We live in a digital universe where an increasing number of businesses are adopting enterprise cloud applications unleashing new waves of opportunity. However, the cloud also presents the biggest business threats challenging management to re-examine internal controls, information security, fraud protection, and data privacy. Management is suffering from “Audit Fatigue” as regulators worldwide impose stringent compliance requirements to ensure transparency and protect stakeholders.
Many organizations don’t have the advanced analytic capabilities required to arrange data and identify suspicious patterns and weaknesses – and if they do, their analysis is not fast enough to react appropriately. There’s too much data and not enough analytics!
Join our thought leaders Nicholas Stanoszek and Kara Smith, EY, and Adil Khan, SafePaaS as they discuss how you can propel your business forward with actionable insight and optimized processes. In this session, you’ll learn the following:
- How hidden bottlenecks, repetitions, and loopbacks in business processes can be tracked, exposed, and analyzed leading to increased efficiency
- How to streamline operations by adopting industry-specific best practices
- How to gain actionable insight into processes for a timely response
Emma: Good morning, everyone, and welcome to today's session, “Prevent Financial Leakage with Advanced Transaction Analytics.” My name's Emma, for those of you who don't know me and I'm here on the Marketing team at SafePaaS. And I'm delighted to be joined by Kara and Nick from EY who will shortly introduce themselves and Adil, CEO here at SafePaaS. So just a few housekeeping items before we do get started. The session will be recorded for on-demand viewing. And if anybody has any questions for our speakers today, feel free to pop those in the control panel. So this is the agenda we’ll be following today. So, we'll start off with some brief introductions, and then we'll dive right into the session. So, Kara, if you'd like to briefly introduce yourself.
Kara: Absolutely. Hello, everyone, and thanks. I am not on-screen today because I'm having connectivity issues. I'm trying to minimize downs. For those of you who joined us, thank you for taking the time. My name is Kara Smith. I'm with EY’s Oracle Governance, Risk, and Compliance Practice. Been with the company for several years, and I'm delighted to talk to you about analytics, today. Nick?
Nick: Trying to share my screen here, or share my cameras, so you guys can all see me for a brief moment here at work. I’ve been with EY for about eight years. I've been doing risk and controls, though, for probably a little over 14 years. And, you know, one of my main focuses has been in Oracle Cloud. And it also has been around understanding how control environments can be impacted by transactions. And so it's really kind of a good tie on today when we start to talk about these advanced transactions and analytics, and how it could improve your business performance. How you could reduce fraud, improve your control environment, you know, all those types of things. So I'm really excited to be here. I appreciate SafePaaS for having us here. And I'm looking forward to hopefully meeting all of you one day.
Emma: Thanks, Nick. And you, Adil?
Adil: Yeah, thanks, Nick and Kara for joining us today. It's a really important topic for our customers that are kind of digitizing their business, and they're looking for a modern kind of governance platform from us at SafePaaS. And we need the advisory knowledge that EY brings to the table to help our customers get the most value out of SafePaaS as they transition into a digital platform. My experience has been risk and controls, for 25 years. I've written a book on governance risk and compliance many years ago and actively participate with customers and the marketplace in general through various professional organizations, webinars, and so forth.
Emma: So, Kara, why are we all here today?
Kara: So, we're here to talk about data and how to manage data and how to work through providing proactive insightful analysis using the data that your organization is producing to make good business decisions that are driven with the right data elements. One of the challenges that we see in the market today is that there's a huge amount of data. It's everywhere, and spreadsheets are everywhere. Lots of folks use a manual solution to try and manage their data, analyze their data, and make business decisions based on that manual analysis. And I'm sure that many of you on the call today, probably can really relate to that because, how many times have you had somebody call you and say, “Gee, I really want to know about, you know, this or that.” And you have to pull data from a bunch of different sources. Join it all together, and then try to figure out whether or not it's current, accurate, complete, and reliable so that you can then base your business decisions and your strategy upon it.
It also is extremely time-consuming, is a highly manual effort, and can be very error-prone, as you can see, from some of the numbers that we're looking at on the screen when you have 80% of a data analyst's time spent on just searching for data in order to help make decisions. And then, coming up with formulas in spreadsheets which may be error-prone or may not be replicable depending on whether or not you have different resources slicing and dicing that data in different ways.
