Effective risk management and control of vendors and contracts in the procure-to-pay (P2P) process creates challenges for organizations in all sectors, but particularly for local and national governments. Public infrastructure projects, facilities maintenance, IT systems and large-scale purchasing of goods and services involve significant financial outlays. These projects can also present many opportunities for problems to occur in terms of fraud, waste, abuse and inefficiencies.
Government finance and control managers are well aware of these challenges and respond by assessing risks and implementing controls designed to reduce the likelihood of negative outcomes. But many issues still remain. For example, how can those responsible be certain that all relevant controls are effective? What if certain types of risks have not even been considered and so no controls were established to prevent different types of fraud and abuse? Conversely, what if there are so many control procedures in place that processes become exceedingly slow and cumbersome, draining resources?
Finding the right balance
The real challenge is to achieve a balanced approach to controls around procurement contracts and payment processes—one that is efficient and effective, while also minimizing the likelihood and scale of potential fraud, waste, abuse and regulatory non-compliance.
Many government departments and agencies rely on control configuration settings in their ERPs or financial applications to manage the control process, but this approach is often less than watertight. Certain ERP control settings are often turned off in order to make processes quicker and simpler. Or the settings that are relied upon may simply not be effective in addressing certain risk types. Of course, the reality is that no conventional control system is perfect. The real need is to find out what specific transactions and activities are problematic and need closer examination—so that they can be fixed and more effective controls implemented.
The power of data analytics
This is where technology—specifically data analysis and continuous transaction and control monitoring—plays a huge role. What if all P2P activities are automatically analyzed and tested to determine if the controls are effective and comply with controls and regulatory requirements, and whether or not specific suspect transactions are identified? What if analytics-based testing and transaction monitoring actually becomes a more effective and efficient form of control and compliance enforcement?
Dealing with risks and controls in P2P processes involving a wide range of different vendors is not easy—particularly when the terms of individual contracts can be varied and complex. Fortunately, data analysis can be used to test all transactions against a broad range of risk, compliance and control issues, both commonplace ones and those that relate to specific contractual terms and regulations. Suites of analytic tests can be run as needed, or on an ongoing basis as a form of continuous monitoring. The advantage of automated tests is that issues are highlighted on a far more timely basis, which means problems can be addressed before they escalate and cause more damage.
This is just the beginning
In this post, the intent is to increase awareness of the potential for data analysis. In a future post, we will look at some specific ways that data analytics can improve risk and control practices (and specifically fraud prevention and detection) in government P2P systems. These can range from simple (but powerful) forms of analytics, such as comparing expenditures for similar goods and services across multiple vendors, to those designed to identify instances of sophisticated vendor fraud.
Most managers responsible for risk and control processes in government systems have at least some awareness of the potential benefits of data analytics. What many of these managers may not be aware of is the best way to get going and actually implement analytics—and to do so in a sustainable and well-managed way. So there are a number of areas we will address in subsequent blog posts, including: how to get started, how to obtain the best “bang-for-the-buck” and find the “low-hanging fruit,” and how to constantly make progress in the way that risk and control analytics are applied across P2P systems.