Effective risk management and control of vendors and contracts in the procure-to-pay (P2P) process creates challenges for organisations in all sectors. The significant financial outlays involved in purchasing goods and services also present many opportunities for problems to occur in terms of fraud, waste, abuse and inefficiencies.
Finance managers are aware of these challenges and respond by assessing risks and implementing controls designed to reduce the likelihood of negative outcomes. But many issues remain. For example, how can those responsible be certain that all relevant controls are effective? What if certain types of risks have not even been considered and so no controls were established to prevent different types of fraud and abuse? Conversely, what if there are so many control procedures in place that processes become exceedingly slow and cumbersome, draining resources?
The right balance
The real challenge is to achieve a balanced approach to controls around procurement contracts and payment processes: one that is efficient and effective, while also minimising the likelihood and scale of potential fraud, waste, abuse and regulatory non-compliance.
Many finance professionals rely on control configuration settings in their ERPs or financial applications to manage the control process, but this approach is often less than watertight. Certain ERP control settings are often turned off in order to make processes quicker and simpler. Or the settings that are relied upon may simply not be effective in addressing certain risk types. Of course, the reality is that no conventional control system is perfect. The real need is to find out what specific transactions and activities are problematic and need closer examination, so that they can be fixed, and more effective controls implemented.
The power of data analytics
This is where technology, specifically data analysis and continuous transaction and control monitoring, plays a huge role. What if all P2P activities are automatically analysed and tested to determine whether the controls are effective, whether the activities comply with control and regulatory requirements, and whether specific suspect transactions are identified? What if analytics-based testing and transaction monitoring becomes a more effective and efficient form of control and compliance enforcement?
Dealing with risks and controls in P2P processes involving a wide range of different vendors is not easy, especially when the terms of individual contracts can be varied and complex. Fortunately, data analysis can be used to test all transactions against a broad range of risk, compliance and control issues, both commonplace ones and those that relate to specific contractual terms and regulations. Suites of analytic tests can be run as needed, or on an ongoing basis as a form of continuous monitoring. The advantage of automated tests is that issues are highlighted on a far timelier basis, which means problems can be addressed before they escalate and cause more damage.
In this post, the intent is to increase awareness of the potential for data analysis. In a future post, we will look at some specific ways that data analytics can improve risk and control practices, and specifically fraud prevention and detection, in procure-to-pay (P2P) systems. These can range from simple but powerful forms of analytics, such as comparing expenditures for similar goods and services across multiple vendors, to those designed to identify instances of sophisticated vendor fraud.
Most financial managers responsible for risk and control processes have some awareness of the potential benefits of data analytics. What many of these managers may not be aware of is the best way to get going and implement analytics, and to do so in a sustainable and well-managed way. There are several areas we will address in subsequent blog posts, including: how to get started, how to obtain the best “bang-for-the-buck” and find the “low-hanging fruit,” and how to constantly make progress in the way that risk and control analytics are applied across P2P systems.