There's a lot of money being spent on manual models, you know, in time and labor, and analysis, and resources to try and organize information in a reliable, effective, efficient way. And, frankly, it causes a lot of challenges and produces a lot of repercussions if we make bad assumptions about the data or if it's coming from a source that we may not want it to if it's not traceable. So there's a high cost of compliance when you're going through a manual process. Now, when we look at something like SafePaaS’ transaction analytics, it becomes more reliable and more replicable simply because you can decide on how you want to slice and dice this data and it’s going to get pulled the same way, every time compiled in a way that you can then replicate, and you can refer to and have more comfort around what results are being produced so that you can then make critical business decisions.
It certainly helps you in terms of time savings and also, financially, if you're spending less time trying to simply assemble data or figure out where it came from or analyze it, you can spend more time making business decisions driven by that information.
So there's definitely some, there's some upside to automating a process in a way it is going to be easier to replicate. It is going to be reliable.
The other thing to keep in mind is that oftentimes, I mean, I'm not sure how many of you out there are nodding right now when you think about, you saw a spreadsheet a month ago, somebody put together, and you thought, Oh, this is really great. You’ve got to look for it again, and can't find it because it's not in a one source of truth type of location. You also spend a lot of time searching staff down or trying to find where things have landed, that you may be relying on or want to replicate in the future. So, you know, for reliability and efficiency's sake, thinking about having one source of truth is often something that, organizations, I work with are really trying to find answers like this one. How can I make better use of my people's time? How can I focus their energies where it makes the most sense for my organization? And how can I eliminate some of these errors and rework and, kind of spend more time doing administrative activities, rather than really driving the business forward and reaching our goals?
Nick: One thing to add here is when we think about the data that's coming out of these different systems. We'll talk specifically about Oracle. It's not, while it's a normalized database and data big data platform. The data that you're getting is also coming from multiple places. To get these transactions, you're going to need it from more than one, report 1 to 1 table, and what have you. And compiling all of that, to get it in a format that is digestible, is also challenging.
So aside from the fact that we have to have a spreadsheet or some type of tool that can do it, we'll talk about other tools that used to be around, and are mostly still in the market. First, you have to figure out where the data is, you have to get all the data into a specific format that is digestible by whatever tool you're using. Then, you have to create the analytics. So, whether it's a query, or what have you tried to get the data into an analytic way to get you the data that you want out. It's also challenging, so you have to figure out where the data is, first, before you can even get to the spreadsheets.
Also, again, it costs money to create spreadsheets. They contain errors. A lot of times, there's a lot of testing that goes along with it. There is a lot of ongoing testing to ensure that the data continues to be accurate, especially if you're going to rely on it as a part of a control. So, there are a lot of things to think about. And that's why, when we see what, well, we'll talk about case studies and things like that later on. But why transaction analytics is a really good tool to be able to fast pace your way into getting the data that you want out in a format that's digestible to help you support your control.
Emma: So we've talked about some of the challenges already, but what are other challenges that you're seeing with your customers, Nick and Kara?
Kara: So I'll jump back in here and thanks Nick for adding that context. One of the things that I am seeing fairly consistently throughout the market and the organizations that I work with is that there are delays. Inherent in having a more manual process like this where if we reach back to what Nick was talking about, sourcing the data, figuring out how you want to slice and dice it, creating that analysis. And then, publishing that to your audience. In order to help you make a decision, it is oftentimes, your analysis is going to be delayed because it's not a quick process. When you think about the many places that you could source data and try to pull it all together into something that is going to help you form an opinion and form a strategy, often takes a lot of time. So, timeliness becomes a real factor, especially in a market that moves very fast. If you need to make a quick decision, you may be held up by some of these activities. So it's not the most efficient way to do it and from a control perspective, your cost of compliance becomes much higher when you have these types of manual processes. Just kind of supporting all of that, making sure that you're maintaining the data in a way that is digestible, that you're disseminating it, that it isn't on demand. It really does take time. That cost of compliance becomes quite high in some cases, depending on what you're dealing with.
So when you think about those factors, creating efficiencies and having something that's more reliable is really a goal that a lot of the organizations and clients that I work with are looking for. Time is money. We all want to spend less time crunching numbers on an Excel spreadsheet, and more time figuring out how we can be more successful in our objectives. So, as I look at this, organizations who really look for these things because it's burdensome. Nick, did you have any other insights?
Nick: Yeah, another thing, this may not be necessarily a challenge. I know we're talking about challenges, but another sign of using transaction analytics is just a way to help you understand where their transactions are happening. It might help you support some type of a procedure down the road if you need to. If you have issues with controls, it just may help you from an operational perspective. Maybe you have an issue with duplicate paying invoices or duplicate invoices coming in, or multiple suppliers with the same name, but maybe different bank accounts. You know, whatever it might be. There are different ways that you can use this tool to get that information and be a little bit more proactive in the process. We've had clients that have done these things to help. It almost essentially pays for itself, because you're saving money on one side of the other regarding payments or invoices coming in, or whatever have you. So, it's not necessarily always challenges. It could help from an operational perspective as well.
Emma: OK, and here we have an example of Oracle, ERP Cloud Reporting. So, do Oracle ERP cloud customers face other challenges?
Nick: I think the biggest thing from our side, when we think about Oracle Cloud reporting, is just the complexity of building these queries. You have a query builder and whatnot, but just the complexity of getting this data into a format, first of all, second of all, then, you have to figure out what data you're looking for specifically as well. When we have the analytics side, it's helping us digest a little bit better because it's telling exactly what we need to look for and whatnot. So, I think, from our side, the biggest challenge here is just nailing down the specific data that you need. As you can see here, it's not in the most. I will call it the most English-readable format. So, you have to have somebody that understands this in order to be able to digest it and go forward. So, it's another person. And then you have to have somebody that understands the analytics side of it. And maybe they're a little bit more of a data person. So, I would say that's probably one of the bigger challenges, is just all the people that are involved, and being able to digest this, and know where to look for the information. I don't know if you have anything to add to that.
Kara: Oh, nothing to add there.
Emma: What about test scripts?
Nick: So, test scripts are another one. So we have, as you can see here, we have SQL-based queries and data dumps. Everybody probably on this call knows what SQL is. It's a pretty old-school query language. But there is some dependency on who can do it, whether it's a DBA. So that IT dependency. It's a specialized skill set, it's not something that everybody knows. While I would say probably a lot of folks that have been in the industry for a while can probably get their hands dirty with it. To be an expert at it is challenging, especially when you start to get into complex joins and things like that. It's not that straightforward. So again, IT dependency, specialized skill set, and cloud, you're starting to go away from those DBAs, too. So we're in our old ERP world, our on-premise world. We used to have these DBAs who would have a lot of these skills. But we need a DBA to help maintain the database, and cloud, we're starting to move. But we were trying to migrate away from that, where we had that skill set. So it was a little bit of a replacement, because you don't have that database necessary. However, you have to have this specialty to be able to build some of these things. So, it's a little bit of a catch-22 on that.
And then, as I said here, challenging to get it right. And a challenge, to make sure that you're doing it right. And then, it goes with ongoing testing, and so on. So, when we talk about SQL, it is definitely a big undertaking, and it's going to take some manual searches. Clearly, that's going to be a very labor-intensive process. Double checking things manually looking up, invoices, maybe, and so on and so forth. So, this manual control, when I think of manual searches, I think of manual controls at EY. Our goal is to get you as far away from manual as possible. We want to get you to that automated world where you have controls that are doing work for you versus you trying to do the controls over and over. We try to get to a 40 to 60% automated process. From a control perspective, we try to get to more preventative type controls that are going to stop fraud from happening. They're going to stop risk. They're not going to detect risk, they're going to stop it from happening. That's what we're trying to get. So, again, manual is very labor intensive. It's inconsistent.
I do it one day, Kara does it another day. Maybe one day, I get distracted by an e-mail, and then I skip a step in the process, what have you. It could be any of those number of things. That's why manual controls are - I mean, they could be effective, but they're very challenging to do regularly, and ongoing. If it was once a year, maybe. But if it's a regular thing, it's going to definitely be a lot and to be consistent it’s time consuming and labor-intensive. But, again, from our world, and I would think that SafePaaS agrees here is that we want to get you into this preventative nature. We want to get you into this automated world. From an automation perspective, you have controls working for you versus you doing the controls to do something.
It's going to be a sampling. So, when we think about manual lookups, or even SQL, it's going to be sample-based. You're not going to have a hundred percent coverage, because it's labor intensive. When we talk about analytics here, from SafePaaS, it's ongoing. This thing is going to keep going, it's going to find that stuff for you, and it's going to work for you. So think of it as another human times 100, because they're going to just continually work every single day, every single night, whether we're working or not.
Then, lastly, no alert monitoring, it’s point in time. And it's not, let's just say, I do a manual search. It's at that given time. And then, I may not look again for another week, two weeks, three weeks, whatever it might be. But, it's at that given time based on a sample, and then alert monitoring that very what I was speaking to, is more effective. When we talk about SafePaaS, it's going to alert us. It's going to say, “hey, over here, there's an issue. There is a duplicate payment, three duplicate payments,” whatever it is. And that could save a lot of effort, but it's also going to save a lot of money too. That's just one example. So again, test scripts for big data, it's costly, it's unreliable. It's inconsistent. It's very labor intensive. And it's based on this sample across the board.
Emma: Do you want to add anything there, Adil?
Adil: I agree with all that, I'm just thinking about how we solve these problems. So I'll just add that most of the time when we talk to our customers, the pain points that we're hearing from Kara and Nick are the pain points our customers have. They bring in SQL scripts to us. They bring in spreadsheets to us and, we appreciate working with customers that are already out of control centric. They're running good controls that are governing their business. And they bring all that to us, and our job begins where the solution begins. People just light up when we say, “you don't have to do all of that. No spreadsheets anymore!” Now you'll have a system that does it for you, that is SOC-certified, so you don't have to constantly look over shoulders and take screenshots whether the data is good or not.
Emma: And what about ACL scripts? People are probably not familiar with these, either.
Nick: Yeah, to be honest with you, it was so funny when we were putting this deck together. I asked, “What is ACL?” and that's how long it's been since I've been around ACL. I think the last time I've been around ACL was probably 2006 or 2007, maybe. So, it's been quite a while. And it's ineffective. In the first line here - it's ineffective for complex ERP models. When we talk about complex ERP models, the data is in so many different places and there are so many different ways to get the information that it's challenging. Aside from that, we talked about in the last slide, this dependency on IT or the dependency on a specific skillset. It's the same concept here. It’s another type of language that you have to be familiar with. You have to have this skill set to be able to use these ACL scripts, so I don't know if you have anything to add to that. But this is the way I look at ACL.
Adil: I think this is the early two thousands way of managing data, in a way to get analytics out. Today, there are so many more ways to do it through automation and that's where SafePaaS comes into play. Companies we've talked to have invested in resources, educating them on SQL, ACL, and all that. So, they have been doing some sort of controls. But, I think Kara said that earlier. This is time you spend on extracting and compiling data, versus focusing on your objectives and how you can be successful, is a challenge. It's been around for a long time. I started many years ago in the business, where, this was the tool that I had to learn, to be able to do audits. That was a great start, just like SQL was. But with the data growing as we saw earlier, it's just becoming more and more impractical. You can't run ACL against cloud applications like you were talking about. So, Nick, that's where these are old technologies, but people have them, and we appreciate that they've been using them. But, it's time to move on to the digital platforms.
Emma: What are the benefits of using advanced analytics?
So, I'll touch on this briefly here. So, business benefit. So in the beginning, we talked about all the data, tons of data. What do you do with the data. Everybody knows, and understands controls. And being able to do reconciliations or maybe it's approvals. Now we're talking about actual transactions that are occurring - things that are happening in real-time. So the business benefit here is that you're going to start to understand those transactions, understand your flow of data, and then detect potential fraud as it's happening. Or detect it enough that it's soon enough that you can go and retract from whatever happened. Maybe it's a duplicate payment or something like this, or where you can then start to follow up on that.
Before you didn’t have these types of things, that, unless it's manual to go and figure out if we already paid this invoice twice. Whatever it might be. The benefit here, is that you're going to be able to track that data. So that first one here, we talk about Payment processing, duplicate, or incorrect, payment. That's massive. I had a client once that has, I think, over one million dollars in duplicate payments that were saved through a query, from transactions. So very, very powerful tool to prevent that from happening.
Granted, they may have a lot of payments, but, again, when you think about the one million dollars and savings payments, that pays for the tool itself.
Improvements in the incident investigation process by establishing business roles to assign incidents based on risk level and so on. This one is nice because now we have specific incidents that happen and then it's going to allow us to tie somebody to that, to be able to look into that incident. Similarly, when we think about SafePaaS - we're now looking and tagging violations, the people to look into, or maybe it's recertification, or whatever, now, tagging X specific incidents that are happening, at a transactional level, to specific people, to look into, and research. And then it tracks it for audit purposes and whatnot.
The one thing here I like, too, is that you can start to tie these controls, then these types of transaction controls to physical business process controls. So, that way, there's some type of backup data to be able to support the business process control, Management, visibility, and independent oversight to monitor, approved or rejected payments. That's just one example, but it just provides that visibility into what's going on at a transaction level.
That's just, again, that rejected approved and rejected payments. Just one example of that, but it gives that independent oversight. It gives somebody the ability to see what's happening in the data and the transactions on a regular basis.
Again, this goes hand in tandem with your business process controls. It's not one or the other. I think this goes in tandem, 1000%. Sometimes, you might have a little bit more operational-type stuff related to transactions, but I think it can definitely go on eliminating contradictory actions produced by auditors, by providing structured investigation processes, again, when I talk about look back procedures may be right or controls that are supported by transactions to be able to show things that are happening and how effective this control might be. Hey, we have this control. We've improved the control, because we realized that we were making duplicate payments, and our transactions were caught. So, now, we improve the controls and we have this data to support those changes, and in all of that. So, again, it eliminates those inconsistencies and contradictory actions by auditors.
So, reducing your cost. Optimize, recover audit processes, business processes, with integration to the ERP system for vendor management and payment processing. Again, it's tied into the business. It's going to have vendor management. We are going to be able to see, how did we pay them? Have we paid them already? Did we pay them as a duplicate vendor? Do they have a different bank account on that duplicate vendor, which is where it's becoming important with that payment processing. So it's optimizing those recovery abilities.
Mitigates financial misstatement risk. I think that is straightforward with any control across the board that we're going to try to implement. Our goal at EY is to give you controls that, are going to mitigate financial statement misstatement risk. That is our ultimate goal when we design controls. How do we reduce risk? How do we mitigate risk? How do we eliminate risk? Whatever it is, that is our ultimate goal. So, that's the same thing that goes here.
And then it will streamline your financial flows, processes, and reporting. That same thing with any control as well. Our goal is to give you controls so that there's no questions at the end of the day about the transactions that happened. Whether it's approvals and whatnot - you have all this data to support your transactions and the integrity of those transactions throughout the month to help you streamline those processes.
Adil: You covered it well.
Emma: And finally, we're going to move on to a case study. Adil do you want to walk us through how a leading footwear company was able to control costs with advanced analytics?
Adil: It's one of the companies I worked with. It's been a few years now but I worked very closely with their audit, vice president of audit. They had an ERP system. They had a retail management system. And so our initial work was really related to helping them, as Nick was saying with compliance. That's how we usually get pulled in, “hey, we want to improve our ability to test controls, automate controls.” We looked at controls across the board. It’s a global company with 50 plus warehouses around the world, probably bigger, now. And, I think 500 plus stores around the world. They have a very complex supply chain with Asia Pacific, Latin America, basically a global supply chain. The design is done in the US, but manufacturing is done in all these regions around the world. So, a complex business with multiple systems, and they had a number of concerns around profitability and productivity. And so, some challenges, as we've talked about - they were using tools like ACL. They were using spreadsheets, but they just weren't able to catch things in time. And because you're in a fast-moving market, got a global supply chain, it's difficult, by the time you compile your data and take it to the person responsible for making a decision, the money has left the bank, so they say. So that was the challenge. Even though they were getting information, it wasn’t coming at the right time, it was delayed. It was stale. There was frustration on the audit side of the house, but also senior management. They tried using third-party auditors that, there's a whole industry out there of recovery auditors that will go in, dump the data in Excel and build it. And they take 30% of whatever they collect on average. So, they tried that as well. It got mixed results, and, being a global company, they had all the tools in the world. They did invest in reporting tools.
They had BI tools, data extraction tools, ETL tools, but they didn’t have the approach that Kara and Nick talked about coming from an audit perspective. What is a good control design, and how do you make controls effective. Then they tried third party consulting firms and so forth. Systems, integrators we call them.
They were really leaking cash, and that impacts margin and what the big driver for them was to move forward with us, was that we showed them that every dollar they lose on the bottom line costs them $10 to re-earn. Because when you lose net income or net profit you have to sell a lot more shoes or apparel to be able to earn that extra dollar back. In their case, it was 10 times. And so, it was a really strong business case, the benefits that you just heard here today, applied to this company. So, they chose us to help them implement advanced analytics.
Now, when we implement advanced analytics, I want to talk a little bit about what that means to you, because it sounds like a big black box. So, what we do is we usually come with best practices, catalog, and partners like EY, that have a tremendous amount of resources and experience in doing this work. So we'll sit down with our customers, with CFOs and the CIOs and the line managers in this case, all the way down to procurement, paid payables, and so forth. You basically look at, what controls do they have in place, how do you assess them, how effective they are, and which of those controls can be automated. Obviously, not 100% of controls can be automated. That's our mission goal, and one day that will be possible as organizations become more digitized, but some things are still done in spreadsheets and we have some tools to help automate those, as well. But, anyway, so they had a big chunk of controls in their controls catalog that were good candidates for automation, and some of them were SOX controls, key controls. Some of them were operational controls, which we’re focusing on today. They usually fall into the category of recovery, audit or operational controls. And Procure to Pay, as I mentioned, was the big area.
So, we were able to take, I think, 30 to 50. The range of controls that we have in our catalog. And basically, deploy them. So, you don't require them to go into this analysis, which is what customers fear. They don't want to take on huge projects that just don't have any end in sight and it takes forever to get the ROI. We're expected to produce results in this quarter, this month, this week. So, that's what they were looking for - show me the proof. And then I'll do more with you. So, that's the approach we took. We picked some of the controls that are if you've been in the procure to pay controls business as Nick mentioned. So, duplicate invoices, split POs, hierarchies is another thing. We look at a number of those transaction controls. I think we settled on about 25 of those controls, and these controls were then deployed.
The way we deploy controls. And that's maybe interesting to you as well, to know how we do that. So, once you select the controls, basically, SafePaaS being a cloud platform has connection capabilities that supports all major protocols of all major ERP systems, because that's where most of the money gets transacted in the world. So, you're thinking about the top 10 ERP systems like Oracle, SAP, PeopleSoft, Workday. So, those are the systems that SafePaaS automatically connects with. Or let’s say in this case, they had a warehousing system that was home-grown. So, we were able to connect to that system. And why was that important? Because we found there was, everything from fraud to inventory losses that were happening in the warehouses. And I'll explain that in a minute.
We basically connected to their systems. It's not just about extracting data from one source to one spreadsheet, and you know that, if you have been in the enterprise world, it's about really taking the data from multiple data sources where the data is being meshed together to provide useful information. So SafePaaS, being a platform where it can take data from multiple sources through many protocols, and I won't go into too much technical jargon. But those of you that are more IT-oriented, REST and SOAP for the Cloud applications and JDBC and flat files, and all those formats for the on-premise applications. So we have, basically, all these formats and we're able to take data from cloud, from on-premise applications, and then mesh it together into these, data lakes is the term I think people use to define what you do. So we're able to create these repositories of data.
Extracting data has many challenges. One is, that was mentioned earlier as completeness and accuracy. So, an auditor must rely on that data to ensure that the conclusions and observations that are drawn from that data are accurate. So for that purpose, to rely on that data, the way SafePaaS works is it has the capabilities where we look at the source and target. So, you can be confident that, whether you're an auditor or control owner, a compliance manager, an IT security expert, or an IT manager, all of these people that get involved in these types of initiatives in a company all want to be ensured that data is a single source of truth, I think, is what Kara said earlier - so you build that single source of truth. And once you have that data, then you can easily put analytics on it instead of writing complex scripts, you can drag and drop elements of data in plain English.
So one of the things we were able to do is, there's the, basically four or five categories of controls that we built for them. So first, we started with the merchandising losses.
It is called Inventory shrinkage in the industry. So we started - I'm going to pick on the second item since I'm talking about that. So that merchandise audit was basically looking at shrinkage in the inventory, which has many reasons - sometimes, it's basic shoplifting, sometimes damaged merchandise that is received into a warehouse.
