Best in Class Controls for AP
The Institute of Financial Operations
Indiana – Southern Illinois Chapter
June 15, 2011
Sherry DePew
About The Speaker
Sherry DePew, Vice President of Account Management for Lavante
• 14 years at Boise Cascade, Director of Global Shared Services
• President and founding member of Idaho IAPP Chapter
• President: Oracle/PeopleSoft Accounts Payable Product User Group
• President Oracle Supplier Relationship Management User Group
• Co-founder and Board member of Oracle
• Featured AP and P2P writer and blogger for several on-line resources
Agenda
• Segregation of Duties
• Benefit of Segregation of Duties
• Financial System Access Controls
• Electronic Data Management (EDM)
• ACH/EFT vs. Check
• New Vendors
• Vendor Changes
• Purchase to Pay Control Continuum
Controls - Segregation of Duties
• Persons establishing vendors should not write, process or approve POs, receipts or invoices.
• Persons making changes to vendor data should not write, process or approve POs, receipts or invoices.
• Persons with access to add or change vendor information should not handle payments of any type.
• Persons with authority to request a check or payment should not approve, sign or handle payments.
• The person(s) issuing checks should not reconcile bank accounts.
• Ensure reconciling of accounts is done by different people within cost centers.
• Establish a separate post office box for returned checks.
• Replace your company name and address on disbursement envelopes with a simple post office box number.
Benefits of Segregation of Duties
One of the most difficult and complex sets of controls to implement, monitor and manage.
• Mitigates Risk of Deliberate Fraud
• Mitigates Risk of Legitimate Errors
• Mitigates Cost of Corrective Action
• Organization’s Reputation for Integrity and Quality Enhanced
Controls - Financial System Access
• Control of Security Object Privileges
• Screens
• Pages
• Read vs. Change Access
• Control of Multiple Security Profiles
• Access to add users and change their security profiles
Controls - Data Management (EDM)
• Controls for the Tracking and Storage of Electronic Documents
• Controls Often Reside in Enterprise Departments Responsible for Emails, Documents & Files
• Purchase to Pay workflow with Images and Approvals
• Make sure that images of approvals, exceptions and original documents can be accessed for External Audit and SOX Control Testing
Controls - ACH/EFT vs. Paper Checks
Mitigate Risk for Paper Checks
• Positive Pay
• Reverse Positive Pay
• Check Stock Handling
• Void Check Process
Mitigate Risk for ACH or EFT
• Handling of file sent to Bank, Clearing House or Outsource Provider
• Access and Protection of payment file
• Bank Account Design
• Funding Process
Controls – Establishing/On-Boarding a New Vendor
Most Critical Control for Fraud Prevention
• IRS TIN - Name Consistency
  • Verify Name and TIN against IRS data
• OFAC and FTO Checks
  • Check vendors against OFAC / FTO list and other lists
• Utilize 3rd Party Databases
  • Add D&B Numbers
  • Add SIC or NAICS codes
  • Add Credit Information
• Obtain W-9 or Substitute
• Obtain Minority Owned Business, Women Owned Business status, etc.
Controls – Vendor Changes
Same or Greater Risk than On-Boarding a New Vendor
Vendors Must be Participative in Changes
• Controls that are no longer effective
• Bank Account Changes (Treasury?)
• Merging Vendors
• Vendor Name Changes
Controls – Purchase to Pay Control Continuum
Procurement
Invoice Processing
Accounting
Check Requests
Vendor File Management
Goods Receipt
AP is Part of a Continuous Procure to Pay Cycle With A Great Potential for Risk. Separation of Duties Should Look Across the Entire Cycle.