Internal Audit Procurement Policies and Controls

Similar documents
Business advisory services Business solutions that bring you forward. Malaysia

Managing Tax. Balancing current challenge with future promise Session 5. The Grand Hyatt, Singapore 16 February 2017

Sustainability Services Driving responsible growth

Managing Fraud Risk: New Professional Guidance

DICA Corporate Governance Workshop. Separation between Board and Management: Good Practices and Benefits 12 July 2017

Why Is Third Party Risk Management Important?

Accounting for revenue under MFRS 15 Achieving a head start

Transforming authentication for a digital age

Internal Audit of the Future Evolution of Internal Audit Due to Digitisation. Cheryl Khor Asia Pacific Operational Risk Leader Deloitte

Asia Pacific Life Sciences Compliance Survey 2018 Executive Summary

Risk Advisory Services Developing your organisation s governance for competitive advantage

2017 Tax Management Consulting Conference Tax technology. Deloitte, Kuala Lumpur 12 July 2017

Managing employee mobility in Southeast Asia Global perspective. Local insight.

Quality Assessments what you need to know

Complex P2P processes are a thing of the past. NHS Shared Business Services

Deloitte Forum 2017: Global and Thailand Economic Outlook and How Disruptive Innovations Affect Your Competitive Landscape

Shared Services Trend Workshop Timothy Ho 20 July 2017

Procure to Pay (P2P) Risk Analytics. Risk Advisory

Model Risk Management A Southeast Asia Perspective

Global Treasury Advisory Services Creating Value with Innovation

Audit Committee Performance Evaluation

Using Transactional Analysis for

Managing Risk in Your P2P Process: 10 Ways that Automation Can Help Mitigate Risk

Financial Advisory. Valuation Services. Life Science Industry

REPORT ON AN AUDIT OF THE CITY'S PURCHASE CARD PROGRAM AUDIT PROJECT #9914

Sarbanes-Oxley 404(a) Efficient, Effective Consulting Solutions

Navigating the PCAOB s and SEC s internal control expectations A discussion. June 2015

Why global businesses need global audit networks October 2012

A Data Driven Company How Deloitte transformed itself. QlikView Business Discovery World Tour Eindhoven, 9 October 2013

Internal Audit Report Accounts Payable September 2017

Implementing Analytics in Internal Audit. Jordan Lloyd Senior Manager Ravindra Singh Manager

Are you prepared to make the decisions that matter most? Decision making in banking & capital markets

Detecting Fraud Through Vendor Audits

Cement Industry Risk Analytics For Private circulation only June Risk Advisory

Process Mining Invoice Process Rabobank NL Discovery & Optimization. Tijn van der Heijden, MSc.

IIA Springfield IL Chapter

Integrating COSO s Fraud Risk Management Guide on an Enterprise Scale

Can You Spot Fraudsters?

Digital Testing and Controls Automation A transformative approach to automating your control environment

Data analytics in fraud investigations

Seattle Public Schools The Office of Internal Audit

Fraud Prevention: How to Identify and Protect Your Higher Ed Institution

Data, Analytics and Your Audit

Creating a Fraud Risk Assessment and Implementing a Continuous Monitoring Program. Christopher DiLorenzo, CFE, CPA, CIA, CRMA

2/27/2017. Segregation of Duties/ Internal Controls. Objectives. Agenda

Terms of Reference for Financial Audit of Implementing Partners

Fraud Prevention and Detection for IT Professionals

Leading KPIs of Positive Financial Performance. Presented by: Hugh Shaw, Ventera Corporation Bill Riviere, Unanet


Federal CFO Insights Real solutions to win the fight against improper payments and fraud, waste and abuse

Contract and Procurement Fraud

Eric Kinsherf, CPA MMAAA Conference June 12, 2018

Internal Audit. Providing Assurance Over Project Delivery. Chris Nugent Institute of Internal Audit - 11 March 2014

FRAUD SCHEMES. South Carolina HFMA Finance & Reimbursement Forum. November 13, 2012 WITH RELATED INTERNAL CONTROLS

Energy Future Holdings (EFH)

WARRANTY WASTE ANALYTICS

Contract and Procurement Fraud

How to stop improper payments: A focus on government vendor risk

Financial Controls Checklist

New Higg.org Platform Training. Understanding and Navigating the new platform

General Government and Gainesville Regional Utilities Vendor Master File Audit

Next Generation Controls(NGC) Moving towards a Robust Control Framework. August Risk

Name: Chapter 12 Revenue- and Inventory-Related Financial Statement Frauds MULTIPLE CHOICE

Bearing the Bad News Reporting to the Board on Internal Corruption. Peter Dent, National Leader Deloitte Forensics September 11, 2013

Terms of Reference (TOR) Provision of consultancy services for payroll verification exercise

Follow-Up on VFM Section 3.13, 2016 Annual Report RECOMMENDATION STATUS OVERVIEW

The use of CAATS in Auditing Application Controls. Institute Of Internal Auditors Zambia/ISACA Zambia Chapter, 28 August 2014 Tricha Simon

REQUIRED DOCUMENT FROM HIRING UNIT

Data integrity forensics Bring transparency and trust to third-party data use

De Coding IFC. 30 th December 2015 ICAI Baroda Branch

Powered by technology, our experts are unlocking the value of your audit. Dynamic Audit

COURSE LISTING. Courses Listed. with Customer Relationship Management (CRM) SAP CRM. 15 December 2017 (12:23 GMT)

QUICK START GUIDE. SQF Implementation. for.

Procurement May 2018

Payables Management. 2 nd Edition. Steven M. Bragg

HARNESSING THE POWER OF DATA ANALYTICS AND CONTINUOUS MONITORING

The Impact of Technology on Business Where will we go from here?

HR Metrics and Model for Modern Times

FORENSIC AUDIT SEMINAR Presentation by: Isaac Mutembei Murugu CIA, CISA

REGULATORY HOT TOPICS FOR INTERNAL AUDITORS: EVALUATING THE USE OF AML TECHNOLOGY

Certificate in Advanced Governance, Risk and Compliance (GRC)

Beyond Compliance. Leveraging Internal Control to Build a Better Business: A Response to Sarbanes-Oxley Sections 302 and 404

COURSE LISTING. Courses Listed. with SAP Ariba SAP Ariba Procurement. 4 February 2018 (03:51 GMT)

Fraud Risk Management

CFO meets M&A: Value creation in the digital age The Dbriefs Driving Enterprise Value series

Diving into the 2013 COSO Framework. Presented by: Ronald A. Conrad

Leveraging Data Analytics to Expand Audit Coverage and Add Organizational Value

EXECUTIVE SUMMARY - Internal Control Review of Facilities Engineering and Project Management

FRAUD DETECTION. Early Detection = $ Saved. Red Flag = Danger. But a symptom = FRAUD. Accounting Anomalies. Accounting Anomalies

Success in Joint Ventures: Sustained Compliance and Audit Oversight

PRODUCTS OF INSULAR POSSESSIONS TECHNICAL INFORMATION FOR PRE-ASSESSMENT SURVEY (TIPS)

Contract and Procurement Fraud. Fraud in Procurement without Competition

Internal Oversight Division Audit Approach for Continuous Auditing

UNFPA. This policy applies to all UNFPA personnel, particularly those involved in the purchasing and payment of goods and services.

Hidden Cost of Fraud How well are State & Local Governments detecting and managing fraud?

Banking, Payroll and Purchase: investigating financial fraud with data analytics

Fire Department Inventory Management Audit

Internal Financial Control (IFC)& Internal Financial Controls over Financial Reporting (IFCoFR)

PCF Analytics Workshop

REGULATORY HOT TOPICS FOR INTERNAL AUDITORS: EVALUATING THE USE OF AML TECHNOLOGY

Transcription:

Internal Audit Procurement Policies and Controls Melissa Aw Yong 10 October 2012 SAA Global Education Centre Pte Ltd Seminar 6/7 111 Somerset Road, #06-01/02 TripleOne Somerset Singapore 238164

Agenda Opening Key components of Procurement Identify and discuss key components in Procurement cycle Key Risks Discuss key risks and associated internal controls in the Procurement cycle Audit Steps of the Procurement cycle Brief discussion on the audit steps - develop strategy and plan, audit scoping, audit execution, delivering insights Challenges & Resources Discuss common challenges in review of Procurement cycle Discuss tools and resources to meet these challenges Practical suggested improvements to Procurement Process Common findings and recommendations to strengthen the internal controls of Procurement process Closing 1

Opening

Learning objectives Understanding of the key components and risks in the procurement cycle, audit steps, common challenges during the audit and resources to meet these challenges, suggested recommendations to strengthen controls over procurement process. 3

Attendees introduction 4

Speaker introduction Melissa Aw Yong serves as a Director with the Risk Consulting practice of Deloitte, providing governance, risk and compliance services, specialising in the Hospitality and Real Estate industries. She also serves as the President of the Singapore Chapter of the Association of Certified Fraud Examiners. Prior to Deloitte, she gained valuable work experience in internal audit, risk management, compliance and fraud investigations with professional firms, multinational corporations and government linked companies. These multi-national corporations included one of the largest international hotels management groups, where she contributed to the establishment of their internal audit presence in Asia Pacific, designing of their anti-fraud framework and establishment of their inaugural brand compliance management process. In her most recent corporate experience, she served as the Head of Internal Audit in a leading real estate company, engaged in business of management of development, project, property, estate and funds in Asia. Melissa gained her Bachelor of Accountancy from Nanyang Technological University. She is a Certified Internal Auditor (IIA), a Certified Fraud Examiner (ACFE), a Certified Public Accountant (ICPAS) and has also received a Certification in Control Self-Assessment (CCSA). 5

Key components of Procurement

Key components of Procurement Purchase Requisition Evaluation Selection Delivery Receipt Payment Matching Disbursement 7

Key Risks

Key risks Considerations for Risk Identification includes, but not limited to: Is a process established? Collusion between employees and vendors? Vendors defrauding the company? Collusion among vendors within an industry? Employees defrauding their employers? Is there segregation of duties? Are requestors authorised? Are the evaluation and selection criteria fair and transparent? Are the evaluators independent? Are receivers qualified / trained / equipped? Are transaction recorded? Are transactions in the systems accurate, valid, authorised, monitored? 9

Audit steps of the Procurement cycle

Audit steps of the Procurement cycle Audit steps 1. Understand the Business Objectives, Control Environment, Management Control, Industry, Regulatory Environment, Economic Issues 2. Recommend strategies for addressing the relevant issues identified in the risk profile and the resources required 3. Obtain Senior Management and Audit Committee approval. 4. Identify business objectives, risks, controls and exposures 5. Incorporate insights of specialists 6. Prepare detailed internal audit project workplan. 7. Perform detailed process/transaction/ systems 8. Walkthrough (process mapping) and documentation of results 9. Perform and document detailed testing, benchmarking to best practices and analysis 10. Evaluate results and collaborate with management 11. Draft report and solicit management responses 12. Issue final report 13. Follow-up and track key recommendations 11

Challenges & Resources

Challenges Volume Of Data Sampling Ability to verify Receipt Of Services Relationships matters 13

Resources Whistle Blowing

Whistle Blowing 15 Source: Association of Certified Fraud Examiners 2012 Report to the Nations on Occupational Fraud and Abuse

Whistle Blowing Employees Customers Vendors Competitors Agents, distributors, etc 16

Resources - Power of Analytics

The Old Way vs. The New Way 18

What is your data trying to tell you? Data analytics uses data to drive business strategy and performance. Looking backward to evaluate what happened in the past Forward-looking approaches like scenario planning and predictive modelling. To see it; see what it means; what it can do. 19

Art or Science? Science Fact-based Data extraction and cleansing Statistical analysis and modeling Trending, statistical analysis and data classifications Data analysis techniques to perform queries and analyze data in support of a specific objective Technological tools and software basic and advanced MS Excel functions, Structured Query Language (SQL) and statistical models, among others Art Multi-dimension and multi-cross referencing of data Behavior and common practices Presentation of analysis and models Insights derived from multi-faceted interpretations and perspectives Data Analytics is the science and art of examining raw data with the purpose of identifying patterns and relationships to draw conclusions and insights from it. 20

The Value of Data 21

The value of Data 22

Resources - Methodology

Auditing your business differently Data Analytics in audit allows 100% review of the population size unlike sample testing in traditional audits. Aspect Typical Internal Audit Internal Audit with Analytics Understand the business Understand the business Work Flow Random sampling Test samples Understand the Data Perform Data Analysis Focused sampling Test sample/s Identify Audit findings Identify Audit findings Testing Random sampling 100% analysis and focused sampling Correlating data Data correlation from different sources is manually-intensive, almost impossible Ensures data from different sources are correlated and supports conclusion Audit findings Higher possibility of being arbitrary, ambiguous and subjective Fact-based and data driven (incontestable) resulting in more insightful recommendations Audit errors Higher risk of human errors Reduces risk of human errors 24

Unlocking data value 25

Data analytics methodology 26

Resources - Case study - To utilize analytics in the Procurement to Payment Process

Thought process What are the main processes and sub-process? What data is captured in each step? Is data captured in the system or on paper? Is the system-captured data useful? Can data be extracted from the system? Is data cleansing needed? Can it be cleaned? Can analytics be employed? Purchase Requisition Evaluation Selection Delivery Receipt Payment Matching Disbursement 28

