Anti-Fraud Management Example In Accounts Payable

Page 1

Anti-Fraud Management Example In Accounts Payable

Michael Heckner

October 12, 2012

Page 2

© 2011 SAP AG. All rights reserved.

GRC Top Reasons Customers Invest Today

Business Process Improvements
• Systematic, reliable processes
• Improve predictability and performance

Avoid “Negative” Business Issues
• Prevent irregularities such as fraud
• Prevent human errors
• Avoid financial losses
• Avoid damage to reputation

Compliance
• Comply with governmental regulations and legislation
• Comply with industry regulations
• Comply with internal company policies

Page 3

Economic Crime and Errors: What Is the Damage Caused by Fraud and Errors?

Economic Crime

Average fraud loss: 5% of annual revenue. One-fourth of the frauds caused at least $1 million in losses. (“2010 Report to the Nation,” ©2010 by the Association of Certified Fraud Examiners, Inc.)

46% of organizations with 1000+ employees reported suffering at least one significant economic crime in the past 12 months. In addition to the direct financial impact there is indirect or collateral damage, including employee morale, business relations, reputation/brand, relations with regulators, share price, etc. (PwC Global Economic Crime Survey, Nov 2009)

40% believe there is a greater risk of fraud in the current economy: “Staff reductions resulting in fewer resources deployed on internal controls”. (PwC Global Economic Crime Survey, Nov 2009)

• Estimates are hard to get
• Grey zone of criminal behavior
• High number of unreported cases
• More frequent than “crime”?

Employee Errors

Insufficient controls can result in:
• Procurement Errors
• Overpayments to Vendors
• Excessive Rebates to Customers
• Changes to Payment Terms
• Accidental Leakage of Intellectual Property
• Etc.

Nearly impossible to track the total financial impact of employee errors

Page 4

Overview SAP GRC: Top-down and bottom-up risk management/compliance

Control layers: Company Wide Controls, Procure to Pay Controls, Order to Cash Controls, IT (General) Controls

SAP GRC: Access Control, Process Control, Risk Management, Internal Audit Management, Policy Management

Page 5

Page 6

Enterprise Risk Management: Business Risks Cause Majority of Losses

Material risk events encountered in the past three years (for enterprises over US$5 billion in revenue)

Financial
• Currency exchange rates
• Interest issue and increasing reserves
• Accuracy of realistic balance sheet reporting
• Ability to manage cash
• Non-transparent markets
• Economic recession
• Energy and commodity costs

Political/Geopolitical
• Change of government – and minority governments
• Grants and budget changes
• Constant change of ministers
• Federal Accountability Act
• Terrorism

Strategic
• Industry consolidation and globalization
• Error-filled release of software upgrade
• Change in core product demand
• Cancellation of major customer contracts
• Performance standards and service quality

Environmental/Health
• West Nile Virus
• Safety crisis
• Compliance with environmental standards
• Food sanitary management problem
• Climate change
• Environment pollution

Operational
• Hurricane Katrina
• Data center outage
• Delivery risk
• Blast furnace cold run
• ERP application crash
• Plant disaster causing production stoppage

Legal & Compliance
• Fraud
• Product liability claims
• Missed time line for legal changes
• Embezzlement of parts
• Safety of goods or products

Source: IBM Global Business Services, The Global CFO Study 2008.

Head of Risk Management

87% of risks are not financial

Page 7

Examples of Enterprise Risks (Transportation Industry)

Strategic Risks
• Freight Rates
• Oil & Gas Prices
• Political Risks
• Information Risk

Financial Risks
• Liquidity
• Credit Risk
• Foreign Exchange
• Insurance (Self-Insurance)

Operational Risks
• Major Safety Incidents
• Major Environ. Incidents
• War, terrorism or piracy attack

Compliance Risks
• Human Rights (OECD Standards)
• Tax
• Anti-corruption, competition and export control
• Procedures and Controls

Page 8

Examples of Enterprise Risks

Risk categories: Governance, Strategy and Planning, Operations, Compliance, Reporting

Risk areas: Corp. Governance; Ethics; Corp. Responsab./Sustainab.; External Factors; Planning; Strategy; Corp. Assets; Finance; Human Resources; Information Technology; Legal; Product Development; Sales, Marketing & Communic.; Supply Chain; Compliance; Reporting

Risk topics listed on the map:
• Board Effectiveness / Knowledge Management
• Addressing Allegations
• Biodiversity
• Competition
• Business Continuity Management (BCM)
• Alliances
• Facilities and Equipment
• Accounting
• Corporate Culture
• Architecture
• Bankruptcy
• Discontinuance and Divestiture
• Branding and Reputation
• Planning
• Communication and Training
• Compliance with Accounting Standards and Policies
• Board Structure and Leadership
• Communication
• Climate Change
• Credit Rating
• Capital Planning
• Business Concentration
• Intangible Assets
• Audit Quality
• Health and Welfare Benefits
• Asset Management
• Competition
• Innovation, Research and Development
• Communication
• Sourcing
• Compliance Culture
• Financial Disclosures
• Compensation / Performance Incentives / Alignment
• Corrective Actions and Discipline
• Community Investment
• Customer Demands
• Knowledge Management
• Business Model
• Personal Safety
• Capital Management
• Human Resources Policies and Procedures
• Business Continuity Management (BCM)
• Contract Management
• Launch
• Customer Relations / Customer Support
• Production Compliance
• Information Management
• Financial Information Availability
• Corporate Responsibility & Sustainability
• Ethical Culture / Tone at the Top
• Energy Management and Alternative Sourcing
• Economic Conditions / Industry Trends
• Operational Planning
• Customers
• Physical Security
• Credit Implications of Significant Events
• Change Management
• Corporate Investigations
• Liability
• Distribution
• Delivery
• Compliance Organization
• Financial Statement Fraud
• Reputation / Shareholder Relations
• Ethics Reporting
• Fair Trade Certification
• External Fraud
• Performance Management
• Extended Enterprise
• Process Management
• Financial Asset Management
• Labor Relations
• Contracting and Outsourcing
• Environmental, Health and Safety
• Product Design / Quality
• E-Commerce / Internet Strategy
• Returns
• Compliance Reporting
• Management Reporting
• Risk Oversight
• Investigation
• Natural Resource Utilization and Accounting
• Geopolitical
• Scenario Planning
• Growth
• Taxation
• Insurance and Hedging
• Organization Structure
• Information Security
• Finance and Accounting
• Production
• Investor Relations
• Controls and Monitoring
• Regulatory Reporting
• Transparency & Financial Integrity
• Monitoring and Auditing
• Philanthropy
• Hazards / Catastrophic Loss
• Innovation
• Utilization
• Liquidity
• Payroll Operations
• Government Investigations
• Substitution
• Marketing Programs
• Policies and Procedures
• Reporting Quality
• Policies and Procedures
• Project Financing
• Laws and Regulations
• Markets
• Pensions
• Performance / Talent Management and Compensation
• Physical and Environmental
• Intellectual Property
• Technology Obsolescence
• Market Research
• Risk Assessment
• Statutory Reporting
• Program Assessment and Evaluation
• Resource Scarcity
• Markets
• Mergers / Acquisitions / Divestitures
• Planning / Budgeting / Forecasting
• Retirement Programs
• Privacy and Data Protection
• Labor and Employment Issues
• Testing
• Marketing Strategy
• Supervision
• Sustainability Reporting
• Structure and Oversight
• Sustainability Strategy
• Third Party / Joint Venture
• Requirements
• Outsourcing
• Taxation
• Talent Pipeline / Recruitment
• Problem Management
• Legal and Regulatory Compliance
• Timing
• Public Relations
• Tax Reporting
• Training
• Sustainable Water Quality
• Policy
• Training and Development
• Project Management
• Legal Entity Planning
• Sales Strategy
• Waste Reduction and Closed Loop Production
• Pricing
• Records Management
• Litigation and Dispute Resolution
• Technology
• Technology Licensing
• Privacy and Security Laws
• Vision, Mission, and Values
• Records Information Management

Source: Deloitte Risk Intelligence Map, 2009

Page 9

SAP Risk Management Heatmap

Fraudulent AP activities

Page 10

Risk “Fraudulent Accounts Payable”

Prevent Accounts Payable risk (errors and fraud)

Chief Security Officer / IT

Page 11

Risk “Fraudulent Accounts Payable”

Prevent Accounts Payable risk (errors and fraud)

Chief Security Officer / IT

1st Risk Driver: Lack of SoD

Page 12

Risk “Fraudulent Accounts Payable”

Prevent Accounts Payable risk (errors and fraud, resulting from lack of SoD)

Chief Security Officer / IT

1st Risk Driver: Lack of SoD

Page 13

Risk “Fraudulent Accounts Payable”

Access Control

Prevent Accounts Payable errors and fraud (resulting from lack of SoD)

Chief Security Officer / IT

Page 14

Risk “Fraudulent Accounts Payable”

IT General Control 1: Access Control

Prevent Accounts Payable errors and fraud (resulting from lack of SoD)

Question: Are SoD violations the only risk to the “Accounts Payable” process???

Head of Internal Controls, Head of Compliance

Chief Security Officer / IT

Page 15

Risk “Fraudulent Accounts Payable”

Process-Level Control 1: Accounts Payable

IT General Control 1: Access Control

Example: What about abuse of “one time vendor accounts”???

Head of Internal Audit, Controls, Compliance

Chief Security Officer / IT

Page 16

Risk “Fraudulent Accounts Payable”

Process-Level Control 1: Accounts Payable

IT General Control 1: Access Control

Example: What about abuse of “one time vendor accounts”???

Chief Security Officer / IT

Payments

Date   Vendor             Amount
1.10.  ABC Chemicals       1,599.-
2.10.  Anonymous1          1,000.-
2.10.  Northstar Energy      563.-
5.10.  Anonymous1         10,000.-
9.10.  Hardware Central   23,618.-

Head of Internal Audit, Controls, Compliance
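As an added example that is not part of Michael Heckner's deck or of any SAP product, the following Python script applies the two controls these slides talk about to the payments table above: an access-level check that finds users whose role assignments break segregation of duties (the first risk driver named on the earlier slides), and a process-level check that flags the pattern in the table, a one-time vendor account used repeatedly, accumulating a large total, with the same user entering and releasing the payments. The role names, user names, thresholds and the year are constructed assumptions; the slide shows only date, vendor and amount.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Payment:
    """One AP payment. Fields beyond date/vendor/amount are constructed for the example."""
    day: date
    vendor: str
    amount: float
    one_time: bool      # posted to a one-time (collective) vendor account
    entered_by: str     # user who entered the invoice
    released_by: str    # user who released the payment


@dataclass(frozen=True)
class Issue:
    kind: str
    subject: str
    detail: str


# Constructed sample data: the five payments from the slide's table. The year and
# the user fields are assumptions; the slide shows only date, vendor and amount.
SAMPLE_PAYMENTS = [
    Payment(date(2012, 10, 1), "ABC Chemicals", 1599.0, False, "u_miller", "u_chen"),
    Payment(date(2012, 10, 2), "Anonymous1", 1000.0, True, "u_novak", "u_novak"),
    Payment(date(2012, 10, 2), "Northstar Energy", 563.0, False, "u_miller", "u_chen"),
    Payment(date(2012, 10, 5), "Anonymous1", 10000.0, True, "u_novak", "u_novak"),
    Payment(date(2012, 10, 9), "Hardware Central", 23618.0, False, "u_miller", "u_chen"),
]

# Constructed role assignments; the role names are hypothetical, not SAP authorization objects.
USER_ROLES = {
    "u_miller": {"AP_INVOICE_ENTRY"},
    "u_chen": {"AP_PAYMENT_RELEASE"},
    "u_novak": {"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE", "VENDOR_MASTER_MAINTAIN"},
}

# SoD rule set: a user may not hold a role from the left set together with one from the right set.
SOD_CONFLICTS = [
    ({"VENDOR_MASTER_MAINTAIN"}, {"AP_PAYMENT_RELEASE"}),
    ({"AP_INVOICE_ENTRY"}, {"AP_PAYMENT_RELEASE"}),
]


def sod_violations(user_roles, conflicts=SOD_CONFLICTS):
    """Return {user: sorted list of (left_role, right_role)} for every user whose
    assigned roles cover both sides of at least one conflict rule."""
    result = {}
    for user, roles in user_roles.items():
        hits = sorted(
            (a, b)
            for left, right in conflicts
            for a in left & roles
            for b in right & roles
        )
        if hits:
            result[user] = hits
    return result


def one_time_vendor_issues(payments, max_uses=1, max_total=5000.0):
    """Process-level control for one-time vendor accounts.

    Flags (1) a one-time account used more than max_uses times in the period,
    (2) cumulative payments to one account above max_total, and (3) any payment
    entered and released by the same user, which is an SoD break at the
    transaction level even when the role design looks clean."""
    issues = []
    per_account = defaultdict(list)
    for p in payments:
        if p.one_time:
            per_account[p.vendor].append(p)
        if p.entered_by == p.released_by:
            issues.append(Issue("SAME_USER_ENTERED_AND_RELEASED",
                                f"{p.vendor} {p.day.isoformat()}",
                                f"user={p.entered_by} amount={p.amount:.2f}"))
    for account, ps in sorted(per_account.items()):
        total = sum(p.amount for p in ps)
        if len(ps) > max_uses:
            issues.append(Issue("ONE_TIME_VENDOR_REUSED", account,
                                f"{len(ps)} payments, total={total:.2f}"))
        if total > max_total:
            issues.append(Issue("ONE_TIME_VENDOR_TOTAL_EXCEEDED", account,
                                f"total={total:.2f} > limit={max_total:.2f}"))
    return issues


if __name__ == "__main__":
    for user, hits in sod_violations(USER_ROLES).items():
        print(f"SoD: {user} holds {hits}")
    for issue in one_time_vendor_issues(SAMPLE_PAYMENTS):
        print(f"{issue.kind}: {issue.subject} ({issue.detail})")
```

Run against the sample, the access-level check reports only u_novak, and the process-level check reports the two Anonymous1 payments (same user entered and released both), the reuse of the account, and the 11,000.- total over the 5,000.- limit. The point the slides make is visible in the output: the SoD rule set alone would not have looked at the payments at all, and the one-time vendor rule alone would not explain why one person could post both sides.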

Page 17

Risk “Fraudulent Accounts Payable”

Process-Level Control 1: Accounts Payable

Process-Level Control n: Accounts Payable

IT General Control 1: Access Control

Example: What about other process level risks in Accounts Payable???

Chief Security Officer / IT

Head of Internal Audit, Controls, Compliance

Page 18

Risk “Fraudulent Accounts Payable”

Process-Level Controls 1-n: Accounts Payable

IT General Control 1: Access Control

Business Necessity: Process and Access Level Controls to protect AP process

Chief Security Officer / IT

Head of Internal Audit, Controls, Compliance

Page 19

Other Risks? In Other Processes? At the IT-Level?

Process 1: Procure to Pay Controls

Process n: Order to Cash Controls

IT General Control 1: Access Control

IT General Control n: Controls … …

What about other processes and their controls?

Chief Security Officer / IT

Head of Internal Audit, Controls, Compliance

Page 20

Other Risks? In Other Processes? At the IT-Level?

Process 1: Procure to Pay Controls

Process n: Order to Cash Controls

IT General Control 1: Access Control

IT Control n: (IT General) Controls … …

Group/Entity: Company Wide Controls …

Chief Security Officer / IT

Head of Internal Audit, Controls, Compliance

Page 21

SAP Process Control: Control at all levels

Process 1: Procure to Pay Controls

Process n: Order to Cash Controls

IT General Control 1: Access Control

IT Control n: (IT General) Controls … …

Group/Entity: Company Wide Controls …

SAP Process Control

Chief Security Officer / IT

Head of Internal Audit, Controls, Compliance

Page 22

SAP Risk Management: Risk-based Approach to Internal Controls

Process 1: Procure to Pay Controls

Process n: Order to Cash Controls

IT General Control 1: Access Control

IT Control n: (IT General) Controls … …

Group/Entity: Company Wide Controls …

SAP Process Control

Chief Security Officer / IT

Head of Risk Management

Head of Internal Audit, Controls, Compliance

Page 23

Continuous Monitoring Example: Accounts Payable Manager Dashboard

Page 24

Continuous Monitoring Example: Accounts Payable Manager Issues Report

Page 25

Continuous Monitoring Example: Drill-Down into One-Time Vendor Issue

Page 26

Continuous Monitoring Example: Accounts Payable Manager Issues Report

Page 27

Continuous Monitoring Example: Drill-Down into Segregation of Duties Issue

Page 28

Achieving Higher Confidence

Chart: # controls over time. Today: Manual Controls.

Page 29

Achieving Higher Confidence: Lower Cost

Cost Reduction

Chart: # controls over time. Today: Manual Controls. Maturity Level 1: Manual Controls and Automated.

• Less Manual Labor
• Less Pushback from the Business
• Lower Cost of Preparing for an Audit

Page 30

Achieving Higher Confidence: Lower Cost and Business Process Improvement

Cost Reduction and Process Improvement

Chart: # controls over time. Today: Manual Controls. Maturity Level 1: Manual Controls and Automated. Maturity Level 2: Manual Controls and Automated.

• More controls
• More granularity
• Higher frequency of checks
• Consistency
• Less Manual Labor
• Less Pushback from the Business
• Lower Cost of Preparing for an Audit

Page 31

Achieving Higher Confidence: Lower Cost and Business Process Improvement

Cost Reduction and Process Improvement

Chart: # Controls over Time, with Cost and Assurance. Today: Manual Controls. Maturity Level 1: Manual Controls and Automated. Maturity Level 2: Manual Controls and Automated.

Page 32

Managing Risk and Compliance: SAP GRC Solutions

Managing Risk and Compliance ensures all categories of risk across the organization are aggregated at the enterprise level and managed holistically.

Roles: CEO / CFO; Head of Compliance / Controls / Internal Audit; Head of Internal Audit; Head of Risk Management; Head of Internal Audit / Chief Security Officer

Enterprise Risk Management (SAP Risk Mgmt)
• Risk Planning
• Risk Identification
• Risk Analysis
• Risk Response
• Risk Monitoring

Risk-Based Internal Controls (SAP Process Control)
• Document Compliance Initiatives
• Plan and Perform Assessments and Tests
• Remediate Issues and Certify Results

Access Management (SAP Access Control)
• Access Planning
• Access Analysis & Response
• Access Monitoring

Audit Management (SAP NetWeaver Audit Mgmt)
• Audit Planning
• Manage Audit Engagements
• Remediation

SAP GRC Solution

Page 33

Questions?

Michael Heckner, Sr. Director, EMEA Solutions Business Development

Phone +49 (170) 8 555 125

Michael.Heckner@sap.com

www.sap.com/grc

Page 34

Thank You!

Contact information:

Michael Heckner

Sr. Director, EMEA Solution Business Development (GRC)

Zeppelinstrasse 2

85399 Hallbergmoos/München

+49 6227-7-54143