How Your Vendor Master File is Critical to Governance, Risk Management and Compliance
DESCRIPTION
Jon Casher from Casher Associates, Inc. and Al Nasser Khan from Control Layers Consulting explained why the Vendor Master File is critical to Governance, Risk Management and Compliance, and how you can use Oracle GRC Advanced Controls to achieve your vendor master goals, minimize risks, and achieve much greater compliance and efficiency. You can learn more about this by downloading the presentations.
TRANSCRIPT
Vendor Master Controls: How they are Critical to Governance, Risk & Compliance
Jon Casher, President, Casher Associates, Inc.
Al Nasser Khan, President, Control Layers Consulting
Copyright © 2014, Oracle and/or its affiliates. All rights reserved. |
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
How Your Vendor Master File is Critical to Governance, Risk Management and Compliance
Jon Casher, President, Casher Associates, Inc.
Copyright © 2014 Casher Associates, Inc.
Permission to use granted to Oracle Corporation (Slide 3)
Jon Casher: My Background and Contact Information
Serial Entrepreneur
Founded Casher Associates, Inc. in 1976 to design and develop custom financial systems and back office automation
Co-founded CM Associates in 1985 to provide financial industry software products
Co-founded RECAP, Inc., an A/P audit firm, in 1988
Director of a NASDAQ company from 2000-2006; head of the audit committee from 2002 until the company went private in 2006
Current Focus
Consulting to Finance, AP, AR and Procure-to-Pay organizations and their service providers
Training, Certification, White Papers, Surveys, Workshops, Presentations
Contact Information
Snail Mail: 110 Pond Brook Road, Newton MA 02467-2648
Web Site: www.casherassociates.com
Email: [email protected]
Phone: 617-527-3927 or 877-527-3927
Overview
Critical Vendor Master File Issues
Vendor Management Goals, Concerns and Challenges
Other Vendor Master File Issues
Vendor Master File Standards
Best and Appropriate Practices
Third Party Resources
Critical Vendor Master File Issues
Your Vendor File is a Strategic Resource
Other than investments, 30-70% of all funds that flow out of non-financial institutions go out through Accounts Payable
Federal, state and international laws and regulations make it important to keep your vendor file accurate
Accurate and complete information is key to controlling transaction processing within the Procure-to-Pay process
Accurate reporting and analysis is impossible without a clean vendor master file
Vendor Management's GRC Challenges
Overcome Barriers to Compliance
Lack of awareness of regulatory compliance and reporting requirements by:
Purchasing and Accounts Payable
Product Managers and Developers of ERP and Financial Accounting Software
Technical limitations of ERP and Financial Accounting software
Need to Manage Vendor Risk
Policy
Contract
Regulatory
Critical Vendor Master File Issues: Access, Control and Ownership
Well Documented and Tested Procedures
Define the process for doing business with new vendors
Ensure that only authorized individuals can make changes, additions and deletions
Separation of Duties
People allowed to make changes must not be able to process transactions such as issuing purchase orders, posting invoices, disbursing funds or making accounting entries
Audit Trail of Changes
All additions, changes and deletions should be logged, reported, reviewed and signed off by someone in management other than the person posting the updates
Reconcile and Synchronize
If multiple systems have vendor information, reconcile the common information
Ownership
The owner should be responsible for defining data requirements; setting, maintaining and monitoring standards and data quality; and coordinating the activities of those who use, enter and update vendor information
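As an added worked example (not part of the presentation or of any product it mentions), the following Python script shows how the two controls on this slide, the audit trail with independent sign-off and the separation of duties between maintaining vendors and disbursing funds, can be tested mechanically. It reads a change log and a disbursement log and flags changes nobody else signed off, and bank-account or remit-address changes followed by a payment to that vendor released by the same user. The record layout, user names, the 30-day window and the sample rows are all assumptions constructed for the example.

```python
"""Audit-trail and separation-of-duties checks over vendor master changes.

Added example, not from the slides. Reads a constructed vendor change log and a
constructed disbursement log and flags (1) changes with no sign-off by someone
other than the poster and (2) changes to payment-critical fields followed,
within a window, by a payment to that vendor released by the same user who
made the change. Field names are assumptions, not any ERP's real schema.
"""
from datetime import datetime, timedelta

# Fields that decide where money goes; a change here plus a payment by the same
# person is the classic "change the bank account, then pay yourself" pattern.
SENSITIVE_FIELDS = {"bank_account", "remit_to_address"}

# Constructed sample data (ts = timestamp, user = who posted the change).
CHANGE_LOG = [
    {"ts": "2014-09-01 09:10", "user": "jsmith", "vendor_id": "V1001",
     "field": "bank_account", "old": "021000021/123456",
     "new": "026009593/987654", "reviewed_by": None},
    {"ts": "2014-09-02 14:00", "user": "mlee", "vendor_id": "V1002",
     "field": "phone", "old": "617-555-0100", "new": "617-555-0199",
     "reviewed_by": "rgarcia"},
    {"ts": "2014-09-03 11:30", "user": "jsmith", "vendor_id": "V1003",
     "field": "bank_account", "old": "011000138/555111",
     "new": "011000138/555112", "reviewed_by": "rgarcia"},
]
PAYMENTS = [
    {"ts": "2014-09-03 16:45", "released_by": "jsmith", "vendor_id": "V1001",
     "amount": 48250.00},
    {"ts": "2014-09-04 10:00", "released_by": "kpatel", "vendor_id": "V1003",
     "amount": 1200.00},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def unreviewed_changes(change_log):
    """Changes with no sign-off, or signed off by the same person who posted them."""
    return [c for c in change_log
            if not c["reviewed_by"] or c["reviewed_by"] == c["user"]]


def sod_violations(change_log, payments, window_days=30):
    """Pairs (change, payment) where the user who changed a sensitive field of a
    vendor also released a payment to that vendor within window_days after it."""
    hits = []
    for c in change_log:
        if c["field"] not in SENSITIVE_FIELDS:
            continue
        t0 = _parse(c["ts"])
        for p in payments:
            if (p["vendor_id"] == c["vendor_id"]
                    and p["released_by"] == c["user"]
                    and t0 <= _parse(p["ts"]) <= t0 + timedelta(days=window_days)):
                hits.append({"vendor_id": c["vendor_id"], "user": c["user"],
                             "field": c["field"], "changed_at": c["ts"],
                             "paid_at": p["ts"], "amount": p["amount"]})
    return hits


if __name__ == "__main__":
    for c in unreviewed_changes(CHANGE_LOG):
        print("UNREVIEWED", c["vendor_id"], c["field"], "posted by", c["user"])
    for h in sod_violations(CHANGE_LOG, PAYMENTS):
        print("SOD", h)
```

In the constructed data, V1001's bank account was changed by jsmith with no reviewer and jsmith then released a $48,250 payment to it two days later, so it is reported under both checks; V1003's change was reviewed and paid by a different user, so it is clean. The same pairing works against real ERP audit tables once the column names are mapped, and a preventive version of the control would block the payment rather than report it afterwards.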
Vendor Management Goals, Concerns and Challenges
Vendor Management Goals, Concerns, Challenges: Overview
Catch / reduce fraud
Know your vendors
Comply with laws and regulations
Know where you spend money
Reduce duplicate and other erroneous payments
Control costs and save money
Make accurate and timely vendor payments
Vendor Management Goals, Concerns, Challenges: Catch/Reduce Vendor Fraud
Main Types of Vendor Fraud
Invoices with inflated prices
Requests that look like invoices or government forms with a filing fee
Invoices for goods not delivered or services not provided
Checks that sign you up for a service if you deposit them (may appear to be refunds, rebates or credits for a small amount)
Intentional double billing
Collusion with an employee, kickbacks, bribes
Fictitious companies
Bid rigging and price fixing
The Size of the Problem
Kroll Global Fraud Report: 19% of companies experienced vendor fraud in 2013
ACFE: 5% of revenues lost due to fraud; billing fraud is approx. 24% of the total monetary amount of fraud
Vendor Management Goals, Concerns, Challenges: Know Your Vendors
Name Changes
3%-7% of companies change their name every year
Out of approx. 15,000 US stock exchange listed companies:
17 changed their names between 9/2/2014 and 9/5/2014
83 changed their name between 8/5/2014 and 9/1/2014
Over 200 were delisted or had trading suspended between 8/5/2014 and 9/4/2014
Some name changes are minor, some are significantly different
CVS Caremark changed its name to CVS Health Corporation on 9/4/2014
ICG Group, Inc. changed its name to Actua Corporation on 8/12/2014
Some Types of Related Vendors
Franchisees
Joint ventures
Subsidiaries
Affiliates
Vendors Operating Under Multiple Names
Vendor Management Goals, Concerns, Challenges: Comply with Laws & Regulations
Federal: IRS; Denied, Debarred and Excluded Parties; Privacy; Bribery; Other
States: Sales & Use Tax; Abandoned Property / Escheatment; Privacy; Deadbeat Parents; Withholding and Reporting
International: Denied, Debarred and Excluded Parties; Privacy; Bribery; Value Added Tax
Comply with Laws & Regulations: Federal – IRS
Primary Forms
1099-MISC
1042-S for Non-Resident Aliens
W-9s, W-8s and FATCA (Foreign Account Tax Compliance Act)
Industry Specific Reporting
Regulations and forms change often and are complex
Penalties for incorrect filings have increased dramatically
Electronic delivery of 1099s to payees is allowed when recipients agree to receive them
Tax ID masking (showing only the last 4 digits) is now allowed
Comply with Laws & Regulations: Federal – Denied, Debarred, Excluded Parties
US Department of Treasury Office of Foreign Assets Control (OFAC)
US Department of State Foreign Terrorist Organizations (FTO)
US Department of Commerce Bureau of Industry and Security (BIS)
All of the above maintain lists of organizations and individuals that you must not do business with
Do not buy from, sell to, or disburse or receive funds from entities on these lists
Also watch for Politically Exposed Persons (PEPs), who may be involved in money laundering or financing of terrorist organizations
Fines for violations can be substantial
Criminal penalties can include fines ranging from $50,000 to $10,000,000 and imprisonment ranging from 10 to 30 years for willful violations
Civil penalties can reach the greater of $250,000 or twice the amount of the underlying transaction, for each violation
Over $1 billion in fines recovered in each year since 2009
Comply with Laws & Regulations: Federal – Privacy
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Most of this act deals with privacy of medical records
However, it can impact AP if medical payments are processed through AP: pre-employment physical exams, drug testing, other (especially at companies that self-insure)
Gramm-Leach-Bliley Act of 1999 (GLB)
Restricts disclosure of nonpublic personal information
Intended to protect individuals who are customers of financial institutions, but has been expanded to other types of businesses
Can impact AP if customer refunds or garnishments are processed through AP
More legislation is likely due to the increasing number of security breaches and identity theft
Most states already have additional restrictions
Payment Card Industry Data Security Standard (PCI-DSS)
While not a federal law, these are industry standards and guidelines
Comply with Laws & Regulations: Federal – Bribery
Foreign Corrupt Practices Act of 1977 (FCPA)
Covers accounting transparency requirements under the Securities Exchange Act of 1934 and prohibits bribery of foreign officials
Both the US Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) enforce it
Applies to US companies and foreign companies with US subsidiaries
Be aware of Politically Exposed Persons (PEPs)
Since 2007, the number of investigations and enforcement actions has grown
Total fines and penalties have ranged from $260 million to $2 billion in each of the last 6 years (2008 - 2013), with the average settlement over $80 million in 2013
Currently there are open investigations of approx. 100 very large companies plus many others; almost half of the Dow 30 have paid fines since 2007 or are currently being investigated
Likely to see more investigation and prosecution of domestic bribery
Comply with Laws & Regulations: Federal – Sarbanes-Oxley Act of 2002
Law passed in response to accounting scandals
Applies to public companies in the US
Five main areas:
Auditor independence
Corporate responsibility
Improved financial disclosure
Analyst conflicts of interest
Accountability for corporate fraud
Comply with Laws & Regulations: Federal – Other
Physician Payments Sunshine Act (Sunshine Act), part of the 2010 Affordable Care Act
Requires manufacturers of drugs, medical devices and biologicals that participate in U.S. federal health care programs to report to CMS certain payments and items of value given to physicians and teaching hospitals
Any transfers of value or payments to physicians and hospitals greater than $10, including payments, traded services, stocks, or any other returned investments
Gifts greater than $100 will be made public and published online as of September 30, 2014
Supersedes Maine, Vermont, Massachusetts, Minnesota, West Virginia and DC laws
Securities and Exchange Commission reporting of payments to auditors, directors, etc.
Public companies must report payments to directors and auditors in the annual 10-K
Other federal agencies have specialized reporting
Especially if you are a government contractor, you must keep up to date on the regulations relevant to your industry
Comply with Laws & Regulations: States
States are increasing sales/use tax rates and some tax services
Many states are doing sales/use tax audits
The Marketplace Fairness Act passed the US Senate but is held up in the US House
States are doing more aggressive abandoned property (escheat) audits and many use "bounty hunters"
Most uncashed checks issued by AP should not have to be escheated
Rules depend on the state in which the vendor is located, which may not be the state in which you are located or incorporated
More states are requiring withholding and/or reporting of payments to certain types of vendors, as well as deadbeat parent reporting
States are concerned about data breaches: 47 states and DC have privacy laws and regulations
More states, municipalities and counties are requiring permits and filing fees
More municipalities and counties are doing personal property audits
Software packages typically do not have all the needed functionality
Comply with Laws & Regulations: International
Countries are putting in place laws, rules and regulations similar to, but different from, those in the US
Primary Areas Addressed: Denied, Debarred and Excluded Parties; Politically Exposed Foreign Persons; Privacy; Bribery; Value Added Tax
Rarely or Never Addressed: Abandoned Property
Vendor Management Goals, Concerns, Challenges: Know Where You Spend Your Money
Who has the information?
Purchasing thinks they know
A/P thinks they have the data
Both are partially correct
Ways you may want to analyze spend:
By Vendor
By Commodity
By Dollar Amount
By Transaction Volume
Vendor Management Goals, Concerns, Challenges: Reduce Costs and Save Money
Duplicate and Erroneous Payments
Every major software package checks for duplicates based on Vendor ID and Invoice #
The duplicate check fails if:
The identical vendor exists under multiple vendor IDs
There is a variation on the vendor name
The system does not support multiple addresses
The vendor at a different remit address is selected
The vendor under a previous or new name is selected
A related vendor is selected
If duplicate vendors are eliminated, over 75% of the dollars associated with duplicate payments can be eliminated
Stops, Voids, Reissues and Uncashed Checks
Wrong vendor selected
Payment sent to wrong address
Payment never received
Payment received by wrong vendor
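As an added worked example (not part of the presentation, and not how any particular ERP package implements its check), the Python below shows why the Vendor ID + Invoice # check described on this slide misses payments and what a stronger check looks like. It standardizes vendor names (punctuation, case, "Inc." versus "Incorporated", noise words), clusters vendors that share a standardized name or a TIN, then re-runs the duplicate test on (vendor cluster, standardized invoice number). The vendor and payment rows, column names and suffix table are assumptions constructed for the example.

```python
"""Duplicate vendor and duplicate payment detection.

Added example, not from the slides. Most packages reject a second invoice only
when Vendor ID and invoice number both repeat; the same vendor under two IDs,
or the same invoice number typed "INV-0042" and "inv42", slips through. This
clusters vendors that share a standardized name or a TIN (union-find) and then
re-runs the duplicate check on (vendor cluster, standardized invoice number).
Sample data is constructed; column names are assumptions.
"""
import re
from collections import defaultdict

# Suffixes folded to one spelling, and words dropped, before names are compared.
_SUFFIXES = {"INCORPORATED": "INC", "CORPORATION": "CORP", "COMPANY": "CO",
             "LIMITED": "LTD"}
_DROP = {"THE", "AND", "&", "OF"}

VENDORS = [  # constructed
    {"vendor_id": "V100", "name": "Acme Industries, Inc.", "tin": "12-3456789"},
    {"vendor_id": "V207", "name": "ACME INDUSTRIES INC", "tin": None},
    {"vendor_id": "V350", "name": "The Acme Industries Incorporated", "tin": "123456789"},
    {"vendor_id": "V400", "name": "Beta Supply Co.", "tin": None},
]
PAYMENTS = [  # constructed; P1/P2 pay the same invoice under two vendor IDs
    {"pay_id": "P1", "vendor_id": "V100", "invoice": "INV-0042", "amount": 5000.00},
    {"pay_id": "P2", "vendor_id": "V207", "invoice": "inv42", "amount": 5000.00},
    {"pay_id": "P3", "vendor_id": "V350", "invoice": "INV-0043", "amount": 700.00},
    {"pay_id": "P4", "vendor_id": "V400", "invoice": "INV-0042", "amount": 5000.00},
]


def normalize_name(name):
    """Uppercase, strip punctuation, fold suffixes, drop noise words."""
    tokens = re.sub(r"[^A-Z0-9& ]", " ", name.upper()).split()
    return " ".join(_SUFFIXES.get(t, t) for t in tokens if t not in _DROP)


def normalize_invoice(inv):
    """Alphanumerics only, uppercase, leading zeros after any prefix removed."""
    s = re.sub(r"[^A-Z0-9]", "", inv.upper())
    return re.sub(r"^([A-Z]*)0+(\d)", r"\1\2", s)


def vendor_clusters(vendors):
    """Map vendor_id -> cluster representative; vendors sharing a normalized name
    or a TIN land in the same cluster (transitively, via union-find)."""
    parent = {v["vendor_id"]: v["vendor_id"] for v in vendors}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    first = {}  # key -> first vendor_id seen with that key
    for v in vendors:
        keys = [("NAME", normalize_name(v["name"]))]
        tin = re.sub(r"\D", "", v.get("tin") or "")
        if tin:
            keys.append(("TIN", tin))
        for k in keys:
            if k in first:
                parent[find(v["vendor_id"])] = find(first[k])
            else:
                first[k] = v["vendor_id"]
    return {vid: find(vid) for vid in list(parent)}


def duplicate_vendor_groups(vendors):
    """Clusters with more than one vendor ID, each sorted."""
    groups = defaultdict(list)
    for vid, rep in vendor_clusters(vendors).items():
        groups[rep].append(vid)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def duplicate_payments(vendors, payments):
    """Payments that share (vendor cluster, normalized invoice number)."""
    rep = vendor_clusters(vendors)
    seen = defaultdict(list)
    for p in payments:
        seen[(rep[p["vendor_id"]], normalize_invoice(p["invoice"]))].append(p["pay_id"])
    return sorted(ids for ids in seen.values() if len(ids) > 1)


if __name__ == "__main__":
    print("duplicate vendor groups:", duplicate_vendor_groups(VENDORS))
    print("duplicate payments:", duplicate_payments(VENDORS, PAYMENTS))
```

On the constructed data the stock check sees four distinct (vendor ID, invoice) pairs and passes everything; the clustered check reports V100, V207 and V350 as one vendor and P1/P2 as a duplicate payment of INV-0042, while P4 (a different vendor with the same invoice number) is correctly left alone. The same normalize_name routine is what a name-entry standard like the one later in this deck tries to make unnecessary.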
Vendor Management Goals, Concerns, Challenges: Make Accurate and Timely Payments
"Appropriate Transaction" Attributes
Not controlled by vendor master file data: proper goods and/or services received/provided; sufficient invoice detail; correct amount(s); appropriate approval(s); correct accounting codes
Impacted/controlled by vendor master data: who to pay; how much to pay; when to pay; how to pay; where to send the payment
Other Vendor Master File Issues
Why Vendor Files Grow
Name entered differently by your staff
Vendor changes its name
Street address and/or lock box changes
Mergers (by your organization and by your vendors)
Acquisitions (by your organization and by your vendors)
Divestitures (by your vendors)
Purchasing and AP use different files and/or multiple systems
Data Quality and Consistency
Missing
Non-standard
Invalid
Obsolete
Other Vendor Master File Issues: More Problems and Some Metrics
20% - 80% of vendors in current vendor master files have had no activity within the last 12 months
35% - 65% of "active" vendors are one-time vendors
3% - 7% of vendors change their name annually
20% of vendors change their HQ address annually
Phone number(s), contact name(s), email addresses and banking information also change
The bigger your vendor file, the more duplicates you probably have:
1 - 100 vendors: no duplicates
100 - 1,000 vendors: 1% - 3% redundant
1,000 - 10,000 vendors: 2% - 6% redundant
10,000 - 100,000 vendors: 4% - 10% redundant
> 100,000 vendors: > 10% redundant
Vendor Master File Standards
Vendor Master File Standards: First Steps
Understand System(s) Features and Limitations
Minimum and maximum field lengths
Data types, default values and edit checks
Number of name and address lines
Various types of names such as Lookup name, Name on check, Legal/Tax name, Short name, etc.
Various types of addresses such as Buy From, Remit To, etc.
Controls, audit trails, additions, changes and deletions
How changes and deletions affect historical data
Files and/or tables that may need changes and/or are affected by changes
Identify and Review for Vendors that are:
Your own company, subsidiaries and affiliates
Employees
Officers and directors and related companies
External audit firm(s)
Sensitive vendors and those that require special reporting
Vendors set up or referenced in other systems
Vendor Master File Standards: Names
Identify Vendors in Special Classes for Possible Name Standardization
Federal Government Departments and Agencies
State Governments
Local Governments
Postal Service
Individuals
Telephone Companies and Utilities
Non-Governmental Organizations (NGOs)
Garnishments
Petty Cash
Other (e.g. Universities, Courts, Agents, Medical Service Providers)
Vendor Master File Standards: Addresses
Address Problems and Issues
Name continuation and/or name qualifiers in address fields
Attention (ATTN)
Internal addresses
Invalid, missing or inconsistent State and ZIP Code
Punctuation and special characters
Improper abbreviations
Numbers as words
Dual addresses
PO BOX addresses
CMRAs (Commercial Mail Receiving Agencies)
"Bad" addresses (many types of problems)
Vendor Master File Standards: Other Fields
Phone
Tax Identifiers
US – SSN, EIN, ITIN
Canada – SIN, BIN
European Union – VATIN (VAT Identification Number)
Payment Terms and Default Discounts
1099 Type/Box
Bank Routing Code and Account Number
Minority, Women Owned, Small Business, etc.
Default G/L Code
Classification Codes
Certifications
Insurance Certificates
Email Addresses
Web Sites
Best and Appropriate Practices
Best and Appropriate Practices: Overview
Vendor Verification and Authentication
Vendor Setup and Change Management
Vendor and Address Deactivation
Vendor Review and Controls
Best and Appropriate Practices: Vendor Verification and Authentication
Determine the amount of checking based on:
Strategic importance of the vendor
Amount and type of business expected to be done
Determine if the vendor is already on file
Dual review
Name qualifier
Common abbreviation
Care of or agent
Minimize the likelihood of fraud / ensure that the vendor is legitimate
Check business history and length of time in business
Confirm street address, especially if the only address is a PO Box
Check third party directories
Check against employee data: name, address, phone, TIN, bank account match
Check vendor address against your locations
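As an added worked example (not part of the presentation), the Python below implements the last two checks on this slide: matching the vendor master against employee data on TIN/SSN, bank account, phone and address, and flagging vendors whose address is one of your own locations. Each field is normalized on both sides first (digits only for identifiers and phones, postal-style abbreviations and 5-digit ZIP for addresses), since a raw string compare misses "(617) 555-0147" against "+1 617 555 0147" or "45 Elm Street" against "45 ELM ST". The employee, vendor and location records and the abbreviation table are assumptions constructed for the example; HR data used this way is sensitive and should be handled on the same access-restricted basis as the TIN and bank fields it is compared with.

```python
"""Match the vendor master against employee data and your own locations.

Added example, not from the slides. Normalizes TIN/SSN, bank account, phone and
address on both sides and reports which fields a vendor shares with an
employee, plus vendors whose remit address is one of the company's own sites.
All records are constructed and the field names are assumptions.
"""
import re

# Postal-style abbreviations applied after punctuation is stripped.
_ABBR = {"STREET": "ST", "AVENUE": "AVE", "ROAD": "RD", "DRIVE": "DR",
         "BOULEVARD": "BLVD", "SUITE": "STE", "POST OFFICE BOX": "PO BOX",
         "P O BOX": "PO BOX"}

EMPLOYEES = [  # constructed
    {"emp_id": "E1", "name": "John Q. Smith", "ssn": "123-45-6789",
     "phone": "(617) 555-0147", "bank": ("021000021", "44556677"),
     "address": ("45 Elm Street", "Newton", "MA", "02458")},
    {"emp_id": "E2", "name": "Maria Lopez", "ssn": "987-65-4321",
     "phone": "617-555-0199", "bank": ("011000138", "88990011"),
     "address": ("9 Oak Ave", "Waltham", "MA", "02451")},
]
VENDORS = [  # constructed
    {"vendor_id": "V9", "name": "JQS Consulting LLC", "tin": "123456789",
     "phone": "+1 (617) 555-0147", "bank": ("021000021", "11111111"),
     "address": ("45 ELM ST", "NEWTON", "MA", "02458-1234")},
    {"vendor_id": "V10", "name": "Plant Services Inc", "tin": "04-3333333",
     "phone": "617-555-0300", "bank": ("011000138", "55555555"),
     "address": ("200 Industrial Drive, Suite 100", "Springfield", "IL", "62701")},
    {"vendor_id": "V11", "name": "Birch Road Supply", "tin": "04-2222222",
     "phone": "781-555-0123", "bank": ("011000138", "88990011"),
     "address": ("77 Birch Rd", "Lexington", "MA", "02420")},
]
COMPANY_LOCATIONS = [  # constructed
    ("200 Industrial Dr Ste 100", "Springfield", "IL", "62701-0000"),
]


def digits(s):
    return re.sub(r"\D", "", s or "")


def norm_phone(s):
    d = digits(s)
    return d[1:] if len(d) == 11 and d.startswith("1") else d  # drop US country code


def norm_address(line1, city, state, zip_code):
    a = f"{line1} {city} {state} {digits(zip_code)[:5]}".upper()
    a = " ".join(re.sub(r"[^A-Z0-9 ]", " ", a).split())
    for long, short in _ABBR.items():
        a = re.sub(rf"\b{long}\b", short, a)
    return a


def match_keys(rec, tin_field):
    """(field, normalized value) pairs used for matching one record."""
    keys = []
    if digits(rec.get(tin_field)):
        keys.append(("tin", digits(rec[tin_field])))
    routing, acct = rec["bank"]
    if digits(acct):
        keys.append(("bank", digits(routing) + "/" + digits(acct)))
    if norm_phone(rec["phone"]):
        keys.append(("phone", norm_phone(rec["phone"])))
    keys.append(("address", norm_address(*rec["address"])))
    return keys


def employee_matches(vendors, employees):
    """Vendors sharing any normalized key with an employee, with the fields that matched."""
    index = {}
    for e in employees:
        for k in match_keys(e, "ssn"):
            index.setdefault(k, set()).add(e["emp_id"])
    hits = []
    for v in vendors:
        by_emp = {}
        for k in match_keys(v, "tin"):
            for emp in index.get(k, ()):
                by_emp.setdefault(emp, []).append(k[0])
        for emp, fields in sorted(by_emp.items()):
            hits.append({"vendor_id": v["vendor_id"], "emp_id": emp, "fields": fields})
    return hits


def vendors_at_own_locations(vendors, locations):
    own = {norm_address(*loc) for loc in locations}
    return [v["vendor_id"] for v in vendors if norm_address(*v["address"]) in own]


if __name__ == "__main__":
    for h in employee_matches(VENDORS, EMPLOYEES):
        print("EMPLOYEE MATCH", h)
    print("AT OWN LOCATION", vendors_at_own_locations(VENDORS, COMPANY_LOCATIONS))
```

On the constructed data V9 matches employee E1 on TIN, phone and address (a sole proprietor billing through a new vendor record), V11 matches E2 on bank account only (the case the name check would never catch), and V10's remit address is the company's own Springfield site. A single matching field is a review item, not proof of fraud; what matters is that the match is found before the first payment rather than by an auditor afterwards.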
Best and Appropriate Practices: Vendor Verification and Authentication (cont'd)
Validate basic vendor address information
US Vendors: Delivery Point Validation; CMRA (Private Mail Box); PO Box
Non-US Vendors: use UPU.INT and individual country postal web sites
Phone: directory lookup(s); call the vendor
Best and Appropriate Practices: Vendor Verification and Authentication (cont'd)
Regulatory
Ensure that you are not doing business with a prohibited party on the OFAC, FTO and BIS lists or other lists of denied, debarred, excluded or restricted parties
Check the GSA System for Award Management (SAM)
Verify that information for regulatory reporting is correct
Get W-9s for US vendors and the appropriate W-8 for non-US vendors
Use IRS TIN Matching
Check State of Incorporation or Local Jurisdiction (Secretary of State or Office of Corporations)
Determine State Reporting Requirements: state withholding and "1099" reporting; Office of Child Support for deadbeat parents
Check industry specific lists
Best and Appropriate Practices: Vendor Verification and Authentication (cont'd)
Other
Check the vendor's web site
Check ownership of the vendor's web site (who.is)
Validate email addresses: send test messages
Validate routing code and account numbers: initiate test transactions and obtain confirmations
Check third party data: Corporate Affiliations, ChoicePoint, D&B, Experian, Intelius
Best and Appropriate Practices: Vendor Setup
Have general conventions and standards
Use a new vendor form with field names and positions similar to where they are in your vendor setup screens
Require the names and signatures of the requestor, the person doing the setup and the person reviewing and verifying the setup information
Standardize how vendor names are entered: punctuation, abbreviations, name prefixes and suffixes, name qualifiers
Insist that the guidelines be followed and verify periodically
Best and Appropriate Practices: Vendor Setup (cont'd)
Use postal guidelines for addressing standards
Punctuation
Abbreviations
Between Name and Delivery Address Line: name qualifiers, internal addresses
Delivery Address Line: 7 components
Last Line: City, State, ZIP
Non-US addresses
Best and Appropriate Practices: Vendor Setup (cont'd)
Have guidelines for how other fields are formatted and/or their valid values
Vendor Type and/or Class
1099 Type (Box)
Phone Numbers
Taxpayer Identifiers
Payment Terms
ACH, P-Card, EDI, etc.
Women Owned, Minority Owned, Small Business, Veteran, Disabled Veteran, etc.
Insurance Certificate(s)
Tax Certificate(s)
Certifications
Contacts
Email addresses and web sites
Best and Appropriate Practices: Vendor Setup (cont'd)
Flag Special and Sensitive Vendors
Vendors that are your company's audit firm(s)
Your company's officers, directors and their affiliated companies
Employees
Vendors subject to other regulatory checking and reporting, based on your company's lines of business, based on the types of goods or services to be provided, or subject to state withholding and/or reporting
Mask or Restrict Access to Sensitive Data
Restrict access to TIN, bank and card information
Mask TIN, bank and card information
Redact information on source documents
Link and/or combine duplicate and some related vendors
Promptly review all additions to the vendor master file
Best and Appropriate Practices: Vendor Setup (cont'd)
Provide to Vendors
Send out a welcome letter and information packet that identifies:
What to do to get paid
When a contract or Purchase Order is required
Whom to contact regarding issues
Optionally, ethics and dispute resolution guidelines
Best and Appropriate Practices: Vendor and Address Deactivation
Decide when/how to purge or block inactive vendors and addresses
15 – 18 months of inactivity is a typical rule
Deal with Open Items: POs, Invoices, Disbursements
Best and Appropriate Practices: Vendor Review and Controls
Promptly review all additions and changes to the vendor master file
Check vendor name and address when checks are uncashed for more than 30 days
Check the endorsement on the first check sent to a PO Box for a new vendor
Check vendor name and address for all mailed items returned by the postal service
Check the vendor against OFAC and other denied party lists before issuing a contract, cutting a PO or disbursing funds
Check deadbeat parent reporting requirements
Ensure separation of duties
Periodically check the Vendor Master File against lists for:
Name changes
Duplicates
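The denied-party check that appears both in the verification slides (OFAC, FTO, BIS and similar lists) and here as a control to run before a contract, PO or disbursement needs more than an exact string compare: listed parties carry aliases, and vendor names get abbreviated or misspelled. As an added worked example (not part of the presentation, and not OFAC's own search tool), the Python below screens vendor names against a list that holds aliases, scoring each pair both as a set of words (order-free, corporate noise words dropped) and as character bigrams (tolerates small spelling differences), and holds anything at or above a threshold for review. The list entries, vendors, noise-word set and threshold are assumptions constructed for the example; a real run would load the published SDN and BIS files with their "a.k.a." entries.

```python
"""Screen vendor names against a denied-party list before a PO or a payment.

Added example, not from the slides. The list here is constructed and stands in
for OFAC's SDN list, the BIS lists and similar; real screening would load the
published files (and their a.k.a. entries) instead. Names are compared both as
word sets (order-free) and as character bigrams (tolerates small spelling
variations), and the higher score is used against a threshold.
"""
import re

# Corporate noise words ignored when comparing names.
_NOISE = {"INC", "LLC", "LTD", "CO", "CORP", "COMPANY", "CORPORATION", "THE",
          "OF", "AND", "&", "SA", "AG", "GMBH", "PLC"}

DENIED_LIST = [  # constructed, stand-in for an SDN/denied-party file
    {"name": "Global Trading Partners",
     "aka": ["GTP International", "Global Trade Partners"], "program": "SAMPLE-1"},
    {"name": "Northwind Shipping Company", "aka": [], "program": "SAMPLE-2"},
]
VENDORS = [  # constructed
    {"vendor_id": "V1", "name": "Global Trade Partners Ltd."},
    {"vendor_id": "V2", "name": "Northwinds Shipping"},
    {"vendor_id": "V3", "name": "GTP International Inc"},
    {"vendor_id": "V4", "name": "Acme Office Supplies"},
]


def _words(name):
    return [t for t in re.sub(r"[^A-Z0-9 ]", " ", name.upper()).split()
            if t not in _NOISE]


def _bigrams(name):
    s = "".join(_words(name))
    return {s[i:i + 2] for i in range(len(s) - 1)}


def name_score(a, b):
    """max(Jaccard on word sets, Dice on character bigrams), in [0, 1]."""
    wa, wb = set(_words(a)), set(_words(b))
    jaccard = len(wa & wb) / len(wa | wb) if wa | wb else 0.0
    ba, bb = _bigrams(a), _bigrams(b)
    dice = 2 * len(ba & bb) / (len(ba) + len(bb)) if ba or bb else 0.0
    return max(jaccard, dice)


def screen(vendors, denied, threshold=0.85):
    """Best denied-list match per vendor at or above threshold, aliases included."""
    hits = []
    for v in vendors:
        best = None
        for entry in denied:
            for alias in [entry["name"]] + entry["aka"]:
                s = name_score(v["name"], alias)
                if s >= threshold and (best is None or s > best["score"]):
                    best = {"vendor_id": v["vendor_id"], "listed_name": entry["name"],
                            "matched_on": alias, "program": entry["program"],
                            "score": round(s, 3)}
        if best:
            hits.append(best)
    return hits


if __name__ == "__main__":
    for h in screen(VENDORS, DENIED_LIST):
        print("HOLD", h)
```

On the constructed data V1 is caught through the alias "Global Trade Partners" even though its score against the primary name falls just under the threshold, V2 is caught on bigrams despite the extra "s" and the dropped "Company", V3 matches an alias exactly, and V4 is clear. The threshold trades false positives against misses and has to be tuned on your own file; every hit should hold the transaction for a human decision rather than silently reject or silently pass it, and the decision and its reason belong in the same audit trail as the vendor change itself.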
Best and Appropriate Practices: Vendor Review and Controls (cont'd)
Communicate regularly with vendors
Prepare a document that explains how a vendor should conduct business with your firm
Require vendors to sign a business practices statement
Use email intelligently
Accept electronic input
Provide sufficient remittance information to vendors so that they can properly apply payments
Provide on-line inquiry and self service capability (Vendor Portal)
Monitor vendor performance: accuracy and timeliness of invoices
Consider having "Service Level Agreements" with your strategic vendors
Third Party Resources
Third Party Resources: US Government Web Sites
US Department of Treasury - IRS
www.irs.gov
US Department of Treasury - OFAC
www.treas.gov/offices/enforcement/ofac
US Department of State - FTO
See OFAC
US Department of Commerce – Lists of Parties of Concern
www.bis.doc.gov/index.php/policy-guidance/lists-of-parties-of-concern
US Department of Health & Human Services
www.acf.hhs.gov/programs/css
www.acf.hhs.gov/programs/css/resource/state-and-tribal-child-support-agency-contacts
US General Services Administration – System for Award Management (SAM)
www.sam.gov
Third Party Resources: Non-US Web Sites
Australia DFAT List
www.dfat.gov.au
Bank of England List (BOE)
www.bankofengland.co.uk/publications/financialsanctions/index.htm
Canada OSFI List
www.osfi-bsif.gc.ca/osfi/index_e.aspx?DetailID=525
European Union (EU) Consolidated List
ec.europa.eu/external_relations/cfsp/sanctions/list/consol-list.htm
Third Party Resources: Non-US Web Sites (cont'd)
Guernsey Financial Services Commission (GFSC)
http://www.gfsc.gg/
Hong Kong Monetary Authority Lists (HKMA)
www.info.gov.hk/hkma/eng/bank/three_tier/three_tier_f.htm
Interpol
www.interpol.int
Access to the Interpol Terrorism Watch List is restricted to authorized police agencies
Third Party Resources: Standards and Guidelines
TIN Matching, 1099-MISC, 1042-S, etc.
Internal Revenue Service - www.irs.gov
Standard Country Names and Codes
International Organization for Standardization - www.iso.org
en.wikipedia.org/wiki/ISO_3166-1
US Addressing Standards
United States Postal Service - www.usps.com
pe.usps.gov/text/pub28/welcome.htm
Canada Addressing Standards
Canada Post - Postes Canada - www.canadapost.ca
www.canadapost.ca/tools/pg/manual/default-e.asp
International Addressing Standards
Universal Postal Union - www.upu.int
Third Party Resources: Standards and Guidelines (cont'd)
Telephone Number Formats
International Telecommunication Union - www.itu.int
en.wikipedia.org/wiki/National_conventions_for_writing_telephone_numbers
Name Changes
OTC Markets - www.otcmarkets.com
Corporate Affiliations - www.corporateaffiliations.com
Fraud
Kroll Global Fraud Reports - fraud.kroll.com/report-archive
Association of Certified Fraud Examiners Report to the Nations - www.acfe.com/rttn/docs/2014-report-to-nations.pdf
Search wikipedia.org for other resources
Comprehensive Risk & Controls Management (closed-loop diagram)
1. Business Risks: Identification, Analysis, Evaluate
2. Control Objectives: Document, Assessments, Reviews
3. Continuous Monitors: Author, Execute, Investigate
Assess Risk & Compliance, then Detect and Fix Issues, then Continuous Improvement and Monitoring, and close the loop
Enterprise Risk and Controls Foundation: One Unified Platform (architecture diagram)
Flexible: Graphical Authoring; Detect and Prevent; Access, Transactions, Setups
Data Driven: 100% of Transactions; Manage by Exception; Pattern Analysis
Comprehensive: Multiple GRC Projects; From Documentation to Test; Closed Loop Approach
Layers of the Enterprise Risk & Controls Foundation:
Dashboards, Reports and Alerts: Notifications, Worklists, Email, Perspectives, Search
Risk, Controls & Compliance Management: Reviews, Documentation, Assessments, Remediation, Surveys
Continuous Controls & Risk Monitoring: Setups, Access, Master Data, Audit Tests, Transactions
User Authored Controls, Data Connectors, Fraud & Error Patterns
Cross-cutting: Role Based Access Security; Web Services & APIs
Sources: Custom or Legacy Applications
Nasser Khan, CISA, MBA
Nasser Khan is a Governance, Risk & Compliance Solutions Architect
Over 28 years of global experience in business process management ranging across Financials, Supply Chain and Human Capital Management. Nasser has executed several process transformation initiatives through ERP implementations, IT auditing, and audit process automation
Bringing vast experience working globally with manufacturing, healthcare and public sector clients, Nasser Khan specializes in assisting clients to realize business gains through enterprise risk management
Delivered consulting services at PeopleSoft, Oracle, and Deloitte
Grcystems.com
Introduction: ControlLayers is a service line of NHI GRCystems
A business technology systems risk consulting practice dedicated to thought leadership and implementation, management, automation, and enforcement of business process and technology controls
High caliber advisory and implementation services
Consultants provide deep domain expertise in enforcing internal controls in enterprise business processes and security functions
Assists clients in managing operational, regulatory compliance, and privacy-related risks by providing strategy, roadmap and tools to ensure effective and continuous compliance, utilizing its partners' tools and its own proprietary service offerings
Client Profiles
Major healthcare and other service providers averaging over 100 business units across North America
On average, over 130,000 employees
Master Data Management is a key risk mitigation control, with large data entry and management teams
Over 8,000 unique vendor supply sources
Purchasing spend in excess of $100 million
Significant PeopleSoft clients of Oracle globally
Highly regulated environments
Stakeholders need a higher degree of assurance from internal controls over financial reporting
Challenges at clients
Ambitious business transformation initiatives involving PeopleSoft FSCM 9.1, HCM 9.1 and OBIEE (centralized reporting)
Financial transformation processes include GL, AP, AR, AM, KK, PC and Supply Chain transformed by deploying PO, IN, and Vendors, Contracts and Items
Over 100 business units purchasing from over 8000 vendors
Challenges at clients
One vendor (name) may have many subsidiaries dealing with totally different items, pricing models, payment terms and lead times
Consistent and accurate data needed to be entered against stringent standards
A vendor with the same name may have a different subsidiary at the same location or in the same city
With distributed purchasing at the BU level, conflicting and sometimes unfavorable contract terms were in force
Receiving and matching challenges occurred on many levels
Vendor approvals were not structured; inactive or blocked vendors could get paid (cf. OIG of the Dept. of HHS)
Key Needs and Control Gaps
Needed a critical system to provide operating effectiveness of application-based controls in Procure to Pay on a continuous basis
The Duplicate Vendor report in PeopleSoft had limitations (it matched only on short name) and did not provide real-time validation
Financial Sanctions Validation was not enabled in PeopleSoft; an independent validation method based on data from another source had to be used
Comparison of address history in PeopleSoft was, again, not real-time
Needed to map controls in the source system conveniently to the control framework to assist in operational and compliance audits
[Table on the slide: each of the above gaps was tagged with its existing control status, one of No Control, PS Control or Manual Control]
Actual Vs. Desired Controls Landscape
Why did we need Advanced Controls?
Improve Audit Efficiency
• Audit coverage, confidence, reporting
• Incident investigation, whistle-blower support
• Continuous Process Monitoring
Minimize Fraud and Abuse
• Fictitious vendors
• Overstated invoices
• Receiving discrepancies
Reduce Error and Leakage
• Overpayment, duplicate payment
• Payment timing, discounts
• Reduce cost of manual controls
• Incorrect vendor paid
Secure Systems Down
• Preventative and detective segregation of duties policy enforcement
• Access appropriateness reporting
• Mapping users to transactions and providing audit trails of actions
Main Vendor Management Goals
Increase buying leverage significantly and get the volume discounts based on collective purchasing power of all entities across operations
Improve many procure-to-pay sub processes
Uniquely identify vendors operating across service geographies
Standardize payment methods and terms of payment
Reduce incorrect PO issuance, check issuance, late payment penalties, and overheads in managing the vendor landscape
Ensure vendors or their banks are not on OIG or OFAC lists
Make Item and Catalog administration structured and clear
Advanced Transaction Controls
Found this value in Oracle Advanced Controls
Continuous Monitoring: Transaction Controls Governor
Pre-seeded best practice controls for PeopleSoft Vendor management
Scalable to add more automated controls
Pre-seeded controls for Procure-to-Pay use gave perspective on vendor information being reported
Continuous monitoring and schedulable alerts for exceptions
Independent ‘Witness System’ to hold evidence data should an external auditor or regulator need it
Key Transaction Controls Deployed
Duplicate vendor entries
Duplicate invoice payments
Vendor address similar to employee address
Payments made to blocked vendors
More than one vendor with similar addresses
Payments beyond norm, outliers
Monitor for approval of payments to vendors which were created by the same user
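The transaction controls listed above (and the creator-equals-approver segregation-of-duties check described under Access Controls) expressed as plain checks over vendor master and payment records. This is an added example, not code from the deck or from Oracle's Transaction Controls Governor; the records, field names and the NOISE suffix list are constructed assumptions, and the outlier screen uses a median/MAD rule of thumb rather than any TCG model.

```python
import re
from statistics import median
# Constructed sample records; field names are assumptions, not PeopleSoft columns.
VENDOR_FIELDS = ("id", "name", "address", "status", "created_by", "approved_by")
VENDORS = [dict(zip(VENDOR_FIELDS, r)) for r in [
    ("V001", "Acme Supply, Inc.", "12 Main St., Suite 4", "APPROVED", "jdoe", "msmith"),
    ("V002", "ACME SUPPLY INC", "12 Main Street Ste 4", "APPROVED", "jdoe", "jdoe"),
    ("V003", "Northwind Medical", "88 Oak Ave", "BLOCKED", "rlee", "msmith"),
    ("V004", "Quick Consulting LLC", "7 Elm Rd", "APPROVED", "rlee", "msmith")]]
EMPLOYEES = [{"id": "E100", "address": "7 Elm Road"}]
PAYMENTS = [dict(zip(("id", "vendor", "invoice", "amount"), r)) for r in [
    ("P1", "V001", "INV-9", 1200.0), ("P2", "V002", "INV-9", 1200.0),
    ("P3", "V003", "INV-2", 950.0), ("P4", "V004", "INV-5", 48000.0),
    ("P5", "V001", "INV-11", 1100.0)]]
NOISE = r"\b(INC|LLC|LTD|CORP|STREET|ST|SUITE|STE|ROAD|RD|AVENUE|AVE)\b"

def normalize(text):
    """Canonical key so 'Acme Supply, Inc.' and 'ACME SUPPLY INC' collide."""
    text = re.sub(r"[^A-Z0-9 ]", " ", text.upper())
    return " ".join(re.sub(NOISE, " ", text).split())

def run_vendor_controls(vendors, employees, payments):
    """Return (control, detail) pairs, one per exception, for the controls above."""
    found, groups = [], {"duplicate_vendor": {}, "shared_address": {}}
    emp_by_addr = {normalize(e["address"]): e["id"] for e in employees}
    for v in vendors:
        addr = normalize(v["address"])
        groups["duplicate_vendor"].setdefault(normalize(v["name"]), []).append(v["id"])
        groups["shared_address"].setdefault(addr, []).append(v["id"])
        if addr in emp_by_addr:                   # possible fictitious vendor
            found.append(("vendor_matches_employee", (v["id"], emp_by_addr[addr])))
        if v["created_by"] == v["approved_by"]:   # segregation-of-duties breach
            found.append(("creator_approved", (v["id"], v["created_by"])))
    for control, index in groups.items():
        found += [(control, tuple(ids)) for ids in index.values() if len(ids) > 1]
    status = {v["id"]: v["status"] for v in vendors}
    med = median(p["amount"] for p in payments)
    mad = median(abs(p["amount"] - med) for p in payments) or 1.0  # robust spread
    seen = set()
    for p in payments:
        key = (p["invoice"], p["amount"])  # vendor id omitted: dupes hide behind duplicate vendors
        if key in seen:
            found.append(("duplicate_payment", (p["id"],)))
        seen.add(key)
        if status.get(p["vendor"]) == "BLOCKED":
            found.append(("payment_to_blocked", (p["id"], p["vendor"])))
        if abs(p["amount"] - med) / mad > 3.5:   # payment beyond norm
            found.append(("payment_outlier", (p["id"],)))
    return found
```

On the constructed data the two Acme records trip both the duplicate-vendor and shared-address checks, and the second payment of INV-9 is caught precisely because the key ignores the vendor id.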
TCG Model Setup: Is Vendor Overpaid?
TCG: Managing Incidents
Remediation
Similar names
Unapproved vendor not set up correctly
As part of remediation, the user would likely merge records if the same vendor has been created under more than one similar name.
Vendor setup may have inconsistencies which would need remediation.
Advanced Access Controls
Access Controls: Segregation of Duties
For user activity, we utilized the Oracle Advanced Controls application Application Access Controls Governor (AACG), which flagged, for example, cases where the same user who created a vendor also approved it.
Access Remediation
Remove the SOD conflicts
Advanced Configuration Controls
Found this value in Oracle Advanced Controls
Master data entry exception detection: Configuration Controls Governor
Reduced manual data entry controls that included daily checking of vendor and vendor-related entries. With CCG, only changes needed to be analyzed, selectively
Incorrect vendor on POs and reqs
Payment term changes and incorrect terms on PO
Bank account or address changes
User data quality improvements
Leverage CCG-reported data to educate users in good practices and process improvement
Key Configuration Change Controls Deployed
For change management, we used CCG Change Tracking, with daily notifications of high-risk field changes
CCG allowed us to report daily on who changed what, when and where
Limited performance impact on PeopleSoft due to audit data build-up
On events, and at certain financial period ends, took snapshots of configuration sets for a point-in-time picture
Combined with front-end vendor setup procedures, such as using one entry per vendor, designating it as the ‘Primary Vendor’, and then using address sequencing to identify a vendor’s multiple fulfillment locations
Configuration Change Tracking
Create queries to track changes
Setup Alerts on Vendor Changes
Specify which actions to be notified of, the date range, backend or frontend, table object, etc. We took a risk-based approach and were only interested in specific fields on specific tables.
Oracle Advanced Controls (Configuration), screenshot callouts:
Who changed from frontend?
Type of change?
Table name?
For what key values, and what was the change?
When?
Who changed from backend?
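The risk-based change-tracking setup described above (notify only on selected actions, channels and table/field pairs within a date range, reporting who, what, when and where) together with period-end snapshots and a snapshot comparison. This is an added example, not CCG's own code or data model; the audit rows, table and field names and the policy are constructed, and the snapshot is a simplified replay of the trail rather than CCG's stored configuration set.

```python
from datetime import datetime

# Constructed audit-trail rows; table and field names are illustrative, not PeopleSoft's.
AUDIT = [
    {"ts": "2014-03-03T09:12:00", "user": "jdoe", "channel": "frontend", "action": "UPDATE",
     "table": "VENDOR_BANK", "key": "V001", "field": "ACCOUNT_NO", "old": "1111", "new": "9999"},
    {"ts": "2014-03-03T09:15:00", "user": "jdoe", "channel": "frontend", "action": "UPDATE",
     "table": "VENDOR", "key": "V001", "field": "DESCRIPTION", "old": "Supplies", "new": "Office supplies"},
    {"ts": "2014-03-04T23:40:00", "user": "dba_batch", "channel": "backend", "action": "UPDATE",
     "table": "VENDOR", "key": "V003", "field": "PAYMENT_TERMS", "old": "NET45", "new": "IMMEDIATE"},
    {"ts": "2014-03-09T10:02:00", "user": "rlee", "channel": "frontend", "action": "INSERT",
     "table": "VENDOR_ADDRESS", "key": "V007", "field": "ADDRESS1", "old": None, "new": "9 Pine Ct"},
]
# Risk-based policy: only these actions, channels and table/field pairs raise alerts.
POLICY = {"actions": {"UPDATE", "INSERT"}, "channels": {"frontend", "backend"},
          "fields": {("VENDOR_BANK", "ACCOUNT_NO"), ("VENDOR", "PAYMENT_TERMS"),
                     ("VENDOR_ADDRESS", "ADDRESS1")}}

def high_risk_changes(audit, policy, start, end):
    """Daily notification feed: who changed what, when, on which table/key, via which channel."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    out = []
    for r in audit:
        ts = datetime.fromisoformat(r["ts"])
        if not (lo <= ts <= hi) or r["action"] not in policy["actions"]:
            continue
        if r["channel"] not in policy["channels"] or (r["table"], r["field"]) not in policy["fields"]:
            continue
        out.append({"who": r["user"], "channel": r["channel"], "what": f'{r["table"]}.{r["field"]}',
                    "key": r["key"], "when": r["ts"], "change": (r["old"], r["new"])})
    return out

def snapshot(audit, as_of):
    """Point-in-time picture of tracked fields, replayed from the trail up to as_of."""
    state = {}
    cutoff = datetime.fromisoformat(as_of)
    for r in sorted(audit, key=lambda r: r["ts"]):
        if datetime.fromisoformat(r["ts"]) <= cutoff:
            state[(r["table"], r["key"], r["field"])] = r["new"]
    return state

def diff_snapshots(before, after):
    """Compare two period-end snapshots; returns {(table, key, field): (old, new)} for drift."""
    keys = set(before) | set(after)
    return {k: (before.get(k), after.get(k)) for k in keys if before.get(k) != after.get(k)}
```

Restricting `POLICY["channels"]` to `{"frontend"}` answers "who changed from frontend?" while keeping the same trail, and the DESCRIPTION edit never alerts because it is not a high-risk field.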
Goals Vs. Value Realized
Goal: Increase buying leverage significantly and get the volume discounts based on collective purchasing power of all entities across operations
Value realized: Reduced spend significantly enough to justify the initial effort and opex of centralized vendor data management staff
Goal: Improve many procure-to-pay sub processes
Value realized: The exercise gave structure to work methods ensuring accurate and timely processing of vendor payments
Goal: Uniquely identify vendors operating across service geographies
Value realized: Reduced duplicate vendor situations to almost zero and allowed benchmarking of prices for all locations for the same items
Goal: Standardize payment methods and terms of payment
Value realized: Cleanup gave clarity and the ability to demand the same terms for vendors of the same or similar items. Brought all vendors onto standard terms, thus helping avoid payment delays and PayCycle processing
Goal: Reduce incorrect PO issuance, check issuance, and overheads in managing the vendor landscape
Value realized: Vendor entry errors went down from 40% to less than 5%. Reduced need for exception Purchase Orders and helped set up priority vendors
Goal: Make Item and Catalog administration structured and clear
Lessons learned
Effective Controls with Low Resource Cost: PeopleSoft is a vastly configurable ERP system. Having additional controls configured in it, or queries built, places a burden on it. The Oracle Advanced Controls (OAC) applications proved to be an effective companion system for controls.
Early Gap Identification for Effective Design: Assess PeopleSoft and explore complementary resolution of gaps by OAC early in implementations
Embed Controls within the Process: Treat OAC as part of ‘your daily diet’ business process flows and not as add-ons, to achieve process control, completeness and effectiveness
Automate Controls for Efficiency: Adopt the mantra of ‘automated’ versus ‘manual’ and the chips will fall into place
Highlight Root Causes by Identifying Control Points: Identifying control points as ‘afterthoughts’ results in band-aids. Instead, have business process flows nailed down first
Layered Controls = Deeper Defense
Follow us & join the conversation.
Oracle GRC Advanced Controls Group
@OracleAdvCntrls