Vendor Master Controls 
How they are Critical to Governance, Risk & Compliance 
Jon Casher 
President 
Casher Associates, Inc 
Al Nasser Khan 
President 
Control Layers Consulting 
Copyright © 2014, Oracle and/or its affiliates. All rights reserved.
Safe Harbor Statement 
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle. 
2
How Your Vendor Master File is Critical to Governance, Risk Management and Compliance
Jon Casher 
President 
Casher Associates, Inc. 
Copyright © 2014 Casher Associates, Inc. 
Permission to use granted to Oracle Corporation 
Slide 3
Serial Entrepreneur 
Founded Casher Associates, Inc. in 1976 to design and develop custom financial systems and back office automation 
Co-founded CM Associates in 1985 to provide financial industry software products 
Co-founded RECAP, Inc., an A/P Audit firm, in 1988 
Director of NASDAQ company from 2000-2006, head of the audit committee from 2002 until company went private in 2006 
Current Focus 
Consulting to Finance, AP, AR and Procure-to-Pay organizations and their service providers 
Training, Certification, White Papers, Surveys, Workshops, Presentations 
Contact Information 
Snail Mail: 110 Pond Brook Road, Newton MA 02467-2648
Web Site: www.casherassociates.com
Email: jcasher@casherassociates.com
Phone: 617-527-3927 or 877-527-3927
Jon Casher: My Background and Contact Information
Slide 4
Overview 
Critical Vendor Master File Issues 
Vendor Management Goals, Concerns and Challenges 
Other Vendor Master File Issues 
Vendor Master File Standards 
Best and Appropriate Practices 
Third Party Resources 
Slide 5
Critical Vendor Master File Issues
Slide 6
Critical Vendor Master File Issues 
Your Vendor File is a Strategic Resource 
Other than investments, 30-70% of all funds that flow out of non-financial institutions go out through Accounts Payable 
Federal, state, international laws and regulations make it important to keep your vendor file accurate 
Accurate and complete information is key to controlling transaction processing within the Procure-to-Pay process 
Accurate reporting and analysis is impossible without a clean vendor master file 
Vendor Management's GRC Challenges
Overcome Barriers to Compliance 
Lack of Awareness of Regulatory Compliance and Reporting Requirements by 
Purchasing and Accounts Payable 
Product Managers and Developers of ERP and Financial Accounting Software 
Technical Limitations of ERP and Financial Accounting software 
Need to Manage Vendor Risk 
Policy 
Contract 
Regulatory 
Slide 7
Well Documented and Tested Procedures 
Define the process for doing business with new vendors 
Ensure that only authorized individuals can make changes, additions, deletions 
Separation of Duties 
People allowed to make changes must not be able to process transactions such as issuing purchase orders, posting invoices, disbursing funds or making accounting entries 
Audit Trail of Changes 
All additions, changes and deletions should be logged, reported, reviewed and signed off by someone in management other than the person posting updates 
Reconcile and Synchronize 
If multiple systems have vendor information, reconcile common information 
Owner should be responsible for 
Defining data requirements 
Setting, maintaining and monitoring standards and data quality 
Coordinating the activities of those who use, enter and update vendor information 
Critical Vendor Master File Issues: Access, Control and Ownership
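The separation-of-duties and audit-trail rules on this slide can be checked mechanically against the change log and the transaction log. The following is an added example (not from the original presentation): the change log, transaction log, user names and vendor ids are all constructed, and the two checks are the ones the slide describes, expressed as code.

```python
"""Separation-of-duties and audit-trail checks over a vendor master change log.

Added example, not from the original presentation. The change log, the
transaction log, the user names and the vendor ids below are all constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class VendorChange:
    change_id: str
    vendor_id: str
    field: str                  # which master-data field was added/changed/deleted
    changed_by: str             # user who posted the update
    reviewed_by: Optional[str]  # manager who signed off; None = not yet reviewed


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    vendor_id: str
    kind: str                   # "PO", "INVOICE", "PAYMENT" or "JOURNAL"
    user: str                   # user who processed it


# Constructed sample logs (hypothetical users and vendor ids).
CHANGES = [
    VendorChange("C1", "V100", "bank_account", "alice", "carol"),   # properly reviewed
    VendorChange("C2", "V200", "remit_address", "bob", None),       # never signed off
    VendorChange("C3", "V300", "bank_account", "dave", "dave"),     # self-approved
    VendorChange("C4", "V400", "name", "erin", "frank"),            # properly reviewed
]
TRANSACTIONS = [
    Transaction("T1", "V100", "PAYMENT", "bob"),
    Transaction("T2", "V200", "PAYMENT", "bob"),   # bob changed V200's remit address, then paid it
    Transaction("T3", "V400", "INVOICE", "gina"),
]


def unreviewed_changes(changes: List[VendorChange]) -> List[str]:
    """Audit-trail rule: every addition, change or deletion must be signed off
    by someone in management other than the person who posted it."""
    return [
        c.change_id
        for c in changes
        if c.reviewed_by is None or c.reviewed_by == c.changed_by
    ]


def sod_conflicts(
    changes: List[VendorChange], transactions: List[Transaction]
) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Separation-of-duties rule: users who maintain vendor records must not
    also issue POs, post invoices, disburse funds or make accounting entries.

    Returns (users holding both roles, (user, vendor) pairs where the same
    person both changed a vendor record and processed a transaction for that
    vendor -- the highest-risk pattern for vendor master fraud).
    """
    maintainers = {c.changed_by for c in changes}
    processors = {t.user for t in transactions}
    dual_role = sorted(maintainers & processors)

    vendors_changed_by = defaultdict(set)
    for c in changes:
        vendors_changed_by[c.changed_by].add(c.vendor_id)
    same_vendor = sorted(
        (t.user, t.vendor_id)
        for t in transactions
        if t.vendor_id in vendors_changed_by[t.user]
    )
    return dual_role, same_vendor


if __name__ == "__main__":
    print("changes without independent sign-off:", unreviewed_changes(CHANGES))
    print("SoD conflicts (dual role, same vendor):", sod_conflicts(CHANGES, TRANSACTIONS))
```

Run against the sample logs, the audit-trail check flags C2 (no reviewer) and C3 (self-approved), and the separation-of-duties check reports bob as holding both roles and, more specifically, paying the very vendor whose remit address he changed. In a real deployment the two logs would come from the ERP's vendor audit table and the AP/PO/GL transaction tables, and the role-level check would also be enforced preventively through access control rather than only detectively.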
Slide 8
Vendor Management Goals, Concerns and Challenges 
Slide 9
Catch / reduce fraud 
Know your vendors 
Comply with laws and regulations 
Know where you spend money 
Reduce duplicate and other erroneous payments 
Control costs and save money
Make accurate and timely vendor payments 
Vendor Management Goals, Concerns, Challenges: Overview
Slide 10
Vendor Management Goals, Concerns, Challenges: Catch/Reduce Vendor Fraud
Main Types of Vendor Fraud 
Invoices with inflated prices 
Requests that look like invoices or government forms with a filing fee 
Invoices for goods not delivered or services not provided 
Checks that sign you up for a service if you deposit them (may appear to be refunds, rebates or credits for a small amount) 
Intentional double billing 
Collusion with an employee, kickbacks, bribes 
Fictitious companies 
Bid rigging and price fixing 
The Size of the Problem 
Kroll Global Fraud Report 
19% of companies experienced vendor fraud in 2013 
ACFE 
5% of revenues lost due to fraud 
Billing fraud is approx. 24% of the total monetary amount of fraud
Slide 11
Vendor Management Goals, Concerns, Challenges: Know Your Vendors
Name Changes 
3%-7% of companies change their name every year 
Out of approx. 15,000 US stock exchange listed companies 
17 changed their names between 9/2/2014 and 9/5/2014 
83 changed their name between 8/5/2014 and 9/1/2014 
Over 200 were delisted or had trading suspended between 8/5/2014 and 9/4/2014 
Some name changes are minor, some are significantly different 
CVS Caremark changed its name to CVS Health Corporation on 9/4/2014 
ICG Group, Inc changed its name to Actua Corporation on 8/12/2014 
Some Types of Related Vendors 
Franchisees 
Joint ventures 
Subsidiaries 
Affiliates 
Vendors Operating Under Multiple Names 
Slide 12
Federal 
IRS 
Denied, Debarred and Excluded Parties 
Privacy 
Bribery 
Other 
States 
Sales & Use Tax 
Abandoned Property / Escheatment 
Privacy 
Deadbeat Parents 
Withholding and Reporting 
International 
Denied, Debarred and Excluded Parties 
Privacy 
Bribery 
Value Added Tax 
Vendor Management Goals, Concerns, Challenges: Comply with Laws & Regulations
Slide 13
Comply with Laws & Regulations: Federal – IRS
Primary Forms 
1099-MISC 
1042-S for Non-Resident Aliens 
W-9s, W-8s and FATCA (Foreign Account Tax Compliance Act) 
Industry Specific Reporting 
Regulations and Forms Change Often and are Complex 
Penalties for Incorrect Filings Have Increased Dramatically 
Electronic Delivery of 1099s to Payees is Allowed when Recipients Agree to Receive Them
Tax ID Masking (showing only the last 4 digits) is Now Allowed
Slide 14
US Department of Treasury Office of Foreign Assets Control (OFAC) 
US Department of State Foreign Terrorist Organizations (FTO) 
US Department of Commerce Bureau of Industry and Security (BIS) 
All of the above maintain lists of organizations and individuals that you must not do business with 
Do not buy from, sell to or disburse or receive funds from entities on these lists 
Politically Exposed Persons (PEPs) who may be involved in money laundering or financing of terrorist organizations 
Fines for violations can be substantial 
Criminal penalties can include fines ranging from $50,000 to $10,000,000 and imprisonment ranging from 10 to 30 years for willful violations. 
Civil penalties range from $250,000 or twice the amount of each underlying transaction for each violation 
Over $1 billion fines recovered in each year since 2009 
Comply with Laws & Regulations: Federal – Denied, Debarred, Excluded Parties
Slide 15
Health Insurance Portability and Accountability Act of 1996 (HIPAA) 
Most of this act deals with privacy of medical records 
However, can impact AP if medical payments are processed through AP 
Pre-employment physical exams 
Drug testing 
Other –especially companies that self insure 
Gramm Leach Bliley Act of 1999 (GLB) 
Restricts disclosure of nonpublic personal information 
Intended to protect individuals who are customers of financial institutions but has been expanded to other types of businesses 
Can impact AP if customer refunds or garnishments are processed through AP 
More legislation is likely due to increasing number of security breaches and identity theft 
Most states already have additional restrictions 
Payment Card Industry Data Security Standards (PCI-DSS) 
While not a federal law, these are industry standards and guidelines 
Comply with Laws & Regulations: Federal – Privacy
Slide 16
US Department of Justice (DOJ) Foreign Corrupt Practices Act of 1977 (FCPA) 
Enforces accounting transparency requirements under the Securities Exchange Act of 1934 and prohibits bribery of foreign officials
Both the US DOJ and the Securities and Exchange Commission enforce it
Applies to US companies and foreign companies with US subsidiaries 
Be aware of Politically Exposed Persons (PEPs) 
Since 2007, number of investigations and enforcement actions has grown 
Total fines and penalties have ranged from $260 million to $2 billion in each of the last 6 years (2008-2013), with the average settlement over $80 million in 2013
Currently, there are open investigations of approx. 100 very large + many other companies 
Almost half of the Dow 30 have paid fines since 2007 or are currently being investigated 
Likely to see more investigation and prosecution of domestic bribery 
Comply with Laws & Regulations: Federal – Bribery
Slide 17
Law passed in response to accounting scandals 
Applies to public companies in US 
Five main areas 
Auditor independence 
Corporate responsibility 
Improved financial disclosure 
Analyst conflict of interest 
Accountability for corporate fraud 
Comply with Laws & Regulations: Federal – Sarbanes-Oxley Act of 2002
Slide 18
Physician Payments Sunshine Act (Sunshine Act) which is part of the 2010 Affordable Care Act 
Requires manufacturers of drugs, medical devices and biologicals that participate in U.S. federal health care programs to report to CMS certain payments and items of value given to physicians and teaching hospitals. 
Any transfers of value or payments to physicians and hospitals greater than $10, including payments, traded services, stocks, or any other returned investments. 
Gifts greater than $100 will be made public and published online as of September 30, 2014. 
Supersedes Maine, Vermont, Massachusetts, Minnesota, West Virginia and DC laws 
Securities and Exchange Commission reporting of payments to auditors, directors, etc. 
Public companies must report payments to directors and auditor in Annual 10K 
Other federal agencies have specialized reporting 
Especially, if you are a government contractor, you must keep up to date on regulations relevant to your industry 
Comply with Laws & Regulations: Federal – Other
Slide 19
States are increasing sales/use tax rates and some tax services 
Many states are doing sales/use tax audits 
Marketplace Fairness Act passed US Senate but held up in US House 
States are doing more aggressive abandoned property (escheat) audits and many use “bounty hunters” 
Most uncashed checks issued by AP should not have to be escheated 
Rules depend on the state in which the vendor is located which may not be the state in which you are located or incorporated 
More states are requiring withholding and/or reporting of payments to certain types of vendors as well as require deadbeat parent reporting 
States are concerned about data breaches 
47 states and DC have privacy laws and regulations 
More states, municipalities and counties are requiring permits and filing fees 
More municipalities and counties are doing personal property audits 
Software packages typically do not have all needed functionality 
Comply with Laws & Regulations: States
Slide 20
Countries are putting in place laws, rules and regulations similar to but different from those in the US 
Primary Areas Addressed 
Denied, Debarred and Excluded Parties 
Politically Exposed Foreign Persons 
Privacy 
Bribery 
Value Added Tax 
Rarely or Never Addressed 
Abandoned Property 
Comply with Laws & Regulations: International
Slide 21
Who has the information 
Purchasing thinks they know 
A/P thinks they have the data 
Both are partially correct 
Ways you may want to analyze spend 
By Vendor 
By Commodity 
By Dollar Amount 
By Transaction Volume 
Vendor Management Goals, Concerns, Challenges: Know Where You Spend Your Money
Slide 22
Duplicate and Erroneous Payments 
Every major software package checks for duplicates based on Vendor Id and Invoice # 
Duplicate check fails if 
Identical vendor under multiple vendor ids 
Variation on vendor name 
System does not support multiple addresses 
Vendor at different remit address is selected 
Vendor under previous or new name is selected 
Related vendor is selected 
If duplicate vendors are eliminated, over 75% of the dollars associated with duplicate payments can be eliminated
Stops, Voids, Reissues and Uncashed Checks 
Wrong vendor selected 
Payment sent to wrong address 
Payment never received 
Payment received by wrong vendor 
Vendor Management Goals, Concerns, Challenges: Reduce Costs and Save Money
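The slide's point is that a duplicate check keyed only on Vendor Id and Invoice # is blind to the same vendor set up under a second id or a differently keyed name. The following added example (not from the original presentation) shows both checks side by side, plus the vendor-side check that finds the duplicate vendor ids themselves; the vendor records, invoice register, names and TINs are constructed, and the list of legal-form suffixes is illustrative rather than a complete standard.

```python
"""Duplicate-payment detection: naive (vendor id + invoice number) versus
vendor-aware keying.

Added example, not from the original presentation. The vendor records,
invoices, names and TINs are constructed; NAME_NOISE is a minimal
illustration, not a complete name-standardization rule set.
"""
import re
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

Invoice = Tuple[str, str, float]  # (vendor_id, invoice_number, amount)

# Constructed vendor master: the same company set up twice under two ids,
# with the name keyed in differently each time.
VENDORS: Dict[str, Dict[str, str]] = {
    "V100": {"name": "Acme Supply Co., Inc.", "tin": "12-3456789"},
    "V101": {"name": "ACME SUPPLY COMPANY", "tin": "12-3456789"},
    "V200": {"name": "Northwind Traders LLC", "tin": "98-7654321"},
}

# Constructed invoice register.
INVOICES: List[Invoice] = [
    ("V100", "INV-00123", 1500.00),
    ("V101", "inv 123", 1500.00),   # same invoice, second vendor id: naive check misses it
    ("V200", "A-77", 300.00),
    ("V200", "A-77", 300.00),       # exact re-entry: naive check catches it
    ("V200", "A-78", 300.00),       # different invoice, same amount: not a duplicate
]

NAME_NOISE = {"inc", "incorporated", "corp", "corporation", "co", "company",
              "llc", "ltd", "limited", "the"}


def normalize_name(name: str) -> str:
    """Lower-case, drop punctuation and common legal-form suffixes."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in NAME_NOISE)


def normalize_invoice(number: str) -> str:
    """Collapse 'INV-00123', 'inv 123' and 'INV123' to the same key."""
    compact = re.sub(r"[^a-z0-9]", "", number.lower())
    return re.sub(r"^([a-z]*)0+(?=\d)", r"\1", compact)   # strip leading zeros


def payee_key(record: Dict[str, str]) -> str:
    """Who is really being paid: the TIN when present, else the normalized name."""
    return re.sub(r"\D", "", record.get("tin", "")) or normalize_name(record["name"])


def find_duplicates(invoices: List[Invoice], key: Callable[[Invoice], tuple]) -> List[List[int]]:
    """Group invoices by key; return the index groups with more than one member."""
    groups = defaultdict(list)
    for idx, inv in enumerate(invoices):
        groups[key(inv)].append(idx)
    return [g for g in groups.values() if len(g) > 1]


def naive_duplicates(invoices: List[Invoice]) -> List[List[int]]:
    """What most packages do: exact match on vendor id and invoice number."""
    return find_duplicates(invoices, lambda inv: (inv[0], inv[1]))


def vendor_aware_duplicates(invoices: List[Invoice],
                            vendors: Dict[str, Dict[str, str]]) -> List[List[int]]:
    """Key on the real payee plus normalized invoice number and amount."""
    def key(inv: Invoice) -> tuple:
        vendor_id, number, amount = inv
        return (payee_key(vendors[vendor_id]), normalize_invoice(number), round(amount, 2))
    return find_duplicates(invoices, key)


def duplicate_vendor_ids(vendors: Dict[str, Dict[str, str]]) -> List[List[str]]:
    """Vendor ids that resolve to the same payee: candidates to link or merge."""
    by_payee = defaultdict(list)
    for vendor_id, record in vendors.items():
        by_payee[payee_key(record)].append(vendor_id)
    return [ids for ids in by_payee.values() if len(ids) > 1]


if __name__ == "__main__":
    print("naive:        ", naive_duplicates(INVOICES))
    print("vendor-aware: ", vendor_aware_duplicates(INVOICES, VENDORS))
    print("duplicate ids:", duplicate_vendor_ids(VENDORS))
```

On the sample register the naive check finds only the exact re-entry of A-77, while the vendor-aware check also pairs the two Acme invoices, and the vendor-side check reports V100/V101 as one payee. Keying on TIN is the reliable anchor; falling back to a normalized name is weaker and should produce review candidates, not automatic merges.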
Slide 23
“Appropriate Transaction” Attributes 
Not controlled by vendor master file data
Proper goods and/or services received/provided 
Sufficient invoice detail 
Correct amount(s) 
Appropriate approval(s) 
Correct accounting codes 
Impacted/controlled by vendor master data 
Who to pay 
How much to pay 
When to pay 
How to pay 
Where to send the payment 
Vendor Management Goals, Concerns, Challenges: Make Accurate and Timely Payments
Slide 24
Other Vendor Master File Issues 
Slide 25
Why Vendor Files Grow 
Name entered differently by your staff 
Vendor changes its name 
Street Address and/or Lock Box changes 
Mergers 
By your organization and by your vendors 
Acquisitions 
By your organization and by your vendors 
Divestitures 
By your vendors 
Purchasing and AP use Different Files and/or Multiple Systems 
Data Quality and Consistency 
Missing 
Non-standard 
Invalid 
Obsolete 
Other Vendor Master File Issues 
Slide 26
Other Vendor Master File Issues: More Problems and Some Metrics
20%-80% of vendors in current vendor master files have had no activity within the last 12 months
35%-65% of “active” vendors are one-time vendors
3%-7% of vendors change their name annually 
20% of vendors change their HQ address annually 
Phone #(s), Contact Name(s), Email Addresses and Banking Information also change 
The bigger your vendor file, the more duplicates you probably have 
1-100 vendors: no duplicates
100-1,000 vendors: 1%-3% redundant
1,000-10,000 vendors: 2%-6% redundant
10,000-100,000 vendors: 4%-10% redundant
Over 100,000 vendors: over 10% redundant
Slide 27
Vendor Master File Standards 
Slide 28
Understand System(s) Features and Limitations 
Minimum and maximum field lengths 
Data types, default values and edit checks 
Number of name and address lines 
Various types of names such as Lookup name, Name on check, Legal/Tax name, Short name, etc. 
Various types of addresses such as Buy From, Remit To, etc. 
Controls, audit trails, additions, changes and deletions 
How changes and deletions affect historical data 
Files and/or tables that may need changes and/or are affected by changes 
Identify and Review for Vendors that are 
Your Own Company, Subsidiaries, Affiliates 
Employees 
Officers and Directors and Related Companies 
External Audit Firm(s) 
Sensitive Vendors and those that require special reporting 
Vendors Set Up or Referenced in Other Systems 
Vendor Master File Standards: First Steps
Slide 29
Identify Vendors in Special Classes for Possible Name Standardization 
Federal Government Departments and Agencies 
State Governments 
Local Governments 
Postal Service 
Individuals 
Telephone Companies and Utilities 
Non-Governmental Organizations (NGOs) 
Garnishments 
Petty Cash 
Other (e.g. Universities, Courts, Agents, Medical Service Providers) 
Vendor Master File Standards: Names
Slide 30
Address Problems and Issues 
Name continuation and/or Name qualifiers in address fields 
Attention (ATTN) 
Internal addresses 
Invalid, Missing or Inconsistent State and Zip Code 
Punctuation and special characters 
Improper Abbreviations 
Numbers as Words 
Dual Addresses 
PO BOX Addresses 
CMRAs (Commercial Mail Receiving Agencies) 
“Bad” Addresses (many types of problems)
Vendor Master File Standards: Addresses
Slide 31
Vendor Master File Standards: Other Fields
Phone 
Tax Identifiers 
US – SSN, EIN, ITIN
Canada – SIN, BIN
European Union – VATIN (VAT Identification Number)
Payment Terms 
1099 Type/Box 
Payment Terms and Default Discounts 
Bank Routing Code and Account Number 
Minority, Women Owned, Small Business, etc. 
Default G/L Code 
Classification Codes 
Certifications 
Insurance Certificates 
Email Addresses 
Web Sites 
Slide 32
Best and Appropriate Practices 
Slide 33
Vendor Verification and Authentication 
Vendor Setup and Change Management 
Vendor and Address Deactivation 
Vendor Review and Controls 
Best and Appropriate Practices: Overview
Slide 34
Determine amount of checking based on 
Strategic importance of vendor 
Amount and type of business expected to be done 
Determine if vendor is already on file 
Dual Review 
Name Qualifier 
Common Abbreviation 
Care Of or Agent 
Minimize likelihood of fraud / Ensure that vendor is legitimate 
Check business history and length of time in business 
Confirm street address especially if only address is a PO Box 
Check third party directories 
Check against Employee Data 
Name, Address, Phone, TIN, Bank Account match
Check vendor address against your locations 
Best and Appropriate Practices: Vendor Verification and Authentication
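The two checks at the bottom of this slide, matching a new vendor against employee data on phone, TIN, bank account and address, and matching the vendor's address against your own locations, only work if each field is normalized the same way on both sides. The following is an added example (not from the original presentation) of that matching; employees, vendors, company locations and the small abbreviation table are constructed, and a production version would use the USPS Publication 28 abbreviations and a CASS-certified address standardizer rather than this illustrative table.

```python
"""Vendor-versus-employee and vendor-versus-company-location matching.

Added example, not from the original presentation. Employees, vendors,
company locations and STREET_ABBR are constructed; a real implementation
would use USPS Publication 28 abbreviations and CASS-certified address
standardization.
"""
import re
from typing import Dict, List

STREET_ABBR = {
    "STREET": "ST", "AVENUE": "AVE", "ROAD": "RD", "DRIVE": "DR",
    "BOULEVARD": "BLVD", "SUITE": "STE", "APARTMENT": "APT",
    "POST OFFICE BOX": "PO BOX", "P O BOX": "PO BOX",
}


def norm_phone(value: str) -> str:
    """Digits only, last 10 (drops country code and formatting differences)."""
    digits = re.sub(r"\D", "", value or "")
    return digits[-10:] if len(digits) >= 10 else digits


def norm_digits(value: str) -> str:
    """TINs and bank routing/account numbers: compare digits only."""
    return re.sub(r"\D", "", value or "")


def norm_address(value: str) -> str:
    """Upper-case, strip punctuation, collapse spaces, abbreviate street words."""
    text = " ".join(re.sub(r"[^A-Z0-9 ]", " ", (value or "").upper()).split())
    for long_form, short in STREET_ABBR.items():
        text = re.sub(rf"\b{long_form}\b", short, text)
    return text


# Constructed sample data (hypothetical people, vendors and addresses).
EMPLOYEES = [
    {"id": "E1", "name": "Jane Q. Public", "phone": "(617) 555-0142",
     "tin": "123-45-6789", "bank": "011000015/000123456",
     "address": "42 Elm Street, Apt 3, Springfield MA 01101"},
    {"id": "E2", "name": "Sam Lee", "phone": "617-555-0177",
     "tin": "987-65-4321", "bank": "011000015/000987654",
     "address": "7 Oak Avenue, Springfield MA 01101"},
]
VENDORS = [
    {"id": "V9", "name": "JQP Consulting LLC", "phone": "617.555.0142",
     "tin": "45-6789012", "bank": "011000015 / 000123456",
     "address": "42 Elm St., Apt. 3, Springfield, MA 01101"},   # employee's phone, bank, address
    {"id": "V10", "name": "Northwind Traders", "phone": "800-555-0199",
     "tin": "33-4455667", "bank": "021000021/4455667788",
     "address": "900 Industrial Ave, Dayton OH 45402"},          # clean
    {"id": "V11", "name": "Plaza Services Inc", "phone": "617-555-0100",
     "tin": "56-7890123", "bank": "011000015/5566778899",
     "address": "1 Example Plaza Ste 400, Springfield MA 01101"},  # our own office
]
COMPANY_LOCATIONS = ["1 Example Plaza, Suite 400, Springfield MA 01101"]

FIELDS = (("phone", norm_phone), ("tin", norm_digits),
          ("bank", norm_digits), ("address", norm_address))


def vendor_employee_matches(vendors, employees, company_locations) -> Dict[str, List[str]]:
    """Return, per vendor id, the reasons the vendor needs review before setup."""
    index = {}  # (field, normalized value) -> employee id
    for emp in employees:
        for field, norm in FIELDS:
            key = norm(emp.get(field, ""))
            if key:                      # never index an empty value
                index[(field, key)] = emp["id"]
    locations = {norm_address(loc) for loc in company_locations}

    findings = {}
    for vendor in vendors:
        reasons = []
        for field, norm in FIELDS:
            key = norm(vendor.get(field, ""))
            if key and (field, key) in index:
                reasons.append(f"{field} matches employee {index[(field, key)]}")
        if norm_address(vendor.get("address", "")) in locations:
            reasons.append("address matches company location")
        if reasons:
            findings[vendor["id"]] = reasons
    return findings


if __name__ == "__main__":
    for vendor_id, reasons in vendor_employee_matches(VENDORS, EMPLOYEES, COMPANY_LOCATIONS).items():
        print(vendor_id, "->", "; ".join(reasons))
```

V9 is flagged on phone, bank account and address even though its TIN differs from the employee's, which is why the slide lists several attributes rather than relying on TIN alone; V11 is flagged only because its address is one of your own locations. Findings are review triggers for the person verifying the setup, not automatic rejections.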
Slide 35
Best and Appropriate Practices: Vendor Verification and Authentication (cont’d)
Validate basic vendor address information 
US Vendors 
Delivery Point Validation 
CMRA (Private Mail Box) 
PO Box 
Non-US Vendors 
Use UPU.INT and individual country postal web sites 
Phone 
Directory Lookup(s) 
Call Vendor 
Slide 36
Best and Appropriate Practices: Vendor Verification and Authentication (cont’d)
Regulatory 
Ensure that you are not doing business with a prohibited party on the OFAC, FTO and BIS lists or other lists of denied, debarred, excluded or restricted parties 
Check GSA System for Awards Management 
Verify that information for regulatory reporting is correct 
Get W-9s for US vendors and appropriate W-8 for non-US vendors 
Use IRS TIN Matching 
Check State of Incorporation or Local Jurisdiction 
Secretary of State or Office of Corporations 
Determine State Reporting Requirements 
State Withholding and “1099” Reporting 
Office of Child Support for Deadbeat Parent 
Check Industry Specific lists 
Slide 37
Best and Appropriate Practices: Vendor Verification and Authentication (cont’d)
Other 
Check Vendor’s Web Site 
Check Ownership of Vendor’s Web Site (who.is) 
Validate Email Addresses 
Send test messages 
Validate Routing Code and Account Numbers 
Initiate test transactions and obtain confirmations 
Check Third Party Data 
Corporate Affiliations 
ChoicePoint 
D&B 
Experian 
Intelius 
Slide 38
Best and Appropriate Practices: Vendor Setup
Have general conventions and standards 
Use a new vendor form with field names and positions similar to where they are in your vendor setup screens 
Require names and signatures of requestor, person doing setup and person reviewing and verifying correct setup information 
Standardize how vendor names are entered 
Insist that the guidelines be followed – verify periodically
Punctuation 
Abbreviations 
Name Prefixes and Suffixes 
Name Qualifiers 
Slide 39
Use postal guidelines for addressing standards 
Punctuation 
Abbreviations 
Between Name and Delivery Address Line 
Name Qualifiers 
Internal Addresses 
Delivery Address Line 
7 Components 
Last Line 
City State ZIP 
Non-US 
Best and Appropriate Practices: Vendor Setup (cont’d)
Slide 40
Have guidelines for how other fields are formatted and/or valid values 
Vendor Type and/or Class 
1099 Type (Box) 
Phone Numbers 
Taxpayer Identifiers 
Payment Terms 
ACH, P-Card, EDI, etc. 
Women Owned, Minority Owned, Small Business, Veteran, Disabled Veteran, etc. 
Insurance Certificate(s) 
Tax Certificate(s) 
Certifications 
Contacts 
Email addresses and web sites 
Best and Appropriate Practices: Vendor Setup (cont’d)
Slide 41
Best and Appropriate Practices: Vendor Setup (cont’d)
Flag Special and Sensitive Vendors 
Vendors that are your company’s audit firm(s) 
Your company’s officers, directors and their affiliated companies
Employees 
Vendors subject to other regulatory checking and reporting 
Based on your company’s lines of business 
Based on the types of goods or services to be provided
Subject to state withholding and/or reporting 
Mask or Restrict Access to Sensitive data 
Restrict access to TIN, Bank and Card information 
Mask TIN, Bank and Card information 
Redact information on Source Documents 
Link and/or combine duplicate and some related vendors 
Promptly review all additions to the vendor master file 
Slide 42
Provide to Vendors 
Send out a welcome letter and information packet that identifies: 
What to do to get paid 
When a contract or Purchase Order is required 
Whom to contact regarding issues 
Optionally, ethics and dispute resolution guidelines 
Best and Appropriate Practices: Vendor Setup (cont’d)
Slide 43
Best and Appropriate Practices: Vendor and Address Deactivation
Decide when/how to purge or block inactive vendors and addresses 
15-18 months of inactivity is a typical rule
Deal with Open Items 
POs 
Invoices 
Disbursements 
Slide 44
Best and Appropriate Practices: Vendor Review and Controls
Promptly review all additions and changes to the vendor master file 
Check vendor name and address when checks are uncashed for more than 30 days 
Check endorsement on first check sent to a PO Box for a new vendor 
Check vendor name and address for all mailed items returned by the postal service 
Check vendor against OFAC and other denied party lists before issuing a contract, cutting a PO or disbursing funds 
Check deadbeat reporting requirements 
Ensure separation of duties 
Periodically check Vendor Master File against lists for 
Name changes 
Duplicates 
Slide 45
Best and Appropriate Practices: Vendor Review and Controls (cont’d)
Communicate regularly with vendors 
Prepare a document that explains how a vendor should conduct business with your firm 
Require vendors to sign a business practices statement 
Use email intelligently 
Accept electronic input 
Provide sufficient remittance information to vendors so that they can properly apply payments 
Provide on-line inquiry and self service capability (Vendor Portal) 
Monitor vendor performance – accuracy and timeliness of invoices
Consider having “Service Level Agreements” with your strategic vendors 
Slide 46
Third Party Resources 
Slide 47
Third Party Resources: US Government Web Sites
US Department of Treasury – IRS
www.irs.gov
US Department of Treasury – OFAC
www.treas.gov/offices/enforcement/ofac
US Department of State – FTO
See OFAC
US Department of Commerce – Lists of Parties of Concern
www.bis.doc.gov/index.php/policy-guidance/lists-of-parties-of-concern 
US Department of Health & Human Services 
www.acf.hhs.gov/programs/css 
www.acf.hhs.gov/programs/css/resource/state-and-tribal-child-support-agency-contacts 
US General Services Administration – System for Awards Management
www.sam.gov 
Slide 48
Third Party Resources: Non-US Web Sites
Australia DFAT List 
www.dfat.gov.au 
Bank of England List (BOE) 
www.bankofengland.co.uk/publications/financialsanctions/index.htm 
Canada OSFI List 
www.osfi-bsif.gc.ca/osfi/index_e.aspx?DetailID=525 
European Union (EU) Consolidated List 
ec.europa.eu/external_relations/cfsp/sanctions/list/consol-list.htm 
Slide 49
Third Party Resources: Non-US Web Sites (cont’d)
Guernsey Financial Services Commission (GFSC) 
http://www.gfsc.gg/ 
Hong Kong Monetary Authority Lists (HKMA) 
www.info.gov.hk/hkma/eng/bank/three_tier/three_tier_f.htm 
Interpol 
www.interpol.int 
Access to the Interpol Terrorism Watch list is restricted to authorized police agencies 
Slide 50
Third Party Resources: Standards and Guidelines
TIN Matching, 1099-MISC, 1042-S, etc.
Internal Revenue Service – www.irs.gov
Standard Country Names and Codes
International Standards Organization – www.iso.org
en.wikipedia.org/wiki/ISO_3166-1
US Addressing Standards
United States Postal Service – www.usps.com
pe.usps.gov/text/pub28/welcome.htm
Canada Addressing Standards
Canada Post – Postes Canada – www.canadapost.ca
www.canadapost.ca/tools/pg/manual/default-e.asp
International Addressing Standards
Universal Postal Union – www.upu.int
Slide 51
Third Party Resources: Standards and Guidelines (cont’d)
Telephone Number Formats
International Telecommunications Union – www.itu.int
en.wikipedia.org/wiki/National_conventions_for_writing_telephone_numbers
Name Changes
OTC Markets – www.otcmarkets.com
Corporate Affiliations – www.corporateaffiliations.com
Fraud
Kroll Global Fraud Reports – fraud.kroll.com/report-archive
Association of Certified Fraud Examiners Report to the Nations – www.acfe.com/rttn/docs/2014-report-to-nations.pdf
Search wikipedia.org for other resources
Slide 52
Comprehensive Risk & Controls Mgmt. (closed-loop diagram)
Cycle stages: Assess Risk & Compliance; Detect and Fix Issues; Continuous Improvement and Monitoring (Close the Loop)
1. Business Risks: Identification, Analysis, Evaluate
2. Control Objectives: Document, Assessments, Reviews
3. Continuous Monitors: Author, Execute, Investigate
Enterprise Risk and Controls Foundation: One Unified Platform (architecture diagram)
Custom or Legacy Applications
Flexible
•Graphical Authoring
•Detect and Prevent
•Access, Transactions, Setups
Data Driven
•100% of Transactions
•Manage by Exception
•Pattern Analysis
Comprehensive
•Multiple GRC Projects
•From Documentation to Test
•Closed Loop Approach
Platform layers shown in the diagram:
•Dashboards, Reports and Alerts: Notifications, Worklists, Email, Perspectives, Search
•Risk, Controls & Compliance Management: Reviews, Documentation, Assessments, Remediation, Surveys
•Continuous Controls & Risk Monitoring: Setups, Access, Master Data, Audit Tests, Transactions, User Authored Controls, Data Connectors, Fraud & Error Patterns
•Role Based Access Security; Web Services & APIs
Nasser Khan, CISA, MBA 
Nasser Khan is a Governance, Risk & Compliance Solutions Architect 
Over 28 years of global experience in business process management, ranging across Financials, Supply Chain and Human Capital Management. Nasser has executed several process transformation initiatives through ERP implementations, I.T. auditing, and audit process automation
Bringing vast experience working globally with manufacturing, healthcare and public sector clients, Nasser Khan specializes in helping clients realize business gains through enterprise risk management
Delivered consulting services in PeopleSoft, Oracle, and Deloitte
Grcystems.com 
Introduction 
Control Layers is a service line of NHI GRCystems
A business technology systems risk consulting practice dedicated to thought leadership and to the implementation, management, automation, and enforcement of business process and technology controls
High caliber advisory and implementation services
Consultants provide deep domain expertise in enforcing internal controls in enterprise business processes and security functions
Assists clients in managing operational, regulatory compliance, and privacy-related risks by providing strategy, roadmap and tools to ensure effective and continuous compliance, utilizing its partner’s tools and its own proprietary service offerings
57
Client Profiles 
Major healthcare and other service providers in North America, averaging over 100 business units across North America 
On average, over 130,000 employees 
Master Data Management is a key risk mitigation control, with large data entry and management teams 
Over 8,000 unique vendor supply sources 
Purchasing spend in excess of $100 million 
Significant PeopleSoft clients of Oracle globally 
Highly regulated environments 
Stakeholders need a higher degree of assurance from internal controls over financial reporting 
58
Challenges at clients 
Ambitious business transformation initiatives involving PeopleSoft FSCM 9.1, HCM 9.1 and OBIEE (centralized reporting) 
Financial transformation processes include GL, AP, AR, AM, KK and PC; Supply Chain transformed by deploying PO, IN, and Vendors, Contracts and Items 
Over 100 business units purchasing from over 8,000 vendors 
59
Challenges at clients 
One vendor (name) may have many subsidiaries dealing in totally different items, pricing models, payment terms and lead times 
Consistent and accurate data needed to be entered against stringent standards 
The same-name vendor may have different subsidiaries at the same location or in the same city 
With distributed purchasing at BU level, conflicting and sometimes unfavorable contract terms were in force 
Receiving and matching challenges occurred on many levels 
Vendor approvals were not structured; inactive or blocked vendors could get paid (OIG of Dept. of HHS) 
60
Key Needs and Control Gaps 
Needed a critical system to provide operating effectiveness of application-based controls in Procure to Pay on a continuous basis 
Duplicate Vendor report in PeopleSoft had limitations (short name only) and did not provide real-time validation 
Financial Sanctions Validation was not enabled in PeopleSoft; an independent validation method based on data from another source had to be used 
Comparison of address history in PeopleSoft was, again, not real-time 
Needed to map controls in the source system conveniently to the control framework to assist in operational and compliance audits 
[Slide graphic: each need tagged with its existing coverage as No Control, PS Control or Manual Control] 
61
Actual Vs. Desired Controls Landscape 
62
Why did we need Advanced Controls? 
Improve Audit Efficiency 
•Audit coverage, confidence, reporting 
•Incident investigation, whistle-blower support 
•Continuous Process Monitoring 
Minimize Fraud and Abuse 
•Fictitious vendors 
•Overstated invoices 
•Receiving discrepancies 
Reduce Error and Leakage 
•Overpayment, duplicate payment 
•Payment timing, discounts 
•Reduce cost of manual controls; incorrect vendor paid 
Secure Systems Down 
•Preventative and detective segregation of duties policy enforcement 
•Access appropriateness reporting 
•Mapping users to transactions and providing audit trails of actions 
63
Main Vendor Management Goals 
Increase buying leverage significantly and get the volume discounts based on the collective purchasing power of all entities across operations 
Improve many procure-to-pay sub processes 
Uniquely identify vendors operating across service geographies 
Standardize payment methods and terms of payment 
Reduce incorrect PO issuance, check issuance, late payment penalties, and overheads in managing the vendor landscape 
Ensure vendors or their banks are not on OIG or OFAC lists 
Make Item and Catalog administration structured and clear 
64
Advanced Transaction Controls 
65
Found this value in Oracle Advanced Controls 
Continuous Monitoring: Transaction Controls Governor 
Pre-seeded best practice controls for PeopleSoft vendor management 
Scalable to add more automated controls 
Pre-seeded controls for Procure-to-Pay gave perspective on the vendor information being reported 
Continuous monitoring and schedulable alerts for exceptions 
Independent 'Witness System' to hold evidence data should an external auditor or regulator need it 
66
Key Transaction Controls Deployed 
Duplicate vendor entries 
Duplicate invoice payments 
Vendor address similar to employee address 
Payments made to blocked vendors 
More than one vendor with similar addresses 
Payments beyond norm, outliers 
Monitor for approval of payments to vendors which were created by the same user 
67
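The seven transaction controls listed above, re-implemented as an added Python example (not code from the presentation or from Oracle's Transaction Controls Governor) over constructed vendor, employee and payment records; the name/address normalisation rules and the median/MAD outlier threshold are this example's own assumptions.

```python
"""Vendor-master transaction controls as stand-alone detection logic.
Added example, not code from the presentation or from Oracle's Transaction
Controls Governor: it re-implements the slide's checks over small constructed
sample records (every vendor, employee and payment below is made up)."""

import re
import statistics
from collections import defaultdict

VENDORS = [  # constructed
    {"id": "V100", "name": "Acme Supply Co.", "address": "12 Main St, Springfield, IL",
     "status": "ACTIVE", "created_by": "jdoe", "approved_by": "msmith"},
    {"id": "V101", "name": "ACME Supply Company", "address": "PO Box 55, Springfield, IL",
     "status": "ACTIVE", "created_by": "jdoe", "approved_by": "jdoe"},  # creator approved it
    {"id": "V102", "name": "Northwind Traders", "address": "9 Harbor Rd, Boston, MA",
     "status": "BLOCKED", "created_by": "apatel", "approved_by": "msmith"},
    {"id": "V103", "name": "Beacon Medical LLC", "address": "44 Elm Ave Apt 3, Newton, MA",
     "status": "ACTIVE", "created_by": "apatel", "approved_by": "msmith"},
    {"id": "V104", "name": "Harbor Med Supplies Inc", "address": "9 Harbor Road, Boston MA",
     "status": "ACTIVE", "created_by": "apatel", "approved_by": "msmith"},
]
EMPLOYEES = [{"emp_id": "E9", "address": "44 Elm Avenue, Apt. 3, Newton MA"}]  # constructed
PAYMENTS = [  # constructed
    {"pay_id": "P1", "vendor": "V100", "invoice": "INV-778", "amount": 1200.00},
    {"pay_id": "P2", "vendor": "V100", "invoice": "INV0778", "amount": 1200.00},  # same invoice re-keyed
    {"pay_id": "P3", "vendor": "V102", "invoice": "INV-12", "amount": 500.00},   # vendor is blocked
    {"pay_id": "P4", "vendor": "V103", "invoice": "INV-1", "amount": 900.00},
    {"pay_id": "P5", "vendor": "V103", "invoice": "INV-2", "amount": 1100.00},
    {"pay_id": "P6", "vendor": "V103", "invoice": "INV-3", "amount": 950.00},
    {"pay_id": "P7", "vendor": "V103", "invoice": "INV-4", "amount": 48000.00},  # far beyond norm
]

# Fold common abbreviations so "Street"/"St" and "Company"/"Co" compare equal,
# then drop legal suffixes that vary between otherwise identical entries.
ABBREV = {"street": "st", "road": "rd", "avenue": "ave", "company": "co", "apartment": "apt"}
LEGAL_SUFFIXES = {"inc", "llc", "ltd", "corp", "co"}

def normalize(text):
    """Case-fold, strip punctuation, fold abbreviations, drop legal suffixes."""
    tokens = [ABBREV.get(t, t) for t in re.sub(r"[^a-z0-9]+", " ", text.lower()).split()]
    return " ".join(t for t in tokens if t not in LEGAL_SUFFIXES)

def normalize_invoice(inv):
    """Compare invoice numbers without separators or leading zeros in digit runs."""
    return re.sub(r"(?<!\d)0+(?=\d)", "", re.sub(r"[^A-Z0-9]", "", inv.upper()))

def _groups(items, key, ident):
    """Sorted id tuples for every key shared by more than one item."""
    by_key = defaultdict(list)
    for item in items:
        by_key[key(item)].append(ident(item))
    return sorted(tuple(sorted(ids)) for ids in by_key.values() if len(ids) > 1)

def duplicate_vendors(vendors=VENDORS):
    """Same vendor entered more than once under a similar name."""
    return _groups(vendors, lambda v: normalize(v["name"]), lambda v: v["id"])

def shared_addresses(vendors=VENDORS):
    """Distinct vendor records that resolve to the same address."""
    return _groups(vendors, lambda v: normalize(v["address"]), lambda v: v["id"])

def duplicate_payments(payments=PAYMENTS):
    """Same vendor, same invoice (after normalisation), same amount paid twice."""
    return _groups(payments,
                   lambda p: (p["vendor"], normalize_invoice(p["invoice"]), round(p["amount"], 2)),
                   lambda p: p["pay_id"])

def vendor_employee_address_matches(vendors=VENDORS, employees=EMPLOYEES):
    """Vendor address equal to an employee address: a classic fictitious-vendor indicator."""
    emp_by_addr = {normalize(e["address"]): e["emp_id"] for e in employees}
    return sorted((v["id"], emp_by_addr[normalize(v["address"])])
                  for v in vendors if normalize(v["address"]) in emp_by_addr)

def payments_to_blocked_vendors(vendors=VENDORS, payments=PAYMENTS):
    """Payments released to a vendor whose status is anything but ACTIVE."""
    status = {v["id"]: v["status"] for v in vendors}
    return [p["pay_id"] for p in payments if status.get(p["vendor"]) != "ACTIVE"]

def outlier_payments(payments=PAYMENTS, threshold=3.5, min_history=3):
    """Payments far outside the vendor's own norm, scored with the median/MAD
    modified z-score so one huge payment cannot hide by inflating the mean."""
    by_vendor = defaultdict(list)
    for p in payments:
        by_vendor[p["vendor"]].append(p)
    flagged = []
    for group in by_vendor.values():
        if len(group) < min_history:
            continue  # too little history to call anything an outlier
        amounts = [p["amount"] for p in group]
        med = statistics.median(amounts)
        mad = statistics.median(abs(a - med) for a in amounts)
        if mad == 0:
            continue  # identical amounts: nothing to scale against
        flagged += [p["pay_id"] for p in group if 0.6745 * abs(p["amount"] - med) / mad > threshold]
    return sorted(flagged)

def sod_create_and_approve(vendors=VENDORS):
    """Segregation-of-duties breach: the user who created the vendor also approved it."""
    return [v["id"] for v in vendors if v["created_by"] == v["approved_by"]]
```

Each function returns the exception list a monitoring worklist would carry; on the constructed data every control fires exactly once.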
TCG Model Setup: Is Vendor Overpaid? 
68
TCG-Managing Incidents 
69
Remediation 
70 
Similar names: as part of remediation, the user would likely merge the records if the same vendor has been created under more than one similar name. 
Unapproved vendor not set up correctly: the vendor setup may have inconsistencies that need remediation.
Advanced Access Controls 
71
Access Controls: Segregation of Duties 
For user activity, we utilized the Oracle Advanced Controls application Application Access Controls Governor (AACG), which flagged, for example, if the same user who created a vendor also approved vendors. 
72
Access Remediation 
73 
Remove the SOD conflicts
Advanced Configuration Controls 
74
Found this value in Oracle Advanced Controls 
Master data entry exception detection: Configuration Controls Governor 
Reduced manual data entry controls that included daily checking of vendor and vendor-related entries. With CCG, only changes needed to be analyzed, and selectively 
Incorrect vendor on POs and reqs 
Payment term changes and incorrect terms on PO 
Bank account or address changes 
User data quality improvements 
Leverage CCG-reported data to educate users in good practices and process improvement 
75
Key Configuration Change Controls Deployed 
For change management, we used CCG Change Tracking: daily notifications of high-risk field changes 
CCG allowed daily reporting on who changed what, when and where 
Limited the performance impact on PeopleSoft from audit data build-up 
On events, and at certain financial period ends, took snapshots of configuration sets for a point-in-time picture 
Combined with front-end vendor setup procedures such as one entry per vendor, designated as the 'Primary Vendor', with address sequencing to identify a vendor's multiple fulfillment locations 
76
Configuration Change Tracking 
Create queries to track changes 
77
Setup Alerts on Vendor Changes 
Specify what actions to be notified of, the date range, back end or front end, table object, etc. We took a risk-based approach and were only interested in specific fields on tables 
78
Oracle Advanced Controls (Configuration): screenshot callouts 
Who changed from the front end? 
Type of change? 
Table name? 
For what key values, and what was the change? 
When? 
Who changed from the back end? 
79
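The change-tracking mechanics described on the last few slides (point-in-time snapshots, who changed what, when and where, front-end versus back-end changes, and a risk-based choice of fields), as an added Python example that is not code from the presentation or from CCG; the high-risk field list, the (vendor id, address sequence) record key and every snapshot and audit event are constructed assumptions.

```python
"""Configuration change tracking for vendor master data.
Added example, not code from the presentation or from Oracle's Configuration
Controls Governor (CCG): it shows the mechanics the slides describe, diffing two
point-in-time snapshots of vendor setup rows, attributing each change to a
front-end user through the application's audit trail (or to the back end when no
such event exists), and keeping only high-risk changes for the daily notice.
All snapshots and audit events below are constructed for illustration."""

# Fields the slides single out as high risk: bank account, address, payment terms.
HIGH_RISK_FIELDS = {"bank_account", "address1", "city", "payment_terms"}

# Snapshots keyed by (vendor id, address sequence): one primary vendor entry per
# vendor, with address sequences for its fulfillment locations. Constructed data.
SNAPSHOT_T0 = {
    ("V100", 1): {"name": "Acme Supply Co.", "address1": "12 Main St", "city": "Springfield",
                  "payment_terms": "NET30", "bank_account": "****1234", "status": "ACTIVE"},
    ("V103", 1): {"name": "Beacon Medical LLC", "address1": "44 Elm Ave", "city": "Newton",
                  "payment_terms": "NET45", "bank_account": "****8877", "status": "ACTIVE"},
}
SNAPSHOT_T1 = {
    ("V100", 1): {"name": "Acme Supply Co.", "address1": "12 Main St", "city": "Springfield",
                  "payment_terms": "NET30", "bank_account": "****9901", "status": "ACTIVE"},
    ("V103", 1): {"name": "Beacon Medical LLC", "address1": "44 Elm Ave", "city": "Newton",
                  "payment_terms": "NET10", "bank_account": "****8877", "status": "INACTIVE"},
    ("V105", 1): {"name": "Riverside Labs", "address1": "7 Mill Ln", "city": "Lowell",
                  "payment_terms": "NET30", "bank_account": "****4410", "status": "ACTIVE"},
}
# What the application itself logged for front-end edits in the same period (constructed).
# Note there is no event for the V100 bank account change: it did not go through the front end.
FRONTEND_AUDIT = [
    {"ts": "2014-09-30T14:02:11", "user": "jdoe", "table": "VENDOR_ADDR", "key": ("V103", 1),
     "field": "payment_terms", "old": "NET45", "new": "NET10"},
    {"ts": "2014-09-30T14:02:40", "user": "jdoe", "table": "VENDOR", "key": ("V103", 1),
     "field": "status", "old": "ACTIVE", "new": "INACTIVE"},
    {"ts": "2014-10-01T09:15:03", "user": "apatel", "table": "VENDOR", "key": ("V105", 1),
     "field": "_row", "old": None, "new": "ADDED"},
]


def diff_snapshots(before, after):
    """Field-level changes between two snapshots: added rows, deleted rows, updates."""
    changes = []
    for key in sorted(set(before) | set(after)):
        if key not in before:
            changes.append({"key": key, "field": "_row", "old": None, "new": "ADDED"})
        elif key not in after:
            changes.append({"key": key, "field": "_row", "old": "PRESENT", "new": "DELETED"})
        else:
            for field in sorted(set(before[key]) | set(after[key])):
                old, new = before[key].get(field), after[key].get(field)
                if old != new:
                    changes.append({"key": key, "field": field, "old": old, "new": new})
    return changes


def attribute_changes(changes, audit):
    """Answer 'who changed what, when and where': match each change to a front-end
    audit event; a change with no event bypassed the application (back end)."""
    index = {(e["key"], e["field"], e["old"], e["new"]): e for e in audit}
    attributed = []
    for c in changes:
        e = index.get((c["key"], c["field"], c["old"], c["new"]))
        attributed.append({**c, "source": "frontend" if e else "backend",
                           "user": e["user"] if e else None, "ts": e["ts"] if e else None,
                           "table": e["table"] if e else None})
    return attributed


def high_risk_alerts(attributed):
    """Risk-based filter for the daily notification: high-risk fields, plus any
    back-end change regardless of field, since it escaped application controls."""
    return [c for c in attributed if c["field"] in HIGH_RISK_FIELDS or c["source"] == "backend"]


def format_notification(alerts):
    """One line per alert; back-end changes are flagged for database-level follow-up."""
    lines = []
    for a in alerts:
        who = a["user"] or "UNKNOWN (no front-end event; review database audit)"
        vendor, seq = a["key"]
        lines.append(f"{a['ts'] or 'n/a':19s} | {a['source']:8s} | {who} | "
                     f"{a['table'] or '?'} vendor {vendor} addr#{seq} | "
                     f"{a['field']}: {a['old']!r} -> {a['new']!r}")
    return lines


def daily_run(before=SNAPSHOT_T0, after=SNAPSHOT_T1, audit=FRONTEND_AUDIT):
    """Snapshot diff -> attribution -> risk filter -> notification lines."""
    return format_notification(high_risk_alerts(attribute_changes(diff_snapshots(before, after), audit)))
```

On the constructed data the daily notice carries two lines: the V100 bank account change, attributed to the back end because no application event explains it, and the V103 payment-terms change made by jdoe; the V103 status change and the new V105 row are logged but fall below the risk threshold.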
Goals Vs. Value Realized 
80 
Goal: Increase buying leverage significantly and get the volume discounts based on the collective purchasing power of all entities across operations 
Value realized: Reduced spend significantly enough to justify the initial effort and opex of centralized vendor data management staff 
Goal: Improve many procure-to-pay sub processes 
Value realized: The exercise gave structure to work methods, ensuring accurate and timely processing of vendor payments 
Goal: Uniquely identify vendors operating across service geographies 
Value realized: Reduced duplicate vendor situations to almost zero and allowed benchmarking of prices for all locations for the same items 
Goal: Standardize payment methods and terms of payment 
Value realized: Cleanup gave clarity and the ability to demand the same terms from vendors of the same or similar items. Brought all vendors onto standard terms, which helped avoid payment delays and PayCycle processing 
Goal: Reduce incorrect PO issuance, check issuance, and overheads in managing the vendor landscape 
Value realized: Vendor entry errors went down from 40% to less than 5%. Reduced need for exception Purchase Orders and helped set up priority vendors 
Goal: Make Item and Catalog administration structured and clear
81 
Lessons learned 
Effective Controls with Low Resource Cost 
PeopleSoft is a vastly configurable ERP system. Having additional controls configured in it, or queries built, places a burden on it. The Oracle Advanced Controls (OAC) applications proved to be an effective companion system for controls. 
Early Gap Identification for Effective Design 
Assess PeopleSoft and explore complementary resolution of gaps by OAC early in implementations 
Embed Controls within the Process 
Treat OAC as part of 'your daily diet' business process flows, not as add-ons, to achieve process control, completeness and effectiveness 
Automate Controls for Efficiency 
Adopt the mantra of 'automated' versus 'manual' and the chips will fall into place 
Highlight Root Causes by Identifying Control Points 
Identifying control points as 'afterthoughts' results in band-aids. Instead, have business process flows nailed down first 
Layered Controls = Deeper Defense
Follow Us & join the conversation. 
Oracle GRC Advanced Controls Group 
@OracleAdvCntrls
83
Safe Harbor Statement 
The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle. 
84
How your vendor master file is critical to governance, risk management and compliance

Contenu connexe

Tendances

Biocompatible Polymers
Biocompatible PolymersBiocompatible Polymers
Biocompatible Polymers
Birudev Kale
 
MBTI en entreprise 2003 - 2011
MBTI en entreprise 2003 -  2011MBTI en entreprise 2003 -  2011
MBTI en entreprise 2003 - 2011
Simon Penny
 

Tendances (20)

Protein and peptide drug delivery
Protein and peptide drug deliveryProtein and peptide drug delivery
Protein and peptide drug delivery
 
Properties of polymers
Properties of polymersProperties of polymers
Properties of polymers
 
Biocompatible Polymers
Biocompatible PolymersBiocompatible Polymers
Biocompatible Polymers
 
MICROENCAPSULATION TECHNIQUES AND APPLICATION
MICROENCAPSULATION TECHNIQUES AND APPLICATION MICROENCAPSULATION TECHNIQUES AND APPLICATION
MICROENCAPSULATION TECHNIQUES AND APPLICATION
 
Vesicular drug delivery system
Vesicular drug delivery systemVesicular drug delivery system
Vesicular drug delivery system
 
MBTI en entreprise 2003 - 2011
MBTI en entreprise 2003 -  2011MBTI en entreprise 2003 -  2011
MBTI en entreprise 2003 - 2011
 
Compression and compaction
Compression and compactionCompression and compaction
Compression and compaction
 
Optimization techniques
Optimization  techniquesOptimization  techniques
Optimization techniques
 
Promila protein dds
Promila protein ddsPromila protein dds
Promila protein dds
 
Sustained Release Formulations
Sustained Release Formulations   Sustained Release Formulations
Sustained Release Formulations
 
ISO 9000 AND 14000 PPT
ISO 9000 AND 14000 PPT ISO 9000 AND 14000 PPT
ISO 9000 AND 14000 PPT
 
NLC
NLCNLC
NLC
 
بحث عن نظم تخطيط المشروع ERp
بحث عن نظم تخطيط المشروع ERpبحث عن نظم تخطيط المشروع ERp
بحث عن نظم تخطيط المشروع ERp
 
Nasopulmonary Drug Delivery System
Nasopulmonary Drug Delivery SystemNasopulmonary Drug Delivery System
Nasopulmonary Drug Delivery System
 
Protein and peptide drug delivery system
Protein and peptide drug delivery systemProtein and peptide drug delivery system
Protein and peptide drug delivery system
 
Micro encapsulation ppt
Micro encapsulation pptMicro encapsulation ppt
Micro encapsulation ppt
 
Biodegradable Polymers
Biodegradable PolymersBiodegradable Polymers
Biodegradable Polymers
 
DEVELOPING CLINICAL TRIAL PROTOCOL BY PRANAV LENDHEY.pptx
DEVELOPING CLINICAL TRIAL PROTOCOL BY PRANAV LENDHEY.pptxDEVELOPING CLINICAL TRIAL PROTOCOL BY PRANAV LENDHEY.pptx
DEVELOPING CLINICAL TRIAL PROTOCOL BY PRANAV LENDHEY.pptx
 
Nasal and pulmonary dds
Nasal and pulmonary ddsNasal and pulmonary dds
Nasal and pulmonary dds
 
Niosome & Liposome
Niosome & LiposomeNiosome & Liposome
Niosome & Liposome
 

Similaire à How your vendor master file is critical to governance, risk management and compliance

Birthing Unicorns: A Practical Guide to Legal Aspects of Launching Digital Me...
Birthing Unicorns: A Practical Guide to Legal Aspects of Launching Digital Me...Birthing Unicorns: A Practical Guide to Legal Aspects of Launching Digital Me...
Birthing Unicorns: A Practical Guide to Legal Aspects of Launching Digital Me...
BIEvents
 
Symantec Corporate Presentation May 31, 2013
Symantec Corporate Presentation May 31, 2013Symantec Corporate Presentation May 31, 2013
Symantec Corporate Presentation May 31, 2013
InvestorSymantec
 
Ehealthcaresystemsolympusangelspresentation 12609105667951-phpapp02
Ehealthcaresystemsolympusangelspresentation 12609105667951-phpapp02Ehealthcaresystemsolympusangelspresentation 12609105667951-phpapp02
Ehealthcaresystemsolympusangelspresentation 12609105667951-phpapp02
heartbeatemr
 
Ehealthcaresystemsolympusangelspresentation 12609105667951 Phpapp02
Ehealthcaresystemsolympusangelspresentation 12609105667951 Phpapp02Ehealthcaresystemsolympusangelspresentation 12609105667951 Phpapp02
Ehealthcaresystemsolympusangelspresentation 12609105667951 Phpapp02
emronly
 
Ehealthcaresystemsolympusangelspresentation 12609105667951 Phpapp02
Ehealthcaresystemsolympusangelspresentation 12609105667951 Phpapp02Ehealthcaresystemsolympusangelspresentation 12609105667951 Phpapp02
Ehealthcaresystemsolympusangelspresentation 12609105667951 Phpapp02
gorami1234
 
Ehealthcaresystemsolympusangelspresentation 12609105667951 Phpapp02
Ehealthcaresystemsolympusangelspresentation 12609105667951 Phpapp02Ehealthcaresystemsolympusangelspresentation 12609105667951 Phpapp02
Ehealthcaresystemsolympusangelspresentation 12609105667951 Phpapp02
gorami1234
 
Ehealthcaresystemsolympusangelspresentation 12609105667951 Phpapp02
Ehealthcaresystemsolympusangelspresentation 12609105667951 Phpapp02Ehealthcaresystemsolympusangelspresentation 12609105667951 Phpapp02
Ehealthcaresystemsolympusangelspresentation 12609105667951 Phpapp02
gorami1234
 

Similaire à How your vendor master file is critical to governance, risk management and compliance (20)

D&B onboard.pdf
D&B onboard.pdfD&B onboard.pdf
D&B onboard.pdf
 
Denied party screening 2016 webinar final
Denied party screening 2016 webinar finalDenied party screening 2016 webinar final
Denied party screening 2016 webinar final
 
Denied party screening 2016 webinar final
Denied party screening 2016 webinar finalDenied party screening 2016 webinar final
Denied party screening 2016 webinar final
 
Birthing Unicorns: A Practical Guide to Legal Aspects of Launching Digital Me...
Birthing Unicorns: A Practical Guide to Legal Aspects of Launching Digital Me...Birthing Unicorns: A Practical Guide to Legal Aspects of Launching Digital Me...
Birthing Unicorns: A Practical Guide to Legal Aspects of Launching Digital Me...
 
The Most Wonderful Time of the Year for Health-IT...NOT
The Most Wonderful Time of the Year for Health-IT...NOTThe Most Wonderful Time of the Year for Health-IT...NOT
The Most Wonderful Time of the Year for Health-IT...NOT
 
reasons of comapnies struck off
reasons of comapnies struck off reasons of comapnies struck off
reasons of comapnies struck off
 
7 steps to build an effective corporate compliance strategy
7 steps to build an effective corporate compliance strategy7 steps to build an effective corporate compliance strategy
7 steps to build an effective corporate compliance strategy
 
Symantec Corporate Presentation May 31, 2013
Symantec Corporate Presentation May 31, 2013Symantec Corporate Presentation May 31, 2013
Symantec Corporate Presentation May 31, 2013
 
The Devastating Effects of Mismanaged Subsidiary Governance: How You Can Lear...
The Devastating Effects of Mismanaged Subsidiary Governance: How You Can Lear...The Devastating Effects of Mismanaged Subsidiary Governance: How You Can Lear...
The Devastating Effects of Mismanaged Subsidiary Governance: How You Can Lear...
 
Using Data Analytics to Detect and Prevent Corporate and P-Card Fraud
Using Data Analytics to Detect and Prevent Corporate and P-Card FraudUsing Data Analytics to Detect and Prevent Corporate and P-Card Fraud
Using Data Analytics to Detect and Prevent Corporate and P-Card Fraud
 
Top 5 Sales and Use Tax Filing Challenges for Manufacturers
Top 5 Sales and Use Tax Filing Challenges for ManufacturersTop 5 Sales and Use Tax Filing Challenges for Manufacturers
Top 5 Sales and Use Tax Filing Challenges for Manufacturers
 
AOC-4
AOC-4AOC-4
AOC-4
 
Importance of Regulatory Compliance as a Part of Today’s Business
Importance of Regulatory Compliance as a Part of Today’s BusinessImportance of Regulatory Compliance as a Part of Today’s Business
Importance of Regulatory Compliance as a Part of Today’s Business
 
Oracle Primavera Pressure is Mounting
Oracle Primavera Pressure is Mounting Oracle Primavera Pressure is Mounting
Oracle Primavera Pressure is Mounting
 
E Healthcare Systems Angels Presentation
E Healthcare Systems  Angels PresentationE Healthcare Systems  Angels Presentation
E Healthcare Systems Angels Presentation
 
Ehealthcaresystemsolympusangelspresentation 12609105667951-phpapp02
Ehealthcaresystemsolympusangelspresentation 12609105667951-phpapp02Ehealthcaresystemsolympusangelspresentation 12609105667951-phpapp02
Ehealthcaresystemsolympusangelspresentation 12609105667951-phpapp02
 
Ehealthcaresystemsolympusangelspresentation 12609105667951 Phpapp02
Ehealthcaresystemsolympusangelspresentation 12609105667951 Phpapp02Ehealthcaresystemsolympusangelspresentation 12609105667951 Phpapp02
Ehealthcaresystemsolympusangelspresentation 12609105667951 Phpapp02
 
Ehealthcaresystemsolympusangelspresentation 12609105667951 Phpapp02
Ehealthcaresystemsolympusangelspresentation 12609105667951 Phpapp02Ehealthcaresystemsolympusangelspresentation 12609105667951 Phpapp02
Ehealthcaresystemsolympusangelspresentation 12609105667951 Phpapp02
 
Ehealthcaresystemsolympusangelspresentation 12609105667951 Phpapp02
Ehealthcaresystemsolympusangelspresentation 12609105667951 Phpapp02Ehealthcaresystemsolympusangelspresentation 12609105667951 Phpapp02
Ehealthcaresystemsolympusangelspresentation 12609105667951 Phpapp02
 
Ehealthcaresystemsolympusangelspresentation 12609105667951 Phpapp02
Ehealthcaresystemsolympusangelspresentation 12609105667951 Phpapp02Ehealthcaresystemsolympusangelspresentation 12609105667951 Phpapp02
Ehealthcaresystemsolympusangelspresentation 12609105667951 Phpapp02
 

Plus de Oracle

Con8154 controlling for multiple erp systems with oracle advanced controls
Con8154 controlling for multiple erp systems with oracle advanced controlsCon8154 controlling for multiple erp systems with oracle advanced controls
Con8154 controlling for multiple erp systems with oracle advanced controls
Oracle
 
Con8208 achieve a quicker and compliant financial close
Con8208 achieve a quicker and compliant financial closeCon8208 achieve a quicker and compliant financial close
Con8208 achieve a quicker and compliant financial close
Oracle
 
GRC Advanced Controls OOW2014 Stop Financial Leakage - Cisco, Noble Energy, ...
GRC Advanced Controls  OOW2014 Stop Financial Leakage - Cisco, Noble Energy, ...GRC Advanced Controls  OOW2014 Stop Financial Leakage - Cisco, Noble Energy, ...
GRC Advanced Controls OOW2014 Stop Financial Leakage - Cisco, Noble Energy, ...
Oracle
 
Chief Risk Officer, American Fidelity, strengthens secuirty with Advanced Con...
Chief Risk Officer, American Fidelity, strengthens secuirty with Advanced Con...Chief Risk Officer, American Fidelity, strengthens secuirty with Advanced Con...
Chief Risk Officer, American Fidelity, strengthens secuirty with Advanced Con...
Oracle
 

Plus de Oracle (15)

Customers talk about controlling access for multiple erp systems with oracle ...
Customers talk about controlling access for multiple erp systems with oracle ...Customers talk about controlling access for multiple erp systems with oracle ...
Customers talk about controlling access for multiple erp systems with oracle ...
 
Con8154 controlling for multiple erp systems with oracle advanced controls
Con8154 controlling for multiple erp systems with oracle advanced controlsCon8154 controlling for multiple erp systems with oracle advanced controls
Con8154 controlling for multiple erp systems with oracle advanced controls
 
Con8208 achieve a quicker and compliant financial close
Con8208 achieve a quicker and compliant financial closeCon8208 achieve a quicker and compliant financial close
Con8208 achieve a quicker and compliant financial close
 
Stop the fraudster! Pennsylvania Treasury, Industry Expert Chris Doxey and Fu...
Stop the fraudster! Pennsylvania Treasury, Industry Expert Chris Doxey and Fu...Stop the fraudster! Pennsylvania Treasury, Industry Expert Chris Doxey and Fu...
Stop the fraudster! Pennsylvania Treasury, Industry Expert Chris Doxey and Fu...
 
Symantec, Facebook and Navillus - a comprehensive approach to securing & moni...
Symantec, Facebook and Navillus - a comprehensive approach to securing & moni...Symantec, Facebook and Navillus - a comprehensive approach to securing & moni...
Symantec, Facebook and Navillus - a comprehensive approach to securing & moni...
 
Comcast, Integra LifeSciences, LPL Financial, and Smucker's - Doing Your ERP ...
Comcast, Integra LifeSciences, LPL Financial, and Smucker's - Doing Your ERP ...Comcast, Integra LifeSciences, LPL Financial, and Smucker's - Doing Your ERP ...
Comcast, Integra LifeSciences, LPL Financial, and Smucker's - Doing Your ERP ...
 
GRC Advanced Controls OOW2014 Stop Financial Leakage - Cisco, Noble Energy, ...
GRC Advanced Controls  OOW2014 Stop Financial Leakage - Cisco, Noble Energy, ...GRC Advanced Controls  OOW2014 Stop Financial Leakage - Cisco, Noble Energy, ...
GRC Advanced Controls OOW2014 Stop Financial Leakage - Cisco, Noble Energy, ...
 
Oracle OpenWorld 2014 GRC events and sessions
Oracle OpenWorld 2014 GRC events and sessionsOracle OpenWorld 2014 GRC events and sessions
Oracle OpenWorld 2014 GRC events and sessions
 
Advanced Controls access and user security for superusers con8824
Advanced Controls access and user security for superusers con8824Advanced Controls access and user security for superusers con8824
Advanced Controls access and user security for superusers con8824
 
Thousands of Hours Saved and Risk Reduced for EBS Upgrades & Implementations
Thousands of Hours Saved and Risk Reduced for EBS Upgrades & ImplementationsThousands of Hours Saved and Risk Reduced for EBS Upgrades & Implementations
Thousands of Hours Saved and Risk Reduced for EBS Upgrades & Implementations
 
Optimizing order to-cash (e-business suite) with GRC Advanced Controls
Optimizing order to-cash (e-business suite) with GRC Advanced ControlsOptimizing order to-cash (e-business suite) with GRC Advanced Controls
Optimizing order to-cash (e-business suite) with GRC Advanced Controls
 
Integrate Oracle Identity Management and Advanced Controls for maximum effici...
Integrate Oracle Identity Management and Advanced Controls for maximum effici...Integrate Oracle Identity Management and Advanced Controls for maximum effici...
Integrate Oracle Identity Management and Advanced Controls for maximum effici...
 
Top 10 P2P Advanced Controls to improve your bottom line!
Top 10 P2P Advanced Controls to improve your bottom line!Top 10 P2P Advanced Controls to improve your bottom line!
Top 10 P2P Advanced Controls to improve your bottom line!
 
CFO.Com and Oracle - Improving Bottom Line with Advanced Controls
CFO.Com and Oracle - Improving Bottom Line with Advanced ControlsCFO.Com and Oracle - Improving Bottom Line with Advanced Controls
CFO.Com and Oracle - Improving Bottom Line with Advanced Controls
 
Chief Risk Officer, American Fidelity, strengthens secuirty with Advanced Con...
Chief Risk Officer, American Fidelity, strengthens secuirty with Advanced Con...Chief Risk Officer, American Fidelity, strengthens secuirty with Advanced Con...
Chief Risk Officer, American Fidelity, strengthens secuirty with Advanced Con...
 

Dernier

Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
lizamodels9
 
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
amitlee9823
 
Call Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service NoidaCall Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service Noida
dlhescort
 
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al MizharAl Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
allensay1
 
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
dollysharma2066
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
dollysharma2066
 
Nelamangala Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Nelamangala Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...Nelamangala Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Nelamangala Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
amitlee9823
 
Russian Call Girls In Rajiv Chowk Gurgaon ❤️8448577510 ⊹Best Escorts Service ...
Russian Call Girls In Rajiv Chowk Gurgaon ❤️8448577510 ⊹Best Escorts Service ...Russian Call Girls In Rajiv Chowk Gurgaon ❤️8448577510 ⊹Best Escorts Service ...
Russian Call Girls In Rajiv Chowk Gurgaon ❤️8448577510 ⊹Best Escorts Service ...
lizamodels9
 

Dernier (20)

Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
 
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
 
Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...
Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...
Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...
 
Famous Olympic Siblings from the 21st Century
Famous Olympic Siblings from the 21st CenturyFamous Olympic Siblings from the 21st Century
Famous Olympic Siblings from the 21st Century
 
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
 
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
 
Falcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business GrowthFalcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business Growth
 
Call Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service NoidaCall Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service Noida
 
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar

How your vendor master file is critical to governance, risk management and compliance

  • 5. Overview
    Critical Vendor Master File Issues
    Vendor Management Goals, Concerns and Challenges
    Other Vendor Master File Issues
    Vendor Master File Standards
    Best and Appropriate Practices
    Third Party Resources
    Copyright © 2014 Casher Associates, Inc. Permission to use granted to Oracle Corporation
  • 6. Critical Vendor Master File Issues
  • 7. Critical Vendor Master File Issues
    Your Vendor File is a Strategic Resource
      Other than investments, 30-70% of all funds that flow out of non-financial institutions go out through Accounts Payable
      Federal, state and international laws and regulations make it important to keep your vendor file accurate
      Accurate and complete information is key to controlling transaction processing within the Procure-to-Pay process
      Accurate reporting and analysis is impossible without a clean vendor master file
    Vendor Management's GRC Challenges
      Overcome Barriers to Compliance
        Lack of Awareness of Regulatory Compliance and Reporting Requirements by Purchasing and Accounts Payable
        Lack of Awareness of those requirements by Product Managers and Developers of ERP and Financial Accounting Software
        Technical Limitations of ERP and Financial Accounting software
      Need to Manage Vendor Risk: Policy, Contract, Regulatory
  • 8. Critical Vendor Master File Issues: Access, Control and Ownership
    Well Documented and Tested Procedures
      Define the process for doing business with new vendors
      Ensure that only authorized individuals can make changes, additions and deletions
    Separation of Duties
      People allowed to make changes must not be able to process transactions such as issuing purchase orders, posting invoices, disbursing funds or making accounting entries
    Audit Trail of Changes
      All additions, changes and deletions should be logged, reported, reviewed and signed off by someone in management other than the person posting updates
    Reconcile and Synchronize
      If multiple systems have vendor information, reconcile common information
    Owner should be responsible for
      Defining data requirements
      Setting, maintaining and monitoring standards and data quality
      Coordinating the activities of those who use, enter and update vendor information
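The separation-of-duties and audit-trail rules on slide 8 can be enforced at the point where a vendor master change is posted rather than checked after the fact. The following Python is an added example written for this page, not code from the presentation or from any ERP product; the role names (issue_po, disburse, ap_manager, ...) and field names are assumptions standing in for whatever your system uses. It rejects a change posted by anyone who also holds a transaction-processing role, refuses a sign-off by the person who posted the change or by a non-manager, masks TIN and bank values in the log so the audit trail itself does not become a leak, and lists unreviewed high-risk changes (bank account, remit-to address) for the daily review.

```python
from datetime import datetime, timezone

# Assumed role names; map them to your ERP's responsibilities or permission lists.
TRANSACTION_ROLES = {"issue_po", "post_invoice", "disburse", "post_journal"}
MANAGEMENT_ROLES = {"ap_manager", "controller"}
# Values that must never appear in clear text in the log or in review reports.
SENSITIVE_FIELDS = {"tin", "bank_routing", "bank_account"}
# Changes that are the usual vector for payment diversion: always get a second look.
HIGH_RISK_FIELDS = SENSITIVE_FIELDS | {"remit_to_address", "payment_method"}


class SeparationOfDutiesError(Exception):
    """Raised when a change or a sign-off would violate separation of duties."""


def mask(value: str) -> str:
    """Keep only the last four characters, the way a masked TIN is shown."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


class VendorMasterLog:
    """Append-only log of vendor master changes with SoD enforcement."""

    def __init__(self):
        self.entries = []

    def record_change(self, actor, actor_roles, vendor_id, field_name, old, new):
        # Rule 1: whoever maintains the vendor master must not also process transactions.
        conflict = set(actor_roles) & TRANSACTION_ROLES
        if conflict:
            raise SeparationOfDutiesError(
                f"{actor} maintains vendors but also holds {sorted(conflict)}")
        sensitive = field_name in SENSITIVE_FIELDS
        entry = {
            "id": len(self.entries) + 1,
            "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "actor": actor,
            "vendor_id": vendor_id,
            "field": field_name,
            "old": mask(old) if sensitive else old,
            "new": mask(new) if sensitive else new,
            "high_risk": field_name in HIGH_RISK_FIELDS,
            "reviewed_by": None,
        }
        self.entries.append(entry)
        return entry

    def sign_off(self, entry_id, reviewer, reviewer_roles):
        # Rule 2: review by someone in management other than the person who posted.
        entry = self.entries[entry_id - 1]
        if reviewer == entry["actor"]:
            raise SeparationOfDutiesError(
                "reviewer must not be the person who posted the change")
        if not set(reviewer_roles) & MANAGEMENT_ROLES:
            raise SeparationOfDutiesError(f"{reviewer} is not in a management role")
        entry["reviewed_by"] = reviewer
        return entry

    def unreviewed(self, high_risk_only=False):
        """Entries still waiting for management sign-off; the daily review list."""
        return [e for e in self.entries
                if e["reviewed_by"] is None and (e["high_risk"] or not high_risk_only)]


if __name__ == "__main__":
    log = VendorMasterLog()
    # Constructed sample activity, not data from the presentation.
    e = log.record_change("jsmith", {"vendor_maintain"}, "1001",
                          "bank_account", "000123456", "998877665")
    print(e["old"], "->", e["new"])  # *****3456 -> *****7665
    try:
        log.record_change("kjones", {"vendor_maintain", "disburse"}, "1001",
                          "phone", "617-555-0100", "617-555-0101")
    except SeparationOfDutiesError as err:
        print("rejected:", err)
    log.sign_off(e["id"], "mlee", {"ap_manager"})
    print("pending high-risk reviews:", len(log.unreviewed(high_risk_only=True)))
```

The log stores masked values only; if investigators need the full old and new bank account they go to the vendor master's own history with the access that requires, so a copy of the log in a ticket or an email never carries a complete account number.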
  • 9. Vendor Management Goals, Concerns and Challenges
  • 10. Vendor Management Goals, Concerns, Challenges: Overview
    Catch / reduce fraud
    Know your vendors
    Comply with laws and regulations
    Know where you spend money
    Reduce duplicate and other erroneous payments
    Control costs and save money
    Make accurate and timely vendor payments
  • 11. Vendor Management Goals, Concerns, Challenges: Catch/Reduce Vendor Fraud
    Main Types of Vendor Fraud
      Invoices with inflated prices
      Requests that look like invoices or government forms with a filing fee
      Invoices for goods not delivered or services not provided
      Checks that sign you up for a service if you deposit them (may appear to be refunds, rebates or credits for a small amount)
      Intentional double billing
      Collusion with an employee, kickbacks, bribes
      Fictitious companies
      Bid rigging and price fixing
    The Size of the Problem
      Kroll Global Fraud Report: 19% of companies experienced vendor fraud in 2013
      ACFE: 5% of revenues lost due to fraud; billing fraud is approx. 24% of the total monetary amount of fraud
  • 12. Vendor Management Goals, Concerns, Challenges: Know Your Vendors
    Name Changes
      3%-7% of companies change their name every year
      Out of approx. 15,000 US stock exchange listed companies
        17 changed their names between 9/2/2014 and 9/5/2014
        83 changed their names between 8/5/2014 and 9/1/2014
        Over 200 were delisted or had trading suspended between 8/5/2014 and 9/4/2014
      Some name changes are minor, some are significantly different
        CVS Caremark changed its name to CVS Health Corporation on 9/4/2014
        ICG Group, Inc changed its name to Actua Corporation on 8/12/2014
    Some Types of Related Vendors
      Franchisees
      Joint ventures
      Subsidiaries
      Affiliates
    Vendors Operating Under Multiple Names
  • 13. Vendor Management Goals, Concerns, Challenges: Comply with Laws & Regulations
    Federal
      IRS
      Denied, Debarred and Excluded Parties
      Privacy
      Bribery
      Other
    States
      Sales & Use Tax
      Abandoned Property / Escheatment
      Privacy
      Deadbeat Parents
      Withholding and Reporting
    International
      Denied, Debarred and Excluded Parties
      Privacy
      Bribery
      Value Added Tax
  • 14. Comply with Laws & Regulations: Federal – IRS
    Primary Forms
      1099-MISC
      1042-S for Non-Resident Aliens
      W-9s, W-8s and FATCA (Foreign Account Tax Compliance Act)
    Industry Specific Reporting
    Regulations and Forms Change Often and are Complex
    Penalties for Incorrect Filings Have Increased Dramatically
    Electronic Delivery of 1099s to Payees is Allowed when Recipients Agree to Receive Them
    Tax Id Masking (showing only the last 4 digits) is Now Allowed
  • 15. Comply with Laws & Regulations: Federal – Denied, Debarred, Excluded Parties
    US Department of Treasury, Office of Foreign Assets Control (OFAC)
    US Department of State, Foreign Terrorist Organizations (FTO)
    US Department of Commerce, Bureau of Industry and Security (BIS)
    All of the above maintain lists of organizations and individuals that you must not do business with
      Do not buy from, sell to, or disburse or receive funds from entities on these lists
      Politically Exposed Persons (PEPs) who may be involved in money laundering or financing of terrorist organizations
    Fines for violations can be substantial
      Criminal penalties can include fines ranging from $50,000 to $10,000,000 and imprisonment ranging from 10 to 30 years for willful violations
      Civil penalties of up to $250,000 or twice the amount of the underlying transaction, whichever is greater, for each violation
      Over $1 billion in fines recovered in each year since 2009
  • 16. Comply with Laws & Regulations: Federal – Privacy
    Health Insurance Portability and Accountability Act of 1996 (HIPAA)
      Most of this act deals with privacy of medical records
      However, it can impact AP if medical payments are processed through AP
        Pre-employment physical exams
        Drug testing
        Other, especially at companies that self-insure
    Gramm-Leach-Bliley Act of 1999 (GLB)
      Restricts disclosure of nonpublic personal information
      Intended to protect individuals who are customers of financial institutions, but has been expanded to other types of businesses
      Can impact AP if customer refunds or garnishments are processed through AP
    More legislation is likely due to the increasing number of security breaches and identity theft
      Most states already have additional restrictions
    Payment Card Industry Data Security Standard (PCI DSS)
      While not a federal law, these are industry standards and guidelines
  • 17. Comply with Laws & Regulations: Federal – Bribery
    US Department of Justice (DOJ): Foreign Corrupt Practices Act of 1977 (FCPA)
      Covers accounting transparency requirements under the Securities Exchange Act of 1934 and bribery of foreign officials
      Both the US DOJ and the Securities and Exchange Commission enforce it
      Applies to US companies and foreign companies with US subsidiaries
      Be aware of Politically Exposed Persons (PEPs)
    Since 2007, the number of investigations and enforcement actions has grown
      Total fines and penalties have ranged from $260 million to $2 billion in each of the last 6 years (2008-2013), with the average settlement over $80 million in 2013
      Currently, there are open investigations of approx. 100 very large companies plus many others
      Almost half of the Dow 30 have paid fines since 2007 or are currently being investigated
    Likely to see more investigation and prosecution of domestic bribery
  • 18. Comply with Laws & Regulations: Federal – Sarbanes-Oxley Act of 2002
    Law passed in response to accounting scandals
    Applies to public companies in the US
    Five main areas
      Auditor independence
      Corporate responsibility
      Improved financial disclosure
      Analyst conflicts of interest
      Accountability for corporate fraud
  • 19. Comply with Laws & Regulations: Federal – Other
    Physician Payments Sunshine Act (Sunshine Act), part of the 2010 Affordable Care Act
      Requires manufacturers of drugs, medical devices and biologicals that participate in US federal health care programs to report to CMS certain payments and items of value given to physicians and teaching hospitals
      Any transfers of value or payments to physicians and hospitals greater than $10, including payments, traded services, stocks, or any other returned investments
      Gifts greater than $100 will be made public and published online as of September 30, 2014
      Supersedes Maine, Vermont, Massachusetts, Minnesota, West Virginia and DC laws
    Securities and Exchange Commission reporting of payments to auditors, directors, etc.
      Public companies must report payments to directors and auditors in the annual 10-K
    Other federal agencies have specialized reporting
      Especially if you are a government contractor, you must keep up to date on regulations relevant to your industry
  • 20. Comply with Laws & Regulations: States
    States are increasing sales/use tax rates and some tax services
    Many states are doing sales/use tax audits
    Marketplace Fairness Act passed the US Senate but is held up in the US House
    States are doing more aggressive abandoned property (escheat) audits, and many use “bounty hunters”
      Most uncashed checks issued by AP should not have to be escheated
      Rules depend on the state in which the vendor is located, which may not be the state in which you are located or incorporated
    More states are requiring withholding and/or reporting of payments to certain types of vendors, as well as requiring deadbeat parent reporting
    States are concerned about data breaches
      47 states and DC have privacy laws and regulations
    More states, municipalities and counties are requiring permits and filing fees
    More municipalities and counties are doing personal property audits
    Software packages typically do not have all needed functionality
  • 21. Comply with Laws & Regulations: International
    Countries are putting in place laws, rules and regulations similar to, but different from, those in the US
    Primary Areas Addressed
      Denied, Debarred and Excluded Parties
      Politically Exposed Foreign Persons
      Privacy
      Bribery
      Value Added Tax
    Rarely or Never Addressed
      Abandoned Property
  • 22. Vendor Management Goals, Concerns, Challenges: Know Where You Spend Your Money
    Who has the information?
      Purchasing thinks they know
      A/P thinks they have the data
      Both are partially correct
    Ways you may want to analyze spend
      By Vendor
      By Commodity
      By Dollar Amount
      By Transaction Volume
  • 23. Vendor Management Goals, Concerns, Challenges: Reduce Costs and Save Money
    Duplicate and Erroneous Payments
      Every major software package checks for duplicates based on Vendor Id and Invoice #
      The duplicate check fails if
        The identical vendor is on file under multiple vendor ids
        There is a variation on the vendor name
        The system does not support multiple addresses
        The vendor at a different remit address is selected
        The vendor under a previous or new name is selected
        A related vendor is selected
      If duplicate vendors are eliminated, over 75% of the dollars associated with duplicate payments can be eliminated
    Stops, Voids, Reissues and Uncashed Checks
      Wrong vendor selected
      Payment sent to wrong address
      Payment never received
      Payment received by wrong vendor
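The blind spot on slide 23, a duplicate check keyed on vendor id plus invoice number, is closed by keying on a normalized vendor name and a normalized invoice number instead, which is also how the "same vendor under several ids" entries are found in the first place. The Python below is an added example for this page, not code from the presentation or from any ERP package; the sample vendors and payments are constructed, and the suffix list and normalization rules are assumptions you would tune to your own file. It runs the stock check and the normalized check over the same payments so the difference is visible.

```python
import re
from collections import defaultdict

# Corporate suffixes and noise words dropped from the name key so that
# "ACME Corp." and "Acme Corporation" compare equal. Extend for your file.
NAME_NOISE = {"INC", "INCORPORATED", "CORP", "CORPORATION", "CO", "COMPANY",
              "LLC", "LTD", "LIMITED", "PLC", "LP", "THE", "AND"}


def normalize_vendor_name(name: str) -> str:
    """Uppercase, strip punctuation, drop suffixes: 'The Acme Co., Inc.' -> 'ACME'."""
    tokens = re.sub(r"[^A-Z0-9 ]", " ", name.upper()).split()
    return " ".join(t for t in tokens if t not in NAME_NOISE)


def normalize_invoice_number(invoice: str) -> str:
    """Strip punctuation/spaces and leading zeros of the numeric part:
    'INV-00123', 'INV 123' and 'inv00123' all become 'INV123'."""
    key = re.sub(r"[^A-Z0-9]", "", invoice.upper())
    m = re.match(r"^([A-Z]*)0*(\d.*)$", key)
    return m.group(1) + m.group(2) if m else key


def find_duplicate_vendors(vendors):
    """Vendor ids that share a name key: the 'identical vendor, multiple ids' case."""
    by_key = defaultdict(list)
    for v in vendors:
        by_key[normalize_vendor_name(v["name"])].append(v["vendor_id"])
    return [sorted(ids) for ids in by_key.values() if len(ids) > 1]


def find_duplicates_stock_check(payments):
    """What most packages do: exact match on (vendor id, invoice number)."""
    by_key = defaultdict(list)
    for p in payments:
        by_key[(p["vendor_id"], p["invoice"])].append(p)
    return [g for g in by_key.values() if len(g) > 1]


def find_duplicate_payments(payments):
    """Match on (name key, invoice key, amount); the vendor id is deliberately ignored."""
    by_key = defaultdict(list)
    for p in payments:
        key = (normalize_vendor_name(p["vendor_name"]),
               normalize_invoice_number(p["invoice"]),
               round(p["amount"], 2))
        by_key[key].append(p)
    return [g for g in by_key.values() if len(g) > 1]


# Constructed sample data, not taken from the presentation.
VENDORS = [
    {"vendor_id": "1001", "name": "ACME Corp."},
    {"vendor_id": "2045", "name": "Acme Corporation"},
    {"vendor_id": "3100", "name": "Globex Ltd"},
]
PAYMENTS = [
    {"vendor_id": "1001", "vendor_name": "ACME Corp.", "invoice": "INV-00123", "amount": 4250.00},
    {"vendor_id": "2045", "vendor_name": "Acme Corporation", "invoice": "INV 123", "amount": 4250.00},
    {"vendor_id": "1001", "vendor_name": "ACME Corp.", "invoice": "INV-00124", "amount": 980.00},
    {"vendor_id": "3100", "vendor_name": "Globex Ltd", "invoice": "7781", "amount": 1200.00},
    {"vendor_id": "3100", "vendor_name": "Globex Ltd", "invoice": "7782", "amount": 1250.00},
]

if __name__ == "__main__":
    print("duplicate vendor ids:", find_duplicate_vendors(VENDORS))
    print("stock check finds:", len(find_duplicates_stock_check(PAYMENTS)), "group(s)")
    for group in find_duplicate_payments(PAYMENTS):
        print("possible duplicate payment:",
              [(p["vendor_id"], p["invoice"], p["amount"]) for p in group])
```

Amount is part of the key on purpose: a second invoice number that differs only by a prefix but carries a different amount is a matching problem, not a duplicate payment, and belongs on a separate exception report. When the file carries TINs, adding the TIN as an alternative key catches the cases a name key misses, such as a vendor that was set up again under a new name.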
  • 24. Vendor Management Goals, Concerns, Challenges: Make Accurate and Timely Payments
    "Appropriate Transaction" Attributes
    Not controlled by vendor master file data
      Proper goods and/or services received/provided
      Sufficient invoice detail
      Correct amount(s)
      Appropriate approval(s)
      Correct accounting codes
    Impacted/controlled by vendor master data
      Who to pay
      How much to pay
      When to pay
      How to pay
      Where to send the payment
  • 25. Other Vendor Master File Issues
  • 26. Other Vendor Master File Issues
    Why Vendor Files Grow
      Name entered differently by your staff
      Vendor changes its name
      Street Address and/or Lock Box changes
      Mergers, by your organization and by your vendors
      Acquisitions, by your organization and by your vendors
      Divestitures, by your vendors
      Purchasing and AP use Different Files and/or Multiple Systems
    Data Quality and Consistency
      Missing
      Non-standard
      Invalid
      Obsolete
  • 27. Other Vendor Master File Issues: More Problems and Some Metrics
    20%-80% of vendors in current vendor master files have had no activity within the last 12 months
    35%-65% of “active” vendors are one-time vendors
    3%-7% of vendors change their name annually
    20% of vendors change their HQ address annually
    Phone #(s), Contact Name(s), Email Addresses and Banking Information also change
    The bigger your vendor file, the more duplicates you probably have
      1-100 vendors: no duplicates
      100-1,000 vendors: 1%-3% redundant
      1,000-10,000 vendors: 2%-6% redundant
      10,000-100,000 vendors: 4%-10% redundant
      > 100,000 vendors: > 10% redundant
  • 28. Vendor Master File Standards
  • 29. Vendor Master File Standards: First Steps
    Understand System(s) Features and Limitations
      Minimum and maximum field lengths
      Data types, default values and edit checks
      Number of name and address lines
      Various types of names such as Lookup name, Name on check, Legal/Tax name, Short name, etc.
      Various types of addresses such as Buy From, Remit To, etc.
      Controls, audit trails, additions, changes and deletions
      How changes and deletions affect historical data
      Files and/or tables that may need changes and/or are affected by changes
    Identify and Review for Vendors that are
      Your Own Company, Subsidiaries, Affiliates
      Employees
      Officers and Directors and Related Companies
      External Audit Firm(s)
      Sensitive Vendors and those that require special reporting
      Vendors Set Up or Referenced in Other Systems
  • 30. Vendor Master File Standards: Names
    Identify Vendors in Special Classes for Possible Name Standardization
      Federal Government Departments and Agencies
      State Governments
      Local Governments
      Postal Service
      Individuals
      Telephone Companies and Utilities
      Non-Governmental Organizations (NGOs)
      Garnishments
      Petty Cash
      Other (e.g. Universities, Courts, Agents, Medical Service Providers)
  • 31. Vendor Master File Standards: Addresses
    Address Problems and Issues
      Name continuation and/or Name qualifiers in address fields
      Attention (ATTN)
      Internal addresses
      Invalid, Missing or Inconsistent State and Zip Code
      Punctuation and special characters
      Improper Abbreviations
      Numbers as Words
      Dual Addresses
      PO BOX Addresses
      CMRAs (Commercial Mail Receiving Agencies)
      “Bad” Addresses (many types of problems)
  • 32. Vendor Master File Standards: Other Fields
    Phone
    Tax Identifiers
      US – SSN, EIN, ITIN
      Canada – SIN, BIN
      European Union – VATIN (VAT Identification Number)
    1099 Type/Box
    Payment Terms and Default Discounts
    Bank Routing Code and Account Number
    Minority, Women Owned, Small Business, etc.
    Default G/L Code
    Classification Codes
    Certifications
    Insurance Certificates
    Email Addresses
    Web Sites
  • 33. Best and Appropriate Practices
  • 34. Best and Appropriate Practices: Overview
    Vendor Verification and Authentication
    Vendor Setup and Change Management
    Vendor and Address Deactivation
    Vendor Review and Controls
  • 35. Best and Appropriate Practices: Vendor Verification and Authentication
    Determine the amount of checking based on
      Strategic importance of vendor
      Amount and type of business expected to be done
    Determine if vendor is already on file
      Dual Review
      Name Qualifier
      Common Abbreviation
      Care Of or Agent
    Minimize likelihood of fraud / Ensure that vendor is legitimate
      Check business history and length of time in business
      Confirm street address, especially if the only address is a PO Box
      Check third party directories
      Check against Employee Data: Name, Address, Phone, TIN, Bank Account match
      Check vendor address against your locations
  • 36. Best and Appropriate Practices: Vendor Verification and Authentication (cont'd)
    Validate basic vendor address information
      US Vendors
        Delivery Point Validation
        CMRA (Private Mail Box)
        PO Box
      Non-US Vendors
        Use UPU.INT and individual country postal web sites
    Phone Directory Lookup(s)
    Call Vendor
  • 37. Best and Appropriate Practices: Vendor Verification and Authentication (cont'd)
    Regulatory
      Ensure that you are not doing business with a prohibited party on the OFAC, FTO and BIS lists or other lists of denied, debarred, excluded or restricted parties
      Check the GSA System for Award Management (SAM)
      Verify that information for regulatory reporting is correct
        Get W-9s for US vendors and the appropriate W-8 for non-US vendors
        Use IRS TIN Matching
      Check State of Incorporation or Local Jurisdiction: Secretary of State or Office of Corporations
      Determine State Reporting Requirements
        State Withholding and “1099” Reporting
        Office of Child Support for Deadbeat Parent Check
      Check Industry Specific lists
  • 38. Best and Appropriate Practices: Vendor Verification and Authentication (cont'd)
    Other
      Check Vendor's Web Site
      Check Ownership of Vendor's Web Site (who.is)
      Validate Email Addresses: send test messages
      Validate Routing Code and Account Numbers: initiate test transactions and obtain confirmations
      Check Third Party Data: Corporate Affiliations, ChoicePoint, D&B, Experian, Intelius
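Most of the verification steps on slides 35 to 38 can be run against data you already hold before anyone phones the vendor, submits a TIN match or sends a bank test transaction. The Python below is an added example for this page, not code from the presentation; the employee master, company locations and denied-party list are constructed, the routing numbers are checksum-valid samples, and the severity labels and the 0.85 name-similarity threshold are assumptions. It flags a new vendor whose phone, TIN and bank account collide with an employee record, a PO Box as the only address, a fuzzy hit against the denied-party list, and a routing number that fails the ABA check digit. It decides whether the online checks are worth doing yet; it does not replace them.

```python
import re
from difflib import SequenceMatcher


def _key(text: str) -> str:
    """Uppercase alphanumerics separated by single spaces; the comparison key."""
    return " ".join(re.sub(r"[^A-Z0-9]", " ", text.upper()).split())


def _digits(text: str) -> str:
    return re.sub(r"\D", "", text)


def aba_routing_valid(routing: str) -> bool:
    """ABA routing transit number check: weights 3,7,1 repeating, total mod 10 == 0."""
    d = _digits(routing)
    if len(d) != 9:
        return False
    return sum(int(c) * w for c, w in zip(d, (3, 7, 1) * 3)) % 10 == 0


def screen_denied_parties(name, denied, threshold=0.85):
    """Denied-list entries whose normalized name is close to the vendor's.
    Fuzzy on purpose: 'Redsable Trading' should still hit 'RED SABLE TRADING CO'."""
    n = _key(name)
    return [d for d in denied
            if SequenceMatcher(None, n, _key(d)).ratio() >= threshold]


def verify_vendor(vendor, employees, locations, denied):
    """Setup-time checks; returns a list of (severity, message) findings."""
    findings = []
    v_name, v_addr = _key(vendor["name"]), _key(vendor["address"])
    v_phone, v_tin = _digits(vendor["phone"]), _digits(vendor["tin"])
    v_bank = (_digits(vendor["routing"]), _digits(vendor["account"]))

    # Fictitious-vendor / kickback red flag: vendor data that collides with an employee's.
    for e in employees:
        same = [f for f, hit in (
            ("name", _key(e["name"]) == v_name),
            ("address", _key(e["address"]) == v_addr),
            ("phone", _digits(e["phone"]) == v_phone),
            ("tin", _digits(e["tin"]) == v_tin),
            ("bank", (_digits(e["routing"]), _digits(e["account"])) == v_bank),
        ) if hit]
        if same:
            findings.append(("high", f"matches employee {e['id']} on {', '.join(same)}"))

    # A vendor whose address is one of your own locations is another classic pattern.
    if v_addr in {_key(loc) for loc in locations}:
        findings.append(("high", "address is one of our own locations"))

    # PO Box or private mailbox as the only address: a street address must be confirmed.
    if re.search(r"\b(P ?O BOX|PMB)\b", v_addr):
        findings.append(("medium", "PO Box or PMB address; confirm a street address"))

    # Regulatory: denied / debarred party screening.
    for hit in screen_denied_parties(vendor["name"], denied):
        findings.append(("high", f"possible denied-party match: {hit}"))

    # Offline format checks before spending an IRS TIN match or a bank test transaction.
    if len(v_tin) != 9:
        findings.append(("medium", "TIN is not 9 digits; IRS TIN Matching will reject it"))
    if not aba_routing_valid(vendor["routing"]):
        findings.append(("high", "routing number fails the ABA check digit"))
    return findings


# Constructed sample data, not from the presentation; routing numbers are checksum-valid samples.
EMPLOYEES = [
    {"id": "E-4471", "name": "Dana R. Whitfield", "address": "17 Elm St, Newton MA 02467",
     "phone": "(617) 555-0142", "tin": "123-45-6789",
     "routing": "011000015", "account": "000123456"},
]
LOCATIONS = ["200 Corporate Dr, Newton MA 02467", "1 Plant Rd, Springfield IL 62701"]
DENIED = ["RED SABLE TRADING CO", "NORTHWIND FREIGHT LLC"]

NEW_VENDOR = {  # looks like an employee's side business paid into the employee's own account
    "name": "Whitfield Consulting LLC", "address": "P.O. Box 9021, Newton MA 02467",
    "phone": "617.555.0142", "tin": "12-3456789",
    "routing": "011000015", "account": "000123456",
}
CLEAN_VENDOR = {
    "name": "Globex Industrial Supply Inc", "address": "1 Globex Way, Springfield IL 62701",
    "phone": "(217) 555-0199", "tin": "98-7654321",
    "routing": "021000021", "account": "55501234",
}

if __name__ == "__main__":
    for v in (NEW_VENDOR, CLEAN_VENDOR):
        print(v["name"], verify_vendor(v, EMPLOYEES, LOCATIONS, DENIED) or "no findings")
```

A valid check digit only says the routing number is well formed, not that it belongs to the bank the vendor named; the test transaction on slide 38 is still the confirmation. The employee comparison is deliberately exact on phone, TIN and bank account, since those rarely collide by accident, while names get the fuzzy treatment only on the denied-party side where a miss is the expensive outcome.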
  • 39. Best and Appropriate Practices: Vendor Setup
    Have general conventions and standards
    Use a new vendor form with field names and positions similar to where they are in your vendor setup screens
    Require names and signatures of the requestor, the person doing setup and the person reviewing and verifying correct setup information
    Standardize how vendor names are entered; insist that the guidelines be followed and verify periodically
      Punctuation
      Abbreviations
      Name Prefixes and Suffixes
      Name Qualifiers
  • 40. Best and Appropriate Practices: Vendor Setup (cont'd)
    Use postal guidelines for addressing standards
      Punctuation
      Abbreviations
      Between Name and Delivery Address Line
        Name Qualifiers
        Internal Addresses
      Delivery Address Line: 7 Components
      Last Line: City, State, ZIP
      Non-US
  • 41. Best and Appropriate Practices: Vendor Setup (cont'd)
    Have guidelines for how other fields are formatted and/or their valid values
      Vendor Type and/or Class
      1099 Type (Box)
      Phone Numbers
      Taxpayer Identifiers
      Payment Terms
      ACH, P-Card, EDI, etc.
      Women Owned, Minority Owned, Small Business, Veteran, Disabled Veteran, etc.
      Insurance Certificate(s)
      Tax Certificate(s)
      Certifications
      Contacts
      Email addresses and web sites
  • 42. Best and Appropriate Practices: Vendor Setup (cont'd)
    Flag Special and Sensitive Vendors
      Vendors that are your company's audit firm(s)
      Your company's officers, directors and their affiliated companies
      Employees
      Vendors subject to other regulatory checking and reporting
        Based on your company's lines of business
        Based on the types of goods or services to be provided
        Subject to state withholding and/or reporting
    Mask or Restrict Access to Sensitive Data
      Restrict access to TIN, Bank and Card information
      Mask TIN, Bank and Card information
      Redact information on Source Documents
    Link and/or combine duplicate and some related vendors
    Promptly review all additions to the vendor master file
  • 43. Best and Appropriate Practices: Vendor Setup (cont'd)
    Provide to Vendors
      Send out a welcome letter and information packet that identifies:
        What to do to get paid
        When a contract or Purchase Order is required
        Whom to contact regarding issues
        Optionally, ethics and dispute resolution guidelines
  • 44. Best and Appropriate Practices: Vendor and Address Deactivation
    Decide when/how to purge or block inactive vendors and addresses
      15-18 months of inactivity is a typical rule
    Deal with Open Items
      POs
      Invoices
      Disbursements
  • 45. Best and Appropriate Practices: Vendor Review and Controls
    Promptly review all additions and changes to the vendor master file
    Check vendor name and address when checks are uncashed for more than 30 days
    Check the endorsement on the first check sent to a PO Box for a new vendor
    Check vendor name and address for all mailed items returned by the postal service
    Check the vendor against OFAC and other denied party lists before issuing a contract, cutting a PO or disbursing funds
    Check deadbeat reporting requirements
    Ensure separation of duties
    Periodically check the Vendor Master File against lists for
      Name changes
      Duplicates
  • 46. Best and Appropriate Practices: Vendor Review and Controls (cont'd)
    Communicate regularly with vendors
      Prepare a document that explains how a vendor should conduct business with your firm
      Require vendors to sign a business practices statement
      Use email intelligently
      Accept electronic input
      Provide sufficient remittance information to vendors so that they can properly apply payments
      Provide on-line inquiry and self service capability (Vendor Portal)
    Monitor vendor performance: accuracy and timeliness of invoices
    Consider having “Service Level Agreements” with your strategic vendors
  • 47. Third Party Resources
  • 48. Third Party Resources: US Government Web Sites
    US Department of Treasury - IRS: www.irs.gov
    US Department of Treasury - OFAC: www.treas.gov/offices/enforcement/ofac
    US Department of State - FTO: See OFAC
    US Department of Commerce – Lists of Parties of Concern: www.bis.doc.gov/index.php/policy-guidance/lists-of-parties-of-concern
    US Department of Health & Human Services: www.acf.hhs.gov/programs/css and www.acf.hhs.gov/programs/css/resource/state-and-tribal-child-support-agency-contacts
    US General Services Administration – System for Award Management: www.sam.gov
  • 49. Third Party Resources: Non-US Web Sites
    Australia DFAT List: www.dfat.gov.au
    Bank of England List (BOE): www.bankofengland.co.uk/publications/financialsanctions/index.htm
    Canada OSFI List: www.osfi-bsif.gc.ca/osfi/index_e.aspx?DetailID=525
    European Union (EU) Consolidated List: ec.europa.eu/external_relations/cfsp/sanctions/list/consol-list.htm
  • 50. Third Party Resources: Non-US Web Sites (cont'd)
    Guernsey Financial Services Commission (GFSC): http://www.gfsc.gg/
    Hong Kong Monetary Authority Lists (HKMA): www.info.gov.hk/hkma/eng/bank/three_tier/three_tier_f.htm
    Interpol: www.interpol.int (access to the Interpol Terrorism Watch list is restricted to authorized police agencies)
  • 51. Third Party Resources: Standards and Guidelines
    TIN Matching, 1099-MISC, 1042-S, etc.: Internal Revenue Service, www.irs.gov
    Standard Country Names and Codes: International Organization for Standardization, www.iso.org; en.wikipedia.org/wiki/ISO_3166-1
    US Addressing Standards: United States Postal Service, www.usps.com; pe.usps.gov/text/pub28/welcome.htm
    Canada Addressing Standards: Canada Post - Postes Canada, www.canadapost.ca; www.canadapost.ca/tools/pg/manual/default-e.asp
    International Addressing Standards: Universal Postal Union, www.upu.int
  • 52. Third Party Resources: Standards and Guidelines (cont'd)
    Telephone Number Formats: International Telecommunication Union, www.itu.int; en.wikipedia.org/wiki/National_conventions_for_writing_telephone_numbers
    Name Changes: OTC Markets, www.otcmarkets.com; Corporate Affiliations, www.corporateaffiliations.com
    Fraud: Kroll Global Fraud Reports, fraud.kroll.com/report-archive; Association of Certified Fraud Examiners Report to the Nations, www.acfe.com/rttn/docs/2014-report-to-nations.pdf
    Search wikipedia.org for other resources
  • 53. Comprehensive Risk & Controls Mgmt.
    Copyright © 2014, Oracle and/or its affiliates. All rights reserved.
    [Diagram: “Close the Loop” cycle of Assess Risk & Compliance, Detect and Fix Issues, and Continuous Improvement and Monitoring]
    1. Business Risks: Identification, Analysis, Evaluate
    2. Control Objectives: Document, Assessments, Reviews
    3. Continuous Monitors: Author, Execute, Investigate
  • 54. Enterprise Risk and Controls Foundation: One Unified Platform
    [Diagram: platform stack, from Custom or Legacy Applications up to Dashboards, Reports and Alerts]
    Flexible: Graphical Authoring; Detect and Prevent; Access, Transactions, Setups
    Data Driven: 100% of Transactions; Manage by Exception; Pattern Analysis
    Comprehensive: Multiple GRC Projects; From Documentation to Test; Closed Loop Approach
    Dashboards, Reports and Alerts: Notifications, Worklists, Email, Perspectives, Search
    Risk, Controls & Compliance Management: Reviews, Documentation, Assessments, Remediation, Surveys
    Continuous Controls & Risk Monitoring: Setups, Access, Master Data, Audit Tests, Transactions, User Authored Controls, Data Connectors, Fraud & Error Patterns
    Role Based Access Security; Web Services & APIs
  • 55. Nasser Khan, CISA, MBA
    Nasser Khan is a Governance, Risk & Compliance Solutions Architect
    Over 28 years of global experience in business process management, ranging across Financials, Supply Chain and Human Capital Management
    Nasser has executed several process transformation initiatives through ERP implementations, IT auditing, and audit process automation
    Bringing vast experience working globally with manufacturing, healthcare and public sector clients, Nasser Khan specializes in assisting clients to realize business gains through enterprise risk management
    Delivered consulting services in PeopleSoft, Oracle, and Deloitte
  • 56. Grcystems.com Introduction
    • ControlLayers is a service line of NHI GRCystems, a business technology systems’ risk consulting practice dedicated to thought leadership and implementation, management, automation, and enforcement of business process and technology controls.
    • High caliber advisory and implementation services: consultants provide deep domain expertise in enforcing internal controls in enterprise business processes and security functions.
    • Assists clients in managing operational, regulatory compliance, and privacy-related risks by providing strategy, roadmap and tools to ensure effective and continuous compliance, utilizing its partner’s tools and its own proprietary service offerings.
  • 57. Client Profiles
    • Major healthcare and other service providers in North America, averaging over 100 business units all over North America
    • On average, over 130,000 employees
    • Master Data Management is a key risk mitigation control, with large data entry and management teams
    • Over 8,000 unique vendor supply sources
    • Purchasing spend in excess of $100 million
    • Significant PeopleSoft clients of Oracle globally
    • Highly regulated environments: stakeholders need a higher degree of assurance from internal controls over financial reporting
  • 58. Challenges at clients
    • Ambitious business transformation initiatives involving PeopleSoft FSCM 9.1, HCM 9.1 and OBIEE (centralized reporting)
    • Financial transformation processes include GL, AP, AR, AM, KK, PC; Supply Chain transformed by deploying PO, IN, and Vendors, Contracts and Items
    • Over 100 business units purchasing from over 8,000 vendors
  • 59. Challenges at clients
    • One vendor (name) may have many subsidiaries dealing with totally different items, pricing models, payment terms and lead times
    • Consistent and accurate data needed to be entered against stringent standards
    • The same-name vendor may have a different subsidiary at the same location or in the same city
    • With distributed purchasing at BU level, conflicting and sometimes unfavorable contract terms were in force
    • Receiving and matching challenges occurred on many levels
    • Vendor approvals were not structured; inactive or blocked vendors could get paid (OIG of Dept. of HHS)
  • 60. Key Needs and Control Gaps
    • Needed a critical system to provide operating effectiveness of application-based controls in Procure to Pay on a continuous basis
    • The Duplicate Vendor report in PeopleSoft had limitations (it matched only on short name) and does not provide real-time validation
    • Financial Sanctions Validation was not enabled in PeopleSoft; an independent validation method needed to be used, based on data from another source
    • Comparison of address history in PeopleSoft was, again, not real-time
    • Needed to map controls in the source system conveniently to the control framework to assist in operational and compliance audits
    • (Slide matrix marks each need as No Control, PS Control or Manual Control.)
  • 61. Actual Vs. Desired Controls Landscape (diagram)
  • 62. Why did we need Advanced Controls?
    • Improve Audit Efficiency: audit coverage, confidence, reporting; incident investigation, whistle-blower support; continuous process monitoring
    • Minimize Fraud and Abuse: fictitious vendors; overstated invoices; receiving discrepancies
    • Reduce Error and Leakage: overpayment, duplicate payment; payment timing, discounts; reduce cost of manual controls; incorrect vendor paid
    • Secure Systems Down: preventative and detective segregation of duties policy enforcement; access appropriateness reporting; mapping users to transactions and providing audit trails of actions
  • 63. Main Vendor Management Goals
    • Increase buying leverage significantly and get the volume discounts based on collective purchasing power of all entities across operations
    • Improve many procure-to-pay sub-processes
    • Uniquely identify vendors operating across service geographies
    • Standardize payment methods and terms of payment
    • Reduce incorrect PO issuance, check issuance, late payment penalties, and overheads in managing the vendor landscape
    • Ensure vendors or their banks are not on OIG or OFAC lists
    • Make Item and Catalog administration structured and clear
  • 65. Found this value in Oracle Advanced Controls: Continuous Monitoring (Transaction Controls Governor)
    • Pre-seeded best practice controls for PeopleSoft Vendor management
    • Scalable to add more automated controls
    • Pre-seeded controls for Procure-to-Pay use gave perspective on the vendor information being reported
    • Continuous monitoring and schedulable alerts for exceptions
    • Independent ‘Witness System’ to hold evidence data should an external auditor or regulator need it
  • 66. Key Transaction Controls Deployed
    • Duplicate vendor entries
    • Duplicate invoice payments
    • Vendor address similar to an employee address
    • Payments made to blocked vendors
    • More than one vendor with similar addresses
    • Payments beyond the norm (outliers)
    • Monitor for approval of payments to vendors which were created by the same user
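  Several of the controls above, as an added example that is not part of the presentation and not Oracle's product code: duplicate-vendor, vendor-versus-employee address, blocked-vendor payment and creator-approves-own-vendor checks (the last is the segregation-of-duties case AACG flagged on a later slide) run over constructed sample records. The record layout, the status codes and the normalization rules are assumptions, not PeopleSoft's.

```python
"""Added example (not from the presentation): transaction controls of the kinds
listed on the slide, run over constructed vendor, employee and payment data."""
import re
from collections import defaultdict

def normalize(text):
    """Lower-case, drop punctuation and common suffix/street words so near-duplicates compare equal."""
    t = re.sub(r"[^a-z0-9 ]", " ", text.lower())
    t = re.sub(r"\b(inc|llc|ltd|corp|street|st|suite|ste)\b", " ", t)
    return " ".join(t.split())

def vendor(vid, name, addr, status, created_by):
    return {"id": vid, "name": name, "addr": addr, "status": status, "created_by": created_by}

# Constructed sample data (hypothetical). Status "A" = active, "I" = inactive/blocked.
VENDORS = [
    vendor("V001", "Acme Supply, Inc.", "12 Main St, Suite 4", "A", "jsmith"),
    vendor("V002", "ACME SUPPLY INC", "12 Main Street Ste 4", "A", "mlee"),
    vendor("V003", "Bolt Works LLC", "9 Oak Ave", "I", "jsmith"),
    vendor("V004", "J Smith Consulting", "77 Elm Rd", "A", "jsmith"),
]
EMPLOYEES = [{"id": "E100", "name": "John Smith", "addr": "77 Elm Rd."}]
PAYMENTS = [
    {"pay_id": "P1", "vendor": "V003", "amount": 500.0, "approved_by": "kwong"},
    {"pay_id": "P2", "vendor": "V004", "amount": 900.0, "approved_by": "jsmith"},
]

def duplicate_vendors(vendors):
    """Vendor IDs sharing a normalized name and address: candidates for merge."""
    groups = defaultdict(list)
    for v in vendors:
        groups[(normalize(v["name"]), normalize(v["addr"]))].append(v["id"])
    return [ids for ids in groups.values() if len(ids) > 1]

def vendor_employee_address_matches(vendors, employees):
    """(vendor, employee) pairs with the same address: a classic ghost-vendor indicator."""
    by_addr = {normalize(e["addr"]): e["id"] for e in employees}
    return [(v["id"], by_addr[normalize(v["addr"])])
            for v in vendors if normalize(v["addr"]) in by_addr]

def payments_to_blocked(vendors, payments):
    """Payment IDs issued to vendors whose status is not active."""
    blocked = {v["id"] for v in vendors if v["status"] != "A"}
    return [p["pay_id"] for p in payments if p["vendor"] in blocked]

def creator_approved_own_vendor(vendors, payments):
    """Payments approved by the user who created the payee vendor (SoD conflict)."""
    creator = {v["id"]: v["created_by"] for v in vendors}
    return [p["pay_id"] for p in payments if creator.get(p["vendor"]) == p["approved_by"]]
```

  Each function returns the exception list a monitor would raise; in a real deployment the duplicate check would also be run against the PeopleSoft address-sequence rows, since the slide notes the stock report matched on short name only.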
  • 67. TCG Model Setup: Is Vendor Overpaid? (screenshot)
  • 69. Remediation
    • Similar names
    • Unapproved vendor, or vendor not set up correctly
    • As part of remediation, the user would likely merge if the same vendor has been created under more than one similar name. A vendor setup may have inconsistencies which would need remediation.
  • 71. Access Controls: Segregation of Duties
    • For user activity, we utilized the Oracle Advanced Controls application Application Access Controls Governor (AACG), which flagged, for example, if the same user who created a vendor also approved vendors.
  • 72. Access Remediation: remove the SOD conflicts
  • 74. Found this value in Oracle Advanced Controls: Master data entry exception detection (Configuration Controls Governor)
    • Reduced manual data entry controls that included daily checking of vendor and vendor-related entries. With CCG, only changes needed to be analyzed, selectively: incorrect vendor on POs and reqs; payment term changes and incorrect terms on PO; bank account or address changes
    • User data quality improvements: leverage CCG-reported data to educate users in good practices and process improvement
  • 75. Key Configuration Change Controls Deployed
    • For change management, we used CCG Change Tracking: daily notifications of high risk field changes
    • CCG allowed daily reporting on who changed what, when and where
    • Limited the performance impact on PeopleSoft from audit data build-up
    • On event, and at certain financial period ends, took snapshots of configuration sets for a point-in-time picture
    • Combined with front-end vendor setup procedures, like using one entry per vendor designated as the ‘Primary Vendor’ and then using address sequencing to identify the vendor’s multiple fulfillment locations
  • 76. Configuration Change Tracking: create queries to track changes
  • 77. Setup Alerts on Vendor Changes
    • Specify which actions to be notified of, date range, backend or frontend, table object, etc.
    • We took a risk-based approach and were only interested in specific fields on specific tables
  • 78. Oracle Advanced Controls (Configuration) change record (screenshot) shows: who changed from the frontend; type of change; table name; for what key values and what the change was; when; who changed from the backend
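  The snapshot-and-alert idea behind the change-tracking slides above, as an added example that is not part of the presentation and not CCG's code: two constructed vendor snapshots are diffed and an alert is raised only for high-risk fields, carrying the who, what, when and where the slide lists. The field names, the audit columns and the frontend/backend source marker are assumptions.

```python
"""Added example (not part of the presentation): a minimal change-tracking check in
the spirit of the CCG snapshot-and-alert approach. It diffs two constructed vendor
snapshots and reports who changed what, when and where, alerting only on high-risk
fields. All records, user IDs and timestamps are made up."""
HIGH_RISK_FIELDS = ("bank_account", "address", "payment_terms")

def rec(address, bank, terms, phone, who, when, where):
    return {"address": address, "bank_account": bank, "payment_terms": terms,
            "phone": phone, "updated_by": who, "updated_at": when, "source": where}

# Constructed snapshots (hypothetical); each record carries its own audit columns.
SNAPSHOT_DAY1 = {
    "V001": rec("12 Main St", "1111", "NET30", "555-0100", "mlee", "2014-09-01T08:00", "frontend"),
    "V002": rec("9 Oak Ave", "2222", "NET30", "555-0200", "mlee", "2014-09-01T08:05", "frontend"),
}
SNAPSHOT_DAY2 = {
    # bank account swapped by a direct database (backend) update; phone also changed
    "V001": rec("12 Main St", "9999", "NET30", "555-0199", "dba01", "2014-09-02T02:10", "backend"),
    # payment terms loosened from the application front end
    "V002": rec("9 Oak Ave", "2222", "NET60", "555-0200", "jsmith", "2014-09-02T10:30", "frontend"),
    # brand-new vendor, not present in the earlier snapshot
    "V003": rec("1 Pine Ct", "3333", "NET30", "555-0300", "jsmith", "2014-09-02T11:00", "frontend"),
}

def track_changes(before, after, high_risk=HIGH_RISK_FIELDS):
    """One alert per changed high-risk field or new vendor; other field changes (phone) are ignored."""
    alerts = []
    for vid in sorted(after):
        new = after[vid]
        audit = {"who": new["updated_by"], "when": new["updated_at"], "where": new["source"]}
        old = before.get(vid)
        if old is None:
            alerts.append({"vendor": vid, "field": "(new vendor)", "old": None, "new": None, **audit})
            continue
        for field in high_risk:
            if old[field] != new[field]:
                alerts.append({"vendor": vid, "field": field, "old": old[field], "new": new[field], **audit})
    return alerts

def backend_changes(alerts):
    """Alerts whose change bypassed the application, i.e. came from a direct database update."""
    return [a for a in alerts if a["where"] == "backend"]
```

  Running `track_changes(SNAPSHOT_DAY1, SNAPSHOT_DAY2)` yields three alerts (a backend bank-account change, a payment-terms change and a new vendor); the phone change on V001 produces none, which is the risk-based filtering the slide describes.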
  • 79. Goals Vs. Value Realized
    • Goal: Increase buying leverage significantly and get the volume discounts based on collective purchasing power of all entities across operations. Value realized: Reduced spend significantly enough to justify the initial effort and opex of centralized vendor data management staff.
    • Goal: Improve many procure-to-pay sub-processes. Value realized: The exercise gave structure to work methods, ensuring accurate and timely processing of vendor payments.
    • Goal: Uniquely identify vendors operating across service geographies. Value realized: Reduced duplicate vendor situations to almost zero and allowed benchmarking of prices for all locations for the same items.
    • Goal: Standardize payment methods and terms of payment. Value realized: Cleanup gave clarity and the ability to demand the same terms from vendors of the same or similar items. Brought all vendors onto standard terms, which helped avoid payment delays and PayCycle processing issues.
    • Goal: Reduce incorrect PO issuance, check issuance, and overheads in managing the vendor landscape. Value realized: Vendor entry errors went down from 40% to less than 5%. Reduced the need for exception Purchase Orders and helped set up priority vendors.
    • Goal: Make Item and Catalog administration structured and clear.
  • 80. Lessons learned
    • Effective Controls with Low Resource Cost: PeopleSoft is a vastly configurable ERP system. Having additional controls configured in it, or queries built, places a burden on it. The Oracle Advanced Controls (OAC) applications proved to be an effective companion system for controls.
    • Early Gap Identification for Effective Design: Assess PeopleSoft and explore complementary resolution of gaps by OAC early in implementations.
    • Embed Controls within the Process: Treat OAC as part of ‘your daily diet’ business process flows and not as add-ons, to achieve process control, completeness and effectiveness.
    • Automate Controls for Efficiency: Adopt the mantra of ‘automated’ versus ‘manual’ and the chips will fall into place.
    • Highlight Root Causes by Identifying Control Points: Identifying control points as ‘afterthoughts’ results in band-aids. Instead, have business process flows nailed down first.
    • Layered Controls = Deeper Defense
  • 81. Follow Us & join the conversation: Oracle GRC Advanced Controls Group, @OracleAdvCntrls