Process Control Optimization with SAP

The procure-to-pay cycle, which includes all activities from the procurement of goods and
services to receiving invoices and paying vendors, is a basic business process. It also presents
significant risks if all aspects are not managed effectively and monitored continuously.
Organizations that do not have optimal control over, and visibility into, their procure-to-pay
business cycle can face late fees, missed discounts, wasted time and loss of assets – as well as
noncompliance issues – due to inaccuracies or overlooked incidents of fraudulent activity.
Following are the three major phases of the procure-to-pay business cycle and some common
risks organizations face in each area due to a lack of effective controls and visibility:

Supplier management (vendor master file) – duplicate and unauthorized vendors,
unauthorized access to the vendor master file, and incorrect 1099 reporting

Purchasing – unauthorized purchases, inaccurate purchase order processing, and
unauthorized returns, adjustments and allowances

Accounts payable – incomplete or inaccurate payment information, duplicate
payments, liabilities and disbursements not recorded completely, and invoices that do
not represent goods and services actually received
One key reason organizations have difficulty managing and monitoring their procure-to-pay
process effectively is an overreliance on manual controls, which are prone to errors and can be
easily changed or circumvented. To make better use of automated controls and optimize their
overall control environment, more organizations are choosing to improve their knowledge of the
functionality within their enterprise resource planning (ERP) solutions, such as the SAP ERP
Central Component (ECC) 6.0. Companies are realizing significant cost and resource savings
by optimizing their ECC configuration and deploying governance, risk and compliance (GRC)
solutions like SAP BusinessObjects GRC.
SAP’s GRC solution performs critical monitoring of major business processes on a continuous
basis. Configurable and customized controls can be easily implemented and maintained in the
procure-to-pay cycle so that inaccuracies and inconsistencies, as well as potential incidents of
fraud and noncompliance, can be identified and addressed quickly. However, despite the
availability of tools like SAP BusinessObjects GRC, many organizations fail to take full
advantage of the procure-to-pay control options available in their SAP environment, primarily
because they are not aware of SAP ECC 6.0’s standard control functionality.
By implementing and maintaining optimized controls within SAP – and using the right mix of
both automated and manual controls to ensure all gaps in the procure-to-pay process are
closed – organizations can reduce the risk of fraudulent activity (both through prevention and
detection), ensure compliance with Sarbanes-Oxley, and generate significant cost savings.
The ideal control environment for managing risks effectively in the procure-to-pay cycle should
include the following six areas:

Configurable controls – these controls are designed to maintain the integrity of “master
data,” such as information in the vendor master file

Manual controls – these controls include approvals by authorized individuals (SAP
automated workflow also can be set up for approvals)

General IT controls – the computing controls and IT notifications process that reduce
the risk of unauthorized changes to SAP systems

Detective reports – SAP, for example, has many standard detective reports that do not
need to be customized to be used as control reports

Security – this includes clearly defining access rights and segregation of duties rules

Policies and procedures – the rules that dictate how the organization controls, within
its purchase cycle, which vendors will be used, what their limits are, and which people in
the organization have the authority to approve invoices and purchase orders
There are many problems common to organizations that do not have optimized control of their
procure-to-pay business cycle. The following are examples typically experienced in the supplier
management, purchasing and accounts payable processes.
Supplier Management
For many businesses, especially large national or global companies working with a wide range
of suppliers, the vendor master file can grow exponentially very quickly. This makes master data
associated with the procure-to-pay process difficult to maintain efficiently, leaving the
organization more susceptible to the risk of financial leakage and fraud.
Here is one example of what can happen when the supplier management process is not
optimally controlled: Protiviti’s GRC and SAP experts recently examined the vendor master file
of a large organization and discovered it had listings for more than 28,000 active suppliers, but
63 percent (or more than 17,700) had not had invoice or payment activity in longer than three
years. Additionally, more than 1,700 vendors appeared to be duplicates, and more than 1,500
had invalid or incomplete information recorded in the vendor master file.
It is not unusual to find a number of suppliers in the vendor master file that have not been used
recently, have not been marked for deletion, or have not been designated as “blocked” so that
no further invoices related to those specific vendors can be processed. To ensure greater
accuracy in this critical aspect of the procure-to-pay process, organizations should “clean
house” in their vendor master file and apply more control over how their vendors are being set
up in the system – and how they are being utilized.
Purchasing
The purchase order process is one area that many businesses are working hard to optimize
with better controls. Often, companies already have established a solid purchase order process
and implemented strong controls within SAP or another ERP system, and are successfully using
the three-way match (invoice, receipt, purchase order) to approve invoices automatically for
payment. However, it is common to find that even the most organized and proactive businesses
are not taking full advantage of the control optimization settings available in their SAP
environment.
One typical issue that can arise around the purchase order process (even in well-controlled
environments) is the invoice date appearing before the purchase order date in the system. This
usually occurs when an invoice is received before the purchase order is set up, making the
critical three-way match more of a formality than a control. Inadequate training and lack of
compliance with the process are often root causes.
Other problems in the procure-to-pay process commonly seen across organizations in relation
to purchase order processing include the following: a significant delay occurring between the
time when the receipt is received and when it is processed against the purchase order in the
system; a lack of compliance regarding what purchases require a purchase order; and a lack of
review of aged open purchase orders. These issues can occur when procedures to issue
purchase orders in a timely manner are inconsistent, proper approvals and controls for
assigning purchase orders do not exist, and management support is absent.
Accounts Payable
In the past two years, many companies have been working to optimize their working capital.
Some of these efforts have been motivated by recent economic conditions, while other
businesses simply want to make a more concerted effort toward managing their working capital
more efficiently. One way an SAP ERP system and effective GRC tools can support this type of
initiative is by ensuring the terms of contracts that have been negotiated are captured in the
procure-to-pay system, and that these terms cannot be overridden by unauthorized parties.
Close examination of the accounts payable process often reveals that contract terms negotiated
with a vendor do not appear on the purchase order or do not flow through to the invoice. This
can happen when information from a vendor contract or other relevant communication has not
been entered into the vendor master file. And if appropriate controls are not set up around the
ability to override at the invoice and purchase order level, the terms negotiated with a vendor
can easily be changed – which means potential abuse may go undetected. Organizations
should reinforce payment terms through ongoing training and compliance activities, as well as
increased collaboration between procurement and accounts payable teams.
The above are just some examples of common issues that can occur in an environment where
controls have not been optimized and there is an overreliance on manual processes. Following
are examples of how control optimization with GRC tools, such as SAP BusinessObjects GRC,
can help organizations mitigate risks throughout the procure-to-pay process.
Risk Area: Vendor Maintenance
Duplicate vendor listings are not just an annoyance; they also present serious risk. If the same
vendor appears in the system twice, there is the potential for duplicate payments. Additionally, if
purchases are not associated with the correct vendor, the organization may miss national
volume discounts that have been arranged with that supplier.
To eliminate the risk of duplicate vendors, businesses should establish strong controls around
vendor request and approval processes. This includes ensuring that only an authorized person
(or persons) who does not process purchase orders or invoice payments can update the vendor
master file with new vendors or change data related to an existing vendor, such as updated
contract terms.
There are common optimization opportunities within these different steps that organizations can
utilize. These include the centralized vendor maintenance function (this may not be possible for
some organizations, such as smaller businesses that do not have a centralized function for
vendor maintenance), mandatory fields for vendor master, master data integrity checks, and
correct settings for duplicate checks (see Figure 1).
Figure 1: Examples of SAP controls that can be used to optimize the procure-to-pay process
and help minimize the risk of errors and fraud.
One example of an SAP control that helps businesses to achieve these optimization
opportunities in the SAP ECC 6.0 and ECC 5.0 environments is the configuration of vendor
master mandatory fields. This control helps ensure that purchases and purchase orders are
complete, and that during invoice processing, essential documents used for verification can be
compared fully. Without implementing this control, an organization can experience a breakdown
in both areas. And there is an additional benefit to having the same fields populated
consistently: It assists with other controls, such as the automated duplicate vendor check.
Another SAP control is the dual authorization for sensitive fields, which protects extremely
sensitive vendor master data fields, such as bank account information. The dual authorization
requirement can help minimize risk of fraud. For instance, organizations can avoid the possibility
of having an “insider” change a vendor’s bank account number to that of their own account in
order to collect illegitimate payments from the business.
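The following is an added illustration of the dual authorization ("four-eyes") principle described above, written for this page rather than taken from SAP or from Protiviti. It is not SAP code and does not use SAP's data model: the set of sensitive fields, the user ids, the vendor record and the audit-log format are all constructed for the example. The point it shows is that a change to a sensitive field never becomes effective on one person's authority, and that the person who requested the change is refused as its confirmer.

```python
"""Four-eyes (dual authorization) control for sensitive vendor master fields.

Added example, not SAP's implementation. Field names, user ids and the vendor
record below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Fields whose change must be confirmed by a second, different user before it
# takes effect. Constructed set; an organization would define its own.
SENSITIVE_FIELDS = {"bank_account", "bank_key", "payment_method"}


@dataclass
class PendingChange:
    vendor_id: str
    field_name: str
    old_value: str
    new_value: str
    requested_by: str


@dataclass
class VendorMaster:
    # Effective (confirmed) vendor data: vendor_id -> {field: value}
    records: Dict[str, Dict[str, str]]
    pending: List[PendingChange] = field(default_factory=list)
    audit_log: List[str] = field(default_factory=list)

    def change_field(self, vendor_id: str, field_name: str, new_value: str, user: str) -> str:
        """Apply a change directly, or park it for confirmation if the field is sensitive.

        Returns 'applied' or 'pending' so the caller can see which path was taken.
        """
        record = self.records[vendor_id]
        old_value = record.get(field_name, "")
        if field_name in SENSITIVE_FIELDS:
            # A sensitive field never changes on one person's authority alone.
            self.pending.append(PendingChange(vendor_id, field_name, old_value, new_value, user))
            self.audit_log.append(f"PENDING {vendor_id}.{field_name} {old_value!r}->{new_value!r} by {user}")
            return "pending"
        record[field_name] = new_value
        self.audit_log.append(f"APPLIED {vendor_id}.{field_name} {old_value!r}->{new_value!r} by {user}")
        return "applied"

    def confirm(self, vendor_id: str, field_name: str, confirmer: str) -> str:
        """A second user confirms a parked change. Returns 'confirmed' or 'rejected:<reason>'."""
        for i, change in enumerate(self.pending):
            if change.vendor_id == vendor_id and change.field_name == field_name:
                if confirmer == change.requested_by:
                    # Segregation of duties: the requester cannot confirm their own change.
                    self.audit_log.append(f"REJECTED self-confirmation of {vendor_id}.{field_name} by {confirmer}")
                    return "rejected:same_user"
                self.records[vendor_id][field_name] = change.new_value
                self.pending.pop(i)
                self.audit_log.append(
                    f"CONFIRMED {vendor_id}.{field_name} -> {change.new_value!r} "
                    f"by {confirmer} (requested by {change.requested_by})"
                )
                return "confirmed"
        return "rejected:no_pending_change"

    def effective_value(self, vendor_id: str, field_name: str) -> Optional[str]:
        return self.records[vendor_id].get(field_name)


def demo() -> VendorMaster:
    """Constructed walk-through: a non-sensitive change applies at once, a bank
    account change is parked, and the requester's own confirmation is refused."""
    vm = VendorMaster(records={"V1000": {"name": "Acme Supplies", "bank_account": "DE00 1111", "city": "Hamburg"}})
    vm.change_field("V1000", "city", "Berlin", user="ap_clerk")            # applied immediately
    vm.change_field("V1000", "bank_account", "DE00 9999", user="ap_clerk")  # parked
    vm.confirm("V1000", "bank_account", confirmer="ap_clerk")             # rejected:same_user
    return vm
```

The audit log is part of the control: the pending, rejected and confirmed entries are what a detective report or a later review would read to see who requested and who released each bank-detail change.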
Duplicate vendor check fields help companies quickly identify duplicate vendors in the vendor
master file, which allows them to minimize spend, realize discounts and avoid fraudulent
activity. One way that companies work against themselves in this area, however, is to add too
many fields in the duplicate vendor check. They assume adding more fields can help identify
more duplicate vendor listings. But the more fields an organization indicates it would like to have
match in the system, the fewer warning messages appear; this is because all “checked” fields
must match 100 percent in order to generate a warning.
Protiviti works with businesses to help configure a good balance of “checked” fields so that just
the right number of warning messages is generated: enough to prevent duplicate vendors, but
not so many that the ERP system gets bogged down. An additional note: Although more
businesses have become diligent about setting up duplicate vendor checks in their SAP
environment, they often do not realize the full benefit of these controls because they fail to turn
on the warning or error message configuration.
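As an added example that is not part of the original white paper and not SAP's own duplicate-check logic, the block below implements two detective checks over a constructed vendor master extract: the stale-vendor review described in the Supplier Management section (vendors with no invoice or payment activity in three years that have not been blocked or flagged for deletion), and the duplicate check discussed above, where a warning is raised only when every checked field matches. Running the duplicate check with two field sets shows the effect the text describes: adding a field whose values were keyed inconsistently (here the tax id) suppresses a warning that the name-and-city configuration raised. The vendor records, field names and dates are constructed.

```python
"""Detective checks over a vendor master extract (added example; not SAP code).

1. stale_vendors: unused for N years and still open for posting.
2. duplicate_warnings: warn only when ALL configured fields match, which is
   why adding more fields produces fewer warnings.
Records, field names and dates below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from itertools import combinations
from typing import Iterable, List, Optional, Sequence, Tuple
import re


@dataclass(frozen=True)
class Vendor:
    vendor_id: str
    name: str
    street: str
    city: str
    postal_code: str
    tax_id: str
    last_activity: Optional[date]   # last invoice or payment date; None if never used
    blocked: bool = False
    deletion_flag: bool = False


def _norm(value: str) -> str:
    """Normalize a field for comparison: case, punctuation and surplus whitespace."""
    return re.sub(r"[^a-z0-9]+", " ", value.lower()).strip()


def stale_vendors(vendors: Iterable[Vendor], as_of: date, years: int = 3) -> List[str]:
    """Vendors with no activity for `years` years that are neither blocked nor flagged for deletion."""
    cutoff = as_of.replace(year=as_of.year - years)   # same calendar day N years earlier
    return [
        v.vendor_id for v in vendors
        if (v.last_activity is None or v.last_activity < cutoff)
        and not (v.blocked or v.deletion_flag)
    ]


def duplicate_warnings(vendors: Sequence[Vendor], checked_fields: Sequence[str]) -> List[Tuple[str, str]]:
    """Pairs of vendors for which every checked field matches after normalization."""
    warnings = []
    for a, b in combinations(vendors, 2):
        if all(_norm(getattr(a, f)) == _norm(getattr(b, f)) for f in checked_fields):
            warnings.append((a.vendor_id, b.vendor_id))
    return warnings


# Constructed sample extract. V2 is the same supplier as V1 entered a second
# time (name and address match, tax id keyed without the hyphen); V4 has had
# no activity since 2007 and is still open; V5 is inactive but already blocked.
SAMPLE = [
    Vendor("V1", "Acme Supplies Inc.", "12 Main St", "Dallas", "75201", "12-3456789", date(2011, 3, 2)),
    Vendor("V2", "ACME SUPPLIES, INC", "12 Main St", "Dallas", "75201", "123456789", date(2010, 11, 9)),
    Vendor("V3", "Bolt & Nut Co", "8 Elm Rd", "Austin", "73301", "98-7654321", date(2011, 1, 15)),
    Vendor("V4", "Old Parts Ltd", "1 Dock Rd", "Houston", "77001", "55-5555555", date(2007, 6, 30)),
    Vendor("V5", "Closed Vendor", "2 Dock Rd", "Houston", "77001", "44-4444444", None, blocked=True),
]
AS_OF = date(2011, 6, 1)

if __name__ == "__main__":
    print("stale:", stale_vendors(SAMPLE, AS_OF))
    print("dupes (name, city):", duplicate_warnings(SAMPLE, ["name", "city"]))
    print("dupes (name, city, tax_id):", duplicate_warnings(SAMPLE, ["name", "city", "tax_id"]))
```

The same normalization should be applied to both configurations; the warning disappears in the three-field run not because the vendors are different but because one field was captured inconsistently, which is the trade-off the text warns about when many fields are checked.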
Risk Area: Purchase Order and Invoice Processing
Within the purchase order and invoice processing cycle, there are three main areas where SAP
can help organizations achieve better automation:

Match the purchase order to the goods receipt – This feature allows organizations to
make sure they do not accept receipts for goods that they did not order.

Match goods receipt quantity to invoice – The business can ensure it is not paying for
goods that have not been received.

Automatically approve invoice for payment – If a three-way match (purchase order,
goods receipt and invoice) is confirmed, the system will automatically issue a payment to
the vendor, saving time and avoiding human error or fraud.
Optimized Purchase Order and Invoice Processing Controls
SAP also provides the ability to set “tolerances” for the processing of invoices that relate to a
particular purchase order. Tolerances are designed to help streamline the procure-to-pay
process and minimize the number of inaccurate disbursements while reducing the number of
blocked payments due to unmatched invoices.
In many cases, there may be a valid reason for differentiation in purchase price between the
original purchase order and the invoice. Instead of blocking the payment outright, within SAP,
the organization can choose to accept allowable tolerances of price differences to streamline
the payment process and prevent any manual investigation, which can be both time- and
resource-intensive. So if a price difference falls into the acceptable tolerance range and is within
the organization’s risk appetite, the payment can be made on that invoice.
Another tolerance check covers quantity differences between a purchase order or invoice and a
goods receipt. These tolerances help ensure that the company does not receive something it did
not order and does not pay for something it did not receive. The item amount check determines
whether SAP blocks invoice items when their value exceeds a predefined amount in the system.
For example, if the business has ordered 100 items, but has only received 99, payment can still
be approved. But if the organization receives 101 items, this quantity may exceed set tolerances
and the payment will be blocked.
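The block below is an added example, not SAP's matching logic or its tolerance keys, that carries the checks described in this section through in code: goods receipt against ordered quantity, invoice quantity against goods received, invoice price against purchase order price within a tolerance, and the item amount check. The tolerance values, the rule that a price variance blocks when either the percentage or the absolute limit is exceeded, and the sample documents are constructed for the example. With a zero over-delivery tolerance it reproduces the 99-received-released, 101-received-blocked case from the text.

```python
"""Three-way match with tolerances (added example; not SAP's implementation).

Checks: GR vs PO quantity, invoice vs GR quantity, price variance vs PO price,
and an item amount ceiling. An empty result means the invoice item is released
for payment; each string is a block reason. Tolerance values and the
either-limit price rule are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Tolerances:
    over_delivery_pct: float = 0.0       # GR may exceed PO quantity by this percentage
    price_variance_pct: float = 2.0      # invoice unit price may deviate from PO price by this %
    price_variance_abs: float = 50.0     # or by this absolute amount per unit; exceeding either blocks
    item_amount_limit: float = 25_000.0  # invoice items above this value are blocked for review


@dataclass
class PurchaseOrder:
    quantity: float
    unit_price: float


@dataclass
class GoodsReceipt:
    quantity: float


@dataclass
class Invoice:
    quantity: float
    unit_price: float


def three_way_match(po: PurchaseOrder, gr: GoodsReceipt, inv: Invoice, tol: Tolerances) -> List[str]:
    """Return the list of block reasons; an empty list releases the item for payment."""
    reasons: List[str] = []

    # 1. Match goods receipt to purchase order: do not accept more than was ordered.
    if gr.quantity > po.quantity * (1 + tol.over_delivery_pct / 100):
        reasons.append(f"over-delivery: received {gr.quantity:g}, ordered {po.quantity:g}")

    # 2. Match invoice quantity to goods receipt: do not pay for goods not received.
    if inv.quantity > gr.quantity:
        reasons.append(f"invoice quantity {inv.quantity:g} exceeds goods received {gr.quantity:g}")

    # 3. Price variance between invoice and PO (constructed rule: either limit exceeded blocks).
    diff = abs(inv.unit_price - po.unit_price)
    pct = diff / po.unit_price * 100 if po.unit_price else float("inf")
    if pct > tol.price_variance_pct or diff > tol.price_variance_abs:
        reasons.append(f"price variance {pct:.2f}% / {diff:.2f} per unit outside tolerance")

    # 4. Item amount check: large items always go to manual review.
    amount = inv.quantity * inv.unit_price
    if amount > tol.item_amount_limit:
        reasons.append(f"item amount {amount:.2f} exceeds limit {tol.item_amount_limit:.2f}")

    return reasons


if __name__ == "__main__":
    tol = Tolerances()
    po = PurchaseOrder(quantity=100, unit_price=10.00)
    print("99 received:", three_way_match(po, GoodsReceipt(99), Invoice(99, 10.00), tol) or "released")
    print("101 received:", three_way_match(po, GoodsReceipt(101), Invoice(101, 10.00), tol))
```

Each reason is kept separately rather than collapsed into a single blocked flag so that the payment block can be traced to the tolerance that caused it, which is what an accounts payable reviewer needs in order to decide whether the tolerance or the document is at fault.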
Within a three-way match in the procure-to-pay process, there are up to 15 SAP settings that
can be configured and customized, depending on an organization’s various payment and
purchase order scenarios. The results of control optimization in the procure-to-pay cycle are the
use of more automated processes, a reduction in the risk of human error and fraud, and the
realization of the full ERP functionality purchased with SAP.
Within SAP, which is a complete ERP system, there are configurable controls available for a
wide range of major business processes beyond the procure-to-pay cycle. Protiviti has a listing
of more than 400 configurable controls that can be utilized within all the various processes that
are depicted in Figure 2 below.
Figure 2: Standard SAP ECC 6.0 functionality provides hundreds of configuration
settings that can be automated and optimized for operational and financial
reporting processes.
Once Protiviti has helped an organization configure its controls and optimize its environment,
SAP can provide additional solutions – such as its SAP BusinessObjects Process Controls –
that will help monitor the health of the configurations designed and set during implementation
and make sure they do not change without proper authorization. Continuous monitoring with
SAP GRC Process Control streamlines a company’s ongoing Sarbanes-Oxley compliance
efforts.
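The monitoring idea in the paragraph above, checking that configurations designed at implementation have not changed without proper authorization, can be illustrated with a baseline comparison. The block below is an added example written for this page; it is not SAP BusinessObjects Process Control and does not read SAP configuration tables. It fingerprints an approved baseline of control settings, compares a current extract against it, and reports every difference that is not backed by an approved change record. The setting names, values and the shape of the change records are constructed.

```python
"""Configuration drift check for control settings (added example; not SAP Process Control).

A baseline of approved settings is fingerprinted; each monitoring run compares
the current extract to it and reports differences that have no approved change
record. Setting names and values below are constructed.
"""
import hashlib
import json
from typing import Dict, List, Set

Settings = Dict[str, object]

# Control settings as approved at go-live (constructed).
BASELINE: Settings = {
    "vendor_master.mandatory_fields": ["name", "street", "city", "tax_id", "bank_account"],
    "vendor_master.duplicate_check_fields": ["name", "city"],
    "vendor_master.duplicate_check_message": "warning",
    "vendor_master.dual_control_fields": ["bank_account", "bank_key"],
    "invoice.price_variance_pct": 2.0,
    "invoice.item_amount_limit": 25000.0,
}

# Current extract (constructed): the price tolerance was raised under an
# approved change; the duplicate-check message was silently switched off.
CURRENT: Settings = dict(BASELINE)
CURRENT["invoice.price_variance_pct"] = 5.0
CURRENT["vendor_master.duplicate_check_message"] = "none"

# Setting keys covered by an approved change record (constructed).
APPROVED_CHANGES: Set[str] = {"invoice.price_variance_pct"}


def fingerprint(settings: Settings) -> str:
    """Stable SHA-256 over a canonical JSON form; equal fingerprints mean no change at all."""
    canonical = json.dumps(settings, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def config_drift(baseline: Settings, current: Settings, approved: Set[str]) -> List[str]:
    """Settings that differ from the baseline without an approved change record."""
    findings: List[str] = []
    for key in sorted(set(baseline) | set(current)):
        before, after = baseline.get(key), current.get(key)
        if before == after:
            continue
        if key in approved:
            # Authorized change: the baseline should be re-approved to include it.
            continue
        findings.append(f"UNAUTHORIZED CHANGE {key}: {before!r} -> {after!r}")
    return findings


def run_check() -> List[str]:
    """One monitoring run over the constructed extract."""
    if fingerprint(BASELINE) == fingerprint(CURRENT):
        return []   # nothing changed; skip the field-by-field comparison
    return config_drift(BASELINE, CURRENT, APPROVED_CHANGES)


if __name__ == "__main__":
    for finding in run_check():
        print(finding)
```

Storing only the fingerprint of the approved baseline makes the routine run cheaply on every cycle; the full comparison is needed only when the fingerprint differs, and the output names the exact setting so that the reviewer can match it against change records.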
How Companies Have Optimized Their SAP Environment
The life cycle of an SAP control optimization project includes three phases:

Analyze – The organization evaluates the current state of its SAP
environment to identify and understand any vulnerabilities and weaknesses.

Standardize and Automate – Weaknesses are prioritized and gaps are
closed with automated processes (in some cases, manual processes may
also be implemented).

Monitor – Once the environment has been optimized, continuous
monitoring is enabled. This is where SAP BusinessObjects GRC solutions
can help the organization maintain the optimized control environment it has
designed.
Case Study: SAP Controls and Sarbanes-Oxley Compliance
Many organizations are making better use of SAP process controls to help them achieve more
cost-effective Sarbanes-Oxley compliance. To determine where automation can be achieved in
the internal control framework, Protiviti’s GRC and SAP experts will assess an organization’s
current SAP environment, “ignoring” existing manual processes, and using Protiviti’s library of
more than 400 configurable controls to determine which Sarbanes-Oxley risks SAP controls can
help to mitigate. From here, it can be determined where Sarbanes-Oxley risks are not
adequately mitigated by automated SAP controls and where manual controls may be necessary
to close any gaps preventing Sarbanes-Oxley compliance.
In one recent engagement, Protiviti was able to transform a company’s internal control
framework, which included multiple legacy applications, from primarily manual controls (53
percent) to primarily automated and semi-automated controls (80 percent) by optimizing
configurable controls during the SAP implementation. The organization already had mature
Sarbanes-Oxley compliance efforts, but there was still room for control rationalization,
automation and optimization, particularly in the purchase-to-pay cycle.
After making these improvements to the Sarbanes-Oxley process, Protiviti guided the company
through control optimization for all of its major business processes, including order to cash,
human resources and general ledger. By implementing SAP ECC 6.0 and fully optimizing
available SAP configurable controls, Protiviti was able to help the company primarily automate
or semi-automate 64 percent of its controls in its overall internal control framework; previously,
68 percent of these controls were manual (see Figure 3).
Figure 3: Protiviti’s SAP and GRC experts helped one organization transform its overall
internal control framework from primarily manual (68 percent) to primarily automated
and semi-automated controls (64 percent).
Additionally, the organization experienced a 40 percent reduction in controls due to increased
reliance on new, automated controls within SAP and the decommissioning of older legacy
applications. By optimizing its control environment, the company realized more than
US$500,000 in annual savings just in its Sarbanes-Oxley compliance efforts.
To determine potential annual cost savings from a control optimization project for Sarbanes-Oxley
compliance using SAP, businesses will need to conduct both a return on investment
calculation and a cost-benefit analysis. Depicted in Figure 4 are formulas for estimating control
performance cost savings (e.g., determining who in the organization handles manual controls
and how many times they must do it each year, how many hours it takes, and what their internal
rate is) and Sarbanes-Oxley control testing cost savings (e.g., how many manual controls
currently exist, how long it takes to test those controls, and what the testing rate is).
Figure 4: Formulas to determine potential control performance cost savings and Sarbanes-Oxley
control testing cost savings through control optimization with SAP.
Other indirect cost savings not documented above, including reduced training costs for new staff
on control performance procedures, can be realized when controls are primarily automated.
Organizations also may experience reduced re-testing costs for failed controls because
automated controls typically have a much higher passing rate than manual controls. Moreover,
many companies that optimize their control environment, not only in the procure-to-pay process
but also in other major business processes, typically see an overall increase in the productivity
of operations personnel because those employees are no longer required to perform manual
control activities.
By leveraging assessment tools to understand process improvement opportunities, gaining
more insight into business processes and underlying technology that can help to optimize an
ERP implementation such as SAP, and using solutions and tools that enable continuous
monitoring of the optimized control environment, organizations of all types are likely to
experience significant savings in both costs and resources.
About Protiviti
Protiviti (www.protiviti.com) is a global business consulting and internal audit firm composed of
experts specializing in risk, advisory and transaction services. We help solve problems in
finance and transactions, operations, technology, litigation, governance, risk, and compliance.
Our highly trained, results-oriented professionals provide a unique perspective on a wide range
of critical business issues for clients in the Americas, Asia-Pacific, Europe and the Middle East.
Protiviti has more than 60 locations worldwide and is a wholly owned subsidiary of Robert Half
International Inc. (NYSE symbol: RHI). Founded in 1948, Robert Half International is a member
of the S&P 500 index.
As the world’s leading provider of business software, SAP delivers products and services that
enable enterprises of all sizes to improve their business operations. SAP facilitates a company’s
effort to manage risk and compliance while optimizing efficiency, strategy and growth with a
single integrated financial management platform. Addressing business processes in more than
25 industries, SAP has maintained its role as the authority on business software.
Protiviti and SAP are actively working together to help clients improve their capability in this
important area by implementing and effectively utilizing the full SAP BusinessObjects suite of
GRC and EPM solutions to enhance their integrated enterprisewide risk mitigation and
compliance efforts. For more information, visit http://www.protiviti.com/enUS/Solutions/Information-Technology/Managing%20Applications/Pages/default.aspx.
Our Information Technology Effectiveness and Control Solutions
We partner with chief information officers, chief financial officers and other executives to ensure
their organizations maximize the return on information systems investments while at the same
time minimize their risks. Using strong IT governance to ensure alignment with business
strategies, we drive excellence through the IT infrastructure and into the supporting applications,
data analytics and security. We also facilitate the selection and development of software,
manage the risk of implementation, implement configurable controls on large ERP installations,
and implement governance, risk and compliance (GRC) software applications.
For additional information about the issues reviewed in this white paper or Protiviti’s services,
please contact:
ATLANTA
Aric Quinones
Associate Director
+1.404.240.8376
[email protected]
CHICAGO
Gordon Braun
Director
+1.913.661.7406
[email protected]
HOUSTON
John Harrison
Managing Director
+1.713.314.4996
[email protected]
LOS ANGELES
Steve Cabello
Managing Director
+1.213.327.1470
[email protected]
NEW YORK
Carol Raimo
Managing Director
+1.212.603.8371
[email protected]
SAN FRANCISCO
Ronan O’Shea
Managing Director
+1.415.402.3639
[email protected]
© 2011 Protiviti Inc. An Equal Opportunity Employer.
Protiviti is not licensed or registered as a public accounting firm and does not
issue opinions on financial statements or offer attestation services.