detecting fraud through vendor audits•where is the vendor located? •who are the owners, what...

© 2019 Association of Certified Fraud Examiners, Inc.

Detecting Fraud Through

Vendor Audits

Preparing for a Vendor Audit

© 2019 Association of Certified Fraud Examiners, Inc. 2 of 27

Determining the Purpose of the Audit

Process Compliance

Audit

Financial Compliance

Audit

Regulatory Compliance

Audit

Fraud Examination


Process Compliance Audit

▪ Designed to determine whether the vendor is

doing what it was hired to do

▪ Typically involves:

• Field visits

• Walk downs

• Process and procedure reviews

• Vendor surveillance

• Interviews with vendor employees and subcontractors


Financial Compliance Audit

▪ Designed to determine whether the vendor is

billing appropriately (i.e., billing for the agreed-

upon work at the agreed-upon rates)


• Similar procedures as process compliance audit

• Detailed analysis of financial records and supporting

documentation

• Either full transactional review or sampling methods


Regulatory Compliance Audit

▪ Designed to determine whether vendors are

following the laws and regulations that are

relevant to the goods and services they provide


• Comparing both process and financial compliance to

the applicable regulatory laws

• Detailed analysis of laws, regulations, statutes, and

standards and comparison to the goods and services

provided


Fraud Examination

▪ Encompasses some or all of the elements of

process, financial, and regulatory compliance

audits, with a primary focus on the financial

aspects and implications

▪ May be specifically undertaken, or may evolve

from any of the other types of vendor audits

▪ Goal is to determine whether the vendor

intentionally undertook any actions to defraud

the contracting organization


Developing Pre-Audit Support

▪ One of the most important

parts of preparing for a

vendor audit involves

obtaining management’s

buy-in and support for the

engagement.

▪ The audit team must also

explore and understand

fully the influence of the

vendor on the company.


Obtaining Support of Potential Stakeholders

▪ Operations management

▪ Legal services

▪ Procurement/supply

chain personnel

▪ Quality control and

assurance team

▪ Health, safety, and

environmental experts

▪ Regulatory affairs


Determining Audit Resources

▪ Depth and expertise of the internal staff

▪ Understanding of the infrastructure, operations,

and business records

▪ Potential benefits of hiring outside experts who

specialize in vendor audits

▪ Contract requirements

▪ Potential conflicts of interests

▪ Confidentiality concerns

▪ Defined scope of the audit


Collecting Pre-Audit

Background Information

▪ Much groundwork can be done before setting

foot on the vendor’s property.

▪ Research and analyze the backgrounds of the

relevant parties, relationships, processes, and

products/services.

▪ Information related to these factors can be

found in the audit team’s own organization or

through public records and Internet sources.


Understanding the Process and the Data

▪ Is the good or service easy to verify?

▪ How is it delivered?

▪ How are time, expense, and costs recorded?

▪ How do review, approval, and verification

occur?

▪ How are change orders obtained?

▪ Where are the documents and records housed?


Understanding the Players

Public Records and

Secretary of State

Information

• Where is the vendor

located?

• Who are the owners,

what other businesses

do they own, and are

they vendors as well?

• Does the vendor

operate under a DBA

or alias?

• How long has the

vendor been in

business?

• Does the vendor have

a history of OSHA

fines?

Court Case History

• Has the vendor been

sued civilly?

• Have the owners been

prosecuted criminally?

• Have there been

allegations of fraud or

contract disputes?


a history of suing

others?

Online Searches

• Are there negative

news stories on the

vendor?

• Is the vendor

mentioned favorably or

negatively on blogs

and social media?

• Is the vendor closely

aligned with employees

within the

organization?


a poor BBB rating?

• Is the vendor listed on

the Excluded Parties

Listing System?



▪ Employees at both the vendor and customer

organizations involved in the contracting or

purchasing process

▪ Other individuals involved

▪ Key sources of audit evidence



▪ Potential ethics or

operational issues to

consider during the audit

▪ Use of public records:

• Court case history

• Secretary of state or other

business records

• Online searches


Warning Signs of Conflicts of Interest

▪ Internal parties who:

• Vouch for the vendor’s products and services,

downplaying the need for an audit

• Are overly inquisitive about the underlying reason for

the audit.

• Are overly inquisitive regarding what the auditors will

be looking for

• Sound as if they work for the vendor and not the

company

• Create audit roadblocks


Assessing the Risk of Fraud

▪ Operating environment

▪ Goods or services involved

▪ Relationships between parties

▪ Backgrounds of the parties

▪ Specific contract terms and conditions

▪ Past fraud or misconduct

▪ Tips or complaints regarding the vendor


Assessing the Risk of Fraud

▪ Gaps or red flags in the

controls

▪ Incentives or pressures

that might lead individuals

to commit fraud

▪ Opportunities for collusion

▪ Methods of concealing

fraudulent activity


Notifying the Vendor

▪ Notification timing

▪ Notification method

▪ Who should send the notification?

• Procurement personnel

• Audit team

• Operations personnel

• Legal department


Notifying the Vendor—Red Flags

▪ Denial of the audit

▪ Sudden and unforeseen

catastrophes

▪ Hostility to mentions of

the audit

▪ Slow response to audit-

related requests

▪ Influence or leverage of

internal supporters


Requesting and Gathering Documents

Internal

audit

Accounting

and finance

Unrelated

or

supporting

parties

Procurement Operations Vendor

Order of document collection


Requesting Access to

Vendor Documentation

All

supporting

documents

available

while on-site

Specific

information

pulled and

available

while on-site

Vendor

forwards all

information

prior to audit

Vendor

forwards

specific

information

prior to audit


Requesting and Gathering Documents

▪ Internal or third-party gathering:

• When possible, gather data and records directly from

the system, file room, or location in which the data

resides.

▪ Requesting data in parallel:

• Identify trusted and unrelated points of contact who

can supply copies or secondary sets of data to be

used for comparison.