1. Vendor Master Controls
How they are Critical to Governance, Risk & Compliance
Jon Casher
President
Casher Associates, Inc
Al Nasser Khan
President
Control Layers Consulting
Copyright © 2014, Oracle and/or its affiliates. All rights reserved.
2. Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
3. How Your Vendor Master File is Critical to Governance, Risk Management and Compliance
Jon Casher
President
Casher Associates, Inc.
Copyright © 2014 Casher Associates, Inc.
Permission to use granted to Oracle Corporation
Slide 3
4. Serial Entrepreneur
Founded Casher Associates, Inc. in 1976 to design and develop custom financial systems and back office automation
Co-founded CM Associates in 1985 to provide financial industry software products
Co-founded RECAP, Inc., an A/P Audit firm, in 1988
Director of a NASDAQ company from 2000-2006, head of the audit committee from 2002 until the company went private in 2006
Current Focus
Consulting to Finance, AP, AR and Procure-to-Pay organizations and their service providers
Training, Certification, White Papers, Surveys, Workshops, Presentations
Contact Information
Snail Mail: 110 Pond Brook Road, Newton MA 02467-2648
Web Site: www.casherassociates.com
Email: jcasher@casherassociates.com
Phone: 617-527-3927 or 877-527-3927
Jon Casher: My Background and Contact Information
5. Overview
Critical Vendor Master File Issues
Vendor Management Goals, Concerns and Challenges
Other Vendor Master File Issues
Vendor Master File Standards
Best and Appropriate Practices
Third Party Resources
6. Critical Vendor Master File Issues
7. Critical Vendor Master File Issues
Your Vendor File is a Strategic Resource
Other than investments, 30-70% of all funds that flow out of non-financial institutions go out through Accounts Payable
Federal, state, international laws and regulations make it important to keep your vendor file accurate
Accurate and complete information is key to controlling transaction processing within the Procure-to-Pay process
Accurate reporting and analysis is impossible without a clean vendor master file
Vendor Management's GRC Challenges
Overcome Barriers to Compliance
Lack of Awareness of Regulatory Compliance and Reporting Requirements by
Purchasing and Accounts Payable
Product Managers and Developers of ERP and Financial Accounting Software
Technical Limitations of ERP and Financial Accounting software
Need to Manage Vendor Risk
Policy
Contract
Regulatory
8. Well Documented and Tested Procedures
Define the process for doing business with new vendors
Ensure that only authorized individuals can make changes, additions, deletions
Separation of Duties
People allowed to make changes must not be able to process transactions such as issuing purchase orders, posting invoices, disbursing funds or making accounting entries
Audit Trail of Changes
All additions, changes and deletions should be logged, reported, reviewed and signed off by someone in management other than the person posting updates
Reconcile and Synchronize
If multiple systems have vendor information, reconcile common information
Owner should be responsible for
Defining data requirements
Setting, maintaining and monitoring standards and data quality
Coordinating the activities of those who use, enter and update vendor information
Critical Vendor Master File Issues: Access, Control and Ownership
9. Vendor Management Goals, Concerns and Challenges
10. Catch / reduce fraud
Know your vendors
Comply with laws and regulations
Know where you spend money
Reduce duplicate and other erroneous payments
Control costs and save money
Make accurate and timely vendor payments
Vendor Management Goals, Concerns, Challenges: Overview
11. Vendor Management Goals, Concerns, Challenges: Catch/Reduce Vendor Fraud
Main Types of Vendor Fraud
Invoices with inflated prices
Requests that look like invoices or government forms with a filing fee
Invoices for goods not delivered or services not provided
Checks that sign you up for a service if you deposit them (may appear to be refunds, rebates or credits for a small amount)
Intentional double billing
Collusion with an employee, kickbacks, bribes
Fictitious companies
Bid rigging and price fixing
The Size of the Problem
Kroll Global Fraud Report
19% of companies experienced vendor fraud in 2013
ACFE
5% of revenues lost due to fraud
Billing fraud is approx. 24% of the total monetary amount of fraud
12. Vendor Management Goals, Concerns, Challenges: Know Your Vendors
Name Changes
3%-7% of companies change their name every year
Out of approx. 15,000 US stock exchange listed companies
17 changed their names between 9/2/2014 and 9/5/2014
83 changed their name between 8/5/2014 and 9/1/2014
Over 200 were delisted or had trading suspended between 8/5/2014 and 9/4/2014
Some name changes are minor, some are significantly different
CVS Caremark changed its name to CVS Health Corporation on 9/4/2014
ICG Group, Inc changed its name to Actua Corporation on 8/12/2014
Some Types of Related Vendors
Franchisees
Joint ventures
Subsidiaries
Affiliates
Vendors Operating Under Multiple Names
13. Federal
IRS
Denied, Debarred and Excluded Parties
Privacy
Bribery
Other
States
Sales & Use Tax
Abandoned Property / Escheatment
Privacy
Deadbeat Parents
Withholding and Reporting
International
Denied, Debarred and Excluded Parties
Privacy
Bribery
Value Added Tax
Vendor Management Goals, Concerns, Challenges: Comply with Laws & Regulations
14. Comply with Laws & Regulations: Federal – IRS
Primary Forms
1099-MISC
1042-S for Non-Resident Aliens
W-9s, W-8s and FATCA (Foreign Account Tax Compliance Act)
Industry Specific Reporting
Regulations and Forms Change Often and are Complex
Penalties for Incorrect Filings Have Increased Dramatically
Electronic Delivery of 1099s to Payees is Allowed when Recipients Agree to Receive Them
Tax ID Masking (showing only the last 4 digits) is Now Allowed
15. US Department of Treasury Office of Foreign Assets Control (OFAC)
US Department of State Foreign Terrorist Organizations (FTO)
US Department of Commerce Bureau of Industry and Security (BIS)
All of the above maintain lists of organizations and individuals that you must not do business with
Do not buy from, sell to or disburse or receive funds from entities on these lists
Politically Exposed Persons (PEPs) who may be involved in money laundering or financing of terrorist organizations
Fines for violations can be substantial
Criminal penalties can include fines ranging from $50,000 to $10,000,000 and imprisonment ranging from 10 to 30 years for willful violations
Civil penalties of $250,000 or twice the amount of each underlying transaction, for each violation
Over $1 billion in fines recovered in each year since 2009
Comply with Laws & Regulations: Federal – Denied, Debarred, Excluded Parties
16. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Most of this act deals with privacy of medical records
However, can impact AP if medical payments are processed through AP
Pre-employment physical exams
Drug testing
Other – especially companies that self-insure
Gramm Leach Bliley Act of 1999 (GLB)
Restricts disclosure of nonpublic personal information
Intended to protect individuals who are customers of financial institutions but has been expanded to other types of businesses
Can impact AP if customer refunds or garnishments are processed through AP
More legislation is likely due to increasing number of security breaches and identity theft
Most states already have additional restrictions
Payment Card Industry Data Security Standards (PCI-DSS)
While not a federal law, these are industry standards and guidelines
Comply with Laws & Regulations: Federal – Privacy
17. US Department of Justice (DOJ) Foreign Corrupt Practices Act of 1977 (FCPA)
Enforces accounting transparency requirements under the Securities Exchange Act of 1934 and prohibits bribery of foreign officials
Both US DOJ and Securities Exchange Commission enforce
Applies to US companies and foreign companies with US subsidiaries
Be aware of Politically Exposed Persons (PEPs)
Since 2007, number of investigations and enforcement actions has grown
Total fines and penalties have ranged from $260 million to $2 billion in each of the last 6 years (2008–2013), with the average settlement over $80 million in 2013
Currently, there are open investigations of approx. 100 very large companies plus many others
Almost half of the Dow 30 have paid fines since 2007 or are currently being investigated
Likely to see more investigation and prosecution of domestic bribery
Comply with Laws & Regulations: Federal – Bribery
18. Law passed in response to accounting scandals
Applies to public companies in US
Five main areas
Auditor independence
Corporate responsibility
Improved financial disclosure
Analyst conflict of interest
Accountability for corporate fraud
Comply with Laws & Regulations: Federal – Sarbanes-Oxley Act of 2002
Physician Payments Sunshine Act (Sunshine Act), which is part of the 2010 Affordable Care Act
Requires manufacturers of drugs, medical devices and biologicals that participate in U.S. federal health care programs to report to CMS certain payments and items of value given to physicians and teaching hospitals.
Any transfers of value or payments to physicians and hospitals greater than $10, including payments, traded services, stocks, or any other returned investments.
Gifts greater than $100 will be made public and published online as of September 30, 2014.
Supersedes Maine, Vermont, Massachusetts, Minnesota, West Virginia and DC laws
Securities and Exchange Commission reporting of payments to auditors, directors, etc.
Public companies must report payments to directors and auditors in the annual 10-K
Other federal agencies have specialized reporting
Especially if you are a government contractor, you must keep up to date on regulations relevant to your industry
Comply with Laws & Regulations: Federal – Other
20. States are increasing sales/use tax rates and some tax services
Many states are doing sales/use tax audits
Marketplace Fairness Act passed US Senate but held up in US House
States are doing more aggressive abandoned property (escheat) audits and many use “bounty hunters”
Most uncashed checks issued by AP should not have to be escheated
Rules depend on the state in which the vendor is located which may not be the state in which you are located or incorporated
More states are requiring withholding and/or reporting of payments to certain types of vendors, as well as requiring deadbeat parent reporting
States are concerned about data breaches
47 states and DC have privacy laws and regulations
More states, municipalities and counties are requiring permits and filing fees
More municipalities and counties are doing personal property audits
Software packages typically do not have all needed functionality
Comply with Laws & Regulations: States
21. Countries are putting in place laws, rules and regulations similar to but different from those in the US
Primary Areas Addressed
Denied, Debarred and Excluded Parties
Politically Exposed Foreign Persons
Privacy
Bribery
Value Added Tax
Rarely or Never Addressed
Abandoned Property
Comply with Laws & Regulations: International
22. Who has the information
Purchasing thinks they know
A/P thinks they have the data
Both are partially correct
Ways you may want to analyze spend
By Vendor
By Commodity
By Dollar Amount
By Transaction Volume
Vendor Management Goals, Concerns, Challenges: Know Where You Spend Your Money
23. Duplicate and Erroneous Payments
Every major software package checks for duplicates based on Vendor Id and Invoice #
Duplicate check fails if
Identical vendor under multiple vendor ids
Variation on vendor name
System does not support multiple addresses
Vendor at different remit address is selected
Vendor under previous or new name is selected
Related vendor is selected
If duplicate vendors are eliminated, over 75% of the dollars associated with duplicate payments can be eliminated
Stops, Voids, Reissues and Uncashed Checks
Wrong vendor selected
Payment sent to wrong address
Payment never received
Payment received by wrong vendor
Vendor Management Goals, Concerns, Challenges: Reduce Costs and Save Money
24. “Appropriate Transaction” Attributes
Not impacted/controlled by vendor master file data
Proper goods and/or services received/provided
Sufficient invoice detail
Correct amount(s)
Appropriate approval(s)
Correct accounting codes
Impacted/controlled by vendor master data
Who to pay
How much to pay
When to pay
How to pay
Where to send the payment
Vendor Management Goals, Concerns, Challenges: Make Accurate and Timely Payments
25. Other Vendor Master File Issues
26. Why Vendor Files Grow
Name entered differently by your staff
Vendor changes its name
Street Address and/or Lock Box changes
Mergers
By your organization and by your vendors
Acquisitions
By your organization and by your vendors
Divestitures
By your vendors
Purchasing and AP use Different Files and/or Multiple Systems
Data Quality and Consistency
Missing
Non-standard
Invalid
Obsolete
Other Vendor Master File Issues
27. Other Vendor Master File Issues: More Problems and Some Metrics
20%–80% of vendors in current vendor master files have had no activity within the last 12 months
35%–65% of “active” vendors are one-time vendors
3%–7% of vendors change their name annually
20% of vendors change their HQ address annually
Phone #(s), Contact Name(s), Email Addresses and Banking Information also change
The bigger your vendor file, the more duplicates you probably have
1–100 vendors: no duplicates
100–1,000 vendors: 1%–3% redundant
1,000–10,000 vendors: 2%–6% redundant
10,000–100,000 vendors: 4%–10% redundant
> 100,000 vendors: > 10% redundant
28. Vendor Master File Standards
29. Understand System(s) Features and Limitations
Minimum and maximum field lengths
Data types, default values and edit checks
Number of name and address lines
Various types of names such as Lookup name, Name on check, Legal/Tax name, Short name, etc.
Various types of addresses such as Buy From, Remit To, etc.
Controls, audit trails, additions, changes and deletions
How changes and deletions affect historical data
Files and/or tables that may need changes and/or are affected by changes
Identify and Review for Vendors that are
Your Own Company, Subsidiaries, Affiliates
Employees
Officers and Directors and Related Companies
External Audit Firm(s)
Sensitive Vendors and those that require special reporting
Vendors Set Up or Referenced in Other Systems
Vendor Master File Standards: First Steps
30. Identify Vendors in Special Classes for Possible Name Standardization
Federal Government Departments and Agencies
State Governments
Local Governments
Postal Service
Individuals
Telephone Companies and Utilities
Non-Governmental Organizations (NGOs)
Garnishments
Petty Cash
Other (e.g. Universities, Courts, Agents, Medical Service Providers)
Vendor Master File Standards: Names
31. Address Problems and Issues
Name continuation and/or Name qualifiers in address fields
Attention (ATTN)
Internal addresses
Invalid, Missing or Inconsistent State and Zip Code
Punctuation and special characters
Improper Abbreviations
Numbers as Words
Dual Addresses
PO BOX Addresses
CMRAs (Commercial Mail Receiving Agencies)
“Bad” Addresses (many types of problems)
Vendor Master File Standards: Addresses
32. Vendor Master File Standards: Other Fields
Phone
Tax Identifiers
US – SSN, EIN, ITIN
Canada – SIN, BIN
European Union – VATIN (VAT Identification Number)
Payment Terms
1099 Type/Box
Payment Terms and Default Discounts
Bank Routing Code and Account Number
Minority, Women Owned, Small Business, etc.
Default G/L Code
Classification Codes
Certifications
Insurance Certificates
Email Addresses
Web Sites
33. Best and Appropriate Practices
34. Vendor Verification and Authentication
Vendor Setup and Change Management
Vendor and Address Deactivation
Vendor Review and Controls
Best and Appropriate Practices: Overview
35. Determine amount of checking based on
Strategic importance of vendor
Amount and type of business expected to be done
Determine if vendor is already on file
Dual Review
Name Qualifier
Common Abbreviation
Care Of or Agent
Minimize likelihood of fraud / Ensure that vendor is legitimate
Check business history and length of time in business
Confirm street address especially if only address is a PO Box
Check third party directories
Check against Employee Data
Name, Address, Phone, TIN, Bank Account match
Check vendor address against your locations
Best and Appropriate Practices: Vendor Verification and Authentication
36. Best and Appropriate Practices: Vendor Verification and Authentication (cont’d)
Validate basic vendor address information
US Vendors
Delivery Point Validation
CMRA (Private Mail Box)
PO Box
Non-US Vendors
Use UPU.INT and individual country postal web sites
Phone
Directory Lookup(s)
Call Vendor
37. Best and Appropriate Practices: Vendor Verification and Authentication (cont’d)
Regulatory
Ensure that you are not doing business with a prohibited party on the OFAC, FTO and BIS lists or other lists of denied, debarred, excluded or restricted parties
Check the GSA System for Award Management
Verify that information for regulatory reporting is correct
Get W-9s for US vendors and appropriate W-8 for non-US vendors
Use IRS TIN Matching
Check State of Incorporation or Local Jurisdiction
Secretary of State or Office of Corporations
Determine State Reporting Requirements
State Withholding and “1099” Reporting
Office of Child Support for Deadbeat Parent
Check Industry Specific lists
38. Best and Appropriate Practices: Vendor Verification and Authentication (cont’d)
Other
Check Vendor’s Web Site
Check Ownership of Vendor’s Web Site (who.is)
Validate Email Addresses
Send test messages
Validate Routing Code and Account Numbers
Initiate test transactions and obtain confirmations
Check Third Party Data
Corporate Affiliations
ChoicePoint
D&B
Experian
Intelius
39. Best and Appropriate Practices: Vendor Setup
Have general conventions and standards
Use a new vendor form with field names and positions similar to where they are in your vendor setup screens
Require names and signatures of requestor, person doing setup and person reviewing and verifying correct setup information
Standardize how vendor names are entered
Insist that the guidelines be followed – verify periodically
Punctuation
Abbreviations
Name Prefixes and Suffixes
Name Qualifiers
40. Use postal guidelines for addressing standards
Punctuation
Abbreviations
Between Name and Delivery Address Line
Name Qualifiers
Internal Addresses
Delivery Address Line
7 Components
Last Line
City State ZIP
Non-US
Best and Appropriate Practices: Vendor Setup (cont’d)
41. Have guidelines for how other fields are formatted and/or valid values
Vendor Type and/or Class
1099 Type (Box)
Phone Numbers
Taxpayer Identifiers
Payment Terms
ACH, P-Card, EDI, etc.
Women Owned, Minority Owned, Small Business, Veteran, Disabled Veteran, etc.
Insurance Certificate(s)
Tax Certificate(s)
Certifications
Contacts
Email addresses and web sites
Best and Appropriate Practices: Vendor Setup (cont’d)
42. Best and Appropriate Practices: Vendor Setup (cont’d)
Flag Special and Sensitive Vendors
Vendors that are your company’s audit firm(s)
Your company’s officers, directors and their affiliated companies
Employees
Vendors subject to other regulatory checking and reporting
Based on your company’s lines of business
Based on the types of goods or services to be provided
Subject to state withholding and/or reporting
Mask or Restrict Access to Sensitive data
Restrict access to TIN, Bank and Card information
Mask TIN, Bank and Card information
Redact information on Source Documents
Link and/or combine duplicate and some related vendors
Promptly review all additions to the vendor master file
43. Provide to Vendors
Send out a welcome letter and information packet that identifies:
What to do to get paid
When a contract or Purchase Order is required
Whom to contact regarding issues
Optionally, ethics and dispute resolution guidelines
Best and Appropriate Practices: Vendor Setup (cont’d)
44. Best and Appropriate Practices: Vendor and Address Deactivation
Decide when/how to purge or block inactive vendors and addresses
15–18 months of inactivity is a typical rule
Deal with Open Items
POs
Invoices
Disbursements
45. Best and Appropriate Practices: Vendor Review and Controls
Promptly review all additions and changes to the vendor master file
Check vendor name and address when checks are uncashed for more than 30 days
Check endorsement on first check sent to a PO Box for a new vendor
Check vendor name and address for all mailed items returned by the postal service
Check vendor against OFAC and other denied party lists before issuing a contract, cutting a PO or disbursing funds
Check deadbeat reporting requirements
Ensure separation of duties
Periodically check Vendor Master File against lists for
Name changes
Duplicates
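The duplicate-payment failure mode from slide 23 (the standard Vendor Id + Invoice # check misses a re-billed invoice when one supplier sits under several vendor ids), the employee-data match from slide 35 and the periodic duplicate review above, as an added example that is not part of the presentation or of any Oracle or Casher Associates product: the naive check is run first, then vendor ids are collapsed onto a normalized name/TIN key so the cross-id duplicate and the employee-linked vendor surface for review. All vendor, invoice and employee records are constructed, and the suffix and abbreviation tables are illustrative assumptions to be replaced by your own naming standard.

```python
"""Vendor-master duplicate and conflict checks (added example; all data constructed)."""
import re
from collections import defaultdict

# Corporate suffixes dropped from the name key (illustrative assumption; align with your own standard).
SUFFIXES = {"INC", "INCORPORATED", "LLC", "CORP", "CORPORATION",
            "CO", "COMPANY", "LTD", "LIMITED"}
# Abbreviations expanded before matching (illustrative subset, an assumption).
ABBREVIATIONS = {"IND": "INDUSTRIAL", "SVC": "SERVICE", "SVCS": "SERVICES",
                 "MFG": "MANUFACTURING", "INTL": "INTERNATIONAL"}

# Constructed sample data: one supplier under three vendor ids, plus a vendor whose TIN/bank belong to an employee.
VENDORS = [
    {"vendor_id": "V001", "name": "Acme Industrial Supply, Inc.",
     "tin": "12-3456789", "bank_acct": "0011223344"},
    {"vendor_id": "V002", "name": "ACME INDUSTRIAL SUPPLY INC",
     "tin": "12-3456789", "bank_acct": "0011223344"},
    {"vendor_id": "V003", "name": "Acme Ind. Supply", "tin": "", "bank_acct": ""},
    {"vendor_id": "V004", "name": "Beacon Consulting LLC",
     "tin": "98-7654321", "bank_acct": "5566778899"},
]
INVOICES = [
    {"vendor_id": "V001", "invoice_no": "INV-1001", "amount": 1250.00},
    {"vendor_id": "V002", "invoice_no": "inv-1001", "amount": 1250.00},  # re-billed under 2nd id
    {"vendor_id": "V001", "invoice_no": "INV-1002", "amount": 300.00},
    {"vendor_id": "V004", "invoice_no": "7781", "amount": 990.00},
]
EMPLOYEES = [{"name": "Jane Doe", "tin": "987654321", "bank_acct": "5566778899"}]


def normalize_name(name):
    """Upper-case, strip punctuation, expand abbreviations, drop corporate suffixes."""
    tokens = re.sub(r"[^A-Z0-9 ]+", " ", name.upper()).split()
    tokens = [ABBREVIATIONS.get(t, t) for t in tokens]
    return " ".join(t for t in tokens if t not in SUFFIXES)


def digits_only(value):
    """TIN / bank account key: digits only, so '12-3456789' equals '123456789'."""
    return re.sub(r"\D", "", value or "")


def naive_duplicate_invoices(invoices):
    """The check most AP packages ship with: exact Vendor Id + Invoice # match."""
    seen = defaultdict(list)
    for inv in invoices:
        seen[(inv["vendor_id"], inv["invoice_no"].strip().upper())].append(inv)
    return {k: v for k, v in seen.items() if len(v) > 1}


def vendor_groups(vendors):
    """Map vendor_id -> group root; ids sharing a name key or a TIN are linked
    (union-find keeps it transitive: A~B by name, B~C by TIN => one group)."""
    parent = {v["vendor_id"]: v["vendor_id"] for v in vendors}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    first_seen = {}
    for v in vendors:
        for key in (("name", normalize_name(v["name"])),
                    ("tin", digits_only(v.get("tin")))):
            if not key[1]:
                continue  # a blank TIN must not link unrelated vendors
            if key in first_seen:
                parent[find(v["vendor_id"])] = find(first_seen[key])
            else:
                first_seen[key] = v["vendor_id"]
    return {vid: find(vid) for vid in parent}


def duplicate_vendor_sets(vendors):
    """Ids that probably belong to one supplier: a review queue, not an auto-merge."""
    groups = defaultdict(set)
    for vid, root in vendor_groups(vendors).items():
        groups[root].add(vid)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def cross_id_duplicate_invoices(vendors, invoices):
    """Same invoice # billed under different ids that resolve to one supplier."""
    root_of = vendor_groups(vendors)
    seen = defaultdict(list)
    for inv in invoices:
        seen[(root_of[inv["vendor_id"]], inv["invoice_no"].strip().upper())].append(inv)
    return sorted((k[1], sorted(i["vendor_id"] for i in v))
                  for k, v in seen.items() if len(v) > 1)


def employee_matches(vendors, employees):
    """Vendors whose TIN or bank account matches an employee record."""
    tins = {digits_only(e["tin"]) for e in employees} - {""}
    accts = {digits_only(e["bank_acct"]) for e in employees} - {""}
    return [v["vendor_id"] for v in vendors
            if digits_only(v.get("tin")) in tins or digits_only(v.get("bank_acct")) in accts]
```

The grouped ids and flagged invoices are meant to feed the review-and-sign-off step the deck calls for, not to merge or block records automatically.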
46. Best and Appropriate Practices: Vendor Review and Controls (cont’d)
Communicate regularly with vendors
Prepare a document that explains how a vendor should conduct business with your firm
Require vendors to sign a business practices statement
Use email intelligently
Accept electronic input
Provide sufficient remittance information to vendors so that they can properly apply payments
Provide on-line inquiry and self service capability (Vendor Portal)
Monitor vendor performance – accuracy and timeliness of invoices
Consider having “Service Level Agreements” with your strategic vendors
47. Third Party Resources
48. Third Party Resources: US Government Web Sites
US Department of Treasury - IRS
www.irs.gov
US Department of Treasury - OFAC
www.treas.gov/offices/enforcement/ofac
US Department of State - FTO
See OFAC
US Department of Commerce – Lists of Parties of Concern
www.bis.doc.gov/index.php/policy-guidance/lists-of-parties-of-concern
US Department of Health & Human Services
www.acf.hhs.gov/programs/css
www.acf.hhs.gov/programs/css/resource/state-and-tribal-child-support-agency-contacts
US General Services Administration – System for Award Management
www.sam.gov
49. Third Party Resources: Non-US Web Sites
Australia DFAT List
www.dfat.gov.au
Bank of England List (BOE)
www.bankofengland.co.uk/publications/financialsanctions/index.htm
Canada OSFI List
www.osfi-bsif.gc.ca/osfi/index_e.aspx?DetailID=525
European Union (EU) Consolidated List
ec.europa.eu/external_relations/cfsp/sanctions/list/consol-list.htm
50. Third Party Resources: Non-US Web Sites (cont’d)
Guernsey Financial Services Commission (GFSC)
http://www.gfsc.gg/
Hong Kong Monetary Authority Lists (HKMA)
www.info.gov.hk/hkma/eng/bank/three_tier/three_tier_f.htm
Interpol
www.interpol.int
Access to the Interpol Terrorism Watch list is restricted to authorized police agencies
51. Third Party Resources: Standards and Guidelines
TIN Matching, 1099-MISC, 1042-S, etc.
Internal Revenue Service - www.irs.gov
Standard Country Names and Codes
International Standards Organization - www.iso.org
en.wikipedia.org/wiki/ISO_3166-1
US Addressing Standards
United States Postal Service - www.usps.com
pe.usps.gov/text/pub28/welcome.htm
Canada Addressing Standards
Canada Post - Postes Canada - www.canadapost.ca
www.canadapost.ca/tools/pg/manual/default-e.asp
International Addressing Standards
Universal Postal Union - www.upu.int
52. Third Party Resources: Standards and Guidelines (cont’d)
Telephone Number Formats
International Telecommunications Union - www.itu.int
en.wikipedia.org/wiki/National_conventions_for_writing_telephone_numbers
Name Changes
OTC Markets - www.otcmarkets.com
Corporate Affiliations - www.corporateaffiliations.com
Fraud
Kroll Global Fraud Reports - fraud.kroll.com/report-archive
Association of Certified Fraud Examiners Report to the Nations - www.acfe.com/rttn/docs/2014-report-to-nations.pdf
Search wikipedia.org for other resources
53. Comprehensive Risk & Controls Mgmt.
Detect and Fix Issues
Continuous Improvement and Monitoring
Assess Risk & Compliance
Close the Loop
Identification
Analysis
Evaluate
1. BUSINESS RISKS
Document
Assessments
Reviews
2. CONTROL OBJECTIVES
Author
Execute
Investigate
3. CONTINUOUS MONITORS
54. Custom or Legacy Applications
Enterprise Risk and Controls Foundation
One Unified Platform
Flexible
• Graphical Authoring
• Detect and Prevent
• Access, Transactions, Setups
Data Driven
• 100% of Transactions
• Manage by Exception
• Pattern Analysis
Comprehensive
• Multiple GRC Projects
• From Documentation to Test
• Closed Loop Approach
Enterprise Risk & Controls Foundation (platform diagram): Dashboards, Reports and Alerts; Notifications; Worklists; Email; Perspectives; Search; Risk, Controls & Compliance Management; Reviews; Documentation; Assessments; Remediation; Surveys; Continuous Controls & Risk Monitoring; Setups; Access; Master Data; Audit Tests; Transactions; User Authored Controls; Data Connectors; Fraud & Error Patterns; Role Based Access Security; Web Services & APIs
55. Nasser Khan, CISA, MBA
Nasser Khan is a Governance, Risk & Compliance Solutions Architect
Over 28 years of global experience in business process management spanning Financials, Supply Chain and Human Capital Management. Nasser has executed several process transformation initiatives through ERP implementations, I.T. auditing, and audit process automation
Bringing vast experience working globally with manufacturing, healthcare and public sector clients, Nasser Khan specializes in assisting clients to realize business gains through enterprise risk management
Delivered consulting services with PeopleSoft, Oracle, and Deloitte
56. Grcystems.com
Introduction
Control Layers is a service line of NHI GRCystems
A business technology systems risk consulting practice dedicated to thought leadership and to the implementation, management, automation, and enforcement of business process and technology controls
High caliber advisory and implementation services
Consultants provide deep domain expertise in enforcing internal controls in enterprise business processes and security functions
Assists clients in managing operational, regulatory compliance, and privacy-related risks by providing strategy, roadmap and tools to ensure effective and continuous compliance, utilizing its partner’s tools and its own proprietary service offerings
57. Grcystems.com
Client Profiles
Major healthcare and other service providers averaging over 100 business units across North America
On average, over 130,000 employees
Master Data Management is a key risk mitigation control, with large data entry and management teams
Over 8,000 unique vendor supply sources
Purchasing spend in excess of $100 million
Significant PeopleSoft clients of Oracle globally
Highly regulated environments
Stakeholders need a higher degree of assurance from internal controls over financial reporting
58. Grcystems.com
Challenges at clients
Ambitious business transformation initiatives involving PeopleSoft FSCM 9.1, HCM 9.1 and OBIEE (centralized reporting)
Financial transformation processes include GL, AP, AR, AM, KK, PC and Supply Chain transformed by deploying PO, IN, and Vendors, Contracts and Items
Over 100 business units purchasing from over 8,000 vendors
59
59. Grcystems.com
Challenges at clients
One vendor (by name) may have many subsidiaries dealing in totally different items, pricing models, payment terms and lead times
Consistent and accurate data needed to be entered against stringent standards
The same-name vendor may have a different subsidiary at the same location or in the same city
With distributed purchasing at the BU level, conflicting and sometimes unfavorable contract terms were in force
Receiving and matching challenges occurred on many levels
Vendor approvals were not structured; inactive or blocked vendors could get paid (OIG of Dept. of HHS)
60
60. Grcystems.com
Key Needs and Control Gaps
Needed a critical system to provide operating effectiveness of application-based controls in Procure to Pay on a continuous basis
The Duplicate Vendor report in PeopleSoft had limitations (it matched only on short name) and did not provide real-time validation
Financial Sanctions Validation was not enabled in PeopleSoft, so an independent validation method needed to be used, based on data from another source
Comparison of address history in PeopleSoft was, again, not real-time
Needed to map controls in the source system conveniently to the control framework to assist in operational and compliance audits
Diagram: control-gap map of the Procure-to-Pay steps, each step marked as No Control, PS Control (PeopleSoft control) or Manual Control.
61
62. Grcystems.com
Why did we need Advanced Controls?
Improve Audit Efficiency
• Audit coverage, confidence, reporting
• Incident investigation, whistle-blower support
• Continuous Process Monitoring
Minimize Fraud and Abuse
• Fictitious vendors
• Overstated invoices
• Receiving discrepancies
Reduce Error and Leakage
• Overpayment, duplicate payment
• Payment timing, discounts
• Reduce cost of manual controls; incorrect vendor paid
Secure Systems Down
• Preventative and detective segregation of duties policy enforcement
• Access appropriateness reporting
• Mapping users to transactions and providing audit trails of actions
63
63. Grcystems.com
Main Vendor Management Goals
Increase buying leverage significantly and get the volume discounts based on collective purchasing power of all entities across operations
Improve many procure-to-pay sub processes
Uniquely identify vendors operating across service geographies
Standardize payment methods and terms of payment
Reduce incorrect PO issuance, check issuance, late payment penalties, and overheads in managing the vendor landscape
Ensure vendors or their banks are not on OIG or OFAC lists
Make Item and Catalog administration structured and clear
64
65. Grcystems.com
Found this value in Oracle Advanced Controls
Continuous Monitoring: Transaction Controls Governor
Pre-seeded best practice controls for PeopleSoft Vendor management
Scalable to add more automated controls
Pre-seeded controls for Procure-to-Pay use gave perspective on the vendor information being reported
Continuous monitoring and schedulable alerts for exceptions
Independent 'Witness System' to hold evidence data should an external auditor or regulator need it
66
66. Grcystems.com
Key Transaction Controls Deployed
Duplicate vendor entries
Duplicate invoice payments
Vendor address similar to employee address
Payments made to blocked vendors
More than one vendor with similar addresses
Payments beyond norm, outliers
Monitor for approval of payments to vendors which were created by the same user
67
69. Grcystems.com
Remediation
Similar names: as part of remediation, the user would likely merge the records if the same vendor has been created under more than one similar name.
Unapproved vendor not set up correctly: the vendor setup may have inconsistencies that need remediation.
70
71. Grcystems.com
Access Controls: Segregation of Duties
For user activity, we utilized the Oracle Advanced Controls application Application Access Controls Governor (AACG), which flagged, for example, cases where the same user who created a vendor also approved vendors.
72
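The transaction controls listed under "Key Transaction Controls Deployed" and the AACG create/approve check above, as an added example that is not code from the deck or from Oracle Advanced Controls: four of those controls implemented as checks over constructed vendor, employee and payment records. The abbreviation table, the status code 'A' for approved, and all ids and addresses are assumptions made for the example.

```python
"""Added example, not code from the deck or from Oracle Advanced Controls:
duplicate vendors, vendor/employee address match, payments to blocked
vendors and create/approve segregation of duties over constructed data."""
import re
from collections import defaultdict

# Constructed sample data (all ids, names and addresses are made up).
VENDORS = [
    {"id": "V001", "name": "Acme Supply Co.", "addr": "12 Main St, Springfield",
     "status": "A", "created_by": "jdoe", "approved_by": "msmith"},
    {"id": "V002", "name": "ACME SUPPLY COMPANY", "addr": "12 MAIN STREET SPRINGFIELD",
     "status": "A", "created_by": "jdoe", "approved_by": "jdoe"},
    {"id": "V003", "name": "Beta Medical LLC", "addr": "77 Oak Ave, Shelbyville",
     "status": "X", "created_by": "klee", "approved_by": "msmith"},
    {"id": "V004", "name": "Gamma Labs", "addr": "5 Elm Rd Apt 2 Ogdenville",
     "status": "A", "created_by": "klee", "approved_by": "msmith"},
]
EMPLOYEES = [{"emp_id": "E100", "addr": "5 Elm Road, Apt. 2, Ogdenville"}]
PAYMENTS = [{"pay_id": "P1", "vendor": "V003", "amount": 1200.0},
            {"pay_id": "P2", "vendor": "V001", "amount": 300.0}]
# Assumed abbreviation table; a real control would use a fuller address standardizer.
ABBREV = {"street": "st", "st.": "st", "avenue": "ave", "ave.": "ave", "road": "rd",
          "rd.": "rd", "apartment": "apt", "apt.": "apt", "company": "co", "co.": "co",
          "corporation": "corp", "inc.": "inc", "llc": ""}

def normalize(text):
    """Lower-case, unify abbreviations and strip punctuation so that
    'Acme Supply Co.' and 'ACME SUPPLY COMPANY' compare equal."""
    words = [ABBREV.get(w, w) for w in text.lower().replace(",", " ").split()]
    return " ".join(re.sub(r"[^a-z0-9]", "", w) for w in words if w)

def duplicate_vendors(vendors):
    """Duplicate vendor entries: several ids sharing a normalized name or address."""
    by_name, by_addr = defaultdict(list), defaultdict(list)
    for v in vendors:
        by_name[normalize(v["name"])].append(v["id"])
        by_addr[normalize(v["addr"])].append(v["id"])
    groups = list(by_name.values()) + list(by_addr.values())
    return sorted({tuple(g) for g in groups if len(g) > 1})

def vendor_employee_address_matches(vendors, employees):
    """Vendor address equal (after normalization) to an employee address."""
    emp = {normalize(e["addr"]): e["emp_id"] for e in employees}
    return [(v["id"], emp[normalize(v["addr"])]) for v in vendors if normalize(v["addr"]) in emp]

def payments_to_blocked(vendors, payments):
    """Payments made to blocked vendors: any status other than approved ('A')."""
    status = {v["id"]: v["status"] for v in vendors}
    return [p["pay_id"] for p in payments if status.get(p["vendor"]) != "A"]

def sod_create_and_approve(vendors):
    """Segregation of duties: the same user created and approved the vendor."""
    return [v["id"] for v in vendors if v["created_by"] == v["approved_by"]]
```

Each function returns the exception list a monitoring job would raise as an alert; the name/address normalization is what lets V001 and V002 surface as one vendor even though a short-name match alone would miss them.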
74. Grcystems.com
Found this value in Oracle Advanced Controls
Master data entry exception detection: Configuration Controls Governor
Reduced manual data entry controls that included daily checking of vendor and vendor-related entries. With CCG, only changes needed to be analyzed, and selectively
Incorrect vendor on POs and reqs
Payment term changes and incorrect terms on PO
Bank account or address changes
User data quality improvements
Leverage CCG-reported data to educate users in good practices and process improvement
75
75. Grcystems.com
Key Configuration Change Controls Deployed
For change management, we used CCG Change Tracking, with daily notifications of high-risk field changes
CCG allowed daily reporting on who changed what, when and where
Limited the performance impact on PeopleSoft from audit data build-up
On event, and at certain financial period ends, took snapshots of configuration sets for a point-in-time picture
Combined this with front-end vendor setup procedures, such as one entry per vendor designated as the 'Primary Vendor', with address sequencing to identify the vendor's multiple fulfillment locations
76
77. Grcystems.com
Setup Alerts on Vendor Changes
Specify which actions to be notified of, the date range, backend or frontend, table object, etc. We took a risk-based approach and were only interested in specific fields on specific tables
78
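The snapshot comparison and risk-based field alerts described under "Key Configuration Change Controls Deployed" and "Setup Alerts on Vendor Changes", as an added example that is not code from the deck or from CCG: two constructed point-in-time snapshots of vendor configuration rows are compared on an assumed watch list of risk fields, and each change is joined to a constructed audit row to report who, what, when and where. A change with no audit row (for instance a backend edit without a trail) is reported as unattributed.

```python
"""Added example, not code from the deck or from CCG: point-in-time snapshot
diff of vendor configuration rows, alerting only on an assumed risk field list."""
RISK_FIELDS = {"bank_account", "remit_addr", "pay_terms", "status"}  # assumed watch list

# Constructed snapshots keyed by vendor id: period-end baseline and today's picture.
PERIOD_END = {
    "V001": {"bank_account": "111-222", "remit_addr": "12 Main St", "pay_terms": "NET30", "status": "A", "phone": "555-0100"},
    "V004": {"bank_account": "333-444", "remit_addr": "5 Elm Rd", "pay_terms": "NET45", "status": "A", "phone": "555-0104"},
}
TODAY = {
    "V001": {"bank_account": "999-000", "remit_addr": "12 Main St", "pay_terms": "NET30", "status": "A", "phone": "555-0199"},
    "V004": {"bank_account": "333-444", "remit_addr": "5 Elm Rd", "pay_terms": "NET10", "status": "A", "phone": "555-0104"},
    "V009": {"bank_account": "777-888", "remit_addr": "1 New Way", "pay_terms": "NET30", "status": "A", "phone": "555-0109"},
}
# Constructed audit rows: who changed which row, when, and from which channel.
AUDIT = [
    {"vendor": "V001", "field": "bank_account", "user": "jdoe", "when": "2014-09-02T10:15", "channel": "frontend"},
    {"vendor": "V004", "field": "pay_terms", "user": "dba01", "when": "2014-09-02T23:40", "channel": "backend"},
]

def snapshot_diff(baseline, current, watch=RISK_FIELDS):
    """One alert (vendor, field, old, new) per changed or newly inserted risk field.
    Fields outside the watch list (e.g. phone) are ignored by design."""
    alerts = []
    for vid, row in current.items():
        old = baseline.get(vid, {})
        for field in sorted(watch):
            if old.get(field) != row.get(field):
                alerts.append((vid, field, old.get(field), row.get(field)))
    return alerts

def attribute(alerts, audit):
    """Join each alert to its audit row so the notification carries who, what, when,
    where; a change with no audit row is flagged 'unattributed' for follow-up."""
    idx = {(a["vendor"], a["field"]): a for a in audit}
    report = []
    for vid, field, old, new in alerts:
        a = idx.get((vid, field))
        report.append({"vendor": vid, "field": field, "old": old, "new": new,
                       "user": a["user"] if a else "unattributed",
                       "when": a["when"] if a else None,
                       "channel": a["channel"] if a else None})
    return report
```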
78. Grcystems.com
Screenshot: Oracle Advanced Controls (Configuration) change report, with callouts for who changed from the frontend, the type of change, the table name, for what key values and what the change was, when, and who changed from the backend.
79
79. Grcystems.com
Goals Vs. Value Realized
80
Goal: Increase buying leverage significantly and get the volume discounts based on collective purchasing power of all entities across operations
Value realized: Reduced spend significantly enough to justify the initial effort and opex of centralized vendor data management staff
Goal: Improve many procure-to-pay sub processes
Value realized: The exercise gave structure to work methods, ensuring accurate and timely processing of vendor payments
Goal: Uniquely identify vendors operating across service geographies
Value realized: Reduced duplicate vendor situations to almost zero and allowed benchmarking of prices for the same items across all locations
Goal: Standardize payment methods and terms of payment
Value realized: Cleanup gave clarity and the ability to demand the same terms from vendors of the same or similar items. Brought all vendors onto standard terms, which helped avoid payment delays and PayCycle processing
Goal: Reduce incorrect PO issuance, check issuance, and overheads in managing the vendor landscape
Value realized: Vendor entry errors went down from 40% to less than 5%. Reduced the need for exception Purchase Orders and helped set up priority vendors
Goal: Make Item and Catalog administration structured and clear
80. Grcystems.com
81
Lessons learned
Effective Controls with Low Resource Cost
PeopleSoft is a vastly configurable ERP system. Having additional controls configured in it, or queries built, places a burden on it. The Oracle Advanced Controls (OAC) applications proved to be an effective companion system for controls.
Early Gap Identification for Effective Design
Assess PeopleSoft and explore complementary resolution of gaps by OAC early in implementations
Embed Controls within the Process
Treat OAC as part of 'your daily diet' business process flows and not as add-ons, to achieve process control, completeness and effectiveness
Automate Controls for Efficiency
Adopt the mantra of 'automated' versus 'manual' and the chips will fall into place
Highlight Root Causes by Identifying Control Points
Identifying control points as 'afterthoughts' results in band-aids. Instead, have business process flows nailed down first
Layered Controls = Deeper Defense
81. Copyright © 2014,Oracle and/or its affiliates. All rights reserved. |
Follow Us & join the conversation.
Oracle GRC Advanced Controls Group
@OracleAdvCntrls
83. Copyright © 2014,Oracle and/or its affiliates. All rights reserved. |
Safe Harbor Statement
The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
84