GRC Tuesdays: Governance, Risk and Compliance securing the Source-to-Pay process
I could have summarized the title with “GRC securing S2P” but I am not sure this would have been really clear so let me stay away from acronyms today for once.
If you regularly read these GRC Tuesdays blogs, then I am sure you are already acutely aware of what Governance, Risk and Compliance covers. But you may not be as familiar with the end-to-end Source-to-Pay process, so let’s start by defining its scope before I suggest ways of securing it to ensure that it stays on track.
What is Source-to-Pay?
Within the (Integrated) Intelligent Enterprise, Source-to-Pay is one of the key end-to-end processes designed to help companies manage procurement and spend like never before.
This process starts with finding what to buy, negotiating how to buy, contracting with the supplier of goods (whom to buy from), and culminates in final payment for those goods (whom to pay).
There are of course intrinsic risks in all steps of the process, but, since I can’t be exhaustive in a short blog, allow me to focus only on some selected examples and then share my thoughts on how to mitigate these risks.
Sourcing
In this part of the process, the procurement team identifies and sources material or service needs and discovers capable suppliers.
One of the risks here is that the company gets involved with sanctioned parties, which could lead to financial penalties and even a potential loss of the license to operate issued by the regulator or overseeing authority.
Contracting & Forecasting
Once the list of suitable suppliers has been defined, the competitive events start: standard negotiations, a request for quotation, or even perhaps an auction. Based on the outcome, a preferred vendor is selected, and finally a contract is drawn up. In some cases, if there could be repeated purchases, a forecast for future commitments can also be defined.
The risks here are multiple, including financial ones of course, but there is also a risk of breach of confidentiality through disclosure of confidential supplier information. Erroneous usage of sensitive data provided by suppliers could indeed lead to disclosure of confidential (including personal) data, and the potential impacts here are litigation, penalties and of course reputational damage to the brand.
Requesting & Ordering
In this step, employees trigger the request to purchase goods or services and the purchasing department, once it has agreed to the purchasing needs, executes the purchases.
It all sounds perfectly logical and error proof, but what if a malicious employee were able to create a fictitious supplier and then create a purchase request for fictitious services? Not only would this mean potential overspend, it would also constitute internal fraud.
Receiving & Invoicing
Now that the products and services have been ordered, it’s time to receive them and manage the invoices. This is usually performed by matching purchase orders, invoices, and receipts against expected terms. Nevertheless, without adequate controls in place, invoices could be posted without an associated goods receipt. This could lead to discrepancies in the inventory, which could in turn impact manufacturing and production operations.
Invoicing Receipt & Processing
In this step, supplier invoices are processed, as well as credit memos, and possibly early payment options are applied. Here, there is a risk of duplicate invoices existing for the same purchase order and being processed. Depending on the source, benchmarks refer to up to an average of 0.5% of invoices being paid in duplicate.
This could be a simple manual error rather than deliberate behaviour, but it would still lead to monetary losses due to cash leakage.
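The two controls described above, matching invoices against purchase orders and goods receipts, and catching duplicate invoices for the same purchase order, are shown below as an added example; it is not code from the post or from any SAP product, and all record formats, field names and sample values are constructed for illustration.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample records (hypothetical, not from the post). Decimal avoids float rounding on amounts.
PURCHASE_ORDERS = {
    "PO-1001": {"supplier": "S-01", "amount": Decimal("1200.00")},
    "PO-1002": {"supplier": "S-02", "amount": Decimal("350.00")},
}
GOODS_RECEIPTS = [
    {"gr_id": "GR-1", "po": "PO-1001", "amount": Decimal("1200.00")},
]
INVOICES = [
    {"inv_id": "INV-A", "po": "PO-1001", "supplier": "S-01", "ref": "s01-778", "amount": Decimal("1200.00")},
    # Same supplier reference resubmitted with different casing/whitespace: a duplicate.
    {"inv_id": "INV-B", "po": "PO-1001", "supplier": "S-01", "ref": "S01-778 ", "amount": Decimal("1200.00")},
    # Invoice for a PO that has no goods receipt yet.
    {"inv_id": "INV-C", "po": "PO-1002", "supplier": "S-02", "ref": "s02-001", "amount": Decimal("350.00")},
]


def three_way_match(invoices, purchase_orders, goods_receipts):
    """Return {invoice id: reason} for invoices that fail PO / goods receipt / invoice matching.

    The goods-receipt check is cumulative per PO, so a second invoice for an already
    fully invoiced receipt is rejected even though the receipt itself exists."""
    received = defaultdict(Decimal)
    for gr in goods_receipts:
        received[gr["po"]] += gr["amount"]
    invoiced = defaultdict(Decimal)
    exceptions = {}
    for inv in invoices:
        po = purchase_orders.get(inv["po"])
        invoiced[inv["po"]] += inv["amount"]
        if po is None:
            exceptions[inv["inv_id"]] = "no purchase order"
        elif po["supplier"] != inv["supplier"]:
            exceptions[inv["inv_id"]] = "supplier differs from PO"
        elif invoiced[inv["po"]] > received[inv["po"]]:
            exceptions[inv["inv_id"]] = "invoiced more than goods received"
    return exceptions


def duplicate_invoices(invoices):
    """Group invoices by supplier, normalised supplier reference and amount; return groups of size > 1."""
    groups = defaultdict(list)
    for inv in invoices:
        key = (inv["supplier"], inv["ref"].strip().upper(), inv["amount"])
        groups[key].append(inv["inv_id"])
    return [ids for ids in groups.values() if len(ids) > 1]
```

Both checks are exception reports: the cumulative receipt check blocks both the unreceived and the re-submitted invoice, while the reference check separately names the pair that should be reviewed as a duplicate.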
Finally, and this is probably the most straightforward step: paying the suppliers for contract performance and delivery.
If the process has been secured until now, then there’s no reason that compliance hasn’t been maintained throughout the Source-to-Pay cycle, and therefore no reason that the company would be paying a sanctioned party, paying for a fictitious delivery, or paying a second time… But there is a risk that manual changes to supplier payment details, approved or unapproved, might have been made by mistake, which could lead to payment errors. This could also be more sinister if these changes were made deliberately for fraud purposes.
Additional Underlying Risks
Supporting the end-to-end process is the Intelligent Enterprise, and there could be risks here too: technological risks in this instance.
An internal or external actor could get unauthorized access to the system, for instance via a brute force attack that tests multiple logons until one is successful, and this would put in jeopardy the confidentiality, integrity and availability of the information.
The perpetrator could further decide to exfiltrate sensitive information – including to embargoed countries. The company could then face regulatory fines, and loss of trust from stakeholders at the very least.
SAP Cloud solutions for GRC to the rescue!
As established, at every step of the Source-to-Pay process there are ways in which breaks could form in the chain, either within individual steps or in the links between them.
These breaks not only erode value, but also introduce additional threats to the business.
The good news is that this is not inevitable: there are ready-to-use Cloud Governance, Risk, and Compliance & Cybersecurity and Data Protection solutions that can be leveraged to prevent these risks from occurring. By implementing a proactive risk approach, companies could prevent cash or data leakage and increase the chances that the expected savings are delivered.
In the Sourcing phase, SAP Watch List Screening helps companies assess potential risks on an exception basis to avoid high-risk businesses, individuals, and entities. It does so by simplifying the business partner screening process, and therefore improves vendor compliance and reduces the cost and effort of third-party due diligence.
In the Contracting & Forecasting step, SAP Privacy Governance helps companies safeguard their business by simplifying security and privacy compliance and operationalizing privacy management. With this solution, customers can gain the governance, transparency, and monitoring capabilities they need to help the business stay compliant with data protection and privacy regulations around the world.
In Requesting & Ordering, SAP Identity Access Governance helps companies govern access authorizations with greater ease and minimize mistakes, misuse, and financial loss. It does so by streamlining identity and access management.
When it comes to Receiving & Invoicing and Processing Invoice Receipts and Payments, SAP Financial Compliance Management helps automate internal controls. With this solution, customers can minimize the risk of misstatements and fraud with a strong internal controls framework and system. They can also monitor and document inconsistencies in operating procedures and policy.
Finally, to secure the source systems themselves, SAP Data Custodian enables organizations to gain transparency and control over their Public Cloud resources and applications with capabilities such as data placement, movement, and access controls, or contextual access controls. SAP Enterprise Threat Detection is a security information and event management tool that helps customers identify, analyze, and neutralize cyberattacks in their SAP applications as they happen and before serious damage occurs.
What about you, how does your company ensure that its Source-to-Pay process is performing as expected and that there aren’t any “operational surprises” lurking in the shadows?
I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard.