Posts

Posts

  • Barry Greenhut
    Financials – Risk Management Cloud: OpenWorld Preview, 29 A...5.0
    Topic posted Yesterday by Barry GreenhutBronze Medal: 1,250+ Points, tagged Financials, Risk Management in Human Capital Management > Risk Management public
    Title:
    Financials – Risk Management Cloud: OpenWorld Preview, 29 August 2019, 9am PT
    Content:

    Tune in to our OpenWorld Preview to find out how you can learn from your fellow Risk users, get hands-on with the newest features, meet one-on-one with product managers, and more ... including CPE credit!

    Submit your questions here for the preview - we'll try to answer them all during the live event. Submit them by posting a new comment to this topic.

    Please submit your questions by Wednesday, 28 August 2019.

  • Christine Doxey
    Seven Best Practices to Reduce Risk in Your Supplier...5.0
    Topic posted August 13, 2019 by Christine DoxeyRed Ribbon: 250+ Points, tagged Advanced Controls, Compliance, Financial Reporting Compliance, Financial Transactions, Fraud, GRC, Risk Management, Tip in Human Capital Management > Risk Management public
    Title:
    Seven Best Practices to Reduce Risk in Your Supplier Onboarding Process
    Summary:
    In my last post, we discussed the development of a roadmap for your internal controls program. Now we’ll drill down to the Supplier Onboarding Process within the Procure-to-Pay (P2P) process.
    Content:

    Leading organizations recognize the importance of comprehensive supplier qualification processes but struggle to communicate qualification requirements to potential suppliers, and have difficulties creating a baseline for evaluating supplier risk levels.  Ardent Partners reports that 51% of the respondents in “The CPO’s Top Goals for Investing in Technology” survey report improving compliance as a goal.  The Hackett Group includes customizing supplier onboarding, identifying fraud and addressing internal policy non-compliance as the best practice tactics for a world class P2P organization.

    It’s a well-known global enterprises manage thousands of invoices, purchase requisitions, and purchase orders within the Procure-to-Pay (P2P) process.  Organizations may have disconnected purchasing and accounts payable processes and may depend upon third-party software and cumbersome spreadsheets. This results in countless hours of reconciliation resulting in payment errors, compliance and control issues.

    To support tax and regulatory compliance requirements, there are several best practices to consider when onboarding your suppliers. Here are seven best practices to consider which include the following details: Summary of Action, Benefits, and Suggested Audit Trail.

    1. TIN Matching

    Summary of Action:TIN Matching utilizes the functionality provided by the IRS.  You can convert your supplier master file into the proper format required by the IRS to get actionable results.

    • Ensures 1099 accuracy.
    • Eliminates B-Notices
    • Provides fraud prevention since the matching process ensures suppliers are “legitimate.”
    • The TIN Matching process can identify duplicate suppliers and can be a catalyst for cleaning up your supplier master file.

    Suggested Audit Trail:

    • TIN Matching Summary Report (Source: IRS)
    • TIN Matches (Source: IRS)
    • Non-Matching TIN Numbers (Source: IRS)
    • TIN Numbers Not Submitted
    1. W-8 and W-9 Document Acquisition

    Summary of Action:   The W-8 form is required for all foreign suppliers. There are many variations of the W-8 forms that include the W-8 BEN, W-8 BEN-E, W-8 ECI, W-8 EXP, and W-8 IMY.  The W-8 is an IRS form that grants a foreigner an exemption from certain U.S. information return reporting and backup withholding regulations.

    • Provides an audit trail for your supplier’s TIN information.
    • Provides proof of exemption from backup withholding.
    • Back-up documentation for an erroneous B-Notice.

    Suggested Audit Trail:

    • A file containing scanned copies of all W-8 and W-9 documents acquired.
    • All scanned copies will be linked to your supplier name and number.
    1. Compliance Screening and Reporting:

    Summary of Action:   Compliance screening is a key component of supplier validation. It’s also important to complete the due diligence process to ensure that an issue is acted upon. The due diligence process includes researching Better Business Bureau, State of Incorporation data, and other research based on specific supplier information.

