Best in Class Controls for AP The Institute of Financial Operations Indiana – Southern Illinois Chapter June 15, 2011 Sherry DePew

Best in Class Controls for AP

The Institute of Financial Operations

Indiana – Southern Illinois Chapter

June 15, 2011

Sherry DePew

About The Speaker

Sherry DePew, Vice President of Account Management for Lavante

• 14 years at Boise Cascade, Director of Global Shared Services

• President and founding member of Idaho IAPP Chapter

• President: Oracle/PeopleSoft Accounts Payable Product User Group

• President: Oracle Supplier Relationship Management User Group

• Co-founder and Board member of Oracle

• Featured AP and P2P writer and blogger for several on-line resources

Agenda

• Segregation of Duties

• Benefit of Segregation of Duties

• Financial System Access Controls

• Electronic Data Management (EDM)

• ACH/EFT vs. Check

• New Vendors

• Vendor Changes

• Purchase to Pay Control Continuum

Controls - Segregation of Duties

• Persons establishing vendors should not write, process or approve POs, receipts or invoices.

• Persons making changes to vendor data should not write, process or approve POs, receipts or invoices.

• Persons with access to add or change vendor information should not handle payments of any type.

• Persons with authority to request a check or payment should not approve, sign or handle payments.

• The person(s) issuing checks should not reconcile bank accounts.

• Ensure reconciling of accounts is done by different people within cost centers.

• Establish a separate post office box for returned checks.

• Replace your company name and address on disbursement envelopes with a simple post office box number.

Benefits of Segregation of Duties

One of the most difficult and complex sets of controls to implement, monitor and manage.

• Mitigates Risk of Deliberate Fraud

• Mitigates Risk of Legitimate Errors

• Mitigates Cost of Corrective Action

• Organization’s Reputation for Integrity and Quality Enhanced

Controls - Financial System Access

• Control of Security Object Privileges

• Screens

• Pages

• Read vs. Change Access

• Control of Multiple Security Profiles

• Access to add users and change their security profiles

Controls - Data Management (EDM)

• Controls for the Tracking and Storage of Electronic Documents

• Controls Often Reside in Enterprise Departments Responsible for Emails, Documents & Files

• Purchase to Pay workflow with Images and Approvals

• Make sure that images of approvals, exceptions and original documents can be accessed for External Audit and SOX Control Testing

Controls - ACH/EFT vs. Paper Checks

Mitigate Risk for Paper Checks

• Positive Pay

• Reverse Positive Pay

• Check Stock Handling

• Void Check Process

Mitigate Risk for ACH or EFT

• Handling of file sent to Bank, Clearing House or Outsource Provider

• Access and Protection of payment file

• Bank Account Design

• Funding Process

Controls – Establishing/On-Boarding a New Vendor

Most Critical Control for Fraud Prevention

• IRS TIN - Name Consistency

• Verify Name and TIN against IRS data

• OFAC and FTO Checks

• Check vendors against OFAC / FTO list and other lists

• Utilize 3rd Party Databases

• Add D&B Numbers

• Add SIC or NAICS codes

• Add Credit Information

• Obtain W-9 or Substitute

• Obtain Minority Owned Business, Women Owned Business status, etc.

Controls – Vendor Changes

Same or Greater Risk than On-Boarding a New Vendor

Vendors Must be Participative in Changes

• Controls that are no longer effective

• Bank Account Changes (Treasury?)

• Merging Vendors

• Vendor Name Changes

Controls – Purchase to Pay Control Continuum

• Procurement

• Invoice Processing

• Accounting

• Check Requests

• Vendor File Management

• Goods Receipt

AP is Part of a Continuous Procure to Pay Cycle With a Great Potential for Risk. Separation of Duties Should Look Across the Entire Cycle.