As more and more organizations innovate and streamline their Purchase-to-Pay (“P2P”) processes and rely on new processes, job roles, and technologies, similar advancements are required within the related control structures.
On a recent webcast in the Peeriosity Accounts Payable research area, the topic of control monitoring and fraud prevention was discussed. As part of the webcast, participants responded to a poll regarding implementing technology to continuously monitor transactions taking place within their companies’ P2P processes, as well as technology to identify possible fraudulent activity within P2P. The poll results indicate that this is an area that many have an interest in, but few have actually implemented. As the results below show, fewer than 20% have implemented it, between 30 and 40% are evaluating or considering it, and close to 50% are not considering or are not yet familiar with the technology.
The results indicate that there is a large opportunity to enhance controls in the P2P processes through the use of technology to monitor and report on activity.
Our feature company for the webcast has an advanced P2P process that includes a global center with process owners, as well as regional Shared Services centers that execute a standard process and support designated countries. The global center houses a team accountable for, among other things, P2P global policy and controls as part of the Shared Services organization.
One of their objectives is to develop a control model that includes a structured set of elements to manage risk. As in most control structures, there is a process to assess, identify, and mitigate risk, as well as an ongoing evaluation of controls. The key point of the discussion was how to monitor the execution. In this regard, our feature company views control in two categories: Monitoring and Forensics.
Monitoring entails real-time controls that include:
- Potential duplicate payment identification prior to payment
- Verification of invoice vouchers (random sampling plus set criteria)
- Supplier validation
However, to go to the next level and reach the risk areas that can bypass monitoring, Forensic and Exception Reporting has been implemented. Forensics identifies potential irregularities by analyzing data and data relationships. It alerts the team with additional information that would not necessarily have been detected through monitoring. These irregularities may not constitute fraud or indicate that a control was bypassed, but they meet criteria that suggest the transactions are unusual in nature.
Exception Reporting identifies specific instances in which a transaction is outside of set tolerances or an expected result and requires further investigation, including investigation as to why the monitoring controls did not identify it.
By having ongoing monitoring controls supplemented by forensic and exception reporting, the global P2P process is control tested centrally on a continual basis. Some of the automated controls within the overall control structure give timely visibility to items such as:
- Multiple supplier invoices within a short time frame that are individually below the approver’s authorization limit
- Duplicate vendor/supplier payment attributes
- Master file edit trends
- Credit memo analysis by various attributes
- Non-PO missing approvers and related review
- Inactive supplier identification
- Alternative payments to blocked accounts
- Vendor risk analysis based on preset criteria
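The first control in this list, as an added example that is not the feature company's code: it flags invoices from one supplier to one approver that are each below the approver's authorization limit but together reach it within a short time frame. The invoice records, the limits, the 7-day window and all names are constructed assumptions, since the article gives no thresholds.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample invoices: (invoice_id, supplier, approver, date, amount)
INVOICES = [
    ("INV-001", "S-100", "approver_a", date(2024, 3, 1), 4800.00),
    ("INV-002", "S-100", "approver_a", date(2024, 3, 2), 4900.00),
    ("INV-003", "S-100", "approver_a", date(2024, 3, 4), 4700.00),
    ("INV-004", "S-200", "approver_a", date(2024, 3, 1), 1200.00),
    ("INV-005", "S-200", "approver_a", date(2024, 4, 20), 4500.00),
    ("INV-006", "S-300", "approver_b", date(2024, 3, 5), 9000.00),
    ("INV-007", "S-300", "approver_b", date(2024, 3, 6), 800.00),
]
# Assumed values: the article states no limits or time frame.
APPROVER_LIMITS = {"approver_a": 5000.00, "approver_b": 10000.00}
WINDOW = timedelta(days=7)

def find_split_invoice_clusters(invoices, limits, window=WINDOW):
    """Return one exception per cluster of below-limit invoices whose
    combined total reaches the approver's limit within `window`."""
    groups = defaultdict(list)
    for inv_id, supplier, approver, inv_date, amount in invoices:
        if amount < limits[approver]:  # only individually approvable invoices
            groups[(supplier, approver)].append((inv_date, inv_id, amount))
    exceptions = []
    for (supplier, approver), rows in sorted(groups.items()):
        rows.sort()  # chronological order within supplier/approver pair
        start, total = 0, 0.0
        for end, (inv_date, _, amount) in enumerate(rows):
            total += amount
            # Slide the window start forward past invoices that are too old.
            while inv_date - rows[start][0] > window:
                total -= rows[start][2]
                start += 1
            if end > start and total >= limits[approver]:
                ids = [r[1] for r in rows[start:end + 1]]
                hit = {"supplier": supplier, "approver": approver,
                       "invoices": ids, "total": total}
                # Extend the previous exception if the cluster only grew.
                if exceptions and exceptions[-1]["invoices"][0] == ids[0]:
                    exceptions[-1] = hit
                else:
                    exceptions.append(hit)
    return exceptions

if __name__ == "__main__":
    for hit in find_split_invoice_clusters(INVOICES, APPROVER_LIMITS):
        print(hit)
```

Supplier S-200 is not flagged because its two invoices fall outside the window, and S-300 is not flagged because the combined total stays under the approver's limit; both thresholds would need tuning against real payment data to keep the exception queue reviewable.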
The webcast covered many specific applications of monitoring, forensics, and exception reporting. The conversation concluded with some key insights discussed by our feature company and by other webcast attendees:
- Forensic and Exception reporting is the primary area of controls evolution, an opportunity for Shared Services, and part of a continuous control structure.
- Between monitoring, forensics, and exception reporting, the base and “seams” can be better covered. However, it needs to be a coordinated structure and part of the broader risk assessment and mitigation process (e.g. Sarbanes, Risk, and Control Assessments, Peer Reviews).
- The control structure can be managed globally and address global and local risks.
- The entire P2P process should be part of the structure to avoid gaps.
What initiatives are you currently working on to improve your control structure for the Purchase-to-Pay process?