- September 14, 2017
- Markus Hornburg
- Finance & AP
We have talked in previous posts about best practices for implementing e-invoicing—assessing your organization, designing it as a P2P project, and bringing in a global project manager. But, even organizations who have done all of this can still run into one last hurdle that could cause the project to suffer from massive, costly delays or even a permanent stop: Compliance.
Most of these projects are set up either by people in procurement or in AP, and those people are focused on optimizing their own processes. They forget to get the people in charge of compliance matters on board.
Why? It usually comes down to lack of awareness. The project owners may not realize that when they are buying a solution, they are outsourcing compliance to a third party. Internally, there may not be a compliance department, or anyone with compliance in their title, so it may not be obvious who, if anyone, is paying attention to this. Or, they may simply assume that if they are buying a solution, then of course the solution provider is compliant. And, maybe that is true.
However, even if you outsource compliance activities, you cannot outsource the responsibility for compliance. Legislation is very clear that if you are using a third party to handle different processes, you are obliged to ascertain their compliance with all applicable legislation. The people in charge of compliance inside the company are going to want to see that for themselves before they sign off on anything.
They will ask for details, and they will ask a lot of questions because their job is to protect the company, and themselves. They're personally responsible and accountable, and they will not risk penalties or fines or jail time. They're not going to be flexible, because they can't be. Compliance is binary. Either you are compliant, or you are not. They will not say yes just because you promised something to someone.
Creating an enemy
You need to figure out who these people are, and bring them in early in the vendor selection process, because they will not let you proceed unless they are satisfied. The worst thing you can do is leave them out, even inadvertently. Their knee-jerk reaction, which is just human nature, will be to reject your project, because they are afraid. They have an existing process, which from their perspective is working. And now someone is coming in, someone who from their perspective has just demonstrated that they have no knowledge about compliance, and wants to change that process. You will have created an enemy.
So, who are these people, and what do they need to know?
The first group is concerned with operational compliance, and that has mainly to do with data. Your global compliance people, the chief compliance officer or chief governance officer, are going to be very interested in how well the vendor will protect the data that you are going to process. To satisfy them, the core data protection mechanisms need to be bulletproof.
They will want to know where the vendor processes and stores data. They will want to know what kind of mechanisms are in place to protect data against intrusion from inside the vendor organization. They will want to know how data in motion is protected, and where data can and cannot go. Many companies have rules about this.
For example, a company operating in Germany may have a rule that its data cannot leave the EU. In the absence of data protection agreements between different countries, the data could potentially leave the area that was guaranteed to the customer. Say, for example, a support person in India were to access data in the German data processing center; they could potentially download information to their local workstation. Is there a mechanism in place to prevent that? These are the kinds of details your global compliance people will need to know.
Fiscal and legal compliance
The second group of people will want to be assured of fiscal and legal compliance. This is a bit more complex. Data protection can be centrally controlled, and there are probably only a couple of people who need to be involved.
But, when you are rolling out global P2P projects, in each country where you have a registered legal entity there will be a fiscally responsible person who is answerable to the government of that country for the accuracy of the accounting. This requires compliance with each country’s rules governing the documents themselves, everything from what information is presented on a purchase order or an electronic invoice and how it is presented, to the storage of such documents.
If something is wrong with those processes and the documents being processed, the country-level representative is responsible. They are the ones who will be putting their signature on it, not their boss in HQ. You will not be able to roll out your project into all these countries until you bring those people on board.
For both data protection and fiscal and legal compliance, legislation requires you to make sure that you receive the vendor’s documentation on how they comply with the law. So, you need to know what their capabilities are. How deep is their investment? What are they doing in terms of certification? Your compliance people are the ones who are best positioned to ask those questions and evaluate solutions from a compliance perspective.
Paper thinking, if not paper processes
You may not think about it, but even in the paper world, where you send invoices through the mail, there is an element of compliance, in that the postal service has terms and conditions and limits of liability. It is ultimately your responsibility, not the postal service’s, to make sure information is correct, travels safely to its destination and is stored in a manner that keeps it accessible to auditors. You have to think along those same lines as you transition to the electronic world.
And then, very importantly, in your project design, just as you should bring the chief procurement officer and the chief financial officer into the boat to receive their backing for your project, make sure that your colleagues from compliance are in the boat as well.
I’ve seen far too many instances where the project has been planned, the vendor has been selected, and money has been laid down, without any thoughts about compliance. Then a communication about the project goes out, which is the first that the compliance people are hearing of it, and they shut it down immediately. And they are right to do so, because they do not have enough information to determine if it is compliant. So, get them in the boat early, or you may find yourself up the creek with no paddle.
Markus Hornburg is vice president of global product compliance for Coupa. Prior to that, he held senior compliance roles at Tungsten Corporation and SAP.