1. Best in Class Controls for AP The Institute of Financial Operations Indiana – Southern Illinois Chapter June 15, 2011 Sherry DePew

2. About The Speaker Sherry DePew, Vice President of Account Management for Lavante 14 years at Boise Cascade, Director of Global Shared Services President and founding member of Idaho IAPP Chapter President: Oracle/PeopleSoft Accounts Payable Product User Group President Oracle Supplier Relationship Management User Group Co-founder and Board member of Oracle Featured AP and P2P writer and blogger for several on-line resources

3. Agenda Segregation of Duties Benefit of Segregation of Duties Financial System Access Controls Electronic Data Management (EDM) ACH/EFT vs. Check New Vendor’s Vendor Changes Purchase to Pay Control Continuum

4. Controls - Segregation of Duties Persons establishing vendors should not write, process or approve PO’s, receipts or invoices. Persons making changes to vendor data should not write, process or approve PO’s, receipts or invoices. Persons with access to add or change vendor information should not handle payments of any type. Persons with authority to request a check or payment should not approve, sign or handle payments. The person(s) issuing checks should not not reconcile bank accounts. Ensure reconciling of accounts is done by different people within cost centers. Establish a separate post office box for returned checks. Replace your company name and address on disbursement envelopes with a simple post office box number.

5. Benefits of Segregation of Duties One of the most difficult & complex set of controls to implement, monitor and manage. Mitigates Risk of Deliberate Fraud Mitigates Risk of legitimate errors Mitigates Cost of Corrective Action Organization’s Reputation for Integrity and Quality Enhanced

6. Control of Security Object Privileges Screens Pages Read vs. Change Access Control of Multiple Security Profiles Access to add users and change their security profiles Controls - Financial System Access

7. Controls for the Tracking and Storage of Electronic Documents Controls Often Reside in Enterprise Departments Responsible for Emails, Documents & Files Purchase to Pay workflow with Images and Approvals Make sure that images of approvals, exceptions and original documents can be accessed for External Audit and SOX Control Testing Controls - Data Management (EDM)

8. Controls - ACH/EFT vs. Paper Checks Mitigate Risk for Paper Checks Positive Pay Reverse Positive Pay Check Stock Handling Void Check Process Mitigate Risk for ACH or EFT Handling of file sent to Bank, Clearing House or Outsource Provider Access and Protection of payment file Bank Account Design Funding Process

9. Controls – Establishing/On-Boarding a New Vendor Most Critical Control for Fraud Prevention IRS TIN - Name Consistency Verify Name and TIN against IRS data OFAC and FTO Checks Check vendors against OFAC / FTO list and other lists Utilize 3rd Party Databases Add D&B Numbers Add SIC or NAICS codes Add Credit Information Obtain W-9 or Substitute Obtain Minority Owned Business, Women Owned Business status, etc.

10. Controls – Vendor Changes Same or Greater Risk than On-Boarding a New Vendor Vendors Must be Participative in Changes Controls that are no longer effective Banks Accounts Changes (Treasury?) Merging Vendors Vendor Name Changes

11. Controls – Purchase to Pay Control Continuum Procurement Invoice Processing Accounting Check Requests Vendor File Management Goods Receipt AP is Part of a Continuous Procure to Pay Cycle With A Great Potential for Risk. Separation of Duties Should Look Across the Entire Cycle