    • Office of Foreign Asset Control (OFAC)
    • Bureau of Industry and Security (BIS)
    • Office of Inspector General (OIG) - For Healthcare Suppliers
    • Specially Designated Nationals (SDNs)

    Benefits:

    • Ensures compliance to OFAC and other regulatory requirements.
    • Avoids penalties due to non-compliance.

    Suggested Audit Trail:

    • Compliance Screening Reports
    • Supplier Master Screening Results Summary Report
    • Detail Per Record Match Screening Results
    • Due Diligence Process Results
    1. Supplier Master Data Review 

    Summary of Action:  To keep your supplier master in control, I recommend that your supplier master is scrubbed at least every year to alleviate duplicate suppliers, suppliers that haven’t been used in 18 months, suppliers with missing information, and suppliers that have duplicate records. 

    Benefits:

    • Provides enhanced internal controls for your vendor master.
    • Identifies duplicate and potentially fraudulent vendors.
    • Helps to prevent duplicate payments.

    Suggested Audit Trail:

    • Duplicate Supplier Names
    • Suppliers with Duplicate Street Addresses
    • Suppliers with Duplicate PO Boxes
    • Suppliers With Duplicate Phone or FAX Numbers
    • Suppliers With Duplicate TINs                      
    1. Supplier Master Reporting and Analytics

    Summary of Action: This best practice includes the analysis of accounts payable transactions by dollar distribution, and the stratification of spending levels. It’s a great way to look into your accounts payable data to determine if there opportunities to consolidate suppliers, change invoicing methods, identify spending anomalies, or implement a P-Card program for low spend purchases.

    Benefits:

    • Identifies transaction volumes and values of payments.
    • Highlights opportunities for invoice automation, summary billing, and the implementation of P-Cards.

    Recommended Audit Trail:

    • Top 30 Suppliers with Invoice Amounts of $0 - $150
      • Top 30 Suppliers with Invoice Amounts of $0 - $50
      • Top 30 Suppliers with Invoice Amounts of $50 - $100
      • Top 30 Suppliers with Invoice Amounts of $100 - $150
      • Invoice Payment Dollar Distribution
      • Accounts Payable Year to Year Analysis
      • Accounts Payable Transactions by Month
      • Top 50 Suppliers by Transaction
      • Top 50 Suppliers by Dollars

    6. ACH Account Validation

    Summary of Action:  The ACH account validation process is the most efficient if ACH account information is validated and maintained in the supplier master file. As a best practice, many companies contact either the supplier or the supplier's bank to validate the banking information. 

    Benefits:

    • Prevents payment fraud and ensures that funds are disbursed to the correct supplier bank account.
    • Provides an enhancement to current disbursement controls.

    Recommended Audit Trail:

    • A report that reflect the positive confirmation of ACH numbers.
    • All non-confirmed or accounts with issues should also be reported.
    1. Insurance Certificate Acquisition

    Overview of Action:  Validation of the insurance certificate provided by the supplier. 

    Benefits:

    • Validating the insurance certificate when you set up a supplier should be a key step in the onboarding process.

    Recommended Audit Trail:

    • A file containing scanned copies of all insurance certificates should be available for review. 

    In conclusion, these seven best practices support your supplier onboarding process and can help to ensure that the data is accurate in your supplier master. With correct supplier master data, invoicing and payment processes are accurate. This means that financial statements and cash management processes will be correct and there is confidence in your supplier data.

    If you have questions about these best practices or the supplier onboarding process, please post a comment below.

  • Christine Doxey
    Your Roadmap for Implementing an Internal Controls Program5.0
    Topic posted July 16, 2019 by Christine DoxeyRed Ribbon: 250+ Points, tagged Advanced Controls, Compliance, Financial Reporting Compliance, Financial Transactions, Financials, Fraud, Governance, GRC, Risk Management, Sarbanes Oxley in Human Capital Management > Risk Management public
    Title:
    Your Roadmap for Implementing an Internal Controls Program
    Summary:
    In my previous posts, I wrote about segregation of duties (SoD), risk based and compensating controls. This post provides the suggested steps for an internal controls roadmap.
    Content:

    We’ve defined internal controls as a critical component throughout business strategies, operations, and processes.  Operationally effective controls are the linchpin to assure that an organization can reliably achieve objectives while addressing uncertainty and acting with integrity. Where do we start the internal controls journey and how do we implement a strong internal controls program?

    Many organizations take an approach to internal control management that has defined intersections with risk, compliance, and audit processes and use a set of standards.  But typically, all organizations face the following challenges with building and maintaining an internal controls program.

    • Providing an integrated strategy and view of financial and operational controls across the organization.
    • Defining a common language for risk and control.
    • Increasing confidence in ongoing risk coverage throughout all business processes.
    • Establishing Overall Responsibility for a company’s internal controls program to ensure consistency and to avoid duplication of effort.
    • Capturing business changes with updated and changing controls.
    • Combining finance and operational control teams and revamping processes to address a controls weakness.
    • Prioritizing the key controls for a business process that can truly mitigate risk.
    • Managing the human element in controls management.
    • Expanding and reacting to the ongoing regulatory requirements for internal control management.
    • Addressing a lack of resources while being tasked with more internal control responsibilities across controls.
    • Keeping controls aligned with business processes and a changing environment.
    • Implementing a system and technology to manage all controls across the organization.
    • Developing Transparency, reporting, and monitoring
    • Integrating controls into daily workflow particularly when staff transitions occur.

    So how does a company establish a roadmap to build an internal controls program to address these challenges?  Here are some steps to consider when establishing or enhancing your internal controls program.

    1. Define the Organization and Process Context: For most organizations, inefficiencies from an internal controls program fragmentation are so great that huge savings are possible by taking the simple step of eliminating silos and operating on a common context and structure with well-defined responsibilities. Which business process is your focus? Which process has a known control weakness, an identified audit finding or a detected fraudulent activity? The outcome of these efforts will enable an organization to:
    • Establish priorities and focus of coverage. 
    • Coordinate planning across all business units.
    • Eliminate gaps and duplication in coverage.
    • Decrease time spent by business process owners.
    • Increase ability to spot control issues and trends as they develop.
    • Utilize a single strategy and methodology for risk mitigation.
    1. Establish a Common Language for Risks and Controls: Without a standard naming convention or common methodology for determining or classifying risks and controls, business process owners are unable to share information. The benefits of utilizing a common language for risks and controls include:
    • Improved reporting throughout the organization.
    • Audit and control issues are embedded in your program and are promptly assigned and corrected. 
    • Consistent coverage—all risks are considered but there is a focus on the risk of material misstatement.
    • Improved business performance—risks explain performance gaps.
    • Better decision making—decisions are risk based.
    • Less external oversight and audits—controls are standardized using a common methodology.
    1. Implement a Consistent Reliable Methodology: Without a consistent methodology for your internal controls program, the cost of controls can be expenses with incomplete coverage and inaccurate results. Examples of a consistent methodology include:
    • The top-down risk criteria is established with consistent risk identification.
    • The risks are properly accessed by appropriate internal controls.
    • The risks that require a response are identified.
    • The risk responses that require remediation are prioritized.
    1. Focus on Transparency, Reporting and Monitoring: All information on the status of risks and controls should be available for continuous reporting. If implemented effectively, communication between management and the board of directors is in place with a focus on risk mitigation and the achievement of business objectives.  The benefits of a consistent and disciplined reporting structure include:
    • Availability of accurate and consistent reports.
    • Positive knowledge and reporting of risks and controls across the company.
    • Information sharing across business processes.
    • Confidence of the reliability of all risk and control information.
    1. Leverage Technology: By eliminating information silos and redundant data entry, and taking a unique holistic approach to regulatory challenges, technology provides greater efficiency, improves collaboration, and reduces the time and resource costs.  Additional benefits that can be gained by utilizing a defined technology solution for internal controls include:
    • A single universe of all risk and controls data called "The Internal Controls Universe."
    • Elimination of duplicate documentation. 
    • The implementation of a controls self-assessment process.
    • More processes, risks, controls can be assessed and properly prioritized.
    • Increase in management accountability.
    • Consolidated and reliable reporting.
    • The ability to produce metrics and analytics for your internal controls program.

