Internal Audit Procurement Policies and Controls

©2012 Deloitte & Touche LLP

Melissa Aw Yong

10 October 2012

SAA Global Education Centre Pte Ltd, Seminar 6/7

111 Somerset Road, #06-01/02 TripleOne Somerset, Singapore 238164


Agenda

• Opening

• Key components of Procurement
  • Identify and discuss key components in Procurement cycle

• Key Risks
  • Discuss key risks and associated internal controls in the Procurement cycle

• Audit Steps of the Procurement cycle
  • Brief discussion on the audit steps - develop strategy and plan, audit scoping, audit execution, delivering insights

• Challenges & Resources
  • Discuss common challenges in review of Procurement cycle
  • Discuss tools and resources to meet these challenges

• Practical suggested improvements to Procurement Process
  • Common findings and recommendations to strengthen the internal controls of Procurement process

• Closing


Opening


Learning objectives

• Understanding of the key components and risks in the procurement cycle, audit steps, common challenges during the audit and resources to meet these challenges, suggested recommendations to strengthen controls over procurement process.


Attendees introduction


Speaker introduction

Melissa Aw Yong serves as a Director with the Risk Consulting practice of Deloitte, providing governance, risk and compliance services, specialising in the Hospitality and Real Estate industries. She also serves as the President of the Singapore Chapter of the Association of Certified Fraud Examiners.

Prior to Deloitte, she gained valuable work experience in internal audit, risk management, compliance and fraud investigations with professional firms, multi-national corporations and government linked companies.

These multi-national corporations included one of the largest international hotels management groups, where she contributed to the establishment of their internal audit presence in Asia Pacific, designing of their anti-fraud framework and establishment of their inaugural brand compliance management process.

In her most recent corporate experience, she served as the Head of Internal Audit in a leading real estate company, engaged in business of management of development, project, property, estate and funds in Asia.

Melissa gained her Bachelor of Accountancy from Nanyang Technological University. She is a Certified Internal Auditor (IIA), a Certified Fraud Examiner (ACFE), a Certified Public Accountant (ICPAS) and has also received a Certification in Control Self-Assessment (CCSA).

Key components of Procurement


Purchase: Requisition, Evaluation, Selection

Delivery: Receipt

Payment: Matching, Disbursement

Key Risks


Considerations for risk identification include, but are not limited to:

• Collusion between employees and vendors?

• Vendors defrauding the company?

• Collusion among vendors within an industry?

• Employees defrauding their employers?

• Is a process established?

• Is there segregation of duties?

• Are requestors authorised?

• Are the evaluation and selection criteria fair and transparent?

• Are the evaluators independent?

• Are receivers qualified / trained / equipped?

• Are transactions recorded?

• Are transactions in the systems accurate, valid, authorised, monitored?

Audit steps of the Procurement cycle


1. Understand the Business Objectives, Control Environment, Management Control, Industry, Regulatory Environment, Economic Issues

2. Recommend strategies for addressing the relevant issues identified in the risk profile and the resources required

3. Obtain Senior Management and Audit Committee approval.

4. Identify business objectives, risks, controls and exposures

5. Incorporate insights of specialists

6. Prepare detailed internal audit project workplan.

7. Perform detailed process/transaction/ systems

8. Walkthrough (process mapping) and documentation of results

9. Perform and document detailed testing, benchmarking to best practices and analysis

10. Evaluate results and collaborate with management

11. Draft report and solicit management responses

12. Issue final report

13. Follow-up and track key recommendations


Challenges & Resources

Challenges

• Volume Of Data

• Sampling

• Ability to verify Receipt Of Services

• Relationships matters

Resources – Whistle Blowing

Source: Association of Certified Fraud Examiners 2012 Report to the Nations on Occupational Fraud and Abuse


Whistle Blowing

• Employees

• Customers

• Vendors

• Competitors

• Agents, distributors, etc…


Resources - Power of Analytics


The Old Way vs. The New Way


Data analytics uses data to drive business strategy and performance.

• Looking backward to evaluate what happened in the past

• Forward-looking approaches like scenario planning and predictive modelling.

• To see it; see what it means; what it can do.

What is your data trying to tell you?


Art or Science…?

Science

• Fact-based

• Data extraction and cleansing

• Statistical analysis and modeling

• Trending, statistical analysis and data classifications

• Data analysis techniques to perform queries and analyze data in support of a specific objective

• Technological tools and software
  • basic and advanced MS Excel functions, Structured Query Language (SQL) and statistical models, among others

Art

• Multi-dimension and multi-cross referencing of data

• Behavior and common practices

• Presentation of analysis and models

• Insights derived from multi-faceted interpretations and perspectives

Data Analytics is the science and art of examining raw data with the purpose of identifying patterns and relationships to draw conclusions and insights from it.


The Value of Data


Resources - Methodology


Auditing your business differently

Data Analytics in audit allows 100% review of the population size unlike sample testing in traditional audits.

Work Flow

• Typical Internal Audit: Understand the business → Random sampling → Test samples → Identify Audit findings

• Internal Audit with Analytics: Understand the business → Understand the Data → Perform Data Analysis → Focused sampling → Test sample/s → Identify Audit findings

Testing

• Typical Internal Audit: Random sampling

• Internal Audit with Analytics: 100% analysis and focused sampling

Correlating data

• Typical Internal Audit: Data correlation from different sources is manually-intensive, almost impossible

• Internal Audit with Analytics: Ensures data from different sources are correlated and supports conclusion

Audit findings

• Typical Internal Audit: Higher possibility of being arbitrary, ambiguous and subjective

• Internal Audit with Analytics: Fact-based and data driven (incontestable) resulting in more insightful recommendations

Audit errors

• Typical Internal Audit: Higher risk of human errors

• Internal Audit with Analytics: Reduces risk of human errors


Unlocking data value


Data analytics methodology


Resources - Case study - To utilize analytics in the Procurement to Payment Process


Thought process

• What are the main processes and sub-process?

• What data is captured in each step?

• Is data captured in the system or on paper?

• Is the system-captured data useful?

• Can data be extracted from the system?

• Is data cleansing needed? Can it be cleaned?

• Can analytics be employed?

Purchase: Requisition, Evaluation, Selection

Delivery: Receipt

Payment: Matching, Disbursement

Build Analytical Data Set (ADS)

The ADS is a list of all records (transactions) that will be analyzed. It takes into account all data from various data sources and puts them together in one area to ensure consistency of analysis. Each transaction from each data source should have a connection to another transaction in another data source (Foreign key relationships).

An ADS can range from having just 10 columns to hundreds of columns, depending on the amount of data.

ADS

• Invoice listings

• Purchase order listings

• System access rights

• Approved vendor list

• Vendor details

• Payment listings

Identify data that may contribute to risk

Vendor     Approved Vendor   Amount Paid   Payment Date   Person Posting Payment
Vendor 1   Yes               152.26        14 Apr 2011    Person 1
Vendor 2   Yes               43.00         17 Feb 2011    Person 1
Vendor 3   Yes               20.90         31 May 2011    Person 1
Vendor 4   Yes               651.12        10 Jan 2011    Person 2

Risk areas for risk scoring

Transaction risk scoring

The higher the score, the riskier the transaction. Scoring creates a risk profile of the entire business process and provides insights on which areas of the process are riskier and need control enhancements.

The scores also tell you which transactions are riskier and thus allow you to focus on them for further investigation.

Transaction ID   Approved Vendor   Within Benford’s Law   Payment Date   Person Posting Payment   > 1 Payment on Same Day   Total
10000001         0                 0                      0              0                        0                         0
10000002         0                 1                      2              2                        1                         6
10000003         0                 1                      3              2                        0                         6
10000004         1                 0                      0              3                        0                         4
10000005         0                 0                      0              3                        1                         4
10000006         0                 0                      1              3                        0                         4
10000007         1                 1                      1              2                        0                         5
10000008         0                 1                      1              5                        1                         8
….

Sample analysis – Benford’s Law Analysis

Benford’s Law was applied to all payments made to vendors, based on the paid invoice listing extracted by the Accounts Department. The figure below illustrates the fit between the payments made (Sample rate) and Benford’s Law.

Although the majority of the transactions are in accordance with Benford’s Law, there were 4 instances wherein the deviation (z-statistic) of transactions exceeded the upper limit. These transactions begin with the digits 10, 15, 45 and 77 as illustrated below.

Further analysis of these indicated that there were multiple instances wherein the same vendor was paid the same amount on the same day or on different days.
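An added example (not part of the original presentation) of the first-two-digits Benford test described above, followed by the repeat-payment follow-up on the flagged prefixes. The 1.96 z-limit, the function names and the payment data are assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

Z_LIMIT = 1.96  # assumption: 5% two-sided limit; the slides do not state the threshold used


def first_two_digits(amount):
    """First two significant digits of a non-zero amount: 102.26 -> 10, 7.7 -> 77."""
    text = f"{abs(amount):.15e}"          # scientific notation, 'd.ddd...e+xx'
    return int(text[0] + text[2])


def benford_exceptions(amounts, z_limit=Z_LIMIT):
    """Return {prefix: z} for two-digit prefixes that occur significantly more
    often than Benford's Law predicts (excess only, since duplicates cause spikes)."""
    amounts = [a for a in amounts if a]   # zero has no leading digits
    n = len(amounts)
    if n == 0:
        return {}
    observed = Counter(first_two_digits(a) for a in amounts)
    flagged = {}
    for prefix in range(10, 100):
        expected = math.log10(1 + 1 / prefix)
        excess = observed[prefix] / n - expected
        excess = max(excess - 1 / (2 * n), 0.0)     # continuity correction, floored at 0
        z = excess / math.sqrt(expected * (1 - expected) / n)
        if z > z_limit:
            flagged[prefix] = round(z, 2)
    return flagged


def repeated_payments(payments, prefixes):
    """Among amounts starting with a flagged prefix, list (vendor, amount, number of
    payments, number of distinct dates) wherever a vendor was paid the same amount twice or more."""
    groups = defaultdict(list)
    for vendor, amount, paid_on in payments:
        if first_two_digits(amount) in prefixes:
            groups[(vendor, amount)].append(paid_on)
    repeats = [(vendor, amount, len(dates), len(set(dates)))
               for (vendor, amount), dates in groups.items() if len(dates) > 1]
    return sorted(repeats, key=lambda row: -row[2])


def constructed_payments():
    """Constructed sample: 2,000 log-uniform (Benford-like) payments plus injected repeats."""
    payments = [(f"Vendor {100 + i % 40}", round(10 ** (1 + 3 * i / 2000), 2), "2011-01-10")
                for i in range(2000)]
    dates = ["2011-04-14", "2011-02-15", "2010-12-17"]
    injected = [("Vendor 1", 102.26, 60), ("Vendor 2", 15.40, 40),
                ("Vendor 3", 45.00, 40), ("Vendor 4", 77.10, 40)]
    for vendor, amount, count in injected:
        payments += [(vendor, amount, dates[k % 3]) for k in range(count)]
    return payments


if __name__ == "__main__":
    data = constructed_payments()
    hits = benford_exceptions([amount for _, amount, _ in data])
    print("Prefixes above the limit:", hits)
    for row in repeated_payments(data, hits):
        print("vendor=%s amount=%.2f payments=%d distinct_dates=%d" % row)
```
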


Sample analysis – Benford’s Law exceptions

Each of these transactions has its own unique identification number (not displayed). The ID can be the PO number, the invoice number, a combination of the PO and invoice numbers, a system-generated number or something else. It depends on how the system is designed.

Vendor Approved Vendor Amount Paid Payment Date Person Posting No of Payments

Transaction Amounts Starting with 10

Vendor 1 Yes

102.26

14 Apr 2011 Person 1 315 Feb 2011 Person 1 1517 Dec 2010 Person 2 1326 Nov 2010 Person 2 322 Nov 2010 Person 2 7

104.58 15 Feb 2011 Person 1 5
101.37 12 Sep 2011 Person 1 3
101.15 7 Jun 2011 Person 1 7
109.03 11 Aug 2011 Person 1 3
100.85 12 Sep 2011 Person 1 4
101.02 11 Aug 2011 Person 1 5
101.05 7 Jun 2011 Person 1 4
101.20 12 Sep 2011 Person 1 3

Vendor 2 Yes 103.00 17 Feb 2011 Person 1 231 Dec 2010 Person 2 4

Vendor 3 Yes 10.90 31 May 2011 Person 1 3

Vendor 4 Yes 101.12 10 Jan 2011 Person 2 128 Feb 2011 Person 1 1

Transaction Amounts Starting with 15

Transaction Amounts Starting with 45

Transaction Amounts Starting with 77


Sample analysis – Other analyses and risk scoring method

Approved vendor

Approved vendor?       Score
Yes                    0
No                     1

Within Benford’s Law

Amount Paid            Score
Yes                    0
No                     1

Payment date

Day type               Score
Weekend                1
Holiday                1
Poster on leave        1
Normal working day     0

Person posting Payment

Authorized?            Score
Yes                    0
No                     1

Person posting Payment

Same Person Posting?   Score
Requisition            1
Purchase Order         1
Goods Receipt          1
Invoice                1
None of the above      0

Number of Payments on same date

Count                  Score
1                      0
> 1                    1
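An added example (not from the presentation) that applies the scoring tables above to a small constructed payment set and tallies the exceptions per risk area. The field names, the per-vendor same-day count and all sample data are assumptions.

```python
from collections import Counter
from datetime import date

STEPS = ("requisition_by", "po_by", "receipt_by", "invoice_by")  # hypothetical ADS columns


def leading_two(amount):
    text = f"{abs(amount):.15e}"      # first two significant digits: 102.26 -> 10
    return int(text[0] + text[2])


def score_transactions(txns, approved, benford_exceptions, holidays, leave, authorised):
    """Apply the scoring tables above to every payment; riskiest transactions first."""
    # Assumption: "payments on same date" is counted per vendor and payment date.
    per_day = Counter((t["vendor"], t["paid_on"]) for t in txns)
    rows = []
    for t in txns:
        poster, day = t["posted_by"], t["paid_on"]
        scores = {
            "approved_vendor": int(t["vendor"] not in approved),
            "benford": int(leading_two(t["amount"]) in benford_exceptions),
            # weekend, holiday and poster-on-leave each add one point
            "payment_date": (day.weekday() >= 5) + (day in holidays)
                            + (day in leave.get(poster, ())),
            # unauthorised poster, plus one point per earlier step done by the same person
            "person_posting": (poster not in authorised)
                              + sum(t[step] == poster for step in STEPS),
            "same_day_payments": int(per_day[(t["vendor"], day)] > 1),
        }
        rows.append({"id": t["id"], "scores": scores, "total": sum(scores.values())})
    return sorted(rows, key=lambda r: -r["total"])


def area_exceptions(rows):
    """Number of transactions with a non-zero score in each risk area."""
    if not rows:
        return {}
    return {area: sum(1 for r in rows if r["scores"][area]) for area in rows[0]["scores"]}


def txn(tid, vendor, amount, paid_on, posted_by, req, po, rec, inv):
    return dict(id=tid, vendor=vendor, amount=amount, paid_on=paid_on, posted_by=posted_by,
                requisition_by=req, po_by=po, receipt_by=rec, invoice_by=inv)


# Constructed sample data (not from the presentation).
TXNS = [
    txn(10000001, "Vendor 1", 251.30, date(2011, 4, 14), "Person 1",
        "Person 3", "Person 4", "Person 5", "Person 6"),
    txn(10000002, "Vendor 2", 102.26, date(2011, 2, 19), "Person 2",
        "Person 3", "Person 4", "Person 5", "Person 2"),
    txn(10000003, "Vendor 2", 102.26, date(2011, 2, 19), "Person 2",
        "Person 2", "Person 2", "Person 5", "Person 2"),
    txn(10000004, "Vendor 9", 651.12, date(2011, 2, 3), "Person 7",
        "Person 3", "Person 4", "Person 5", "Person 6"),
]
CONTEXT = dict(
    approved={"Vendor 1", "Vendor 2"},
    benford_exceptions={10, 15, 45, 77},        # prefixes flagged by the Benford analysis
    holidays={date(2011, 2, 3)},
    leave={"Person 2": {date(2011, 2, 19)}},    # 19 Feb 2011 is also a Saturday
    authorised={"Person 1", "Person 2"},
)

if __name__ == "__main__":
    ranked = score_transactions(TXNS, **CONTEXT)
    for r in ranked:
        print(r["id"], r["total"], r["scores"])
    print(area_exceptions(ranked))
```
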


Audit findings and management insights

Analytics increases the precision of audit findings and makes deep-dive investigations very focused and specific.

The value of analytics is not just in the number of audit findings and its precision, but in its ability to create an overall risk profile and specifically identify the weak points in each business process.

Process risk profile (chart): High Risk, Medium Risk, Low Risk; values shown: 4%, 13%, 83%

Top 5 riskiest transactions

Transaction ID   Risk Score
10000003         15
10002312         13
10058392         13
10078920         12
10089372         12

Top 3 Riskiest areas of process

Area              No of Exceptions
Payment posting   3,234
Payment date      298
Payment amount    212

Practical suggested improvements to Procurement Process


Improve internal controls:

• Access to modify the Vendor Master File should be limited to authorised personnel

• Changes made to the Vendor Master File should be approved and supported by documents

• Vendor Master File and edits made to the Vendor Master File should be periodically reviewed

• There should be proper segregation of duties

• Supporting documentation for all payments to vendors should be independently reviewed

• Test detailed transactions

• Examine supporting documentation

• Interview employees

Identify and investigate Procurement Fraud red flags:

• Unusual or unauthorized vendors

• Large gifts and entertainment expenses

• Unusual increase in vendor spending

• Round-dollar amounts

• Copies of supporting documentation in lieu of originals

• Duplicate payments

• Tips and complaints

• Sequential invoices paid

• Unusual/large/round-dollar amounts paid

• Payments just under authorization level

• Employee-vendor address match

• Multiple invoices paid on same date

• Slight variation of vendor names


Closing


Learning objectives

• Understanding of the key components and risks in the procurement cycle, audit steps, common challenges during the audit and resources to meet these challenges, suggested recommendations to strengthen controls over procurement process.


Contacts

Melissa Aw Yong
Director, Risk Consulting
Deloitte & Touche
+65 6530 [email protected]

About Deloitte

Deloitte & Touche LLP or one of its affiliated entities is the Singapore member firm of the Deloitte Network. The “Deloitte Network” is an association of firms that are members of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”). Neither DTTL nor, except as expressly provided herein, any member firm of DTTL has any liability for each other’s acts or omissions. Each member firm of DTTL is a separate and independent legal entity operating under the names “Deloitte”, “Deloitte & Touche”, “Deloitte Touche Tohmatsu” or other related names; and services are provided by member firms or their subsidiaries or affiliates and not by DTTL.

About Deloitte Singapore

In Singapore, Deloitte & Touche LLP is the member firm of Deloitte Touche Tohmatsu, and services are provided by Deloitte & Touche LLP and its subsidiaries and affiliates.

Deloitte & Touche LLP is part of Deloitte Southeast Asia—a cluster of member firms operating in Brunei, Guam, Indonesia, Malaysia, Marshall Islands, Micronesia, Northern Mariana Islands, Palau, Philippines, Singapore, Thailand and Vietnam—which was established to deliver measurable value to the particular demands of increasingly intra-regional and fast growing companies and enterprises.

With a team of over 200 partners and 4,000 professionals located in 20 offices, Deloitte Southeast Asia specialists combine their technical expertise and deep industry knowledge to deliver consistent high quality services to companies in the region.

All services are provided through the individual member firms, their subsidiaries and affiliates which are separate and independent legal entities.

© 2012 Deloitte & Touche Enterprise Risk Services Pte Ltd