Procure to Pay: The hidden truths about your ERP

ERP is an essential business tool that plays many vital roles. However, because ERP capabilities are so varied, they can often be relied on for things that they shouldn’t be. Your ERP can do a lot – but not everything.

For example, an ERP is not reliable for ongoing protection and independent assurance across your procurement function. There are multiple points in the Procure-to-Pay process that are susceptible to error, oversights, and fraud that an ERP can’t monitor – nor should it be expected to.

As procurement continues to be one of the most prominent areas of fraud, it’s important to understand how oversights or scams occur and what measures can be implemented to identify and prevent them.

How pervasive is fraud in the Procure to Pay process?

Based on ACFE’s 2022 report, procurement fraud accounted for 11% of all reported fraud cases. Procure to Pay fraud and errors also cost organisations 2.5% of their annual spend. These statistics are only expected to climb.

The cost and regularity of errors might not seem extensive on a case-by-case basis – but as they accumulate, the impact can be massive.

Here’s a look at what we’re seeing within our customer base:

Even with an ERP that is configured to enable procurement processes, you are still at risk of:

• Errors and oversight
• Policy and control breaches
• Control failures
• Fraud
• Policy changes

This is due to two major factors: The Accounts Payable Invoice Process (which presents many opportunities for error and fraud) and the quality of master data that exists within your ERP.

Potential issues behind each step of the Accounts Payable Invoice Process

Invoice receipt and entry

An organisation typically receives invoices in electronic or paper format, either directly from the vendor or through a supplier portal. Once the invoice is received, the data is entered into the accounts payable system either manually or through an automated upload or scanning to capture important invoice information.

Common issues include:

1. Multiple invoices sent by vendors due to the delayed payment
2. Multiple invoices sent by vendors due to the updated invoice details
3. Incorrect vendor/invoice information (incorrect invoice/GST amount due to typos/scanning, due date instead of invoice date, etc.)
4. Missing information (e.g., purchase order numbers not captured or raised after the invoice)
5. Turned off controls for automated uploads (resulting in multiple uploads)
6. Multiple invoice entry (e.g., manually and through scanning)

Approval

The AP team checks that the invoices have been approved for payment by the appropriate authority, such as a manager or budget holder. This may involve checking for accuracy, verifying that goods or services were received, and confirming the correct invoice amount.

The approval process is a great control designed to catch potential duplication or overpayments and can be done manually or through an automated workflow system. However, it can be undermined by short payment terms and delays in invoice processing, allowing people to bypass fraud checks (sometimes intentionally).

Common issues include:

1. Vendor and invoice created by the same person
2. Invoice raised and approved by the same person
3. PO and invoice raised by the same person

Matching

After approval, the invoice is matched against the purchase order and/or receiving report to ensure that the invoice is for the correct goods or services and that the correct amount was charged. This step helps to catch any discrepancies and prevent overpayment.

Very often, this is a labour- and time-intensive manual process. It can be challenging to accumulate the required information from different departments, which can delay payments. These can lead to people skipping steps, making manual processes less reliable.

Many businesses implement automated three-way matching solutions. However, some transactions that cause automated matching failures get excluded and require manual investigation of discrepancies.

Common issues include:

1. Excluding small-dollar invoices from three-way matching, leading to a large number of small duplicate invoices, which can add up to a significant amount
2. Excluding recurring invoices from the matching requirement, leading to duplications in recurring invoices
3. POs are not always raised or raised late, making three-way matching impossible
4. Invoices from different sources are not included in the matching process

Payment

Once the invoice has been approved and matched, it is ready for payment. Even at this point in the process, things can go wrong.

Common issues include:

1. Invoice paid to the incorrect bank account
2. Invoice paid to the fraudulent bank account

Why you can’t assume data quality or integrity

When we talk about vendor master data quality, we’re checking if our data has all the right attributes, making sure the vendor master file is:

• Complete: The data available covers a significant portion of the total amount required.
• Unique: Unique Datasets do not contain unnecessary or redundant entries.
• Valid: Data aligns with the syntax and structure outlined by the business requirements.
• Timely: Data is current enough to serve its intended purpose.
• Consistent: Data is uniformly presented in a standardised manner across the entire dataset.

Possessing high-quality data alone doesn’t guarantee its effectiveness for an organisation. Without additional supporting data providing context about these suppliers and their relationship with your company, the database may not reach its full potential. This is where the concept of data integrity becomes essential.

Data Integrity:

While data quality ensures our data is accurate and reliable, data integrity takes it to the next level. It’s not just about data being precise and trustworthy; it’s also about ensuring data is complete, accurate, consistent, and fits into the big picture. Data integrity requires integration with supporting sets to provide context and mitigate risks.

Some examples include.

• GST or VAT Status – Cross-checking the vendor master file with relevant, publicly available data such as the New Zealand Business Number (NZBN) or Australian Business Number (ABN) to ensure tax compliance.
• Credit Risk status – Ensuring your suppliers have not had any significant negative change in their credit risk score or have moved into administration by cross-checking with 3rd party data sets such as CreditorWatch.
• Electronic Bank Account Verification – Ensuring the bank account details (Account Name, BSB and Number) are correct and using the Commonwealth Bank of Australia’s NameCheck technology.

Prevention vs. recovery

Recovering lost funds due to errors or fraud is rarely easy or fast, which is why preventing these incidents from happening is more efficient and financially effective.

Focusing efforts on the earlier steps of the invoice processing to capture potential issues as early as possible will reduce the time spent rectifying issues (cancelling/reversing invoices instead of recovering the money paid off).

Similarly, implementing continuous monitoring across the Procure to Pay process can help identify data discrepancies. Vendor Master data is continuously changing.  Each day, new vendors are added, existing vendors’ details are changed, or the vendors’ circumstances change. Ensuring data integrity at a point in time is not enough.

While it might be possible to use basic analytic tools to do a once-off review of data integrity, organisations need to implement best practice, such as automated monitoring applications, to continuously monitor the data integrity.

Best practice monitoring applications should have the following attributes:

• ERP connectivity – Either by direct connection or by ingesting of files.
• 3^rd-party data integration – The ability to ingest multiple data sets automatically.
• Rule-based and AI analytics – Enabling the output to produce the highest probable exception, reducing the number of false positives.
• Case management and exception workflow – To ensure all exceptions are followed up on time and record issue, action and root cause.
• Real-time dashboards – to provide management with an overview of what issues are occurring, what actions have been taken and a root cause analysis. This will assist in the identification and then improvement of controls and processes to reduce the number of future exceptions.

The benefits of proactive action & continuous monitoring

Preventative action through continuous monitoring can both prevent losses from occurring and help recoup historical losses that have gone unnoticed. It also enables continuous improvement, helping to reduce instances of error or fraud in the long term by identifying process gaps or weaknesses.

While ERP systems can provide many of the needed controls, these are often inadequate to provide the assurance required for peace of mind.

Here are some outcomes from real clients who have engaged in continuous business and financial monitoring with Satori:

• $600K of duplicate payments uncovered in one year for a Real Estate company (even though they mandated POs for every invoice!)
• $1m in commission overpayments to agents discovered at a Telecom company
• $1.2 million in GST fraud and false invoicing identified at a Mining company
• $10m in overpayments identified over three years at a Government entity
• $3m overpayment/miscalculation uncovered by 4-way match check at a Government entity
• Loss of money prevented by monitoring suppliers who were failing to meet financial commitments

Satori offers automated, continuous monitoring over all accounts payable transactions and vendor master files. Each exception is investigated and closed out with a defined issue, action, and root cause.  For more information on protecting your Procure to Pay process or on the Satori platform, click here.