    In conclusion, the success of an internal controls strategy is dependent upon communication, well-defined roles and responsibilities, standards of internal control, technology and reporting. To address the challenges of a viable and ongoing internal controls program, standards of internal control are available.

     If you have questions about these standards or the implementation of an internal controls program, please post a comment below.

     

  • Kim Puls
    History Tab not viewable in Contracts Module13.0
    Topic posted June 10, 2019 by Kim PulsSilver Medal: 2,000+ Points, tagged Risk Management in Human Capital Management > Risk Management public
    Title:
    History Tab not viewable in Contracts Module
    Content:

    We have witnessed this behavior in PPM and are not seeing it in Contracts.

    Contract Management > Contracts > Search for an Active # and open the contract. You can click on all tabs and get a result until you click on History...you get a blank screen and can't navigate anywhere else.

    Is anyone else having this issue?

    Thanks - Kim

    University of Wyoming

    Version:
    R13-19B
  • Barry Greenhut
    Keeping up with Risk Management5.0
    Topic posted April 8, 2019 by Barry GreenhutBronze Medal: 1,250+ Points, tagged Advanced Controls, Compliance, ERP, Financial Reporting Compliance, Financial Transactions, Financials, Fraud, Governance, GRC, Public Sector, Risk Management, Sarbanes Oxley, Security, Separation of Duties, SOX in Human Capital Management > Risk Management public
    Title:
    Keeping up with Risk Management
    Content:

    Each quarter we update your environments with new and improved functionality. To prepare, check out What's New - it describes significant changes and tells you how to get ready:

    For Advanced Controls, pre-built content is now available within a content library inside the product, Advanced Access control analyses automatically exclude results based on procurement agent configuration, transaction data synchronization performance is enhanced by eliminating redundant language related data, assessment completion page in Financial Reporting Compliance is enhanced, and a lot more...

    To keep up with us, make this page a Favorite (the button's above on the right) - we'll update it each time we publish a new edition of What's New, and you'll get a notification.

  • Barry Greenhut
    Get support for Risk Management4.7
    Topic posted April 8, 2019 by Barry GreenhutBronze Medal: 1,250+ Points, tagged Advanced Controls, Compliance, ERP, Financial Reporting Compliance, Financial Transactions, Financials, Fraud, Governance, GRC, Public Sector, Risk Management, Sarbanes Oxley, Security, Separation of Duties, SOX in Human Capital Management > Risk Management public
    Title:
    Get support for Risk Management
    Content:

    My Oracle Support offers quick references to accelerate your work:

  • Rajendra Verma
    Regarding Grouping when using Similar Filter15.0
    Topic posted March 28, 2019 by Rajendra VermaGreen Ribbon: 100+ Points, tagged Advanced Controls, Risk Management in Human Capital Management > Risk Management public
    Title:
    Regarding Grouping when using Similar Filter
    Summary:
    Explains the usage of “Generate Results for Similar Groups” option for Similar Filter
    Content:

    Scenario:

    Model Logic with following filters:
    1. UDO Approved PO totals.Supplier ID(1) Equals UDO Approved PO totals.Supplier ID(1)
    2. Similar filter Equals[UDO Approved PO totals.Supplier ID(1)] Created Date]  Similar Within (+/-) Days 30

    Output shows following:

