In my last blog, we discussed the challenges in managing risk in the supplier management process within the procure-to-pay (P2P) process. If we dive deeper into the day-to-day P2P transactional operations, we find that it is virtually impossible to manually screen each supplier or invoice for fraudulent trends and anomalies, especially in a “real time” risk management process. This is where a continuous controls monitoring (CCM) approach can be a helpful tool in a P2P professional’s risk mitigation toolkit.

According to Gartner, continuous controls monitoring (CCM) is defined as a set of technologies to reduce business losses through continuous monitoring and reducing the cost of audits through continuous auditing of the controls in financial and other transactional applications. CCM tests an existing control to determine whether it is operating correctly.

Now if we add continuous transaction monitoring (CTM) to our arsenal of P2P risk mitigation, we’re testing a transaction for integrity after it’s been processed. CTM determines if the transaction, such as an invoice, has been processed correctly. CTM can help a P2P professional design or re-design processes, policies, and specific controls. CTM also validates the adequacy of the transactional controls that are already in place and can assist with identifying stronger detective controls.

Increasingly, companies are turning to new cost-effective software applications that provide continuous monitoring of all data – not just a sample – and highlight problems before a disbursement is generated and revenue is lost.  These systems are specifically designed to analyze your supplier database and invoice activity for a variety of high-risk characteristics.   Reports can be generated on a daily basis (or any other interval you choose) so that you and your staff can follow up on suspect transactions and suppliers.

Companies use CCM and CTM automated tools in three ways:

  1. Several companies utilize a supplier portal to ensure that all suppliers are fully validated and screened before they are entered in the master files.
  2. Many companies perform a retroactive audit to uncover duplicate and erroneous payments along with possible supplier fraudulent activity.
  3. Companies use their fraud prevention application on an ongoing basis after invoices are entered, but before the disbursements are generated – almost in a CTM environment.

P2P Risk Mitigation Hint 1: The greatest potential for fraud is found within the smaller dollar-valued invoices, and these can be the largest volume of invoices in most companies. Lower spending limits are where you’ll find the largest number of suppliers and invoices. That means an effective supplier risk and fraud detection sampling will require an analysis of a relatively large data set. That’s why automated CCM and CTM approaches are critical to P2P risk mitigation.

P2P Risk Mitigation Hint 2: When considering an automated CCM and CTM system, here are two levels of functionality to consider: 1) the Supplier Master, and 2) the Invoice Process.

Supplier Master Functionality Examples:

  • Analyze a wide range of supplier and invoice attributes right out of the box, without costly software development.  Identify multiple suppliers who share the same address.
  • Compare your supplier data to lists maintained by the Office of Foreign Assets Control (OFAC), the Office of Inspector General (OIG), the Bureau of Industry and Security (BIS), Interpol, and the FBI.
  •  Scan for prison addresses and look for Politically Exposed Persons (PEP) to ensure that your company is not paying bribes to foreign officials and violating the Foreign Corrupt Practices Act (FCPA).

Invoice Process Functionality Examples:

  • Automatically screen for consecutive invoice numbers, Benford’s Law, and whether the first payment amount is small relative to the average payment.
  • Check for invoices with even-dollar amounts and for invoices issued by suppliers with no credit history or purchase orders.
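
The invoice screens listed above can be expressed as a few small checks. The following is an added example, not code from this post or from any vendor's tool; the record layout, function names, and thresholds (a run of three consecutive numbers, 75% whole-dollar invoices, a first payment under 10% of the later average) are assumptions. The Benford check is kept separate because it is only meaningful on a large population of amounts.

```python
import math
from collections import Counter, defaultdict

# Constructed sample rows: (supplier, invoice_number, date, amount_in_cents)
INVOICES = [
    ("ACME", 1041, "2024-01-05", 1_250_37),
    ("ACME", 1187, "2024-02-02", 1_410_90),
    ("ACME", 1302, "2024-03-01", 1_198_12),
    ("ZETA", 101, "2024-01-10", 50_00),
    ("ZETA", 102, "2024-01-24", 4_900_00),
    ("ZETA", 103, "2024-02-07", 4_950_00),
]

def by_supplier(invoices):
    groups = defaultdict(list)
    for row in sorted(invoices, key=lambda r: r[2]):  # ISO dates sort as text
        groups[row[0]].append(row)
    return groups

def consecutive_numbers(rows, min_run=3):
    """True if invoice numbers contain min_run consecutive values (assumed threshold)."""
    nums, run = sorted(r[1] for r in rows), 1
    for a, b in zip(nums, nums[1:]):
        run = run + 1 if b == a + 1 else 1
        if run >= min_run:
            return True
    return False

def even_dollar_share(rows):
    return sum(r[3] % 100 == 0 for r in rows) / len(rows)  # no cents = even dollar

def small_first_payment(rows, ratio=0.10):
    later = [r[3] for r in rows[1:]]  # rows are already in date order
    return bool(later) and rows[0][3] < ratio * sum(later) / len(later)

def benford_mad(amounts_cents):
    """Mean absolute deviation of first-digit frequencies from Benford's Law."""
    digits = Counter(int(str(a)[0]) for a in amounts_cents if a > 0)
    n = sum(digits.values())
    return sum(abs(digits[d] / n - math.log10(1 + 1 / d)) for d in range(1, 10)) / 9

def screen(invoices):
    flags = {}
    for supplier, rows in by_supplier(invoices).items():
        checks = {"consecutive_numbers": consecutive_numbers(rows),
                  "even_dollar": even_dollar_share(rows) >= 0.75,
                  "small_first_payment": small_first_payment(rows)}
        flags[supplier] = [name for name, fired in checks.items() if fired]
    return {s: hits for s, hits in flags.items() if hits}
```

A flag here is a reason for follow-up, not proof of fraud; in a CTM setup the output of `screen` would feed the daily review report before disbursement.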


The best approach when considering a P2P risk mitigation process is to be proactive, using early detection techniques so you can prevent significant losses. That means establishing strong internal controls as you set up suppliers and monitoring your accounts payable activities on an ongoing basis. Keep in mind, though, that internal controls aren’t sufficient in and of themselves. While they are a critical and necessary step, they can be easily side-stepped by an employee who gives in to temptation or by a dishonest supplier who is skilled at beating the system.

Consider adding CCM and CTM to your P2P risk mitigation toolkit to help you catch fraudulent activity that your internal controls program can’t eliminate. By taking a proactive CCM and CTM approach to combating P2P fraud, you can help your company be more efficient and avoid cash leakage.