There are shipping and receiving control challenges, where you're shipping all these latest running shoes or golf shoes for the Christmas season that people - it's the hottest product in the market. You're spending a ton of money promoting that on channels. And people walk out with that from your warehousing, because people that can ship products can also receive products. We often see that as an SoD conflict, and that materializes into an audit risk.
From a merchandising perspective we were able to find a significant amount of the inventory. By significant, I mean, of two to 3% - it was above the industry tolerance levels. Where it was a victim to these merchandising losses, and inventory you live and die. If you're in manufacturing and distribution, you live and die with your inventory. That's an asset. So we were able to dig into that by going into warehousing systems, and comparing that against the ERP system, where you had bills received from the suppliers. And there was something interesting that we found, and it's called freight audit, which is kind of related to merchandising audit. And the freight, what we found is that they had contracts which have FOB terms but they were getting billed twice. So even though they had negotiated a contract where merchandise was shipped from Asia into California, and the suppliers were supposed to carry the expense, that expense was actually getting billed separately by the freight company on top of this, and they had been paying, being a good, bona fide company. They had been paying those bills, not recognizing that there are different departments in procurement and payables that weren't connected. So we found some integration issues in their existing systems. So that's kind of the merchandising story, the freight story, and so if you're in a business that does any of supply chain, you should talk to our partners, like EY and us on how we can help you with that. As I said, our focus is more on operational risk today. We do a lot of work on the financial risks, too. But that's an example of your money leaving the bank where transaction monitoring really helps.
So when we implement transaction monitoring, like we did for this customer, they were able to reconcile their merchandise against their contracts. It took us some effort. Obviously, they had some contracts - now they're all online, but some contracts were offline and they had to get those online. Or at least the terms of the contracts in the database. So once we had all the data in there, now we can reconcile the terms of the contract against the freight charges. And we were able to prevent that from happening.
So we would go in, our system would interact with the ERP system, and send a notification to put that payment on hold till one of their responsible managers could go in and verify if it's truly a contract issue. Or if there's an exception to the contract. Because you don't want to stop the supply chain. So you want to have that flexibility to release holds when that occurs. And so, that's an example from merchandising and freight perspective.
What SafePaaS can do is help you streamline these controls by automating the process, so that we extract data from multiple sources. And you can set the frequency. You can do it once a day, every hour, once a month, or whatever you're comfortable with, and your business depends on how you want to design the control. And that's where EY can help you guys and advise you on what's the right level of frequency of a control, what's the right kind of design of a control.
So once you design that control, you don't have to do the technical heavy lifting. The SafePaaS objects, control Objects, will do that for you. So they will link all your data together and produce the results.
So, these are what you're seeing on the top left quadrant. There is an example of how the objects that I was describing come in. So these objects are basically imported into, let's say a conference room pilot, if you use that approach. Bring in your elements from across different data sources, and then you can describe, you can assign those, based on your thresholds. You can add rules logic to it. For example, if the invoices are 99% similar. In other words, the invoice number matches, the date matches and amount is within one penny, or you can say 100% matches exactly. You can define that in that top left quadrant that we're seeing on the screen here. And that's an example of an ERP customer we're working with.
On the bottom left, you can see the details of the object that I was describing. So, what sources that data comes from. So you can, it's very tiny to see, but if we get these slides to you in the distribution that Emma does, you'll be able to expand on it. But you can see there are different types of data sources. It could be cloud, JDBC, different formats, different types of data, or even flat file. So that data is coming in from across sources and is feeding into that object SafePaaS provides you.
And then the top right side, what you're seeing is the actual assignment of that risk to someone responsible to manage that risk. As I mentioned in my freight example - let's say you have an issue and the warehouse manager needs to know about it, that we have an inventory shipping and receiving problem: we received X amount and only shipped out zero point nine X. So, we have a 10% gap, so let's say that's one of your controls, or same thing with the freight, you have and you've been billed twice. You can define what conditions under which an alert should be sent.