    UDO Approved PO totals.Supplier Name UDO Approved PO totals.Number(1) UDO Approved PO totals.Created Date UDO Approved PO totals.Supplier ID(1) Similar[Equals[UDO Approved PO totals.Supplier ID(1)].Created Date] Group Grouping Value
    Art Of Food 2110002487 10/30/2018 20945 10/30/2018 Equals[UDO Approved PO totals.Supplier ID(1)] AND Similar[Equals[UDO Approved PO totals.Supplier ID(1)].Created Date] 20945 AND 10/30/2018
    Art Of Food 2110002488 10/30/2018 20945 10/30/2018 Equals[UDO Approved PO totals.Supplier ID(1)] AND Similar[Equals[UDO Approved PO totals.Supplier ID(1)].Created Date] 20945 AND 10/30/2018
    Art Of Food 2110002567 11/27/2018 20945 10/30/2018 Equals[UDO Approved PO totals.Supplier ID(1)] AND Similar[Equals[UDO Approved PO totals.Supplier ID(1)].Created Date] 20945 AND 10/30/2018
    Art Of Food 2110002568 11/27/2018 20945 10/30/2018 Equals[UDO Approved PO totals.Supplier ID(1)] AND Similar[Equals[UDO Approved PO totals.Supplier ID(1)].Created Date] 20945 AND 10/30/2018
    Art Of Food 2110002567 11/27/2018 20945 12/14/2018 Equals[UDO Approved PO totals.Supplier ID(1)] AND Similar[Equals[UDO Approved PO totals.Supplier ID(1)].Created Date] 20945 AND 12/14/2018
    Art Of Food 2110002568 11/27/2018 20945 12/14/2018 Equals[UDO Approved PO totals.Supplier ID(1)] AND Similar[Equals[UDO Approved PO totals.Supplier ID(1)].Created Date] 20945 AND 12/14/2018
    Art Of Food 2110002631 12/14/2018 20945 12/14/2018 Equals[UDO Approved PO totals.Supplier ID(1)] AND Similar[Equals[UDO Approved PO totals.Supplier ID(1)].Created Date] 20945 AND 12/14/2018

     

    Question:

    Record value for row 3 and 4 and same as row 5 and 6, and they belong to two different group. Why?
     

    Answer:

    This is expected behavior if Similar filter has “Generate Results for Similar Groups” checked under Advanced options. If requirement is to have records included into only single group then have the “Generate Results for Similar Groups” unchecked under Advanced options for Similar filter in TCG Model logic.

  • Lana Prout
    Oracle ERP EPM Cloud Focus Group Luncheon at Modern Business...
    Announcement posted March 8, 2019 by Lana ProutGreen Ribbon: 100+ Points, tagged Announcements, Financials, Procurement, Project Portfolio Management, Public Sector, Risk Management in ERP Members > Financials Announcements public
    Title:
    Oracle ERP EPM Cloud Focus Group Luncheon at Modern Business Experience
    Announcement:
     
    Oracle Cloud Customer Connect
    Announcement

    Oracle ERP EPM Cloud Focus Group Luncheon at Modern Business Experience

    revenue%20mgmt.png

    Date and Time:     

    Tuesday, March 19, 2019
    11:30am – 12:45pm (check in 11:15am)

    Location:     

    Mandalay Bay Resort and Casino: Mariner B
    3950 S. Las Vegas Boulevard
    Las Vegas, NV 89119

    We want to hear from you! Join us for an exclusive focus group and luncheon for finance customers (director level and above) to engage with fellow industry leaders and discuss how emerging technologies can help you build a new, more agile finance operating model.

    Register Today

    MBXbanner.jpg

    Integrated Cloud Applications & Platform Services
     
  • Barry Greenhut
    Design and export your own Risk Management reports24.8
    Topic posted March 6, 2019 by Barry GreenhutBronze Medal: 1,250+ Points, tagged Advanced Controls, Compliance, ERP, Financial Reporting Compliance, Financial Transactions, Financials, Fraud, Governance, GRC, Public Sector, Risk Management, Sarbanes Oxley, Security, Separation of Duties, SOX in Human Capital Management > Risk Management public
    Title:
    Design and export your own Risk Management reports
    Content:

    When you subscribe to Risk Management, you get complimentary access to tools that let you design reports, pivot, analyze and export data, and much more.

    We're thrilled to share two new videos by Stephanie Golly, our product manager in charge of this topic. She'll show you how to create and export your own analyses of user access and transactions - an Access Incident Details Extract report (AIDE) and Transaction Incident Details Extract report (TIDE).

    And don't miss Lakshmi Rajamohan's master class in Financial Reporting Compliance reports and dashboards - part of our Hands-On series!

  • Christine Doxey
    Compensating Controls to Mitigate Risk5.0
    Topic posted February 20, 2019 by Christine DoxeyRed Ribbon: 250+ Points, tagged Advanced Controls, Compliance, Financial Transactions, Fraud, GRC, Risk Management, Sarbanes Oxley, Separation of Duties, SOX in Human Capital Management > Risk Management public
    Title:
    Compensating Controls to Mitigate Risk
    Summary:
    Learn about compensating controls as an additional risk management tool.
    Content:

    Introduction

    Segregation of duties promotes the use of sound business practices and supports the achievement of a business process objective.  When designing segregation of duties controls for a business or financial process, most business process owners start with identifying incompatible functions and then define the segregation of duties and systems access controls. However, the segregation of duties control cannot always be achieved in certain situations due to staffing limitations.

