Process Control Optimization with SAP


The procure-to-pay cycle, which includes all activities from the procurement of goods and services to receiving invoices and paying vendors, is a basic business process. It also presents significant risks if all aspects are not managed effectively and monitored continuously. Organizations that do not have optimal control over, and visibility into, their procure-to-pay business cycle can face late fees, missed discounts, wasted time and loss of assets – as well as noncompliance issues – due to inaccuracies or overlooked incidents of fraudulent activity.

Following are the three major phases of the procure-to-pay business cycle and some common risks organizations face in each area due to a lack of effective controls and visibility:

Supplier management (vendor master file) – duplicate and unauthorized vendors, unauthorized access to the vendor master file, and incorrect 1099 reporting

Purchasing – unauthorized purchases, inaccurate purchase order processing, and unauthorized returns, adjustments and allowances

Accounts payable – incomplete or inaccurate payment information, duplicate payments, liabilities and disbursements not recorded completely, and invoices that do not represent goods and services actually received

One key reason organizations have difficulty managing and monitoring their procure-to-pay process effectively is an overreliance on manual controls, which are prone to errors and can be easily changed or circumvented. To make better use of automated controls and optimize their overall control environment, more organizations are choosing to improve their knowledge of the functionality within their enterprise resource planning (ERP) solutions, such as the SAP ERP Central Component (ECC) 6.0. Companies are realizing significant cost and resource savings by optimizing their ECC configuration and deploying governance, risk and compliance (GRC) solutions like SAP BusinessObjects GRC.

SAP’s GRC solution performs critical monitoring of major business processes on a continuous basis. Configurable and customized controls can be easily implemented and maintained in the procure-to-pay cycle so that inaccuracies and inconsistencies, as well as potential incidents of fraud and noncompliance, can be identified and addressed quickly. However, despite the availability of tools like SAP BusinessObjects GRC, many organizations fail to take full advantage of the procure-to-pay control options available in their SAP environment, primarily because they are not aware of SAP ECC 6.0’s standard control functionality.

Protiviti | 2

By implementing and maintaining optimized controls within SAP – and using the right mix of both automated and manual controls to ensure all gaps in the procure-to-pay process are closed – organizations can reduce the risk of fraudulent activity (both through prevention and detection), ensure compliance with Sarbanes-Oxley, and generate significant cost savings.

The ideal control environment for managing risks effectively in the procure-to-pay cycle should include the following six areas:

Configurable controls – these controls are designed to maintain the integrity of “master data,” such as information in the vendor master file

Manual controls – these controls include approvals by authorized individuals (SAP automated workflow also can be set up for approvals)

General IT controls – the computing controls and IT notifications process that reduce the risk of unauthorized changes to SAP systems

Detective reports – SAP, for example, has many standard detective reports that do not need to be customized to be used as control reports

Security – this includes clearly defining access rights and segregation of duties rules

Policies and procedures – the rules that dictate how the organization controls, within its purchase cycle, which vendors will be used, what their limits are, and which people in the organization have the authority to approve invoices and purchase orders

There are many problems common to organizations that do not have optimized control of their procure-to-pay business cycle. The following are examples typically experienced in the supplier management, purchasing and accounts payable processes.

Supplier Management

For many businesses, especially large national or global companies working with a wide range of suppliers, the vendor master file can grow exponentially very quickly. This makes master data associated with the procure-to-pay process difficult to maintain efficiently, leaving the organization more susceptible to the risk of financial leakage and fraud.

Here is one example of what can happen when the supplier management process is not optimally controlled: Protiviti’s GRC and SAP experts recently examined the vendor master file of a large organization and discovered it had listings for more than 28,000 active suppliers, but 63 percent (or more than 17,700) had not had invoice or payment activity in longer than three years. Additionally, more than 1,700 vendors appeared to be duplicates, and more than 1,500 had invalid or incomplete information recorded in the vendor master file.

It is not unusual to find a number of suppliers in the vendor master file that have not been used recently, have not been marked for deletion, or have not been designated as “blocked” so that no further invoices related to those specific vendors can be processed. To ensure greater accuracy in this critical aspect of the procure-to-pay process, organizations should “clean house” in their vendor master file and apply more control over how their vendors are being set up in the system – and how they are being utilized.

Purchasing

The purchase order process is one area that many businesses are working hard to optimize with better controls. Often, companies already have established a solid purchase order process and implemented strong controls within SAP or another ERP system, and are successfully using the three-way match (invoice, receipt, purchase order) to approve invoices automatically for payment. However, it is common to find that even the most organized and proactive businesses are not taking full advantage of the control optimization settings available in their SAP environment.

One typical issue that can arise around the purchase order process (even in well-controlled environments) is the invoice date appearing before the purchase order date in the system. This usually occurs when an invoice is received before the purchase order is set up, making the critical three-way match more of a formality than a control. Inadequate training and lack of compliance with the process are often root causes. There also could be a significant delay between the time when the receipt is received and when it is processed against the purchase order in the system.

Other problems in the procure-to-pay process commonly seen across organizations in relation to purchase order processing include the following: a significant delay occurring between the time when the receipt is received and when it is processed against the purchase order in the system; a lack of compliance regarding what purchases require a purchase order; and a lack of review of aged open purchase orders. These issues can occur when procedures to issue purchase orders in a timely manner are inconsistent, proper approvals and controls for assigning purchase orders do not exist, and management support is absent.

Accounts Payable

In the past two years, many companies have been working to optimize their working capital. Some of these efforts have been motivated by recent economic conditions, while other businesses simply want to make a more concerted effort toward managing their working capital more efficiently. One way an SAP ERP system and effective GRC tools can support this type of initiative is by ensuring the terms of contracts that have been negotiated are captured in the procure-to-pay system, and that these terms cannot be overridden by unauthorized parties.

Close examination of the accounts payable process often reveals that contract terms negotiated with a vendor do not appear on the purchase order or do not flow through to the invoice. This can happen when information from a vendor contract or other relevant communication has not been entered into the vendor master file. And if appropriate controls are not set up around the ability to override at the invoice and purchase order level, the terms negotiated with a vendor can easily be changed – which means potential abuse may go undetected. Organizations should reinforce payment terms through ongoing training and compliance activities, as well as increased collaboration between procurement and accounts payable teams.

The above are just some examples of common issues that can occur in an environment where controls have not been optimized and there is an overreliance on manual processes. Following are examples of how control optimization with GRC tools, such as SAP BusinessObjects GRC, can help organizations mitigate risks throughout the procure-to-pay process.

Risk Area: Vendor Maintenance

Duplicate vendor listings are not just an annoyance; they also present serious risk. If the same vendor appears in the system twice, there is the potential for duplicate payments. Additionally, if purchases are not associated with the correct vendor, the organization may miss national volume discounts that have been arranged with that supplier.

To eliminate the risk of duplicate vendors, businesses should establish strong controls around vendor request and approval processes. This includes ensuring that only an authorized person (or persons) who does not process purchase orders or invoice payments can update the vendor master file with new vendors or change data related to an existing vendor, such as updated contract terms.

There are common optimization opportunities within these different steps that organizations can utilize. These include the centralized vendor maintenance function (this may not be possible for some organizations, such as smaller businesses that do not have a centralized function for vendor maintenance), mandatory fields for vendor master, master data integrity checks, and correct settings for duplicate checks (see Figure 1).

Figure 1: Examples of SAP controls that can be used to optimize the procure-to-pay process and help minimize the risk of errors and fraud.

One example of an SAP control that helps businesses to achieve these optimization opportunities in the SAP ECC 6.0 and ECC 5.0 environments is the configuration of vendor master mandatory fields. This control helps ensure that purchases and purchase orders are complete, and that during invoice processing, essential documents used for verification can be compared fully. Without implementing this control, an organization can experience a breakdown in both areas. And there is an additional benefit to having the same fields populated consistently: It assists with other controls, such as the automated duplicate vendor check.

Another SAP control is the dual authorization for sensitive fields, which protects extremely sensitive vendor master data fields, such as bank account information. The dual authorization requirement can help minimize risk of fraud. For instance, organizations can avoid the possibility of having an “insider” change a vendor’s bank account number to that of their own account in order to collect illegitimate payments from the business.

Duplicate vendor check fields help companies quickly identify duplicate vendors in the vendor master file, which allows them to minimize spend, realize discounts and avoid fraudulent activity. One way that companies work against themselves in this area, however, is to add too many fields in the duplicate vendor check. They assume adding more fields can help identify more duplicate vendor listings. But the more fields an organization indicates it would like to have match in the system, the fewer warning messages appear; this is because all “checked” fields must match 100 percent in order to generate a warning.

Protiviti works with businesses to help configure a good balance of “checked” fields so that just the right number of warning messages is generated: enough to prevent duplicate vendors, but not so many that the ERP system gets bogged down. An additional note: Although more businesses have become diligent about setting up duplicate vendor checks in their SAP environment, they often do not realize the full benefit of these controls because they fail to turn on the warning or error message configuration.
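The three vendor master controls described above (mandatory fields on creation, the duplicate check whose checked fields must all match before a message is issued, and dual authorization for a sensitive field such as the bank account) as an added Python illustration. This is not code from the white paper, from Protiviti or from SAP: the field names, the vendor ids, the "off/warning/error" message modes and the two sample vendor records are constructed here to show the behaviour, and do not correspond to SAP tables, transactions or configuration keys.

```python
"""Vendor master controls: mandatory fields, all-fields-must-match duplicate
check with a message switch, and dual authorization for sensitive fields.
Added example with constructed data; nothing here is SAP configuration."""
import re
from dataclasses import dataclass

MANDATORY_FIELDS = ("name", "street", "city", "tax_id", "bank_account")
SENSITIVE_FIELDS = {"bank_account"}   # changes here wait for a second person


def normalize(value):
    """Fold case and punctuation so 'Acme Supply, Inc.' equals 'ACME SUPPLY INC'."""
    return re.sub(r"[^a-z0-9]", "", value.lower())


@dataclass
class PendingChange:
    vendor_id: str
    field: str
    new_value: str
    requested_by: str


class VendorMaster:
    def __init__(self, duplicate_check_fields, message_mode="warning"):
        # message_mode mirrors the choice the text describes: "off" (check configured
        # but no message issued), "warning" (create, but report), "error" (refuse)
        self.check_fields = tuple(duplicate_check_fields)
        self.message_mode = message_mode
        self.vendors = {}      # vendor_id -> field dict (the active record)
        self.pending = []      # sensitive-field changes awaiting confirmation

    def duplicates_of(self, candidate):
        """Ids of existing vendors that match the candidate on ALL configured check fields."""
        return [vid for vid, v in self.vendors.items()
                if all(normalize(v[f]) == normalize(candidate[f]) for f in self.check_fields)]

    def create(self, vendor_id, candidate):
        """Create a vendor; returns the duplicate warnings raised (empty if none)."""
        missing = [f for f in MANDATORY_FIELDS if not candidate.get(f)]
        if missing:
            raise ValueError(f"mandatory vendor master fields missing: {missing}")
        dups = self.duplicates_of(candidate)
        if dups and self.message_mode == "error":
            raise ValueError(f"possible duplicate of {dups}; creation refused")
        self.vendors[vendor_id] = dict(candidate)
        return dups if self.message_mode == "warning" else []

    def request_change(self, vendor_id, field, new_value, user):
        """Non-sensitive fields change immediately; sensitive ones are parked."""
        if field in SENSITIVE_FIELDS:
            self.pending.append(PendingChange(vendor_id, field, new_value, user))
            return "pending confirmation"
        self.vendors[vendor_id][field] = new_value
        return "applied"

    def confirm_change(self, approver):
        """A second person applies the oldest pending change; no self-approval."""
        change = self.pending[0]
        if approver == change.requested_by:
            raise PermissionError("requester cannot confirm their own sensitive-field change")
        self.vendors[change.vendor_id][change.field] = change.new_value
        self.pending.pop(0)
        return "applied"


# Constructed sample: the same supplier keyed twice with cosmetic differences.
EXISTING = {"name": "Acme Supply, Inc.", "street": "12 Main St", "city": "Springfield",
            "tax_id": "12-3456789", "bank_account": "ACCT-0001"}
CANDIDATE = {"name": "ACME SUPPLY INC", "street": "12 Main Street", "city": "Springfield",
             "tax_id": "12-3456789", "bank_account": "ACCT-0001"}


def duplicate_check_demo():
    """Fewer check fields -> more warnings; adding 'street' hides this duplicate."""
    narrow = VendorMaster(("name", "city"))
    narrow.create("V1000", EXISTING)
    wide = VendorMaster(("name", "street", "city"))
    wide.create("V1000", EXISTING)
    return narrow.create("V1001", CANDIDATE), wide.create("V1001", CANDIDATE)


def dual_authorization_demo():
    """A clerk's bank account change stays inactive until a different user confirms it."""
    vm = VendorMaster(("name", "city"))
    vm.create("V1000", EXISTING)
    status = vm.request_change("V1000", "bank_account", "ACCT-9999", user="ap_clerk")
    still_old = vm.vendors["V1000"]["bank_account"]
    try:
        vm.confirm_change(approver="ap_clerk")
        self_approved = True
    except PermissionError:
        self_approved = False
    vm.confirm_change(approver="vendor_master_lead")
    return status, still_old, self_approved, vm.vendors["V1000"]["bank_account"]
```

The duplicate check deliberately normalizes case and punctuation before comparing, because without that step even a two-field check misses the most common duplicates; the street field still defeats the match here, which is the point the text makes about adding too many fields.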

Risk Area: Purchase Order and Invoice Processing

Within the purchase order and invoice processing cycle, there are three main areas where SAP can help organizations achieve better automation:

Match the purchase order to the goods receipt – This feature allows organizations to make sure they do not accept receipts for goods that they did not order.

Match goods receipt quantity to invoice – The business can ensure it is not paying for goods that have not been received.

Automatically approve invoice for payment – If a three-way match (purchase order, goods receipt and invoice) is confirmed, the system will automatically issue a payment to the vendor, saving time and avoiding human error or fraud.

Optimized Purchase Order and Invoice Processing Controls

SAP also provides the ability to set “tolerances” for the processing of invoices that relate to a particular purchase order. Tolerances are designed to help streamline the procure-to-pay process and minimize the number of inaccurate disbursements while reducing the number of blocked payments due to unmatched invoices.

In many cases, there may be a valid reason for differentiation in purchase price between the original purchase order and the invoice. Instead of blocking the payment outright, within SAP, the organization can choose to accept allowable tolerances of price differences to streamline the payment process and prevent any manual investigation, which can be both time- and resource-intensive. So if a price difference falls into the acceptable tolerance range and is within the organization’s risk appetite, the payment can be made on that invoice.

Another tolerance check covers quantity differences between a purchase order or invoice and a goods receipt. These tolerances help ensure that the company cannot receive something it did not order and does not pay for something it did not receive. The item amount check determines whether SAP blocks invoice items when their value exceeds a predefined amount in the system. For example, if the business has ordered 100 items but has received only 99, payment can still be approved. But if the organization receives 101 items, this quantity may exceed the set tolerances and the payment will be blocked.
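The three-way match and tolerance logic described in this section (receipt matched to the order, invoice matched to the received quantity and the ordered price, an item amount limit, and the invoice-dated-before-purchase-order symptom from the Purchasing section) as an added Python example. It is not code from the white paper, from Protiviti or from SAP: the data classes, the tolerance names, the sample purchase order number and all dates and prices are constructed for illustration and are not SAP tolerance keys or transactions.

```python
"""Three-way match with tolerances, plus a detective check for invoices dated
before their purchase order.  Added example; all values are constructed."""
from dataclasses import dataclass
from datetime import date


@dataclass
class PurchaseOrder:
    po_number: str
    created: date
    quantity: int
    unit_price: float       # price agreed on the order


@dataclass
class GoodsReceipt:
    po_number: str
    quantity: int


@dataclass
class Invoice:
    po_number: str
    invoice_date: date
    quantity: int
    unit_price: float


@dataclass
class Tolerances:
    over_receipt_pct: float    # receipt may exceed the order by this much (0 = none)
    price_pct: float           # unit price may deviate from the PO by this percentage
    item_amount_limit: float   # invoice items above this value are blocked regardless


def check_goods_receipt(po, gr, tol):
    """Receipt vs order: under-delivery is a partial delivery and passes;
    over-delivery beyond tolerance means we received something we did not order."""
    if gr.po_number != po.po_number:
        return "rejected: receipt references no matching purchase order"
    if gr.quantity > po.quantity * (1 + tol.over_receipt_pct / 100):
        return f"rejected: received {gr.quantity}, ordered {po.quantity}"
    return "accepted"


def match_invoice(po, gr, inv, tol):
    """Invoice vs received quantity and PO price.  Returns the list of block
    reasons; an empty list means the invoice is released for payment."""
    blocks = []
    if inv.quantity > gr.quantity:
        blocks.append(f"quantity: invoiced {inv.quantity}, received {gr.quantity}")
    deviation_pct = abs(inv.unit_price - po.unit_price) / po.unit_price * 100
    if deviation_pct > tol.price_pct:
        blocks.append(f"price: {deviation_pct:.1f}% deviation exceeds {tol.price_pct}%")
    if inv.quantity * inv.unit_price > tol.item_amount_limit:
        blocks.append("item amount exceeds configured limit")
    return blocks


def invoice_predates_po(po, inv):
    """Detective check: an invoice dated before its PO suggests the PO was raised
    after the fact, which turns the match into a formality."""
    return inv.invoice_date < po.created


def demo():
    """Run the scenarios from the text against one constructed purchase order."""
    tol = Tolerances(over_receipt_pct=0.0, price_pct=5.0, item_amount_limit=5000.0)
    po = PurchaseOrder("PO-CONSTRUCTED-0001", date(2011, 3, 1), quantity=100, unit_price=10.00)
    gr = GoodsReceipt(po.po_number, 99)          # 99 of 100 delivered
    on_time = date(2011, 3, 10)
    return {
        "receipt_99": check_goods_receipt(po, gr, tol),
        "receipt_101": check_goods_receipt(po, GoodsReceipt(po.po_number, 101), tol),
        "invoice_within_tolerance": match_invoice(po, gr, Invoice(po.po_number, on_time, 99, 10.20), tol),
        "invoice_price_too_high": match_invoice(po, gr, Invoice(po.po_number, on_time, 99, 12.00), tol),
        "invoice_more_than_received": match_invoice(po, gr, Invoice(po.po_number, on_time, 100, 10.00), tol),
        "invoice_before_po": invoice_predates_po(po, Invoice(po.po_number, date(2011, 2, 20), 99, 10.00)),
    }
```

A 2 percent price difference on 99 units passes and is paid without anyone looking at it, a 20 percent difference is blocked, and an invoice for 100 units against a receipt of 99 is blocked on quantity; the over-receipt of 101 never gets as far as the invoice because the receipt itself is rejected.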

Within a three-way match in the procure-to-pay process, there are up to 15 SAP settings that can be configured and customized, depending on an organization’s various payment and purchase order scenarios. The results of control optimization in the procure-to-pay cycle are the use of more automated processes, a reduction in the risk of human error and fraud, and the realization of the full ERP functionality purchased with SAP.

Within SAP, which is a complete ERP system, there are configurable controls available for a wide range of major business processes beyond the procure-to-pay cycle. Protiviti has a listing of more than 400 configurable controls that can be utilized within all the various processes that are depicted in Figure 2 below.

Figure 2: Standard SAP ECC 6.0 functionality provides hundreds of configuration settings that can be automated and optimized for operational and financial reporting processes.

Once Protiviti has helped an organization configure its controls and optimize its environment, SAP can provide additional solutions – such as its SAP BusinessObjects Process Controls – that will help monitor the health of the configurations designed and set during implementation and make sure they do not change without proper authorization. Continuous monitoring with SAP GRC Process Control streamlines a company’s ongoing Sarbanes-Oxley compliance efforts.

Case Study: SAP Controls and Sarbanes-Oxley Compliance

Many organizations are making better use of SAP process controls to help them achieve more cost-effective Sarbanes-Oxley compliance. To determine where automation can be achieved in the internal control framework, Protiviti’s GRC and SAP experts will assess an organization’s current SAP environment, “ignoring” existing manual processes, and using Protiviti’s library of more than 400 configurable controls to determine which Sarbanes-Oxley risks SAP controls can help to mitigate. From here, it can be determined where Sarbanes-Oxley risks are not adequately mitigated by automated SAP controls and where manual controls may be necessary to close any gaps preventing Sarbanes-Oxley compliance.

In one recent engagement, Protiviti was able to transform a company’s internal control framework, which included multiple legacy applications, from primarily manual controls (53 percent) to primarily automated and semi-automated controls (80 percent) by optimizing configurable controls during the SAP implementation. The organization already had mature Sarbanes-Oxley compliance efforts, but there was still room for control rationalization, automation and optimization, particularly in the purchase-to-pay cycle.

After making these improvements to the Sarbanes-Oxley process, Protiviti guided the company through control optimization for all of its major business processes, including order to cash, human resources and general ledger. By implementing SAP ECC 6.0 and fully optimizing available SAP configurable controls, Protiviti was able to help the company primarily automate or semi-automate 64 percent of its controls in its overall internal control framework; previously, 68 percent of these controls were manual (see Figure 3).

How Companies Have Optimized Their SAP Environment

The life cycle of an SAP control optimization project includes three phases:

Analyze – The organization evaluates the current state of its SAP environment to identify and understand any vulnerabilities and weaknesses.

Standardize and Automate – Weaknesses are prioritized and gaps are closed with automated processes (in some cases, manual processes may also be implemented).

Monitor – Once the environment has been optimized, continuous monitoring is enabled. This is where SAP BusinessObjects GRC solutions can help the organization maintain the optimized control environment it has designed.

Figure 3: Protiviti’s SAP and GRC experts helped one organization transform its overall internal control framework from primarily manual (68 percent) to primarily automated and semi-automated controls (64 percent).

Additionally, the organization experienced a 40 percent reduction in controls due to increased reliance on new, automated controls within SAP and the decommissioning of older legacy applications. By optimizing its control environment, the company realized more than US$500,000 in annual savings just in its Sarbanes-Oxley compliance efforts.

To determine potential annual cost savings from a control optimization project for Sarbanes-Oxley compliance using SAP, businesses will need to conduct both a return on investment calculation and a cost-benefit analysis. Depicted in Figure 4 are formulas for estimating control performance cost savings (e.g., determining who in the organization handles manual controls and how many times they must do it each year, how many hours it takes, and what their internal rate is) and Sarbanes-Oxley control testing cost savings (e.g., how many manual controls currently exist, how long it takes to test those controls, and what the testing rate is).

Figure 4: Formulas to determine potential control performance cost savings and Sarbanes-Oxley control testing cost savings through control optimization with SAP.

Other indirect cost savings not documented above, including reduced training costs for new staff on control performance procedures, can be realized when controls are primarily automated. Organizations also may experience reduced re-testing costs for failed controls because automated controls typically have a much higher passing rate than manual controls. Moreover, many companies that optimize their control environment, not only in the procure-to-pay process but also in other major business processes, typically see an overall increase in the productivity of operations personnel because those employees are no longer required to perform manual control activities.

By leveraging assessment tools to understand process improvement opportunities, gaining more insight into business processes and underlying technology that can help to optimize an ERP implementation such as SAP, and using solutions and tools that enable continuous monitoring of the optimized control environment, organizations of all types are likely to experience significant savings in both costs and resources.

About Protiviti

Protiviti (www.protiviti.com) is a global business consulting and internal audit firm composed of experts specializing in risk, advisory and transaction services. We help solve problems in finance and transactions, operations, technology, litigation, governance, risk, and compliance. Our highly trained, results-oriented professionals provide a unique perspective on a wide range of critical business issues for clients in the Americas, Asia-Pacific, Europe and the Middle East.

Protiviti has more than 60 locations worldwide and is a wholly owned subsidiary of Robert Half International Inc. (NYSE symbol: RHI). Founded in 1948, Robert Half International is a member of the S&P 500 index.

© 2011 Protiviti Inc. An Equal Opportunity Employer. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

As the world’s leading provider of business software, SAP delivers products and services that enable enterprises of all sizes to improve their business operations. SAP facilitates a company’s effort to manage risk and compliance while optimizing efficiency, strategy and growth with a single integrated financial management platform. Addressing business processes in more than 25 industries, SAP has maintained its role as the authority on business software.

Protiviti and SAP are actively working together to help clients improve their capability in this important area by implementing and effectively utilizing the full SAP BusinessObjects suite of GRC and EPM solutions to enhance their integrated enterprisewide risk mitigation and compliance efforts. For more information, visit http://www.protiviti.com/en-US/Solutions/Information-Technology/Managing%20Applications/Pages/default.aspx.

Our Information Technology Effectiveness and Control Solutions

We partner with chief information officers, chief financial officers and other executives to ensure their organizations maximize the return on information systems investments while at the same time minimize their risks. Using strong IT governance to ensure alignment with business strategies, we drive excellence through the IT infrastructure and into the supporting applications, data analytics and security. We also facilitate the selection and development of software, manage the risk of implementation, implement configurable controls on large ERP installations, and implement governance, risk and compliance (GRC) software applications.

For additional information about the issues reviewed in this white paper or Protiviti’s services, please contact:

ATLANTA

Aric Quinones, Associate Director, +1.404.240.8376

CHICAGO

Gordon Braun, Director, +1.913.661.7406

HOUSTON

John Harrison, Managing Director, +1.713.314.4996

LOS ANGELES

Steve Cabello, Managing Director, +1.213.327.1470

NEW YORK

Carol Raimo, Managing Director, +1.212.603.8371

SAN FRANCISCO

Ronan O’Shea, Managing Director, +1.415.402.3639