Because there's tolerance levels you can accept. If it's maybe under 2%, you just have those relationships with your suppliers, depending on the supplier, you will accept that as long as suppliers are liable and they ship the product. You can select the tolerance level, you can select who should be informed. You can also set escalation policies. So maybe the procurement manager received the first alert, and then it goes to their supervisor. And eventually, it goes to the CFO. If you want to have that type of hierarchy, and then the other thing that our friends at EY and others have mentioned, is, it's OK to send alerts, but we don't know what people did with that risk. Did they just look at it and shrug their shoulders, or did they go and fix the problem? Because there's a big difference. Is the control operating effectively or not?
So, we give you these dashboards where you can manage, as you can see in the bottom right side, where you can see risk by process and drill down into these levels of incident details. We provide you with what we call a closed-loop analysis of your risk. So, it's not just sending the alert, it's what remediation or corrective action that the person responsible who was assigned this risk took. So, did they shrug their shoulders and just accept the risk? Or, did they, in fact, go and investigate that and resolve that problem, and also have prevented it from happening in the future by enabling a preventive control within SafePaaS or their ERP system?
So, now, you've got this dashboard where you can drill down into the risk. So closing the loop. Now you can go to what Kara said as she laid out the vision, where you're not chasing spreadsheets, you're focusing on success. You're taking that information by process, looking at the incident risk, and this makes your auditors happy who tend to be independent of this. So, the external auditors are coming in and they're saying, “How do we know that this process is working?”
You may have independent auditors within your organization. In this case, this is a case study I'm talking about the VP of Audit had independence from the operations. So, we worked very closely with operations. But in a nutshell, what the VP of Audit was looking for was a dashboard where they can go and drill down and see, “What can I rely on here to ensure that my financial statements are reliable at the end of the day. My CFO can sign off on the 404.” And so, that really helped them. And that's why I just picked on one example. It’ll take several hours to explain all of the work we did there. But that same thing applies, so I picked on the procure to pay, I picked on merchandising because this was a retail account for us. But you can apply that same logic to a government agency. We have a Treasury Department of a state that worked with us where they have a contract and they have to pay on settlements they have to pay on. So you can apply the same technology. Do the processes that are important to you as a company, the significant process in your business. Some examples of dashboards that they were able to receive in real time, that this is something they could pull in every day, when the VP of audit walked in, which had experience in recovery audit, as well. These are the dashboards. They're all user-defined dashboards, so they're not hard coded. We provide this, so now your data, I'll take a step back and say, look, it's easy to draw graphs from any graphical tool these days, or design but is that data to Kara’s point, a single source of truth in real-time? So as your AP systems are being updated as are your warehousing system and merchandising system, as your retail systems are interacting, you want to be able to see what's happening.
So when you go into the board meeting and your CFO’s explaining performances from last month this month, this quarter, the next quarter, they're just disclosing that in a 10-K and an annual report that they can rely on this data to make sure and most importantly, they can be proactive about it. So, you're not looking at it as - we had some losses, and too bad, they're saying, here's what we're doing as senior management to govern our business better. And so, you can see, we provided them claims data around the world. You know, the ratio of claims in different regions, and they could see the control behavior in different markets. And the reason behind this, because I worked with them, rolled up my sleeves, is that they had different systems. So there were different merchandising systems in Asia versus Americas.
And you can see that they had an opportunity to improve controls in certain systems, and they took a kind of a risk-based approach. So, where the risk was higher, and the impact was higher, that's where they then moved to. They were also able to get a better feel for their vendors or suppliers. So, I mentioned the suppliers that were duplicate billing them. They obviously were eliminated from the supply chain or given stern warnings depending on the severity. And so, they were able to really look at this every day. And, they were able to score their suppliers better. And, these days, we have even expanded that capability. We've all heard in the last couple of years, where SolarWinds was the poster child, unfortunately, a company here in Texas, where I am, where they were essentially taken advantage of on the security side. So, now, that risk, even progressed beyond managing the suppliers from a performance perspective, into security and cybersecurity. So, all of those scoring methodologies are available to you, where you can score your suppliers. You may have digital suppliers these days, so you can score them, and that gives your procurement team the confidence to do business in this very complex supply chain. So, I mean, in a nutshell, what I would close by saying is that, working with platforms like SafePaaS eliminates a lot of those challenges. You're spending more time focusing on success, but I think you need an approach that comes from people's practitioners. Like, Nick and Kara have demonstrated today - that you bring folks like them in who understand SafePaaS. They’ve worked with it for a long time, and they can help you prioritize where you can get the biggest bang for your buck.