
Process Control Optimisation with SAP

The procure-to-pay cycle, which includes all activities from the procurement of goods and
services to receiving invoices and paying vendors, is a basic business process. It also
presents significant risks if all aspects are not managed effectively and monitored
continuously. Organisations that do not have optimal control over, and visibility into, their
procure-to-pay business cycle can face late fees, missed discounts, wasted time and loss of
assets as well as noncompliance issues due to inaccuracies or overlooked incidents of
fraudulent activity.
Following are the three major phases of the procure-to-pay business cycle and some
common risks organisations face in each area due to a lack of effective controls and
visibility:
Supplier management (vendor master file): duplicate and unauthorised vendors,
unauthorised access to the vendor master file, and incorrect 1099 reporting
Purchasing: unauthorised purchases, inaccurate purchase order processing, and
unauthorised returns, adjustments and allowances
Accounts payable: incomplete or inaccurate payment information, duplicate
payments, liabilities and disbursements not recorded completely, and invoices that
do not represent goods and services actually received
One key reason organisations have difficulty managing and monitoring their procure-to-pay
process effectively is an overreliance on manual controls, which are prone to errors and can
be easily changed or circumvented. To make better use of automated controls and optimise
their overall control environment, more organisations are choosing to improve their
knowledge of the functionality within their enterprise resource planning (ERP) solutions, such
as the SAP ERP Central Component (ECC) 6.0. Companies are realising significant cost
and resource savings by optimising their ECC configuration and deploying governance, risk
and compliance (GRC) solutions like SAP BusinessObjects GRC.
SAP's GRC solution performs critical monitoring of major business processes on a
continuous basis. Configurable and customised controls can be easily implemented and
maintained in the procure-to-pay cycle so that inaccuracies and inconsistencies, as well as
potential incidents of fraud and noncompliance, can be identified and addressed quickly.
However, despite the availability of tools like SAP BusinessObjects GRC, many
organisations fail to take full advantage of the procure-to-pay control options available in
their SAP environment, primarily because they are not aware of SAP ECC 6.0's standard
control functionality.


Protiviti | 2
By implementing and maintaining optimised controls within SAP and using the right mix of
both automated and manual controls to ensure all gaps in the procure-to-pay process are
closed, organisations can reduce the risk of fraudulent activity (both through prevention and
detection), ensure compliance with Sarbanes-Oxley, and generate significant cost savings.
The ideal control environment for managing risks effectively in the procure-to-pay cycle
should include the following six areas:
Configurable controls: these controls are designed to maintain the integrity of
master data, such as information in the vendor master file
Manual controls: these controls include approvals by authorised individuals (SAP
automated workflow also can be set up for approvals)
General IT controls: the computing controls and IT notifications process that
reduce the risk of unauthorised changes to SAP systems
Detective reports: SAP, for example, has many standard detective reports that do
not need to be customised to be used as control reports
Security: this includes clearly defining access rights and segregation of duties rules
Policies and procedures: the rules that dictate how the organisation controls,
within its purchase cycle, which vendors will be used, what their limits are, and which
people in the organisation have the authority to approve invoices and purchase
orders
There are many problems common to organisations that do not have optimised control of
their procure-to-pay business cycle. The following are examples typically experienced in the
supplier management, purchasing and accounts payable processes.
Supplier Management
For many businesses, especially large national or global companies working with a wide
range of suppliers, the vendor master file can grow exponentially very quickly. This makes
master data associated with the procure-to-pay process difficult to maintain efficiently,
leaving the organisation more susceptible to the risk of financial leakage and fraud.
Here is one example of what can happen when the supplier management process is not
optimally controlled: Protiviti's GRC and SAP experts recently examined the vendor master
file of a large organisation and discovered it had listings for more than 28,000 active
suppliers, but 63 percent (or more than 17,700) had not had invoice or payment activity in
longer than three years. Additionally, more than 1,700 vendors appeared to be duplicates,
and more than 1,500 had invalid or incomplete information recorded in the vendor master
file.
It is not unusual to find a number of suppliers in the vendor master file that have not been
used recently, have not been marked for deletion, or have not been designated as blocked
so that no further invoices related to those specific vendors can be processed. To ensure
greater accuracy in this critical aspect of the procure-to-pay process, organisations should
clean house in their vendor master file and apply more control over how their vendors are
being set up in the system and how they are being utilised.


Purchasing
The purchase order process is one area that many businesses are working hard to optimise
with better controls. Often, companies already have established a solid purchase order
process and implemented strong controls within SAP or another ERP system, and are
successfully using the three-way match (invoice, receipt, purchase order) to approve
invoices automatically for payment. However, it is common to find that even the most
organised and proactive businesses are not taking full advantage of the control optimisation
settings available in their SAP environment.
One typical issue that can arise around the purchase order process (even in well-controlled
environments) is the invoice date appearing before the purchase order date in the system.
This usually occurs when an invoice is received before the purchase order is set up, making
the critical three-way match more of a formality than a control. Inadequate training and lack
of compliance to the process are often root causes. There also could be a significant delay
occurring between the time when the receipt is received and when it is processed against
the purchase order in the system.
Other problems in the procure-to-pay process commonly seen across organisations in
relation to purchase order processing include the following: a significant delay occurring
between the time when the receipt is received and when it is processed against the
purchase order in the system; a lack of compliance regarding what purchases require a
purchase order; and a lack of review of aged open purchase orders. These issues can occur
when procedures to issue purchase orders in a timely manner are inconsistent, proper
approvals and controls for assigning purchase orders do not exist, and management support
is absent.
Accounts Payable
In the past two years, many companies have been working to optimise their working capital.
Some of these efforts have been motivated by recent economic conditions, while other
businesses simply want to make a more concerted effort toward managing their working
capital more efficiently. One way an SAP ERP system and effective GRC tools can support
this type of initiative is by ensuring the terms of contracts that have been negotiated are
captured in the procure-to-pay system, and that these terms cannot be overridden by
unauthorised parties.
Close examination of the accounts payable process often reveals that contract terms
negotiated with a vendor do not appear on the purchase order or do not flow through to the
invoice. This can happen when information from a vendor contract or other relevant
communication has not been entered into the vendor master file. And if appropriate controls
are not set up around the ability to override at the invoice and purchase order level, the
terms negotiated with a vendor can easily be changed, which means potential abuse may
go undetected. Organisations should reinforce payment terms through ongoing training and
compliance activities, as well as increased collaboration between procurement and accounts
payable teams.
The above are just some examples of common issues that can occur in an environment
where controls have not been optimised and there is an overreliance on manual processes.
Following are examples of how control optimisation with GRC tools, such as SAP
BusinessObjects GRC, can help organisations mitigate risks throughout the procure-to-pay
process.


Risk Area: Vendor Maintenance
Duplicate vendor listings are not just an annoyance; they also present serious risk. If the
same vendor appears in the system twice, there is the potential for duplicate payments.
Additionally, if purchases are not associated with the correct vendor, the organisation may
miss national volume discounts that have been arranged with that supplier.
To eliminate the risk of duplicate vendors, businesses should establish strong controls
around vendor request and approval processes. This includes ensuring that only an
authorised person (or persons) who does not process purchase orders or invoice payments
can update the vendor master file with new vendors or change data related to an existing
vendor, such as updated contract terms.
There are common optimisation opportunities within these different steps that organisations
can utilise. These include the centralised vendor maintenance function (this may not be
possible for some organisations, such as smaller businesses that do not have a centralised
function for vendor maintenance), mandatory fields for vendor master, master data integrity
checks, and correct settings for duplicate checks (see Figure 1).

Figure 1: Examples of SAP controls that can be used to optimise the procure-to-pay
process and help minimise the risk of errors and fraud.
One example of an SAP control that helps businesses to achieve these optimisation
opportunities in the SAP ECC 6.0 and ECC 5.0 environments is the configuration of
vendor master mandatory fields. This control helps ensure that purchases and purchase
orders are complete, and that during invoice processing, essential documents used for
verification can be compared fully. Without implementing this control, an organisation can
experience a breakdown in both areas. And there is an additional benefit to having the same
fields populated consistently: It assists with other controls, such as the automated duplicate
vendor check.


Another SAP control is the dual authorisation for sensitive fields, which protects
extremely sensitive vendor master data fields, such as bank account information. The dual
authorisation requirement can help minimise risk of fraud. For instance, organisations can
avoid the possibility of having an insider change a vendor's bank account number to that of
their own account in order to collect illegitimate payments from the business.
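Added illustration, not the paper's or SAP's code: a maker/checker model of the dual-authorisation control in plain Python, where a change to the bank account stays pending and payments keep using the old value until a different user confirms it. The user names, field names and record layout are assumptions for the example.

```python
"""Dual authorisation (maker/checker) for sensitive vendor master fields:
a change to the bank account is parked as pending and only takes effect
for payments after a *different* user confirms it. Constructed illustration,
not SAP's own implementation; user and field names are assumptions."""
from dataclasses import dataclass, field

SENSITIVE_FIELDS = {"bank_account"}


class AuthorisationError(Exception):
    """Raised when a confirmation violates the four-eyes rule."""


@dataclass
class VendorRecord:
    number: str
    name: str
    bank_account: str
    # field name -> (new value, user who entered it), awaiting confirmation
    pending: dict = field(default_factory=dict)

    def change(self, fld: str, value: str, user: str) -> None:
        if fld in SENSITIVE_FIELDS:
            self.pending[fld] = (value, user)   # parked, not yet effective
        else:
            setattr(self, fld, value)

    def confirm(self, fld: str, user: str) -> None:
        if fld not in self.pending:
            raise AuthorisationError(f"no pending change for {fld}")
        value, maker = self.pending[fld]
        if user == maker:
            raise AuthorisationError("confirmer must differ from the user who made the change")
        setattr(self, fld, value)
        del self.pending[fld]

    def payment_account(self) -> str:
        """Account a payment run would use: only ever the confirmed value."""
        return self.bank_account


def demo() -> tuple[str, str, bool]:
    """Walk through one bank-account change. Returns (account used before
    confirmation, account used after, whether self-confirmation succeeded)."""
    v = VendorRecord("V0001", "Acme Supplies Ltd", "GB00-1111")  # constructed record
    v.change("bank_account", "GB00-9999", user="clerk_a")
    before = v.payment_account()                    # still GB00-1111
    try:
        v.confirm("bank_account", user="clerk_a")   # same user: rejected
        self_confirmed = True
    except AuthorisationError:
        self_confirmed = False
    v.confirm("bank_account", user="supervisor_b")  # second person: now effective
    return before, v.payment_account(), self_confirmed


if __name__ == "__main__":
    print(demo())  # ('GB00-1111', 'GB00-9999', False)
```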
Duplicate vendor check fields help companies quickly identify duplicate vendors in the
vendor master file, which allows them to minimise spend, realise discounts and avoid
fraudulent activity. One way that companies work against themselves in this area, however,
is to add too many fields in the duplicate vendor check. They assume adding more fields can
help identify more duplicate vendor listings. But the more fields an organisation indicates it
would like to have match in the system, the fewer warning messages appear; this is because
all checked fields must match 100 percent in order to generate a warning.
Protiviti works with businesses to help configure a good balance of checked fields so that
just the right number of warning messages is generated: enough to prevent duplicate
vendors, but not so many that the ERP system gets bogged down. An additional note:
Although more businesses have become diligent about setting up duplicate vendor checks in
their SAP environment, they often do not realise the full benefit of these controls because
they fail to turn on the warning or error message configuration.
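As an added example, not from the paper or from SAP, a small Python model of the vendor master clean-up described under Supplier Management and of the duplicate-check behaviour above: mandatory-field completeness, vendors with no activity for three years that are still open, and a duplicate check that fires only when every configured field matches, so that adding fields reduces the warnings. The field names, sample records, review date and message switch are assumptions.

```python
"""Vendor master review: mandatory-field, stale-vendor and duplicate checks.
Constructed illustration in plain Python, not SAP's own logic; the field
names, sample records and three-year window are assumptions for the example."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Optional

@dataclass(frozen=True)
class Vendor:
    number: str
    name: str
    city: str
    postal_code: str
    bank_account: str
    tax_id: str = ""                      # blank = mandatory field not populated
    last_activity: Optional[date] = None  # last invoice/payment; None = never
    blocked: bool = False                 # posting block or deletion flag set

MANDATORY = ("name", "city", "postal_code", "bank_account", "tax_id")
REVIEW_DATE = date(2011, 6, 1)  # constructed as-of date for the review

# Constructed vendor master extract: V0002 is V0001 keyed in again with a
# second bank account; V0003 is incomplete and has been idle for years.
VENDOR_MASTER = [
    Vendor("V0001", "Acme Supplies Ltd", "Manchester", "M1 1AA", "GB00-1111", "GB123", date(2011, 3, 1)),
    Vendor("V0002", "ACME SUPPLIES LTD.", "Manchester", "M11AA", "GB00-2222", "GB123", date(2010, 8, 9)),
    Vendor("V0003", "Acme Supplies Ltd", "Leeds", "LS1 1AA", "GB00-3333", "", date(2007, 1, 5)),
    Vendor("V0004", "Bolt and Nut plc", "Manchester", "M1 1AA", "GB00-4444", "GB456", None, blocked=True),
]
# Constructed request for a new vendor that is really V0001 again.
NEW_VENDOR = Vendor("NEW", "Acme Supplies Ltd", "Manchester", "M1 1AA", "GB00-9999", "GB123")

def normalise(value: str) -> str:
    """Comparison key ignoring case, punctuation and whitespace."""
    return "".join(ch for ch in value.upper() if ch.isalnum())

def missing_mandatory(v: Vendor) -> list[str]:
    return [f for f in MANDATORY if not getattr(v, f).strip()]

def is_stale(v: Vendor, today: date, years: int = 3) -> bool:
    """Unblocked vendor with no invoice/payment activity for about `years`."""
    if v.blocked:
        return False
    cutoff = today - timedelta(days=365 * years)
    return v.last_activity is None or v.last_activity < cutoff

def duplicate_warnings(candidate: Vendor, master: Iterable[Vendor],
                       fields: Iterable[str], message: str = "W") -> list[str]:
    """Vendor numbers that would raise a warning for `candidate`. A hit needs
    EVERY configured field to match, so adding fields yields FEWER warnings.
    `message` mimics the message switch: anything but W (warning) or
    E (error) leaves the check configured but silent."""
    if message not in ("W", "E"):
        return []
    fields = tuple(fields)
    return [v.number for v in master
            if v.number != candidate.number
            and all(normalise(getattr(candidate, f)) == normalise(getattr(v, f))
                    for f in fields)]

def review(master: Iterable[Vendor], today: date) -> dict:
    """Clean-up worklist: incomplete records and stale vendors left open."""
    master = list(master)
    return {
        "incomplete": {v.number: missing_mandatory(v) for v in master if missing_mandatory(v)},
        "stale": [v.number for v in master if is_stale(v, today)],
    }

if __name__ == "__main__":
    for fields in (("name",), ("name", "city", "postal_code", "bank_account")):
        print(fields, duplicate_warnings(NEW_VENDOR, VENDOR_MASTER, fields))
    print(review(VENDOR_MASTER, REVIEW_DATE))
```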
Risk Area: Purchase Order and Invoice Processing
Within the purchase order and invoice processing cycle, there are three main areas where
SAP can help organisations achieve better automation:
Match the purchase order to the goods receipt: This feature allows organisations
to make sure they do not accept receipts for goods that they did not order.
Match goods receipt quantity to invoice: The business can ensure it is not
paying for goods that have not been received.
Automatically approve invoice for payment: If a three-way match (purchase
order, goods receipt and invoice) is confirmed, the system will automatically issue a
payment to the vendor, saving time and avoiding human error or fraud.
Optimised Purchase Order and Invoice Processing Controls
SAP also provides the ability to set tolerances for the processing of invoices that relate to a
particular purchase order. Tolerances are designed to help streamline the procure-to-pay
process and minimise the number of inaccurate disbursements while reducing the number of
blocked payments due to unmatched invoices.
In many cases, there may be a valid reason for differentiation in purchase price between the
original purchase order and the invoice. Instead of blocking the payment outright, within
SAP, the organisation can choose to accept allowable tolerances of price differences to
streamline the payment process and prevent any manual investigation, which can be both
time- and resource-intensive. So if a price difference falls into the acceptable tolerance
range and is within the organisation's risk appetite, the payment can be made on that
invoice.


Another tolerance check is the quantity differences between a purchase order or invoice and
a goods receipt. These tolerances help ensure that the company cannot receive something it
did not order or does not pay for something it did not receive. The item amount check
determines whether SAP blocks invoice items when their value exceeds a predefined
amount in the system. For example, if the business has ordered 100 items, but has only
received 99, payment can still be approved. But if the organisation receives 101 items, this
quantity may exceed set tolerances and the payment will be blocked.
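Added example, not from the paper or from SAP: a Python model of the three-way match with the price tolerance, quantity tolerance and item amount check described above, run on the paper's 100-ordered, 99-received and 101-received cases. The tolerance names, percentages and sample lines are assumptions, not SAP's tolerance keys.

```python
"""Three-way match (purchase order, goods receipt, invoice) with the price
tolerance, quantity tolerance and item-amount check described above.
Constructed model in plain Python: the tolerance names, percentages and
sample lines are assumptions for the example, not SAP's tolerance keys."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tolerances:
    price_pct: float          # invoice unit price may deviate from the PO by this %
    qty_over_pct: float       # quantity may exceed the preceding document by this %
    item_amount_limit: float  # invoice item value above this is always blocked


@dataclass(frozen=True)
class Line:
    po_qty: int
    po_price: float
    received_qty: int   # goods receipt quantity
    inv_qty: int
    inv_price: float


# Constructed tolerance set: 2 % price variance, no over-delivery, 50,000 item cap.
TOL = Tolerances(price_pct=2.0, qty_over_pct=0.0, item_amount_limit=50_000.0)


def match(line: Line, tol: Tolerances) -> tuple[bool, list[str]]:
    """Return (release_for_payment, block_reasons) for one invoice line."""
    reasons: list[str] = []
    over = 1 + tol.qty_over_pct / 100
    # PO vs goods receipt: do not accept more than was ordered
    if line.received_qty > line.po_qty * over:
        reasons.append("receipt exceeds order")
    # Goods receipt vs invoice: do not pay for goods not received
    if line.inv_qty > line.received_qty * over:
        reasons.append("invoice quantity exceeds goods received")
    # Price variance inside tolerance is released without manual review
    if line.po_price and abs(line.inv_price - line.po_price) / line.po_price * 100 > tol.price_pct:
        reasons.append("price variance exceeds tolerance")
    # Item amount check: large items are blocked regardless of the match
    if line.inv_qty * line.inv_price > tol.item_amount_limit:
        reasons.append("item amount exceeds limit")
    return (not reasons, reasons)


if __name__ == "__main__":
    # The paper's example: 100 ordered, 99 received is released; 101 is blocked.
    print(match(Line(100, 10.0, 99, 99, 10.0), TOL))    # (True, [])
    print(match(Line(100, 10.0, 101, 101, 10.0), TOL))  # (False, ['receipt exceeds order'])
```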
Within a three-way match in the procure-to-pay process, there are up to 15 SAP settings that
can be configured and customised, depending on an organisation's various payment and
purchase order scenarios. The results of control optimisation in the procure-to-pay cycle are
the use of more automated processes, a reduction in the risk of human error and fraud, and
the realisation of the full ERP functionality purchased with SAP.
Within SAP, which is a complete ERP system, there are configurable controls available for a
wide range of major business processes beyond the procure-to-pay cycle. Protiviti has a
listing of more than 400 configurable controls that can be utilised within all the various
processes that are depicted in Figure 2 below.

Figure 2: Standard SAP ECC 6.0 functionality provides hundreds of configuration
settings that can be automated and optimised for operational and financial
reporting processes.


Once Protiviti has helped an organisation configure its controls and optimise its environment,
SAP can provide additional solutions such as its SAP BusinessObjects Process Controls
that will help monitor the health of the configurations designed and set during
implementation and make sure they do not change without proper authorisation. Continuous
monitoring with SAP GRC Process Control streamlines a company's ongoing Sarbanes-Oxley
compliance efforts.


Case Study: SAP Controls and Sarbanes-Oxley Compliance
Many organisations are making better use of SAP process controls to help them achieve
more cost-effective Sarbanes-Oxley compliance. To determine where automation can be
achieved in the internal control framework, Protiviti's GRC and SAP experts will assess an
organisation's current SAP environment, ignoring existing manual processes, and using
Protiviti's library of more than 400 configurable controls to determine which Sarbanes-Oxley
risks SAP controls can help to mitigate. From here, it can be determined where Sarbanes-Oxley
risks are not adequately mitigated by automated SAP controls and where manual
controls may be necessary to close any gaps preventing Sarbanes-Oxley compliance.
In one recent engagement, Protiviti was able to transform a company's internal control
framework, which included multiple legacy applications, from primarily manual controls (53
percent) to primarily automated and semi-automated controls (80 percent) by optimising
configurable controls during the SAP implementation. The organisation already had mature
Sarbanes-Oxley compliance efforts, but there was still room for control rationalisation,
automation and optimisation, particularly in the purchase-to-pay cycle.
After making these improvements to the Sarbanes-Oxley process, Protiviti guided the
company through control optimisation for all of its major business processes, including order
to cash, human resources and general ledger. By implementing SAP ECC 6.0 and fully
optimising available SAP configurable controls, Protiviti was able to help the company
primarily automate or semi-automate 64 percent of its controls in its overall internal control
framework; previously, 68 percent of these controls were manual (see Figure 3).
How Companies Have Optimised Their SAP Environment
The life cycle of an SAP control optimisation project includes three phases:
Analyse: The organisation evaluates the current state of its SAP
environment to identify and understand any vulnerabilities and weaknesses.
Standardise and Automate: Weaknesses are prioritised and gaps are
closed with automated processes (in some cases, manual processes may
also be implemented).
Monitor: Once the environment has been optimised, continuous
monitoring is enabled. This is where SAP BusinessObjects GRC solutions
can help the organisation maintain the optimised control environment it has
designed.


Figure 3: Protiviti's SAP and GRC experts helped one organisation transform its overall
internal control framework from primarily manual (68 percent) to primarily
automated and semi-automated controls (64 percent).
Additionally, the organisation experienced a 40 percent reduction in controls due to
increased reliance on new, automated controls within SAP and the decommissioning of older
legacy applications. By optimising its control environment, the company realised more than
US$500,000 in annual savings just in its Sarbanes-Oxley compliance efforts.
To determine potential annual cost savings from a control optimisation project for Sarbanes-Oxley
compliance using SAP, businesses will need to conduct both a return on investment
calculation and a cost-benefit analysis. Depicted in Figure 4 are formulas for estimating
control performance cost savings (e.g., determining who in the organisation handles manual
controls and how many times they must do it each year, how many hours it takes, and what
their internal rate is) and Sarbanes-Oxley control testing cost savings (e.g., how many
manual controls currently exist, how long it takes to test those controls, and what the testing
rate is).



Figure 4: Formulas to determine potential control performance cost savings and
Sarbanes-Oxley control testing cost savings through control optimisation with
SAP.
Other indirect cost savings not documented above, including reduced training costs for new
staff on control performance procedures, can be realised when controls are primarily
automated. Organisations also may experience reduced re-testing costs for failed controls
because automated controls typically have a much higher passing rate than manual controls.
Moreover, many companies that optimise their control environment, not only in the procure-to-pay
process but also in other major business processes, typically see an overall increase
in the productivity of operations personnel because those employees are no longer required
to perform manual control activities.
By leveraging assessment tools to understand process improvement opportunities, gaining
more insight into business processes and underlying technology that can help to optimise an
ERP implementation such as SAP, and using solutions and tools that enable continuous
monitoring of the optimised control environment, organisations of all types are likely to
experience significant savings in both costs and resources.


2011 Protiviti Inc. An Equal Opportunity Employer.
Protiviti is not licensed or registered as a public accounting firm and does not
issue opinions on financial statements or offer attestation services.



About Protiviti
Protiviti (www.protiviti.com) is a global business consulting and internal audit firm composed of
experts specialising in risk, advisory and transaction services. We help solve problems in
finance and transactions, operations, technology, litigation, governance, risk, and compliance.
Our highly trained, results-oriented professionals provide a unique perspective on a wide range
of critical business issues for clients in the Americas, Asia-Pacific, Europe and the Middle East.
Protiviti has more than 60 locations worldwide and is a wholly owned subsidiary of Robert Half
International Inc. (NYSE symbol: RHI). Founded in 1948, Robert Half International is a member
of the S&P 500 index.

As the world's leading provider of business software, SAP delivers products and services that
enable enterprises of all sizes to improve their business operations. SAP facilitates a company's
effort to manage risk and compliance while optimising efficiency, strategy and growth with a
single integrated financial management platform. Addressing business processes in more than
25 industries, SAP has maintained its role as the authority on business software.
Protiviti and SAP are actively working together to help clients improve their capability in this
important area by implementing and effectively utilising the full SAP BusinessObjects suite of
GRC and EPM solutions to enhance their integrated enterprisewide risk mitigation and
compliance efforts. For more information, visit http://www.protiviti.com/en-US/Solutions/Information-Technology/Managing%20Applications/Pages/default.aspx.
Our Information Technology Effectiveness and Control Solutions
We partner with chief information officers, chief financial officers and other executives to ensure
their organisations maximise the return on information systems investments while at the same
time minimise their risks. Using strong IT governance to ensure alignment with business
strategies, we drive excellence through the IT infrastructure and into the supporting applications,
data analytics and security. We also facilitate the selection and development of software,
manage the risk of implementation, implement configurable controls on large ERP installations,
and implement governance, risk and compliance (GRC) software applications.
For additional information about the issues reviewed in this white paper or Protiviti's services,
please contact:
Jonathan Wyatt
Managing Director
+44.207.0247.522
jonathan.wyatt@protiviti.co.uk
