and services to receiving invoices and paying vendors, is a basic business process. It also presents significant risks if all aspects are not managed effectively and monitored continuously. Organisations that do not have optimal control over, and visibility into, their procure-to-pay business cycle can face late fees, missed discounts, wasted time and loss of assets as well as noncompliance issues due to inaccuracies or overlooked incidents of fraudulent activity.

Following are the three major phases of the procure-to-pay business cycle and some common risks organisations face in each area due to a lack of effective controls and visibility:

- Supplier management (vendor master file): duplicate and unauthorised vendors, unauthorised access to the vendor master file, and incorrect 1099 reporting
- Purchasing: unauthorised purchases, inaccurate purchase order processing, and unauthorised returns, adjustments and allowances
- Accounts payable: incomplete or inaccurate payment information, duplicate payments, liabilities and disbursements not recorded completely, and invoices that do not represent goods and services actually received

One key reason organisations have difficulty managing and monitoring their procure-to-pay process effectively is an overreliance on manual controls, which are prone to errors and can be easily changed or circumvented. To make better use of automated controls and optimise their overall control environment, more organisations are choosing to improve their knowledge of the functionality within their enterprise resource planning (ERP) solutions, such as the SAP ERP Central Component (ECC) 6.0. Companies are realising significant cost and resource savings by optimising their ECC configuration and deploying governance, risk and compliance (GRC) solutions like SAP BusinessObjects GRC.

SAP's GRC solution performs critical monitoring of major business processes on a continuous basis. Configurable and customised controls can be easily implemented and maintained in the procure-to-pay cycle so that inaccuracies and inconsistencies, as well as potential incidents of fraud and noncompliance, can be identified and addressed quickly. However, despite the availability of tools like SAP BusinessObjects GRC, many organisations fail to take full advantage of the procure-to-pay control options available in their SAP environment, primarily because they are not aware of SAP ECC 6.0's standard control functionality.

By implementing and maintaining optimised controls within SAP, and using the right mix of both automated and manual controls to ensure all gaps in the procure-to-pay process are closed, organisations can reduce the risk of fraudulent activity (both through prevention and detection), ensure compliance with Sarbanes-Oxley, and generate significant cost savings.

The ideal control environment for managing risks effectively in the procure-to-pay cycle should include the following six areas:

- Configurable controls: these controls are designed to maintain the integrity of master data, such as information in the vendor master file
- Manual controls: these controls include approvals by authorised individuals (SAP automated workflow also can be set up for approvals)
- General IT controls: the computing controls and IT notifications process that reduce the risk of unauthorised changes to SAP systems
- Detective reports: SAP, for example, has many standard detective reports that do not need to be customised to be used as control reports
- Security: this includes clearly defining access rights and segregation of duties rules
- Policies and procedures: the rules that dictate how the organisation controls, within its purchase cycle, which vendors will be used, what their limits are, and which people in the organisation have the authority to approve invoices and purchase orders

There are many problems common to organisations that do not have optimised control of their procure-to-pay business cycle. The following are examples typically experienced in the supplier management, purchasing and accounts payable processes.

Supplier Management

For many businesses, especially large national or global companies working with a wide range of suppliers, the vendor master file can grow exponentially very quickly. This makes master data associated with the procure-to-pay process difficult to maintain efficiently, leaving the organisation more susceptible to the risk of financial leakage and fraud.

Here is one example of what can happen when the supplier management process is not optimally controlled: Protiviti's GRC and SAP experts recently examined the vendor master file of a large organisation and discovered it had listings for more than 28,000 active suppliers, but 63 percent (or more than 17,700) had not had invoice or payment activity in longer than three years. Additionally, more than 1,700 vendors appeared to be duplicates, and more than 1,500 had invalid or incomplete information recorded in the vendor master file.

It is not unusual to find a number of suppliers in the vendor master file that have not been used recently, have not been marked for deletion, or have not been designated as blocked so that no further invoices related to those specific vendors can be processed. To ensure greater accuracy in this critical aspect of the procure-to-pay process, organisations should clean house in their vendor master file and apply more control over how their vendors are being set up in the system and how they are being utilised.

Purchasing

The purchase order process is one area that many businesses are working hard to optimise with better controls. Often, companies already have established a solid purchase order process and implemented strong controls within SAP or another ERP system, and are successfully using the three-way match (invoice, receipt, purchase order) to approve invoices automatically for payment. However, it is common to find that even the most organised and proactive businesses are not taking full advantage of the control optimisation settings available in their SAP environment.

One typical issue that can arise around the purchase order process (even in well-controlled environments) is the invoice date appearing before the purchase order date in the system. This usually occurs when an invoice is received before the purchase order is set up, making the critical three-way match more of a formality than a control. Inadequate training and lack of compliance with the process are often root causes. There also could be a significant delay occurring between the time when the receipt is received and when it is processed against the purchase order in the system.

Other problems in the procure-to-pay process commonly seen across organisations in relation to purchase order processing include the following:

- a significant delay occurring between the time when the receipt is received and when it is processed against the purchase order in the system;
- a lack of compliance regarding what purchases require a purchase order; and
- a lack of review of aged open purchase orders.

These issues can occur when procedures to issue purchase orders in a timely manner are inconsistent, proper approvals and controls for assigning purchase orders do not exist, and management support is absent.

Accounts Payable

In the past two years, many companies have been working to optimise their working capital. Some of these efforts have been motivated by recent economic conditions, while other businesses simply want to make a more concerted effort toward managing their working capital more efficiently. One way an SAP ERP system and effective GRC tools can support this type of initiative is by ensuring the terms of contracts that have been negotiated are captured in the procure-to-pay system, and that these terms cannot be overridden by unauthorised parties.

Close examination of the accounts payable process often reveals that contract terms negotiated with a vendor do not appear on the purchase order or do not flow through to the invoice. This can happen when information from a vendor contract or other relevant communication has not been entered into the vendor master file. And if appropriate controls are not set up around the ability to override at the invoice and purchase order level, the terms negotiated with a vendor can easily be changed, which means potential abuse may go undetected. Organisations should reinforce payment terms through ongoing training and compliance activities, as well as increased collaboration between procurement and accounts payable teams.

The above are just some examples of common issues that can occur in an environment where controls have not been optimised and there is an overreliance on manual processes. Following are examples of how control optimisation with GRC tools, such as SAP BusinessObjects GRC, can help organisations mitigate risks throughout the procure-to-pay process.

Risk Area: Vendor Maintenance

Duplicate vendor listings are not just an annoyance; they also present serious risk. If the same vendor appears in the system twice, there is the potential for duplicate payments. Additionally, if purchases are not associated with the correct vendor, the organisation may miss national volume discounts that have been arranged with that supplier.

To eliminate the risk of duplicate vendors, businesses should establish strong controls around vendor request and approval processes. This includes ensuring that only an authorised person (or persons) who does not process purchase orders or invoice payments can update the vendor master file with new vendors or change data related to an existing vendor, such as updated contract terms.

There are common optimisation opportunities within these different steps that organisations can utilise. These include the centralised vendor maintenance function (this may not be possible for some organisations, such as smaller businesses that do not have a centralised function for vendor maintenance), mandatory fields for vendor master, master data integrity checks, and correct settings for duplicate checks (see Figure 1).

Figure 1: Examples of SAP controls that can be used to optimise the procure-to-pay process and help minimise the risk of errors and fraud.

One example of an SAP control that helps businesses to achieve these optimisation opportunities in the SAP ECC 6.0 and ECC 5.0 environments is the configuration of vendor master mandatory fields. This control helps ensure that purchases and purchase orders are complete, and that during invoice processing, essential documents used for verification can be compared fully. Without implementing this control, an organisation can experience a breakdown in both areas. And there is an additional benefit to having the same fields populated consistently: It assists with other controls, such as the automated duplicate vendor check.
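How consistently populated mandatory fields and the choice of checked fields affect a duplicate vendor check, as an added example (not from the white paper and not SAP code). It is a simplified model that assumes a warning is raised only when every checked field matches; the field names and vendor records are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed vendor master records; field names are hypothetical.
VENDORS = [
    {"id": "V1001", "name": "Acme Industrial Ltd", "city": "Leeds",
     "postcode": "LS1 4AP", "tax_id": "GB123456789"},
    {"id": "V1002", "name": "ACME Industrial Ltd.", "city": "leeds",
     "postcode": "LS1 4AP", "tax_id": ""},             # mandatory field left blank
    {"id": "V1003", "name": "Northway Logistics", "city": "Hull",
     "postcode": "HU1 1AA", "tax_id": "GB222333444"},
    {"id": "V1004", "name": "Northway Logistics", "city": "Hull",
     "postcode": "HU1 2BB", "tax_id": "GB222333444"},  # postcode keyed differently
    {"id": "V1005", "name": "Brightside Catering", "city": "York",
     "postcode": "YO1 7HH", "tax_id": "GB555666777"},
    {"id": "V1006", "name": "Brightside Catering", "city": "York",
     "postcode": "YO1 7HH", "tax_id": "GB555666777"},
]


def normalise(value):
    """Casefold and drop punctuation/whitespace so 'ACME Ltd.' equals 'Acme Ltd'."""
    return re.sub(r"[^a-z0-9]", "", value.casefold())


def missing_mandatory(vendors, mandatory_fields):
    """Map vendor id -> mandatory fields that are blank in that record."""
    gaps = {}
    for vendor in vendors:
        blank = [f for f in mandatory_fields if not normalise(vendor.get(f, ""))]
        if blank:
            gaps[vendor["id"]] = blank
    return gaps


def duplicate_warnings(vendors, check_fields):
    """Group vendors whose values match on EVERY checked field.

    A record with a blank checked field cannot be compared, so it is
    skipped and never produces a warning (assumption of this model).
    """
    groups = defaultdict(list)
    for vendor in vendors:
        key = tuple(normalise(vendor.get(f, "")) for f in check_fields)
        if all(key):
            groups[key].append(vendor["id"])
    return sorted(tuple(ids) for ids in groups.values() if len(ids) > 1)


if __name__ == "__main__":
    field_sets = [
        ("name", "city"),
        ("name", "city", "postcode"),
        ("name", "city", "postcode", "tax_id"),
    ]
    for fields in field_sets:
        hits = duplicate_warnings(VENDORS, fields)
        print(f"{len(fields)} checked fields -> {len(hits)} warnings: {hits}")
    print("blank mandatory fields:", missing_mandatory(VENDORS, field_sets[-1]))
```

Each field added to the check removes a warning for a pair that is still the same supplier, and the blank tax_id on V1002 hides a duplicate that reappears once the field is populated.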

Another SAP control is the dual authorisation for sensitive fields, which protects extremely sensitive vendor master data fields, such as bank account information. The dual authorisation requirement can help minimise risk of fraud. For instance, organisations can avoid the possibility of having an insider change a vendor's bank account number to that of their own account in order to collect illegitimate payments from the business.

Duplicate vendor check fields help companies quickly identify duplicate vendors in the vendor master file, which allows them to minimise spend, realise discounts and avoid fraudulent activity. One way that companies work against themselves in this area, however, is to add too many fields in the duplicate vendor check. They assume adding more fields can help identify more duplicate vendor listings. But the more fields an organisation indicates it would like to have match in the system, the fewer warning messages appear; this is because all checked fields must match 100 percent in order to generate a warning. Protiviti works with businesses to help configure a good balance of checked fields so that just the right number of warning messages is generated: enough to prevent duplicate vendors, but not so many that the ERP system gets bogged down.

An additional note: Although more businesses have become diligent about setting up duplicate vendor checks in their SAP environment, they often do not realise the full benefit of these controls because they fail to turn on the warning or error message configuration.

Risk Area: Purchase Order and Invoice Processing

Within the purchase order and invoice processing cycle, there are three main areas where SAP can help organisations achieve better automation:

- Match the purchase order to the goods receipt: This feature allows organisations to make sure they do not accept receipts for goods that they did not order.
- Match goods receipt quantity to invoice: The business can ensure it is not paying for goods that have not been received.
- Automatically approve invoice for payment: If a three-way match (purchase order, goods receipt and invoice) is confirmed, the system will automatically issue a payment to the vendor, saving time and avoiding human error or fraud.

Optimised Purchase Order and Invoice Processing Controls

SAP also provides the ability to set tolerances for the processing of invoices that relate to a particular purchase order. Tolerances are designed to help streamline the procure-to-pay process and minimise the number of inaccurate disbursements while reducing the number of blocked payments due to unmatched invoices.

In many cases, there may be a valid reason for differentiation in purchase price between the original purchase order and the invoice. Instead of blocking the payment outright, within SAP, the organisation can choose to accept allowable tolerances of price differences to streamline the payment process and prevent any manual investigation, which can be both time- and resource-intensive. So if a price difference falls into the acceptable tolerance range and is within the organisation's risk appetite, the payment can be made on that invoice.

Another tolerance check is the quantity differences between a purchase order or invoice and a goods receipt. These tolerances help ensure that the company cannot receive something it did not order or does not pay for something it did not receive. The item amount check determines whether SAP blocks invoice items when their value exceeds a predefined amount in the system. For example, if the business has ordered 100 items, but has only received 99, payment can still be approved. But if the organisation receives 101 items, this quantity may exceed set tolerances and the payment will be blocked.

Within a three-way match in the procure-to-pay process, there are up to 15 SAP settings that can be configured and customised, depending on an organisation's various payment and purchase order scenarios.

The results of control optimisation in the procure-to-pay cycle are the use of more automated processes, a reduction in the risk of human error and fraud, and the realisation of the full ERP functionality purchased with SAP. Within SAP, which is a complete ERP system, there are configurable controls available for a wide range of major business processes beyond the procure-to-pay cycle. Protiviti has a listing of more than 400 configurable controls that can be utilised within all the various processes that are depicted in Figure 2 below.

Figure 2: Standard SAP ECC 6.0 functionality provides hundreds of configuration settings that can be automated and optimised for operational and financial reporting processes.
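The three-way match, the price and quantity tolerances, and the invoice-dated-before-purchase-order issue described earlier, combined into one detective check as an added example (not from the white paper, and not SAP configuration or code). The field names, reason codes, tolerance percentages and sample lines are constructed; it models the checks in simplified form, not SAP's own tolerance settings.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from typing import Optional


@dataclass(frozen=True)
class Tolerance:
    # Hypothetical percentages; real values follow the organisation's risk appetite.
    over_receipt_pct: Decimal = Decimal("0")   # goods received above PO quantity
    over_invoice_pct: Decimal = Decimal("0")   # quantity invoiced above quantity received
    price_pct: Decimal = Decimal("1")          # invoice unit price vs PO unit price


@dataclass(frozen=True)
class InvoiceLine:
    ref: str
    po_date: Optional[date]   # None when no purchase order exists
    po_qty: int
    po_price: Decimal
    gr_qty: int               # quantity on the goods receipt
    inv_date: date
    inv_qty: int
    inv_price: Decimal


def block_reasons(line, tol):
    """Return why a line must be held for review; an empty list means auto-approve."""
    if line.po_date is None:
        return ["NO_PURCHASE_ORDER"]
    reasons = []
    # An invoice dated before its PO means the PO was raised after the fact.
    if line.inv_date < line.po_date:
        reasons.append("INVOICE_BEFORE_PO")
    # Received more than was ordered (beyond tolerance).
    if line.gr_qty * 100 > line.po_qty * (100 + tol.over_receipt_pct):
        reasons.append("RECEIPT_OVER_PO")
    # Billed for more than was received (beyond tolerance).
    if line.inv_qty * 100 > line.gr_qty * (100 + tol.over_invoice_pct):
        reasons.append("INVOICED_NOT_RECEIVED")
    # Unit price differs from the PO price by more than the tolerance.
    if abs(line.inv_price - line.po_price) * 100 > line.po_price * tol.price_pct:
        reasons.append("PRICE_VARIANCE")
    return reasons


def review(lines, tol=Tolerance()):
    """Map each invoice reference to its list of block reasons."""
    return {line.ref: block_reasons(line, tol) for line in lines}


# Constructed sample data: a clean line, then one deviation per invoice.
_BASE = dict(po_date=date(2011, 3, 1), po_qty=100, po_price=Decimal("10.00"),
             gr_qty=100, inv_date=date(2011, 3, 10), inv_qty=100,
             inv_price=Decimal("10.00"))


def _line(ref, **changes):
    return InvoiceLine(ref=ref, **{**_BASE, **changes})


LINES = [
    _line("INV-001", gr_qty=99, inv_qty=99, inv_price=Decimal("10.05")),
    _line("INV-002", gr_qty=101, inv_qty=101),      # 101 received against 100 ordered
    _line("INV-003", po_date=date(2011, 3, 15)),    # PO created after the invoice
    _line("INV-004", gr_qty=60),                    # billed 100, received 60
    _line("INV-005", inv_price=Decimal("10.30")),   # 3 percent above PO price
    _line("INV-006", po_date=None),                 # purchase made without a PO
]

if __name__ == "__main__":
    for ref, reasons in review(LINES).items():
        print(ref, "AUTO-APPROVE" if not reasons else "BLOCK " + ", ".join(reasons))
```

Widening price_pct to 5 releases INV-005 without review, which is why the tolerance values themselves belong under change control and monitoring.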

Once Protiviti has helped an organisation configure its controls and optimise its environment, SAP can provide additional solutions, such as its SAP BusinessObjects Process Controls, that will help monitor the health of the configurations designed and set during implementation and make sure they do not change without proper authorisation. Continuous monitoring with SAP GRC Process Control streamlines a company's ongoing Sarbanes-Oxley compliance efforts.

How Companies Have Optimised Their SAP Environment

The life cycle of an SAP control optimisation project includes three phases:

- Analyse: The organisation evaluates the current state of its SAP environment to identify and understand any vulnerabilities and weaknesses.
- Standardise and Automate: Weaknesses are prioritised and gaps are closed with automated processes (in some cases, manual processes may also be implemented).
- Monitor: Once the environment has been optimised, continuous monitoring is enabled. This is where SAP BusinessObjects GRC solutions can help the organisation maintain the optimised control environment it has designed.

Case Study: SAP Controls and Sarbanes-Oxley Compliance

Many organisations are making better use of SAP process controls to help them achieve more cost-effective Sarbanes-Oxley compliance. To determine where automation can be achieved in the internal control framework, Protiviti's GRC and SAP experts will assess an organisation's current SAP environment, ignoring existing manual processes, and using Protiviti's library of more than 400 configurable controls to determine which Sarbanes-Oxley risks SAP controls can help to mitigate. From here, it can be determined where Sarbanes-Oxley risks are not adequately mitigated by automated SAP controls and where manual controls may be necessary to close any gaps preventing Sarbanes-Oxley compliance.

In one recent engagement, Protiviti was able to transform a company's internal control framework, which included multiple legacy applications, from primarily manual controls (53 percent) to primarily automated and semi-automated controls (80 percent) by optimising configurable controls during the SAP implementation. The organisation already had mature Sarbanes-Oxley compliance efforts, but there was still room for control rationalisation, automation and optimisation, particularly in the purchase-to-pay cycle.

After making these improvements to the Sarbanes-Oxley process, Protiviti guided the company through control optimisation for all of its major business processes, including order to cash, human resources and general ledger. By implementing SAP ECC 6.0 and fully optimising available SAP configurable controls, Protiviti was able to help the company primarily automate or semi-automate 64 percent of its controls in its overall internal control framework; previously, 68 percent of these controls were manual (see Figure 3).

Figure 3: Protiviti's SAP and GRC experts helped one organisation transform its overall internal control framework from primarily manual (68 percent) to primarily automated and semi-automated controls (64 percent).

Additionally, the organisation experienced a 40 percent reduction in controls due to increased reliance on new, automated controls within SAP and the decommissioning of older legacy applications. By optimising its control environment, the company realised more than US$500,000 in annual savings just in its Sarbanes-Oxley compliance efforts.

To determine potential annual cost savings from a control optimisation project for Sarbanes-Oxley compliance using SAP, businesses will need to conduct both a return on investment calculation and a cost-benefit analysis. Depicted in Figure 4 are formulas for estimating control performance cost savings (e.g., determining who in the organisation handles manual controls and how many times they must do it each year, how many hours it takes, and what their internal rate is) and Sarbanes-Oxley control testing cost savings (e.g., how many manual controls currently exist, how long it takes to test those controls, and what the testing rate is).

Figure 4: Formulas to determine potential control performance cost savings and Sarbanes-Oxley control testing cost savings through control optimisation with SAP.

Other indirect cost savings not documented above, including reduced training costs for new staff on control performance procedures, can be realised when controls are primarily automated. Organisations also may experience reduced re-testing costs for failed controls because automated controls typically have a much higher passing rate than manual controls. Moreover, many companies that optimise their control environment, not only in the procure-to-pay process but also in other major business processes, typically see an overall increase in the productivity of operations personnel because those employees are no longer required to perform manual control activities.

By leveraging assessment tools to understand process improvement opportunities, gaining more insight into business processes and underlying technology that can help to optimise an ERP implementation such as SAP, and using solutions and tools that enable continuous monitoring of the optimised control environment, organisations of all types are likely to experience significant savings in both costs and resources.

About Protiviti

Protiviti (www.protiviti.com) is a global business consulting and internal audit firm composed of experts specialising in risk, advisory and transaction services. We help solve problems in finance and transactions, operations, technology, litigation, governance, risk, and compliance. Our highly trained, results-oriented professionals provide a unique perspective on a wide range of critical business issues for clients in the Americas, Asia-Pacific, Europe and the Middle East. Protiviti has more than 60 locations worldwide and is a wholly owned subsidiary of Robert Half International Inc. (NYSE symbol: RHI). Founded in 1948, Robert Half International is a member of the S&P 500 index.

As the world's leading provider of business software, SAP delivers products and services that enable enterprises of all sizes to improve their business operations. SAP facilitates a company's effort to manage risk and compliance while optimising efficiency, strategy and growth with a single integrated financial management platform. Addressing business processes in more than 25 industries, SAP has maintained its role as the authority on business software.

Protiviti and SAP are actively working together to help clients improve their capability in this important area by implementing and effectively utilising the full SAP BusinessObjects suite of GRC and EPM solutions to enhance their integrated enterprisewide risk mitigation and compliance efforts. For more information, visit http://www.protiviti.com/en-US/Solutions/Information-Technology/Managing%20Applications/Pages/default.aspx.

Our Information Technology Effectiveness and Control Solutions

We partner with chief information officers, chief financial officers and other executives to ensure their organisations maximise the return on information systems investments while at the same time minimise their risks. Using strong IT governance to ensure alignment with business strategies, we drive excellence through the IT infrastructure and into the supporting applications, data analytics and security. We also facilitate the selection and development of software, manage the risk of implementation, implement configurable controls on large ERP installations, and implement governance, risk and compliance (GRC) software applications.

For additional information about the issues reviewed in this white paper or Protiviti's services, please contact:

Jonathan Wyatt
Managing Director
+44.207.0247.522
jonathan.wyatt@protiviti.co.uk

© 2011 Protiviti Inc. An Equal Opportunity Employer. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.