13 May 2010 | Paul Desrosiers
With a renewed focus on risk, internal audits of procurement are on the rise. Paul Desrosiers looks at what you can and should do to prepare
“Ineffective control and management of supplier contracts cost businesses $153 billion (£100 billion) per year in missed savings opportunities.” So says the Aberdeen Group’s Contract Management Benchmark report.
Procurement functions are increasingly the subject of internal audits. These cover cost control, compliance and risk management – and the economic climate has helped raise the profile of these issues in the boardroom.
Matters that might in more buoyant times have been overlooked are now under increased scrutiny in an environment where businesses are seeking to not only protect their bottom line but ensure their survival.
Companies are recognising procurement’s role in adding significant value through strategic sourcing. But this may have increased the risks, or at least significantly changed the risk profile. Reasons include: more complex supply arrangements, a higher dependency on fewer supplier relationships, and now the ever-present risk of fraud and malpractice.
There is also now more accountability and more regulations to minimise these issues, including the Foreign and Corrupt Practices Act in the US and the UK Bribery Act, especially as their implications and responsibilities reach beyond UK and US borders.
The typical board response has been to ask internal audit departments to review strategic procurement, or change the focus of existing audit processes to include the non purchase-to-pay elements. This ensures a more robust and responsible approach to corporate expenditure.
A changing environment
Contractual arrangements have become more complex since the advent of strategic sourcing. Initiatives such as outsourcing, offshoring and complex supply partnerships have transferred additional responsibilities on to suppliers, resulting in a completely altered risk profile and the need for a different set of controls to support this type of activity. These more complex arrangements raise the question of how organisations are now getting assurance from suppliers, particularly on insurance, pricing and health and safety. These assurances need to be documented into legal and service-level agreements.
Consolidation of the supply base has also resulted in a greater dependency on fewer suppliers. This has increased the average value of a contract and puts far more at stake for suppliers during every contract award and renewal. Consequently buyers are now more dependent on what the supplier does and says. Without sufficient controls, supplier contracts represent a major risk-management “blind spot” for many companies where the relationship with a supplier is now based in part on trust.
This increase in the complexity and value of contracts has also increased the risk of internal and external malpractice, misreporting, incorrect invoicing and fraudulent behaviour.
Alex Plavsic, UK head of KPMG’s forensic practice, has “investigated more procurement frauds in the past two years than at any time in the past 20 years”. And in a recent SM poll of buyers, 24 per cent of respondents said their organisations did not have a policy preventing staff from participating in deals where there was a conflict of interest.
These risks are driving board members and senior management teams to demand greater assurance that strategies, policies and procedures are in place to protect the organisation. Procurement professionals at all levels of the organisation have an important role to play in supporting internal audits to ensure the correct controls are in place and that these are met by internal stakeholders and suppliers.
Internal audits of procurement departments are not new, but the emphasis of these internal audits is changing. Typically, procurement audits were considered part of a broader finance audit, focusing on transactional activity and the integrity of the purchase-to-pay process. This remains an important feature of the process, but a far greater focus is now put on the sourcing, contract management and supplier relationship management processes as businesses recognise the importance of these activities.
A procurement audit will typically be conducted every 12 to 18 months as part of a wider audit programme and usually lasts a week, depending on the complexity of the organisation. Standard internal audit processes are well documented and most buyers would probably consider most of the requirements a core part of professional procurement practice.
Procurement audits tend to focus on strategy, policies and procedures; organisational structure; sourcing and supplier management processes; technology; and risk management, including the management controls and assurance processes over the identified risks.
Policies and procedures are typically the first area reviewed. It is important an appropriate procurement strategy exists and is consistent with the broader business plan. For example, savings targets in the procurement strategy should be linked to those being declared by the business. A lack of alignment between procurement and the rest of the business is often the root cause of other issues such as a lack of business buy-in and poor contract compliance later in the procurement process.
Supporting this strategy should
be a set of policies and procedures that clearly document how the strategy is going to be delivered. These policies and procedures should support the entire procurement process from the identification of needs through to contract and supplier relationship management.
Ian Jackson, an associate partner in KPMG’s intellectual property and contract governance team, says that increased contract complexity, combined with trust-based obligations, mean there is an increasing trend for procurement or internal audit to exercise the audits rights in major supply contracts to obtain assurance that the supplier is meeting its contractual obligations. In particular this applies to pricing where contracts have transparency provisions (such as cost-plus, open-book or most favoured customer (MFC) obligations). As a result of confidentiality issues, especially with regard to MFC provisions, organisations are increasingly employing third parties to perform these reviews.
Fit for business
Where procurement is not managing the entire spend profile there should still be consistency of process. Even in instances where procurement is not responsible for sourcing goods and services it should be aware of how the money is being spent and ensure that other departments follow the procurement policies and procedures consistently.
The organisational structure of procurement and how it is positioned in the business should be appropriate for the type of goods and services being procured. There is often no standard approach; however some basic indicators of good practice are having clear divisions of responsibility, no duplication of resources, a clear segregation of duties, procurement representation at senior levels and an appropriate number of buyers for the value of spend being managed.
Procurement functions must also be able to demonstrate a sufficient level of control, on both expenditure and the rest of the organisation, to give assurance that they are managing risk well on behalf of the business. A comprehensive contracts register with renewal dates documented well in advance of contract expiry is an important first step. A defined procurement methodology that encompasses supporting contract and supplier management processes should also exist. Typically buyers will need to demonstrate and provide supporting evidence that these processes were followed in the case of a current contract.
Supplier and contract management are often the most neglected elements of the procurement process, particularly where functions have not been through strategic development or are significantly under-resourced. As a result of the increased complexity of contracts, a strong contract management process should encompass regular reviews and reliable supporting management information.
Other areas of focus are likely to be the suitability and skills of the core procurement team, quality of internal and external training and the adequacy of systems to support buyers in analysing data.
The output of the internal audit will be the identification of a number of risks against each of
the major procurement areas under review. These risks will be rated in terms of their severity and impact, a recommendation will be made and a joint management action plan agreed with appropriate timescales and clear ownership for delivery.
The main purpose of the audit is to ensure that any risks in the procurement process are mitigated as soon as possible. Progress against these risks is often reviewed and updated prior to the final audit report being delivered.
Given the scrutiny on third-party expenditure and the increased awareness of fraud, the need for procurement to participate in internal audits is only likely to increase in the future. This is recognition of procurement’s increasing importance to the business and should not be a worry for buyers following professional procurement practices.
* Paul Desrosiers is executive adviser at KPMG
What to do
Show you have a plan that fits with the business strategy
Ensure suppliers meet contractual obligations. Do not neglect contract management or supplier relationship management
Take control of risk and spend (for example, by establishing a contracts register)
Collect management information data