
Anti-Fraud Management Example

In Accounts Payable
Michael Heckner
October 12, 2012
GRC
Top Reasons Customers Invest Today

Business Process Improvements
• Systematic, reliable processes
• Improve predictability and performance

Avoid “Negative” Business Issues
• Prevent irregularities such as fraud
• Prevent human errors
• Avoid financial losses
• Avoid damage to reputation

Compliance
• Comply with governmental regulations and legislation
• Comply with industry regulations
• Comply with internal company policies

© 2011 SAP AG. All rights reserved. 2


Economic Crime and Errors
What Is the Damage Caused by Fraud and Errors?

Economic Crime
• Average fraud loss: 5% of annual revenue
• One-fourth of the frauds caused at least $1 million in losses
  (“2010 Report to the Nation,” ©2010 by the Association of Certified Fraud Examiners, Inc.)
• 46% of organizations with 1000+ employees reported suffering at least one significant economic crime in the past 12 months. In addition to direct financial impact there is indirect or collateral damage incl. employee morale, business relations, reputation/brand, relations with regulators, share price, etc.
  (PwC Global Economic Crime Survey Nov 2009)
• 40% believe there is a greater risk of fraud in the current economy: “Staff reductions resulting in fewer resources deployed on internal controls”.
  (PwC Global Economic Crime Survey Nov 2009)
• Estimates are hard to get
• Grey zone of criminal behavior
• High number of unreported cases

Employee Errors
• More frequent than “crime”?
• Insufficient controls can result in:
  Procurement Errors
  Overpayments to Vendors
  Excessive Rebates to Customers
  Changes to Payment Terms
  Accidental Leakage of Intellectual Property
  Etc.
• Nearly impossible to track the total financial impact of employee errors



Overview SAP GRC
Top-down and bottom-up risk management / compliance

[Diagram, labels only] SAP GRC Risk Management and Policy Management sit above SAP GRC Process Control, which spans Company Wide Controls, Procure to Pay Controls, Order to Cash Controls and IT (General) Controls; SAP GRC Access Control sits beside the IT (General) Controls; Internal Audit Management runs underneath all of them.



Enterprise Risk Management
Business Risks Cause Majority of Losses

Head of Risk Management

87% of risks are not financial

Material risk events encountered in the past three years (for enterprises over US$5 billion in revenue):

Operational
• Hurricane Katrina
• Data center outage
• Delivery risk
• Blast furnace cold run
• Safety of goods or products
• ERP application crash
• Plant disaster causing production stoppage

Legal & Compliance
• Fraud
• Product liability claims
• Missed time line for legal changes
• Embezzlement of parts

Strategic
• Industry consolidation and globalization
• Error-filled release of software upgrade
• Change in core product demand
• Cancellation of major customer contracts
• Performance standards and service quality

Environmental/Health
• West Nile Virus
• Safety crisis
• Compliance with environmental standards
• Food sanitary management problem
• Climate change
• Environment pollution

Political/Geopolitical
• Change of government – and minority governments
• Grants and budget changes
• Constant change of ministers
• Federal Accountability Act
• Terrorism

Financial
• Currency exchange rates
• Interest issue and increasing reserves
• Accuracy of realistic balance sheet reporting
• Ability to manage cash
• Non-transparent markets
• Economic recession
• Energy and commodity costs

Source: IBM Global Business Services, The Global CFO Study 2008.



Examples of Enterprise Risks (Transportation Industry)

Strategic Risks
• Freight Rates
• Oil & Gas Prices
• Political Risks
• Information Risk

Financial Risks
• Liquidity
• Credit Risk
• Foreign Exchange
• Insurance (Self-Insurance)

Operational Risks
• Major Safety Incidents
• Major Environmental Incidents
• War, terrorism or piracy attack
• Procedures and Controls

Compliance Risks
• Human Rights (OECD Standards)
• Tax
• Anti-corruption, competition and export control



Examples of Enterprise Risks

[Risk map; only its top-level structure is recoverable from the extracted text. Each column of the original grid lists individual risk areas under the headings below.]
Governance: Corporate Ethics; Corporate Governance; Corporate Responsibility / Sustainability
Strategy and Planning: External Factors; Planning; Strategy
Operations: Corporate Assets; Finance; Human Resources; Information Technology; Legal; Product Development; Sales, Marketing & Communication; Supply Chain
Compliance
Reporting

Source: Deloitte Risk Intelligence Map, 2009
SAP Risk Management Heatmap

Fraudulent AP activities



Risk “Fraudulent Accounts Payable”
Chief Security Officer / IT

Prevent
Accounts Payable risk
(errors and fraud)



Risk “Fraudulent Accounts Payable”
Chief Security Officer / IT

Prevent
Accounts Payable risk
(errors and fraud)

1st Risk Driver:


Lack of SoD



Risk “Fraudulent Accounts Payable”
Chief Security Officer / IT

Prevent
Accounts Payable risk
(errors and fraud)
(resulting from lack of SoD)

1st Risk Driver:


Lack of SoD



Risk “Fraudulent Accounts Payable”
Chief Security Officer / IT

Prevent Accounts Payable errors and fraud (resulting from lack of SoD)

Access Control



Risk “Fraudulent Accounts Payable”
Chief Security Officer / IT
Head of Internal Controls
Head of Compliance

Prevent Accounts Payable errors and fraud (resulting from lack of SoD)

Question: Are SoD violations the only risk to the “Accounts Payable” process ???

IT General Control 1: Access Control



Risk “Fraudulent Accounts Payable”
Chief Security Officer / IT
Head of Internal Audit, Controls, Compliance

Example: What about abuse of “one time vendor accounts” ???

Process-Level Control 1: Accounts Payable
IT General Control 1: Access Control



Risk “Fraudulent Accounts Payable”
Chief Security Officer / IT
Head of Internal Audit, Controls, Compliance

Example: What about abuse of “one time vendor accounts” ???

Payments

Date   Vendor             Amount
1.10.  ABC Chemicals       1,599.-
2.10.  Anonymous1          1,000.-
2.10.  Northstar Energy      563.-
5.10.  Anonymous1         10,000.-
9.10.  Hardware Central   23,618.-

Process-Level Control 1: Accounts Payable
IT General Control 1: Access Control
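The process-level control the slide is asking for, written out as an added example (it is not code from the deck or from SAP Process Control). It runs over the payment list shown above as constructed sample data; the set of one-time vendor accounts, the single-payment threshold and the rule names are assumptions for illustration.

```python
"""Process-level control: flag suspicious use of one-time vendor accounts.

Added example, not from the slide deck. The payment rows are the constructed
sample from the slide; ONE_TIME_ACCOUNTS, the threshold and the rule names
are assumptions made for this illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    date: str      # day.month. exactly as printed on the slide
    vendor: str
    amount: float


# Constructed sample: the payment list shown on the slide.
PAYMENTS = [
    Payment("1.10.", "ABC Chemicals", 1599.0),
    Payment("2.10.", "Anonymous1", 1000.0),
    Payment("2.10.", "Northstar Energy", 563.0),
    Payment("5.10.", "Anonymous1", 10000.0),
    Payment("9.10.", "Hardware Central", 23618.0),
]

# Assumed: vendor master records that are one-time (collective) accounts.
ONE_TIME_ACCOUNTS = {"Anonymous1"}


def check_one_time_vendors(payments, one_time_accounts, max_single=5000.0):
    """Return control findings as (rule, vendor, detail) tuples.

    'repeat-use': a one-time account is paid more than once in the period,
    which is the very pattern such an account should never show.
    'large-amount': a single payment to a one-time account exceeds max_single.
    """
    findings = []
    by_vendor = defaultdict(list)
    for p in payments:
        if p.vendor in one_time_accounts:
            by_vendor[p.vendor].append(p)
            if p.amount > max_single:
                findings.append(("large-amount", p.vendor, f"{p.date} {p.amount:,.2f}"))
    for vendor, rows in by_vendor.items():
        if len(rows) > 1:
            total = sum(r.amount for r in rows)
            findings.append(("repeat-use", vendor, f"{len(rows)} payments, total {total:,.2f}"))
    return findings


if __name__ == "__main__":
    for finding in check_one_time_vendors(PAYMENTS, ONE_TIME_ACCOUNTS):
        print(finding)
```

On the slide's data both rules fire for Anonymous1, which is the issue the later "Drill-Down into One-Time Vendor Issue" slide would surface in the issues report.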



Risk “Fraudulent Accounts Payable”
Chief Security Officer / IT
Head of Internal Audit, Controls, Compliance

Example: What about other process level risks in Accounts Payable ???

Process-Level Control 1: Accounts Payable … Process-Level Control n: Accounts Payable
IT General Control 1: Access Control



Risk “Fraudulent Accounts Payable”
Chief Security Officer / IT
Head of Internal Audit, Controls, Compliance

Business Necessity: Process and Access Level Controls to protect the AP process

Process-Level Controls 1-n: Accounts Payable
IT General Control 1: Access Control



Other Risks?
In Other Processes? At the IT-Level?
Head of Internal Audit, Controls, Compliance
Chief Security Officer / IT

What about other processes and their controls?

Process 1: Procure to Pay Controls … Process n: Order to Cash Controls
IT General Control 1: Access Control … IT General Control n: Controls



Other Risks?
In Other Processes? At the IT-Level?
Chief Security Officer / IT
Head of Internal Audit, Controls, Compliance

Group/Entity: Company Wide Controls … Group/Entity: Company Wide Controls
Process 1: Procure to Pay Controls … Process n: Order to Cash Controls
IT General Control 1: Access Control … IT Control n: (IT General) Controls



SAP Process Control
Control at all levels
Head of Internal Audit, Controls, Compliance
Chief Security Officer / IT

SAP Process Control covers:
Group/Entity: Company Wide Controls … Group/Entity: Company Wide Controls
Process 1: Procure to Pay Controls … Process n: Order to Cash Controls
IT General Control 1: Access Control … IT Control n: (IT General) Controls



Risk-based Approach to Internal Controls
Head of Risk Management
Head of Internal Audit, Controls, Compliance
Chief Security Officer / IT

SAP Risk Management sits above SAP Process Control, which covers:
Group/Entity: Company Wide Controls … Group/Entity: Company Wide Controls
Process 1: Procure to Pay Controls … Process n: Order to Cash Controls
IT General Control 1: Access Control … IT Control n: (IT General) Controls



Continuous Monitoring Example
Accounts Payable Manager - Dashboard



Continuous Monitoring Example
Accounts Payable Manager: Issues Report



Continuous Monitoring Example
Drill-Down into One-Time Vendor Issue



Continuous Monitoring Example
Accounts Payable Manager: Issues Report



Continuous Monitoring Example
Drill down into Segregation of Duties Issue



Achieving Higher Confidence

[Chart: number of controls (# controls) over time. Today: Manual Controls only.]



Achieving Higher Confidence
Lower Cost

Cost Reduction
• Less Manual Labor
• Less Pushback from the Business
• Lower Cost of Preparing for an Audit

[Chart: # controls over time. Today: Manual Controls. Maturity Level 1: Automated Controls take over part of the Manual Controls.]



Achieving Higher Confidence
Lower Cost and Business Process Improvement

Cost Reduction and Process Improvement
• More controls
• More granularity
• Less Manual Labor
• Higher frequency of checks
• Less Pushback from the Business
• Consistency
• Lower Cost of Preparing for an Audit

[Chart: # controls over time. Today: Manual Controls. Maturity Level 1: Automated Controls beside a smaller share of Manual Controls. Maturity Level 2: more Automated Controls in total, with Manual Controls reduced further.]



Achieving Higher Confidence
Lower Cost and Business Process Improvement

Cost Reduction and Process Improvement

[Chart: # Controls and Cost over Time. Today: Manual Controls. Maturity Level 1: Automated Controls plus Manual Controls. Maturity Level 2: Automated Assurance, with Manual Controls reduced and overall Cost falling.]



Managing Risk and Compliance
SAP GRC Solutions

Managing Risk and Compliance ensures all categories of risk across the organization are aggregated at the enterprise level and managed holistically.

CEO / CFO

Head of Risk Management: Enterprise Risk Management
  SAP GRC Solution: SAP Risk Mgmt (Risk Planning, Risk Identification, Risk Analysis, Risk Response, Risk Monitoring)

Head of Compliance / Controls / Internal Audit: Risk-Based Internal Controls
  SAP GRC Solution: SAP Process Control (Document Compliance Initiatives, Plan and Perform Assessments and Tests, Remediate Issues and Certify)

Head of Internal Audit / Chief Security Officer: Access Management
  SAP GRC Solution: SAP Access Control (Access Planning, Access Analysis & Response, Access Monitoring)

Head of Internal Audit: Audit Management
  SAP GRC Solution: SAP Audit Mgmt (Audit Planning, Manage Audit Engagements, Results Remediation)

All solutions run on SAP NetWeaver.



Questions?

Michael Heckner
Sr. Director,
EMEA Solutions Business Development

Phone +49 (170) 8 555 125


Michael . Heckner @ sap . com
www.sap.com/grc



Thank You!

Contact information:

Michael Heckner
Sr. Director, EMEA Solution Business Development (GRC)
Zeppelinstrasse 2
85399 Hallbergmoos/München
+ 49 6227 – 7 – 54143