    In some cases, an employee will perform all activities within a process. In this scenario, segregation of duties does not exist and risk cannot be identified nor mitigated in a timely manner. As a result, the implementation of additional compensating controls should be considered.

    Definition of Compensating Controls

    A compensating control reduces the vulnerabilities in ineffectively segregated functions.  A compensating control can reduce the risk of errors, omissions, irregularities and deficiencies,  which can improve the overall business process.

    Compensating Controls, CSA and CCM

    However, it should be noted that many companies include compensating controls in their internal controls programs as additional measures to reduce risk. These controls can be embedded in continuous controls monitoring (CCM) and controls self-assessment (CSA) processes.

    Continuous controls monitoring (CCM) refers to the use of automated tools and various technologies to ensure the continuous monitoring of financial transactions and other types of transactional applications to reduce and mitigate risk. A CCM process includes the validation of authorizations, systems access, system configurations and business process settings.

    Examples of Compensating Controls

    1. Skim through detailed transactions report: A manager should consider performing a high level review of detailed report of transactions completed by an employee that performs incompatible duties.  As an example, a manager may simply skim through the report sections that contain high risk transactions or account and may review specific payment types or amounts before the payment is made.
    1. Review sample of transactions:  Using a CSA or CCM process, a manager may select a few sample of transactions, request for the supporting documents and review the documents to ensure that they are complete, appropriate, and accurately processed. In addition to detecting errors, the knowledge of a periodic review could create a disincentive (that is, reduce the opportunity) for the person performing the incompatible duties to process unauthorized or fraudulent transactions. This review identifies transactional anomalies which can be used as a flag to indicate collusion.  As an example, unchanged pricing and using the same suppliers for several years can indicate possible collusion between a buyers and suppliers.
    1. Review system reports: Applications that support business or office operations have embedded reporting capabilities that enable the generation of reports based on pre-determined or user defined criteria. A review of relevant system exception reports can provide good compensating controls for an environment that lacks adequate segregation of duties. As an example, I suggest a review of report of deleted or duplicated transactions, report of changes to data sets and report of transactions exceeding a specific dollar amount on a quarterly basis.
    1. Perform analytical reviews: Another example of compensating control is the comparison of different records with predictable relationships and the analysis of identified unusual trends. For example, a budget vs. actual expenditure comparison or current year vs. prior year subscription fees analysis or comparison of selected asset records to actual physical count of asset might indicate unusual variances or discrepancies that may need to be investigated.  In this review, an analytical review should occur on a monthly basis.  
    1. Reassign reconciliation: If there is an opportunity to reassign one activity from the person performing incompatible function to another employee, a manager may consider re-assigning the reconciliation activity. As an example, reassigning the bank account reconciliation function to someone other than the person receiving cash and depositing it to the bank could improve the quality of internal controls in the cash receipt process. Reconciliations should occur monthly as a standard of internal control.
    1. Increase supervisory oversight: Other forms of activities a manager may perform as compensating control are observation and inquiry. Where appropriate, increasing supervisory reviews through the observation of processes performed in certain functions and making inquiries of employees are good administrative controls that may help to identify and address areas of concerns before a transaction is finalized.
    1. Rotate jobs: Many companies rotate jobs in the finance and accounting department every 1-2 years. This creates an environment of control and can prevent collusion. As example, accounts payable processors should be rotated on a regular basis so that they don’t become too involved with specific suppliers. And as noted above a buyer’s responsibility should be rotated within the purchasing organization.

    Conclusion

    Effective compensating controls can reduce the risk for a process that has limited or inadequate segregation of duties and ultimately can provide reasonable assurance to management that the anticipated objective(s) of a process or a department will be achieved.  As a detective risk management technique, compensating controls tend to look at the accuracy of a transaction after it has occurred but can be used as preventive controls within CSA and CCM processes.