
Keep Procure-to-Pay (P2P) Fraud at Bay with Fraud Detection Tools & Techniques · 2019-12-04 ·...

Date post: 18-Jun-2020
The Accounts Payable & Procure-To-Pay Conference & Expo is produced by: 3/31/2016 Keep Procure-to-Pay (P2P) Fraud at Bay with Fraud Detection Tools & Techniques Chris Doxey, CAPP, CCSA, CICA, CPC President, Doxey, Inc. 1
Transcript

Chris Doxey, CAPP, CCSA, CICA, CPC spent most of her career implementing “top gun” leadership teams and processes in her quest to fight fraud and implement internal controls at Digital Equipment Corporation, Compaq Computer Corporation, and Hewlett Packard. She held senior finance and accounting positions which allowed her to develop and implement standards of internal control for all aspects of financial operations – focusing on the procure to pay (P2P) process.

She was recruited to assist WorldCom (MCI) with the implementation of internal controls, policies, and corporate governance in 2003. She had an opportunity to work directly with the new CEO, CFO and Vice President of Business Ethics. She developed a program for entity level internal controls, developed ethics training plans and programs, implemented delegation of authority and segregation of duties policies, and systems access controls.

Chris holds a BA in English, a BS in Accounting, a Master’s in Business Administration, and a Graduate Certificate in Project Management. She is a Certified Accounts Payable Professional (CAPP), holds a Certification in Controls Self-Assessment (CSA), is a Certified Internal Controls Auditor (CICA), and is a Certified Professional Controller (CPC).


Agenda

• Introductions

• About P2P Fraud and the Psychology of Fraud

• Your Anti-Fraud Toolkit for the P2P Process

– The Types of Controls and the Three Critical Corporate Controls

– The Standards of Internal Control for the P2P Process

– The Top Twenty Controls for AP

• What Went Wrong: Case Study Analysis

– Procurement

– T&E

– P-Card

– AP

– Disbursements

• Q&A


About P2P Fraud and the Psychology of Fraud


The Business Processes with Biggest Fraud Challenges

Source: 2014 Aberdeen Survey


The Procure to Pay (P2P) Process Flow


Why does so much fraud occur in the P2P process?


Examples of PTP Internal Control Weaknesses

Source: 2014 Aberdeen Survey


Types of P2P Fraud

• Collusion Between Procurement and Suppliers

• Embezzlement

– Check Fraud

– Diverting ACH Payments Intended for Suppliers

• Transactional Fraud

• Phony Suppliers

• Employees Posing as Suppliers

• Fraudulent and Scam Suppliers

• Suppliers on Government and Criminal “Watch Lists”


The 2014 Association of Certified Fraud Examiners (ACFE) Report to the Nations

Source: http://www.acfe.com/rttn-summary.aspx

Survey participants estimated that the typical organization loses 5% of revenues each year to fraud. If applied to the 2013 estimated Gross World Product, this translates to a potential projected global fraud loss of nearly $3.7 trillion.

The median loss caused by the frauds in our study was $145,000. Additionally, 22% of the cases involved losses of at least $1 million.

The median duration - the amount of time from when the fraud commenced until it was detected - for the fraud cases reported to us was 18 months.

The presence of anti-fraud controls is associated with reduced fraud losses and shorter fraud duration. Fraud schemes that occurred at victim organizations that had implemented any of several common anti-fraud controls were significantly less costly and were detected much more quickly than frauds at organizations lacking these controls.


2015 Association for Finance Professionals (AFP) Payments Fraud and Control Survey Key Findings

An overwhelming 62% of companies were subject to payments fraud in 2014.

Larger companies are more likely to be attacked (65%); the number of small businesses (less than $1 billion in revenue) that reported an attempted fraud attack in 2014 was an astounding 56%.

Smaller businesses reported a 32% increase in fraud occurrences over 2013.

Check fraud still leads the pack, with 77% of the total fraud attempts considered check fraud.

Corporate Credit/Debit Card, Wire Transfers, ACH Debits and ACH credits each accounted for less than 40% of the total fraud.

Source: http://community.epcor.org/blogs/jennifer-kirk/2015/11/03/interesting-finds-in-the-2015-afp-payments-fraud-and-control-survey


The 2014 Association of Certified Fraud Examiners (ACFE) Report to the Nations

Frequency of Fraud Schemes Reported

Source: http://www.acfe.com/rttn-perpetrator-schemes.aspx

Corruption (All Cases) 36.8%

Billing 22.3%

Non-Cash 21.0%

Expense Reimbursement 13.8%

Cash on Hand 11.9%

Skimming 11.8%

Check Tampering 10.8%

Payroll 10.2%

Financial Statement Fraud 0.9%

Cash Larceny 0.9%

Cash Register Disbursements 0.3%


About Payments Fraud

A close look at the results of the 2015 AFP Payments Fraud and Control Survey reveals at least three reasons for optimism.

1. Check fraud is on the decline. Checks are and always have been the top target of fraudsters because they're easy to obtain, alter, and counterfeit.

– In 2014, 77% of organizations that experienced actual or attempted fraud were victims of check fraud.

– But that number is down from 90% in 2009.

– Check fraud is on a fairly steady decline that corresponds with the decline in check use.

– As more businesses switch more payments from checks to electronic methods, expect the decline in check fraud to continue.

Source: https://treasuryinsights.wellsfargotreasury.com/?elqPURLPage=2151


About Payments Fraud (Continued)

2. ACH debit fraud is declining and preventable.

– ACH debit fraud hit 25% of organizations in 2014, but that's down from 27% in 2012. Of the organizations that lost money, 40% attributed the loss to not using ACH debit blocks or filters — bank services that are inexpensive and readily available.

– Nearly 28% cited the cause as untimely account reconciliation and 40% cited untimely ACH returns.

– Businesses' commitment to timely action and use of ACH fraud fighting tools would help prevent and speed the decline of ACH debit fraud.

Source: https://treasuryinsights.wellsfargotreasury.com/?elqPURLPage=2151


About Payments Fraud (Continued)

3. Companies are fighting back. Headline-making data breaches of big name brands including Target and Neiman Marcus may have been a wake-up call. To guard against these breaches, organizations either have adopted or plan to adopt additional security measures as follows.

– Nearly 70% of organizations now reconcile transactions daily, which should lead to quick discovery of account takeover fraud.

– Two out of five organizations are upgrading the authentication procedures and devices used to access their networks.

– Half are requiring a stronger form of authentication or adding layers of security for access to bank services.

– These moves should help to deter hackers and cyber attackers looking for easy marks.

Source: https://treasuryinsights.wellsfargotreasury.com/?elqPURLPage=2151


The Fraud Triangle


The Fraud Triangle - Opportunity

• Internal controls are weak or lacking, including:

o Approvals

o Access Controls

o Reviews

• Insufficient segregation of duties or lack of job rotations


The Fraud Triangle - Need

• Financial pressures

• Debt

• Loss of Income

• Need to maintain social status


The Fraud Triangle - Justification

• “Get even” mentality

• Overlooked for a promotion

• Reduction in benefits

• Funds are “borrowed” and will be “paid back”

• Employee favoritism and other poor management practices


The Fraud Diamond

• Incentive

• Opportunity

• Rationalization

• Capability

Note: The fraud diamond was introduced by David T. Wolfe and Dana R. Hermanson in 2004.


Your Anti-Fraud Toolkit for the P2P Process


The Types of Controls and Three Critical Corporate Controls


The Standard Types of Internal Controls

Control Activity Type: Examples

1. Preventative: Control mechanism that prevents control issues or problems from occurring (e.g., house lock).

2. Detective: Manual reconciliations, review of authorized signatures, credit checks and approvals that are performed “after the fact.”

3. Manual: Any manual control activity that may include the detective controls noted above. Examples are manual reconciliations or a manual review of authorizations.

4. Systematic: Three way match of invoices for payment, batch control totals, field level edits/validations.


The Three Critical Corporate Controls

The three most critical internal controls for any company can be established by corporate policies and should be "operationalized" into your company's business processes and monitored by the applicable internal control programs. These controls are:

1. Segregation of Duties

2. Delegation of Authority

3. System Access


1) Segregation of Duties

The Segregation of Duties (SoD) control is one of the most important controls that your company can have. Adequate segregation of duties reduces the likelihood that errors (intentional or unintentional) will remain undetected by providing for separate processing by different individuals at various stages of a transaction and for independent reviews of the work performed.

The SoD control provides four primary benefits:

1) The risk of a deliberate fraud is mitigated as the collusion of two or more persons would be required in order to circumvent controls.

2) The risk of legitimate errors is mitigated as the likelihood of detection is increased.

3) The cost of corrective actions is mitigated as errors are generally detected relatively earlier in their lifecycle.

4) The organization’s reputation for integrity and quality is enhanced through a system of checks and balances.


1) Segregation of Duties (Cont.)

Best Practice: One of the most common "root causes" of fraud is the lack of SoD controls, weak SoD controls, inappropriate compensating controls, or failure to update SoD controls when responsibilities change.

• As a best practice, many organizations review their SoD controls on a quarterly basis as part of their control self-assessment (CSA) process.

• As a result of this review, the applicable SoD controls are updated in a timely manner.


2) Delegation of Authority

Delegation of Authority (DoA): The purpose of the DoA is to ensure the efficient operation of the company while maintaining fiscal integrity and adherence to policy.

• Accountability for the overall management of the property, assets, financial, and human resources of the company rests with the Chief Executive Officer (CEO).

• In many cases the "governance" of the DoA is the responsibility of the controller. Individuals that have been assigned authority under the terms of the DoA must safeguard company resources by establishing and maintaining internal controls that deter and detect any potential misuse of resources.

Best Practice: Many companies assign levels of authority to the job grades or levels within the organization and apply workflow to streamline the approval process. If an individual is promoted or moves to another department, his or her level of authority is automatically updated in the employee master file.


3) Systems Access

System Access: The principle of segregation of duties in an information system environment is also critical as it ensures the separation of different functions such as transaction entry, on-line approval of the transactions, master file initiation, master file maintenance, system access rights, and the review of transactions.

In the context of application and access level controls, this means that one individual should not have access rights which permit them to enter, approve and review transactions.

• Assigning different security profiles to various individuals supports the principle of segregation of duties.

• As an example, operational or process segregation of duties within an accounts payable department will determine the system access rights that should be granted for each associate based on roles and responsibilities.


3) Systems Access (Cont.)

Best Practice: System access rights are reviewed on a periodic basis (usually monthly or quarterly) to ensure that system access capabilities are appropriate for current staff members and reflect any changes in responsibilities or movements to other departments.
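
The periodic review described on the two Systems Access slides can be run as a script over an export of role assignments and an HR extract. The Python below is an added example, not part of the original presentation; the role names, departments, users and the rule that any user holding more than one of the six listed functions is flagged are all assumptions made for illustration.

```python
# Added example with constructed data: a periodic system-access review.
# Duty names, roles, departments and users are assumptions, not from the slides.

# The six functions the slide lists as needing separation.
SEPARATED_DUTIES = {
    "transaction_entry", "transaction_approval", "transaction_review",
    "master_file_initiation", "master_file_maintenance",
    "system_access_rights",
}

# Hypothetical role catalogue: role -> (owning department, duties granted).
ROLES = {
    "AP_ENTRY": ("Accounts Payable", {"transaction_entry"}),
    "AP_APPROVE": ("Accounts Payable", {"transaction_approval"}),
    "AP_REVIEW": ("Internal Audit", {"transaction_review"}),
    "VENDOR_SETUP": ("Procurement", {"master_file_initiation"}),
    "VENDOR_MAINT": ("Master Data", {"master_file_maintenance"}),
    "ACCESS_ADMIN": ("IT", {"system_access_rights"}),
}

# Constructed HR extract: current department and employment status.
HR = {
    "alice": {"department": "Accounts Payable", "active": True},
    "bob": {"department": "Accounts Payable", "active": True},
    "carol": {"department": "Treasury", "active": True},   # moved departments
    "dave": {"department": "Master Data", "active": False},  # has left
    "erin": {"department": "IT", "active": True},
    "frank": {"department": "Accounts Payable", "active": True},
}

# Constructed export of role assignments from the finance system.
ASSIGNMENTS = {
    "alice": ["AP_ENTRY"],
    "bob": ["AP_ENTRY", "AP_APPROVE"],
    "carol": ["AP_REVIEW"],
    "dave": ["VENDOR_MAINT"],
    "erin": ["ACCESS_ADMIN", "AP_ENTRY"],
    "frank": ["LEGACY_PAY"],  # role missing from the catalogue
}


def sod_conflict(roles):
    """Return the separated duties a role set combines, if more than one."""
    held = set()
    for role in roles:
        if role in ROLES:
            held |= ROLES[role][1] & SEPARATED_DUTIES
    return sorted(held) if len(held) > 1 else []


def stale_roles(user, roles, hr):
    """Return roles that no longer match the user's HR record."""
    record = hr.get(user)
    if record is None or not record["active"]:
        return sorted(roles)  # leaver or unknown account: all access is stale
    return sorted(r for r in roles
                  if r in ROLES and ROLES[r][0] != record["department"])


def review_access(assignments, hr):
    """Produce (user, finding type, detail) tuples for the reviewer."""
    findings = []
    for user in sorted(assignments):
        roles = assignments[user]
        # Roles nobody has documented cannot be assessed, so surface them.
        for role in sorted(set(roles) - set(ROLES)):
            findings.append((user, "UNKNOWN_ROLE", role))
        duties = sod_conflict(roles)
        if duties:
            findings.append((user, "SOD_CONFLICT", ", ".join(duties)))
        for role in stale_roles(user, roles, hr):
            findings.append((user, "STALE_ACCESS", role))
    return findings


if __name__ == "__main__":
    for finding in review_access(ASSIGNMENTS, HR):
        print(*finding, sep=" | ")
```

Each finding is a prompt for a person to decide whether to revoke the access or document a compensating control; the script only narrows what the monthly or quarterly review has to look at.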


How many review their system access controls on a regular basis?


Standards of Internal Control for the Procure to Pay (P2P) Process


The Procure to Pay (P2P) Process Flow


About Standards of Internal Control


What is the Purpose of Standards of Internal Control?

• Determine the risk that is being mitigated;

• Define the set of internal controls to properly address the risk;

• Are updated when:

– There is a change to a P2P process, or system environment;

– A fraud has been perpetrated;

– The cost of the control is not in line with the benefit to the organization; or when

– A business process has recently been automated


Have you ever had a fraud in your P2P process?


Standards of Internal Control for the P2P Process

1) Supplier Selection and Management

2) Purchasing and Ordering

3) Disbursements

4) P-Card


Standards of Internal Control for Supplier Selection and Management


Supplier Selection and Management: Fraud Risks

SSR-1 A purchase may be made from an unapproved or phony supplier.

SSR-2 Export control violations, related party transactions, or conflict of interest situations may occur. The potential for errors and irregularities is substantially increased. The company may pay significant fines and may suffer significant damage to its reputation.

SSR-3 Goods purchased may not meet quality standards. Unauthorized prices or terms may be accepted.

SSR-4 The company will not have sufficient information to conduct meaningful negotiations and utilize its full purchasing power.

SSR-5 Materials may be received early or late resulting in business interruption or excess levels of inventory.

SSR-6 Lose opportunity to revise supplier base to better meet the needs of the company.


Supplier Selection and Management: Standards of Internal Control (Cont.)

C.1.1 Purchasing Strategies. Sourcing strategies, supplier selections and contract negotiations processes should be developed and documented.

Fraud Risks Mitigated: SSR-1, SSR-2, SSR-3, SSR-4

C.1.2 Documented Supplier Selection. Purchasing has established and follows documented policies and procedures to qualify and evaluate suppliers based on established criteria prior to becoming approved.

Fraud Risks Mitigated: SSR-1, SSR-2, SSR-3, SSR-4, SSR-5

C.1.3 Purchasing from Approved Suppliers. Purchases must be made from an approved supplier database/list in accordance with local procedures. A formal process should be in place to approve purchases from suppliers not on the approved database. The supplier database must be reviewed, updated, and purged of inactive suppliers (i.e., suppliers with no activity for 18-24 months) at least annually. Suppliers should be added to the supplier database upon completion of supplier selection process and financial review.

Fraud Risks Mitigated: SSR-1, SSR-2, SSR-3, SSR-4


Supplier Selection and Management: Standards of Internal Control (Cont.)

C.1.4 Global and Regional Contracts. Where global, regional, or geographic contracts are in place (e.g., Information Technology), that contract will be leveraged by all affected operating units.

Risks Mitigated: SSR-1, SSR-2, SSR-3, SSR-4

C.1.5 Business Interruption Contingency Plans. Supplier and sourcing strategies must take into consideration contingency plans to address or minimize risk of business interruption. These plans should be regularly reviewed and simulated.

Risks Mitigated: SSR-6

C.1.6 Supplier Performance Monitoring. Suppliers must be periodically monitored in accordance with Business Unit policy to ensure that actual performance meets the Quality, Delivery, Product/Technology, Service & Support and Cost expectations.

Risks Mitigated: SSR-3, SSR-6, SSR-7

C.1.7 Supplier Database/List Updates. The actual update of approved supplier master/lists must be performed by individuals not involved in supplier selection process.

Risks Mitigated: SSR-1, SSR-2, SSR-3, SSR-5


Standards of Internal Control for Purchasing and Ordering


Purchasing and Ordering: Fraud Risks

POR-1 A purchase order may be:

a. Unauthorized or improperly authorized.

b. Made from an unauthorized supplier.

c. Ordered and received by an unauthorized individual.

POR-2 Import and export control violations, related party transactions, or conflict of interest situations may occur. The potential for errors and irregularities is substantially increased.

POR-3 Rather than being returned or refused, the following items may be received and ultimately paid for:

a. Unordered goods or services.

b. Excessive quantities or incorrect items.

c. Canceled or duplicated orders.

POR-4 Records may be lost or destroyed.

POR-5 Records may be misused or altered by unauthorized personnel to the detriment of the company and its suppliers.

POR-6 Goods and services may be received but not reported or reported inaccurately. Unrecorded liabilities and misstated inventory and cost of sales may occur.


Purchasing and Ordering: Fraud Risks (Cont.)

POR-7 Goods purchased may not meet quality standards. Unauthorized prices or terms may be accepted.

POR-8 Materials may be received early or late resulting in business interruption or excess levels of inventory.

POR-9 Duplicate payments may occur, or payments may be made for the wrong amount or to unauthorized or nonexistent suppliers.

POR-10 Records may not be available for external legal, tax, or audit purposes.

POR-11 Purchases and/or disbursements may be recorded at the incorrect amount, to the wrong account, or in the wrong period.

POR-12 Payment may be made for goods or services never received.

POR-13 Loss of intellectual property

POR-14 A purchase order may be received by an unauthorized individual


Purchasing and Ordering: Standards of Internal Controls (Cont.)

C.2.1 Segregation of Duties. All purchasing (ordering) responsibilities must be segregated from accounts payable/disbursement, receiving and accounting activities.

Fraud Risks Mitigated: POR-1, POR-2, POR-5, POR-6, POR-7, POR-9, POR-11, POR-12

C.2.2 Written Purchasing Policies. Purchasing policies and procedures are established, communicated and followed.

Fraud Risks Mitigated: POR-1, POR-2, POR-4, POR-6, POR-7, POR-9, POR-10, POR-11

C.2.3 Access Controls. All purchase orders or access to input screens must be safeguarded and internal control procedures for processing and approval must be in place to prevent unauthorized use.

Fraud Risks Mitigated: POR-1, POR-2, POR-4, POR-5, POR-6, POR-9, POR-10, POR-12

C.2.4 Purchase Price Negotiation. To assure the company’s competitive advantage, prices will be negotiated through cost analysis (e.g., target costing), bidding or industry cost benchmarking.

Fraud Risks Mitigated: POR-2, POR-5, POR-7


Purchasing and Ordering: Standards of Internal Controls (Cont.)

C.2.5 Conduct Prior to Supplier Selection Process. Oral or written contracts, memorandums of understanding, and statements of intent that may financially obligate the company must not be entered into prior to the completion of the selection process without proper approvals.

Fraud Risks Mitigated: POR-1, POR-2, POR-5, POR-6, POR-7, POR-9, POR-10

C.2.6 Advance Payments. Payment in advance should be avoided if possible. A procedure should be established and followed when it is necessary to make payments in advance of the shipment or receipt of material to prevent overpayment. No advance payments can be made unless they are part of the purchase order terms.

Fraud Risks Mitigated: POR-6, POR-9, POR-11

C.2.7 Order Audit Trail. All orders/transactions must be uniquely identifiable and traceable and periodically accounted for.

Fraud Risks Mitigated: POR-3, POR-4, POR-5, POR-6, POR-9, POR-10, POR-11, POR-12

C.2.9 Invoice Forwarding. Purchase orders/transactions must instruct suppliers to forward their billings directly to Accounts Payable.

Fraud Risks Mitigated: POR-3, POR-4, POR-5, POR-6, POR-9, POR-10, POR-1


Purchasing and Ordering: Standards of Internal Controls (Cont.)

C.2.9 Purchase Order Distribution. Purchase order information must be made available to the Receiving and Accounts Payable departments. Accounts Payable and Receiving must be notified of changed or canceled purchase orders in a timely manner.

Fraud Risks Mitigated: POR-3, POR-5, POR-6, POR-7, POR-8, POR-9, POR-11, POR-12, POR-14

C.2.10 Product Return Procedures. Procedures must be established to ensure proper approval, recording and follow up of all return items (due to poor quality, improper specifications, etc.).

Fraud Risks Mitigated: POR-4, POR-5, POR-7, POR-9, POR-10, POR-11, POR-12

C.2.11 Evaluation of Purchasing Process. Purchasing process should be evaluated consistent with the supply management.

Fraud Risks Mitigated: POR-7, POR-8

C.2.12 Safeguarding Intellectual Property. Procedures governing the review and approval of contracts should address the safeguarding of the company’s intellectual property including patents and trademarks.

Fraud Risks Mitigated: POR-4, POR-5, POR-10, POR-12, POR-13


Purchasing and Ordering: Standards of Internal Controls (Cont.)

C.2.13 Blanket Purchase Orders. A “not to exceed” limit and duration must be specified on each blanket purchase order.

Fraud Risks Mitigated: POR-8

C.2.14 Independence and Purchasing. Independence between purchasing agent/buyer and supplier must be maintained. This can be accomplished through periodic buyer rotation, or participation in corporate contracts, or use of commodity teams. The company’s code of conduct should be distributed to all suppliers.

Fraud Risks Mitigated: POR-1, POR-2, POR-3, POR-4, POR-5, POR-7

C.2.15 Requisitioning Procedures. Purchase requirements (e.g., purchase orders, blanket orders, contracts, etc.) must be initiated by the requesting department and be properly approved, within approver’s limits, before a purchase request is made. Purchase orders must not be split to get around approval limits.

Fraud Risks Mitigated: POR-1, POR-2, POR-3, POR-5

C.2.16 Low Value Requisitions. Authorization limits must be established for individuals making low value purchases through special procurement processes (e.g., P-Cards, catalogs, procurement cards, etc.).

Fraud Risks Mitigated: POR-1, POR-3, POR-5
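One way to test the C.2.15 rule that purchase orders must not be split to get around approval limits, shown as an added example that is not part of the original presentation. The record layout, the 7-day window, the approver limit and the sample orders are all assumptions constructed for illustration.

```python
"""Flag purchase orders that look split to stay under an approval limit (C.2.15)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal as D


@dataclass(frozen=True)
class PurchaseOrder:          # hypothetical export layout from the purchasing system
    po_number: str
    requester: str
    supplier: str
    approver: str
    amount: D
    created: date


def find_split_orders(orders, approver_limits, window_days=7):
    """Return clusters of POs from one requester to one supplier, approved by
    one approver, that each fit the approver's limit but together exceed it
    within `window_days`."""
    window = timedelta(days=window_days)
    groups = defaultdict(list)
    for po in orders:
        # A PO above the limit already needs a higher approver, so it cannot be
        # one piece of a split. An unknown approver raises KeyError on purpose.
        if po.amount <= approver_limits[po.approver]:
            groups[(po.requester, po.supplier, po.approver)].append(po)

    findings = []
    for (requester, supplier, approver), pos in sorted(groups.items()):
        pos.sort(key=lambda p: (p.created, p.po_number))
        limit = approver_limits[approver]
        i = 0
        while i < len(pos):
            # Grow the window from PO i as far as the date range allows.
            j, total = i, pos[i].amount
            while j + 1 < len(pos) and pos[j + 1].created - pos[i].created <= window:
                j += 1
                total += pos[j].amount
            if j > i and total > limit:
                findings.append({
                    "requester": requester, "supplier": supplier, "approver": approver,
                    "po_numbers": [p.po_number for p in pos[i:j + 1]],
                    "total": total, "limit": limit,
                })
                i = j + 1          # do not report sub-windows of the same cluster
            else:
                i += 1
    return findings


# Constructed sample data: one approver with a 5,000.00 limit.
LIMITS = {"mgr-ortiz": D("5000.00")}
ORDERS = [
    PurchaseOrder("PO-1001", "jlee", "Northwind Tooling", "mgr-ortiz", D("4800.00"), date(2016, 3, 1)),
    PurchaseOrder("PO-1002", "jlee", "Northwind Tooling", "mgr-ortiz", D("4750.00"), date(2016, 3, 2)),
    PurchaseOrder("PO-1003", "jlee", "Northwind Tooling", "mgr-ortiz", D("4900.00"), date(2016, 3, 4)),
    PurchaseOrder("PO-1004", "jlee", "Contoso Paper", "mgr-ortiz", D("1200.00"), date(2016, 3, 2)),
    PurchaseOrder("PO-1005", "mpatel", "Northwind Tooling", "mgr-ortiz", D("3000.00"), date(2016, 3, 1)),
    PurchaseOrder("PO-1006", "mpatel", "Northwind Tooling", "mgr-ortiz", D("1500.00"), date(2016, 3, 20)),
    PurchaseOrder("PO-1007", "mpatel", "Fabrikam Freight", "mgr-ortiz", D("2600.00"), date(2016, 3, 10)),
    PurchaseOrder("PO-1008", "mpatel", "Fabrikam Freight", "mgr-ortiz", D("2600.00"), date(2016, 3, 25)),
]

if __name__ == "__main__":
    for f in find_split_orders(ORDERS, LIMITS):
        print(f["requester"], f["supplier"], f["po_numbers"], f["total"], ">", f["limit"])
```

A flagged cluster is a lead for review, not proof of intent: legitimate repeat orders to a sole-source supplier will also appear, so the reviewer compares the cluster against the requisition and receiving records.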


Purchasing and Ordering: Standards of Internal Controls (Cont.)

C.2.17 Purchase Order Revisions. Purchase order revisions for price or quantity that cause increases that exceed buyer’s approval level must be approved in compliance with local procedures.

Fraud Risks Mitigated: POR-1, POR-2, POR-3, POR-5, POR-7, POR-8

C.2.18 After-The-Fact Purchase Orders. After-the-fact POs are identified, tracked and followed up on regularly.

Fraud Risks Mitigated: POR-1, POR-3, POR-5, POR-7, POR-8


Standards of Internal Control for the Disbursement Process


Disbursements: Fraud Risks

DR-1 Controls may be bypassed allowing the potential for theft or error.

DR-2 Purchases or services may be ordered and received by an unauthorized individual.

DR-3 Items or services may be received but not reported, or reported inaccurately. Unrecorded liabilities, misstated inventories, and over/under payments to suppliers may result.

DR-4 Duplicate payments may occur, or payments may be made for the wrong amount or to unauthorized or nonexistent suppliers.

DR-5 Financial statements, records, and operating reports may be misstated. Critical decisions may be based upon erroneous information.

DR-6 Purchases or services may be unauthorized, recorded for the wrong amount or in the wrong period, and/or payment made to the wrong supplier.

DR-7 Items may be recorded and payment made for goods or services not received.

DR-8 Operations may be adversely affected as suppliers may refuse future business with the company.

DR-9 Cash utilization may not be optimized or may be misappropriated.

DR-10 Fines or penalties may be imposed if required supporting documents are not available.


Disbursements: Standards of Internal Control (Cont.)

C.5.1 Segregation of Duties. The function of disbursing cash or its equivalent must be segregated from the following functions:

• Receiving;

• Purchasing;

• Invoice processing;

• Accounts payable;

• General ledger reconciliation;

• Supplier master set-up and changes.

Fraud Risks Mitigated: DR-1, DR-2, DR-3, DR-7

C.5.2 Payment Reconciliations. All payments and other disbursement activities must be traceable, uniquely identifiable, and reconciled (contents are known and status is current) with general ledger and bank statements on a monthly basis.

Fraud Risks Mitigated: DR-1, DR-4

C.5.3 Supporting Documentation. Requests for checks, electronic funds transfers, and bank transfers must be supported by approved purchase orders, receiving transactions or original invoices. This documentation will be provided to the signers for their review as part of the approval process.

Fraud Risks Mitigated: DR-2, DR-3, DR-4, DR-7


Disbursements: Standards of Internal Control (Cont.)

C.5.4 Payment Approval. Approved payments must be aged and made in accordance with corporate policy or within the agreed terms and conditions.

Fraud Risks Mitigated: DR-8

C.5.5 Supplier Discounts. All eligible supplier discounts should be taken whenever favorable to the company.

Fraud Risks Mitigated: DR-5, DR-9

C.5.6 Recording in Accounting Records. All disbursements must be recorded in the period payment was made. Expenses must be properly and accurately recorded in the accounting period in which the liability was incurred.

Fraud Risks Mitigated: DR-3, DR-5, DR-6, DR-9

C.5.7 Bearer Checks. Checks must not be made payable to cash or bearer.

Fraud Risks Mitigated: DR-1, DR-3, DR-7


Disbursements: Standards of Internal Control (Cont.)

C.5.8 Blank Check Storage. Blank checks must be safeguarded from destruction or unauthorized use. The supply of blank checks must be numerically controlled and regularly accounted for as issued, voided, or unused. Employees who have access to unissued checks must be independent of the check signing and voucher preparation functions.

Fraud Risks Mitigated: DR-1, DR-3, DR-4, DR-7

C.5.9 Voided and Canceled Checks. Spoiled, voided, and canceled checks must be altered or voided immediately. These checks must be accounted for and protected. They may be destroyed, provided the destruction is witnessed and documented by an additional individual.

Fraud Risks Mitigated: DR-1, DR-7

C.5.10 Bank Account Limits. Specific limits of signing authority for checks, promissory notes, and bank transfers must be established and approved according to an appropriate Board of Directors’ banking resolution and communicated to the disbursing entity and the appropriate bank(s).

Fraud Risks Mitigated: DR-1, DR-3, DR-7


Disbursements: Standards of Internal Control (Cont.)

C.5.11 Positive Pay/Payee Controls/Debit Blocks and Debit Filters. Checking accounts must be provided with “match pay” or “positive pay or payee” controls that permit a preview of checks presented to the bank for payment. If such controls are not practical, bank accounts must be subject to activity limits and dual signatory controls.

Fraud Risks Mitigated: DR-1, DR-4, DR-7

C.5.12 Records Management. Documents or electronic data supporting expenditures must be safeguarded from loss or destruction and must be in a retrievable format. Such records must be retained and maintained in accordance with the company’s records management policy.

Fraud Risks Mitigated: DR-5, DR-10

C.5.13 Wire Transfers. Where practical, payments by wire transfer must be made only to designated bank accounts. Where practical, recurring wire payments should be established as repetitive payments within the wire transfer system. Non-repetitive wires require independent review and approval.

Fraud Risks Mitigated: DR-1, DR-4, DR-6, DR-7, DR-8


Standards of Internal Control for the P-Card Process


P-Cards – Fraud Risks

R-1 Controls may be bypassed allowing the potential for theft or error.

R-2 Expenditures or services may be ordered and received by an unauthorized individual.

R-3 Duplicate payments may occur, or payments may be made for the wrong amount or to unauthorized or nonexistent suppliers.

R-4 Purchases or services may be unauthorized, recorded for the wrong amount or in the wrong period, and/or payment made to the wrong person.

R-5 Items may be recorded and payment made for goods or services not received.

R-6 Operations may be adversely affected as suppliers may refuse future business with the company.

R-7 Cash utilization may not be optimized.


P-Cards – Standards of Internal Control

C.1 Delegation of Authority (DOA) Approval and Review. Management with Delegation of Authority (DOA) is responsible for 100% audit of cardholder’s statement and supporting documentation/receipts. Additionally, management’s DOA signature approval is required on the cardholder’s statement (DOA applies to each transaction on the statement, not the statement total).

Fraud Risks Mitigated: R-1, R-2, R-3, R-4, R-5, R-6, R-7

C.2 P-Card Statement Submission and Tracking.

1. The Cardholder submits statement with supporting documentation for each transaction.

2. The P-Card Administrator reviews spending activity in credit card on-line recording and reporting system.

3. The P-Card Administrator reviews every statement upon receipt to ensure that it is:

• Date stamped with date received in A/P.

• Verified for appropriate management Delegation of Authority (DOA).

4. The P-Card Administrator tracks each statement on the P-Card audit log:

• Used to monitor submission of statements.

• Follow up on outstanding statements.

• Document audit activity.

Fraud Risks Mitigated: R-1, R-2, R-3, R-4, R-5, R-6, R-7


P-Cards: Standards of Internal Control (Cont.)

C.3 Random Audits. Conduct random audits of a minimum of 10% of the total cardholder population; however, on average audit 20 – 30% of all statements. The random audit process should include the following components.

• Supplier Review – Appropriateness of purchase.

• Misuse of Card – Personal purchases.

• Justification – Documentation/explanation for unusual purchases and pre-approvals if applicable.

Fraud Risks Mitigated: R-1, R-2, R-3, R-4, R-5

C.4 Targeted Audits. Targeted audits should be conducted in addition to random audits and are specific to cardholder, general ledger account and supplier spend. The following components should be addressed:

• Review all charges over a designated dollar amount. Examples are $10,000.00, $15,000.00 or $20,000.00. Note: This amount is usually determined by your company’s PO policy.

• Preferred supplier spend on office supplies.

• Look for any charitable contributions.

• Review 100% of statements for retail or restaurant spending to identify misuse or unusual purchases.

• Use credit card on-line reporting tools and reports to assist with audit and review spend activity.

• Review all payments to foreign suppliers.

• Review payments to employees.

Fraud Risks Mitigated: R-1, R-2, R-3, R-4, R-5


P-Cards: Standards of Internal Control (Cont.)

C.5 P-Card Policy and Training. The policy should state clearly what the P-card can and cannot be used to purchase. The policy also should identify the disciplinary action for accidental misuse versus intentional misuse. The policy contains a P-Card cardholder agreement and specifies the training requirements for the cardholder and their manager.

Risks Mitigated: R-1, R-2, R-3, R-4, R-5

C.6 Segregation of Duties. The P-Card Administrator should be allowed to make decisions on the company’s P-Card program. Additionally, the P-Card Administrator should not be granted physical or system access to accounts payable suppliers or purchasing information.

Risks Mitigated: R-1, R-2, R-3, R-4, R-5, R-6, R-7


Sample P-Card Holder Agreement

Agreed and accepted this day of 20 .

Cardholder:

Signature: Date:

Print Name: Phone:

Entity/Department:

Organization/Company P-Card Administrator:

Signature: Date:

Print Name: Phone:


The Top 20 Controls for AP


1. AP adheres to the company’s “Tone at the Top”.

2. AP adheres to the company’s Code of Conduct and reports all unethical actions.

3. A Segregation of Duties policy is established in the accounts payable organization.

4. A Delegation of Authority policy is in place for all company commitments and expenditures.

5. Record to record (R2R) policies and procedures are in place which include monthly accruals, account reconciliation, journal entry controls and transaction review.

6. System Access Controls are reviewed on a monthly basis.

7. AP managers are responsible for integrating effective internal controls into the operation.

8. AP managers of public companies adhere to all SOX requirements.

9. Costs and expenses of the AP department are maintained under budgetary control.

10. AP must develop a system of internal controls to ensure that the assets and records of the company are adequately protected from loss, destruction, theft, alteration, or unauthorized access.


The Top 20 Controls for AP (Cont.)

11. Critical transactions within the AP business processes must be traceable, authorized, authenticated, have integrity, and be retained in accordance with established policy such as the Delegation of Authority Policy.

12. Background checks are conducted for all employees and contractors that support the AP process.

13. The business records for AP must be maintained and retained in accordance with established records retention policies.

14. Accounts payable (AP) information is considered confidential. Adequate security must also be maintained when disposing of this information.

15. All computer systems and/or software applications that may impact the operation of the AP process must have the adequacy of internal controls verified through the user acceptance process prior to implementation.

16. Legal should review and approve all contracts and legally binding documents. Right-to-audit clauses should be included in the contracts where appropriate.


The Top 20 Controls for AP (Cont.)

17. All suppliers are validated before they are entered into the system of record. The validation process includes:

• Requiring a W-9

• Performing TIN Matching

• Compliance Screening (OFAC, BIS, SAMS, PEP, OIG)

• Verify Vendor Address

• Utilize a Database for Vendor Phone Number Verification

• Company Website Validation

18. All disbursements over a certain dollar amount are reviewed and approved with special attention to large international payments and wires. (The dollar amount to be reviewed will depend upon the size of the company.)

19. The Employee Master is compared to the Supplier Master File on an annual basis. Comparisons include a review of:

• Name

• Address

• SSN/EIN/TIN

• Bank Account

20. All P-Cards and Corporate Credit Cards should have cardholder agreements in place in which the cardholder clearly understands their roles and responsibilities along with the consequences of non-compliance.
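The employee-master to supplier-master comparison in control 19, sketched as an added example that is not part of the original presentation. The record layout, the normalisation rules (address abbreviations, legal-suffix stripping, order-insensitive name tokens) and every sample record are assumptions constructed for illustration.

```python
"""Compare the employee master with the supplier master (Top 20 control 19)."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Party:                  # hypothetical layout shared by both master-file exports
    record_id: str
    name: str
    address: str
    tax_id: str               # SSN / EIN / TIN as stored
    bank_account: str         # routing + account as stored


ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "drive": "dr", "lane": "ln",
          "boulevard": "blvd", "suite": "ste", "apartment": "apt",
          "north": "n", "south": "s", "east": "e", "west": "w"}
NAME_NOISE = {"inc", "llc", "ltd", "corp", "co", "company", "the", "dba"}


def tokens(text):
    return re.sub(r"[^a-z0-9 ]", " ", text.lower()).split()


def name_tokens(name):
    # Order-insensitive, so "Rivera, Dana LLC" and "Dana Rivera" compare equal.
    return frozenset(t for t in tokens(name) if t not in NAME_NOISE and len(t) > 1)


def norm_address(address):
    return " ".join(ABBREV.get(t, t) for t in tokens(address))


def norm_id(value):
    # "000-12-3456" (SSN style) and "00-0123456" (EIN style) share one digit string.
    return re.sub(r"[^a-z0-9]", "", value.lower())


EXACT_FIELDS = {"address": norm_address, "tax_id": norm_id, "bank_account": norm_id}


def compare_masters(employees, vendors):
    """Return sorted (employee_id, vendor_id, [matching fields]) tuples."""
    hits = defaultdict(set)
    for field, norm in EXACT_FIELDS.items():
        index = defaultdict(list)
        for v in vendors:
            key = norm(getattr(v, field))
            if key:                                   # blank fields never match
                index[key].append(v.record_id)
        for e in employees:
            for vid in index.get(norm(getattr(e, field)), ()):
                hits[(e.record_id, vid)].add(field)

    # Name match: every token of the employee's name appears in the vendor name.
    by_token = defaultdict(set)
    for v in vendors:
        for tok in name_tokens(v.name):
            by_token[tok].add(v.record_id)
    for e in employees:
        toks = name_tokens(e.name)
        if len(toks) < 2:                             # a lone token is too weak
            continue
        for vid in set.intersection(*(by_token.get(t, set()) for t in toks)):
            hits[(e.record_id, vid)].add("name")

    return sorted((emp, vid, sorted(fields)) for (emp, vid), fields in hits.items())


# Constructed sample records; all identifiers are made up.
EMPLOYEES = [
    Party("E100", "Dana Rivera", "41 North Elm Street, Apt 2", "000-12-3456", "000000001-12345678"),
    Party("E101", "Lee Okafor", "9 Harbor Road", "000-98-7654", "000000002-55501234"),
    Party("E102", "Sam Whitfield", "77 Quarry Lane", "000-55-1111", ""),
]
VENDORS = [
    Party("V1", "Rivera, Dana LLC", "41 N. Elm St Apt 2", "00-0123456", "000000009-11112222"),
    Party("V2", "Harborview Office Supply Inc", "500 Commerce Boulevard", "00-7777777", "000000002 55501234"),
    Party("V3", "Acme Fasteners Corp", "12 Mill Rd", "00-2222222", ""),
]

if __name__ == "__main__":
    for emp, vid, fields in compare_masters(EMPLOYEES, VENDORS):
        print(f"{emp} <-> {vid}: {', '.join(fields)}")
```

A single-field hit on bank account or tax ID deserves the same follow-up as a multi-field hit, because a supplier record set up to receive diverted payments only needs the bank details to match.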


What Went Wrong?

“Real Life” P2P Case Study Analysis

1. Procurement

2. T&E

3. P-Card

4. AP

5. Disbursements


What Can Go Wrong?


Case Study 1 – Procurement: Brenda Belton and Washington DC Charter Schools

• Belton, 61, convicted of stealing and illegally steering more than $800,000 in school system money, was begging for mercy in the same courthouse where another corruption case is playing out, involving the alleged theft by two other D.C. government employees of $20 million or more from city tax collections.

• Belton, who was responsible for monitoring 17 charter schools for the D.C. Board of Education from 2003 to 2006, pleaded guilty in August to theft and tax evasion. Prosecutors said she cheated the system throughout her tenure as chief executive of the board's Office of Charter School Oversight.

• Prosecutors said Belton steered about $446,000 in no-bid contracts to friends and a cousin and stole $203,000 by directing school money to a fictitious company. At the same time, she received $180,000 in illegal payments and kickbacks from friends for whom she helped win school business.

Source: http://www.washingtonpost.com/wp-dyn/content/article/2007/06/05/AR2007060500797.html


Case Study 1 – Procurement: Brenda Belton and the Washington, DC Charter Schools (Cont.)

• As part of her plea agreement, Belton promised to pay restitution of $384,000, the amount she was accused of pocketing in the scheme.

• Prosecutors say at least seven others participated in the embezzlement, but no charges have been filed against them. Authorities said Belton was the driving force behind the thefts and diversion of contracts.

Source: http://www.washingtonpost.com/wp-dyn/content/article/2007/06/05/AR2007060500797.html


Case Study 1 – Procurement: Brenda Belton and the Washington, DC Charter Schools (Cont.)

The Major Issues

The following major control infrastructure items were lacking:

– Tone at the Top

– P2P Internal Controls Program

– Disbursement Controls

– Bank Reconciliations

– Random Audits

Missing Critical Corporate Controls

– Segregation of Duties Policies (Collusion)

– Systems Access

– Delegation of Authority Policies (Lack of Approvals)


Case Study 2 – T&E: Flying Business Class

• According to Scott Sunbury, CPA, CFE, a T&E fraud prevention specialist with Connecticut-based CJS Group, LLC, companies must be especially alert to such T&E schemes as overstated or "over-purchased" expenses.

• Example: A consulting firm specializing in international trade had numerous clients in Asia and other distant locations.

• The cost of round-trip business-class airfare -- which the company's T&E policy did permit for trans-Pacific trips -- from New York to Hong Kong was $4,000. The same flight in economy class was only $1,500.

• Each consultant was responsible for arranging his or her own travel with the airlines, billing the charges to a corporate American Express card. One day, a consultant with several Hong Kong-based clients changed his travel plans at the last minute, moving up his departure date by a day. On that day, business-class for the earlier flight was already fully booked. Instead, the airline booked the consultant in economy class and issued a $2,500 refund directly to him.


Case Study 2 – T&E: Flying Business Class (Cont.)

• Problem: The original credit card receipt still said $4,000, and this is what the consultant submitted with his next expense report. The Hong Kong client, in turn, was billed for the full fare.

• The $2,500 fraud went unnoticed by the consulting firm…until the dishonest traveler boasted about his trick to colleagues, "justifying" it by arguing that he should be allowed to spend his travel "allowance" any way he pleased.

• A tip from one of the consultant's more ethical colleagues brought the instance to the attention of senior management who confronted the offender and ultimately terminated him.


Case Study 2 – T&E: Flying Business Class (Cont.)

The Major Issues

The following major control infrastructure items were lacking:

– Business Ethics and Training

– T&E Policy

• Roles and Responsibilities

• Use of a Travel Agency

– International Travel Policy

Missing Critical Corporate Controls

– Delegation of Authority


Case Study 3 – P-Cards: Ex-Hanford manager sentenced to 3 years, 10 months in P-Card Fraud (2/16/12)

• A former Hanford manager was sentenced to three years and 10 months in prison after a federal judge questioned his truthfulness Wednesday.

• Paul Kempf, former operations manager of the Hanford 222-S Laboratory, admitted in a plea agreement that he used a federal credit card issued for government purchases to embezzle $487,000 from September 2000 through September 2005.

• But then he told the court in a sentencing document filed later in the Eastern Washington District U.S. Court that there was no evidence to suggest the $487,000 worth of products in question charged to his P-card had not been delivered to Hanford.

Source: http://www.tri-cityherald.com/2012/02/16/1828326/ex-hanford-manager-sentenced-to.html#storylink=cpy


Case Study 3 – P-Cards: Ex-Hanford manager sentenced to 3 years, 10 months in P-Card Fraud (2/16/12) (Cont.)

• Kempf is the last of seven defendants accused in spring 2010 of diverting government money with Hanford credit cards to be sentenced, and he received the harshest sentence.

• He is accused of using his federal credit card -- called a purchase card or P-card -- to make purchases from his wife's home business that never were delivered.

• He admitted in the plea agreement to spending $50,000 of the embezzled money to renovate a 1966 Chevrolet Nova, $63,000 on auto and boat expenses, $105,000 in personal checks made out to his wife and $17,000 on home improvements, among other uses.

Source: http://www.tri-cityherald.com/2012/02/16/1828326/ex-hanford-manager-sentenced-to.html#storylink=cpy


Case Study 3 – P-Cards: Ex-Hanford manager sentenced to 3 years, 10 months in P-Card Fraud (2/16/12) (Cont.)

• When caught, he lied to federal investigators and altered business checks to hide the fact that they were used to divert money from Hanford to his personal use, according to the U.S. Attorney's Office.

• Kempf argued in court documents filed after the plea agreement that many products ordered from his wife's home business, AMG Marketing in West Richland, were delivered to the laboratory. Two of his children filed statements with the court saying they had helped deliver products.

• "I think he presented to the court a completely inaccurate position, one he knows is false," said assistant U.S. attorney Jill Bolton.

Source: http://www.tri-cityherald.com/2012/02/16/1828326/ex-hanford-manager-sentenced-to.html#storylink=cpy


• Statements submitted to the court showed the P-card system under Kempf's two Hanford employers -- former contractors Fluor Hanford and CH2M Hill Hanford Group -- was poorly controlled.

• Fluor Hanford since has made a $4 million settlement with the federal government, and CH2M Hill made a $1.5 million settlement, Thompson said.

• "So in a way, the federal government has received what is due and owing in a way," he said.

• Other defendants have received lesser sentences, including Suzie Zuniga, who was sentenced to 20 months in prison after embezzling $564,000 through P-card fraud, he said.

• Kempf tearfully told the judge he loved his wife and has always "worked hard and not asked for anything extra." He volunteers at Water Follies and discounts work for churches and private schools at the flooring company he started after losing his Hanford job.

Source: http://www.tri-cityherald.com/2012/02/16/1828326/ex-hanford-manager-sentenced-to.html#storylink=cpy

Case Study 3 – P-Cards: Ex-Hanford manager sentenced to 3 years, 10 months in P-Card Fraud (2/16/12) (Cont.)


• He requested home detention rather than a prison term so he could continue to support his wife and his youngest child. That would save the government upwards of $100,000, according to court documents.

• In addition to 46 months incarceration, Whaley sentenced Kempf to three years of probation and ordered him to repay $487,000 jointly with Gust. Kempf must turn over 10 percent of his income each month. The federal government already has filed documents to seize the 1966 Nova and any parts.

Source: http://www.tri-cityherald.com/2012/02/16/1828326/ex-hanford-manager-sentenced-to.html#storylink=cpy

Case Study 3 – P-Cards: Ex-Hanford manager sentenced to 3 years, 10 months in P-Card Fraud (2/16/12) (Cont.)


The Major Issues

The following major control infrastructure items were lacking:

– Tone at the Top and Business Ethics

– P-Card Administrator

– P-Card Agreement

– PO Policies or Enforcements

– P-Card Internal Controls Program

– Cash Management Controls

Missing Critical Corporate Controls

– Segregation of Duties

– Delegation of Authority

– System Access



Case Study 4 - AP: Too Much Systems Access

• A large company enlisted a group of finance process subject matter experts to help test the installation of a new enterprise resource planning (ERP) system.

• In order to fully test the integration of transaction processing to the general ledger, the team was given full systems access to all the master files, transactional interfaces, and accounting functionality of the system.

• After the system was implemented, members of the team were sent to other departments as managers or senior financial analysts; however, the system access rights that they were granted for testing purposes were not removed.


Case Study 4 - AP: Too Much Systems Access (Cont.)

• One former accounts payable manager found that she still had the system access rights to set up a vendor, pay an invoice, and void the transaction – even though she was in another department.

• An internal audit found this significant issue and determined that the individual had embezzled nearly $300,000.00 in company funds.

• The employee was terminated and paid back the funds.

• The review of system access rights was immediately added to all audit and internal control programs.
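The system access review described in this case study can be run as a periodic check over entitlement and HR data. The following is an added example, not part of the original presentation; the user names, permission names, conflict rules, and department ownership table are constructed assumptions.

```python
from datetime import date

# Constructed sample data (not from the presentation): ERP entitlements and HR records.
ENTITLEMENTS = [
    # (user, permission, granted_on, reason)
    ("amartin", "VENDOR_CREATE", date(2014, 3, 1), "ERP test team"),
    ("amartin", "INVOICE_PAY", date(2014, 3, 1), "ERP test team"),
    ("amartin", "PAYMENT_VOID", date(2014, 3, 1), "ERP test team"),
    ("bchen", "INVOICE_PAY", date(2015, 6, 10), "AP clerk"),
    ("dokafor", "VENDOR_CREATE", date(2015, 2, 2), "Vendor master"),
    ("dokafor", "GL_POST", date(2014, 3, 1), "ERP test team"),
]
HR = {  # user -> (current department, date moved into it)
    "amartin": ("Treasury", date(2015, 1, 5)),
    "bchen": ("Accounts Payable", date(2015, 6, 1)),
    "dokafor": ("Procurement", date(2015, 2, 1)),
}
# Permission sets no single user should hold together (assumed rule set).
TOXIC = [{"VENDOR_CREATE", "INVOICE_PAY"}, {"INVOICE_PAY", "PAYMENT_VOID"}]
# Departments allowed to hold each permission (assumed policy).
OWNERS = {
    "VENDOR_CREATE": {"Procurement"},
    "INVOICE_PAY": {"Accounts Payable"},
    "PAYMENT_VOID": {"Accounts Payable"},
    "GL_POST": {"General Accounting"},
}

def review_access(entitlements, hr, toxic, owners):
    """Return (sod_conflicts, stale_grants) for a periodic access review."""
    held = {}
    for user, perm, _, _ in entitlements:
        held.setdefault(user, set()).add(perm)
    sod = sorted((u, tuple(sorted(rule))) for u, perms in held.items()
                 for rule in toxic if rule <= perms)
    stale = []
    for user, perm, granted, reason in entitlements:
        dept, moved = hr[user]
        # Grant predates the user's last transfer and the new department does not own it.
        if granted < moved and dept not in owners[perm]:
            stale.append((user, perm, reason))
    return sod, sorted(stale)

if __name__ == "__main__":
    sod, stale = review_access(ENTITLEMENTS, HR, TOXIC, OWNERS)
    for user, rule in sod:
        print(f"SoD conflict: {user} holds {' + '.join(rule)}")
    for user, perm, reason in stale:
        print(f"Stale grant: {user} kept {perm} (granted for: {reason})")
```

The stale-grant check catches access left over from a project even when no conflict rule fires, as with the leftover general ledger posting right in the sample data.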


Case Study 4 – AP: Too Much Systems Access (Cont.)

The Major Issues

The following major control infrastructure items were lacking:

– Timely Bank Account and Clearing Account Reconciliations

– Journal Entry Controls

– General Ledger Reconciliations

Critical Corporate Controls

– Segregation of Duties

– Delegation of Authority

– System Access


Case Study 5 – Disbursements: Foster Law Offices

• Kimberly Kurka, a 35-year-old employee of Foster Law Offices, has been accused of stealing $141,000 from her employer over a two-year period. During her employment, her duties included managing payroll, accounts receivable, accounts payable and business related to the trust and operating accounts. She also had access and passwords to the businesses’ online accounts.

• Police reported that a forensic fraud examination of the law office’s accounting records showed that Kurka was misappropriating funds as early as 2008 and continuing through 2012. The fraud was conducted through checks, money transfers between accounts, credit cards and cash payments from clients.

• According to the Iowa City Press-Citizen, “Kurka allegedly wrote herself additional paychecks, inflated her payroll, converted credit card access checks to funds for the operating account and stole cash payments from clients.”

• Kurka has been arrested and faces one count of first-degree theft, a Class C felony.

Source: http://recordsforce.wordpress.com/2012/08/29/a-serious-case-of-accounts-payable-fraud/


Case Study 5 – Disbursements: Foster Law Offices (Cont.)

The Major Issues

The following major control infrastructure items were lacking:

– Business Ethics

– Timely Bank Account Reconciliations

– Journal Entry Controls

– Disbursement Controls

Critical Corporate Controls

– Multiple Segregation of Duties Issues

– Systems Access


What to do if you suspect a fraud...

1. Do not take action yourself

2. Call your Ethics Hotline

3. If appropriate, speak with your manager and/or the next highest level of authority

4. Involve Internal Audit and/or Corporate Security

5. Do not tell anyone else about your suspicions

6. Never confront the employee

7. Make sure you have all the facts!


Questions and Discussion


My Contact Information Is:

Chris Doxey, CAPP, CCSA, CICA, CPC

President, Doxey, Inc.

[email protected]

571-267-9107