Build Analytical Data Set (ADS) The ADS is a list of all records (transactions) that will be analyzed. It takes into account all data from various data sources and puts them together in one area to ensure consistency of analysis. Each transaction from each data source should have a connection to another transaction in another data source (Foreign key relationships). An ADS can range from having just 10 columns to hundreds of columns, depending on the amount of data. System access rights Approved vendor list Vendor details Purchase order listings Payment listings Invoice listings ADS 29

Identify data that may contribute to risk Vendor Approved Vendor Amount Paid Payment Date Person Posting Payment Vendor 1 Yes 152.26 14 Apr 2011 Person 1 Vendor 2 Yes 43.00 17 Feb 2011 Person 1 Vendor 3 Yes 20.90 31 May 2011 Person 1 Vendor 4 Yes 651.12 10 Jan 2011 Person 2 Risk areas for risk scoring 30

Transaction risk scoring The higher the score, the riskier the transaction. Scoring creates a risk profile of the entire business process and provides insights on which areas of the process are riskier and need control enhancements. The scores also tell you which transactions are riskier and thus allow you to focus on them for further investigation. Transaction ID Approved Vendor Within Benford s Law Payment Date Person Posting Payment > 1 Payment on Same Day 10000001 0 0 0 0 0 0 10000002 0 1 2 2 1 6 10000003 0 1 3 2 0 6 10000004 1 0 0 3 0 4 10000005 0 0 0 3 1 4 10000006 0 0 1 3 0 4 10000007 1 1 1 2 0 5 10000008 0 1 1 5 1 8..... Total 31

Sample analysis Benford s Law Analysis Benford s Law was applied on all payments made to vendors based on the paid invoice listing extracted by the Accounts Department. The figure below illustrates the fit between the payments made (Sample rate) and with Benford s Law. 32

Sample analysis Benford s Law Analysis Although majority of the transactions are in accordance with Benford s Law, there were 4 instances wherein the deviation (z-statistic) of transactions exceeded the upper limit. These transactions begin with the digits 10, 15, 45 and 77 as illustrated below. Further analysis of these indicated that there were multiple instances wherein the same vendor was paid the same amount on the same day or on different days. 33

Sample analysis Benford s Law exceptions Each of these transactions have their unique identification numbers (not displayed). The IDs can either be the PO number, Invoice number, a combination of the PO and Invoice number, a system generated number or something else. It depends on how the system is designed. Vendor Approved Vendor Amount Paid Payment Date Person Posting No of Payments Transaction Amounts Starting with 10 14 Apr 2011 Person 1 3 15 Feb 2011 Person 1 15 102.26 17 Dec 2010 Person 2 13 26 Nov 2010 Person 2 3 22 Nov 2010 Person 2 7 104.58 15 Feb 2011 Person 1 5 Vendor 1 Yes 101.37 12 Sep 2011 Person 1 3 101.15 7 Jun 2011 Person 1 7 109.03 11 Aug 2011 Person 1 3 100.85 12 Sep 2011 Person 1 4 101.02 11 Aug 2011 Person 1 5 101.05 7 Jun 2011 Person 1 4 101.20 12 Sep 2011 Person 1 3 Vendor 2 Yes 103.00 17 Feb 2011 Person 1 2 31 Dec 2010 Person 2 4 Vendor 3 Yes 10.90 31 May 2011 Person 1 3 Vendor 4 Yes 101.12 Transaction Amounts Starting with 15 Transaction Amounts Starting with 45 Transaction Amounts Starting with 77 10 Jan 2011 Person 2 1 28 Feb 2011 Person 1 1 34

Sample analysis Other analyses and risk scoring method Approved vendor Approved vendor? Score Yes 0 No 1 Person posting Payment Authorized? Score Yes 0 No 1 Within Benford s Law Amount Paid Score Yes 0 No 1 Payment date Day type Score Weekend 1 Holiday 1 Poster on leave 1 Normal working day 0 Person posting Payment Same Person Posting? Score Requisition 1 Purchase Order 1 Goods Receipt 1 Invoice 1 None of the above 0 Number of Payments on same date Count Score 1 0 > 1 1 35

Audit findings and management insights Process risk profile 83% Top 3 Riskiest areas of process Area 4% 13% High Risk Medium Risk Low Risk No of Exceptions Payment posting 3,234 Payment date 298 Payment amount 212 Top 5 riskiest transactions Transaction ID Risk Score 10000003 15 10002312 13 10058392 13 10078920 12 10089372 12 Analytics increases the precision of audit findings and makes deep-dive investigations very focused and specific. The value of analytics is not just in the number of audit findings and its precision, but in its ability to create an overall risk profile and specifically identify the weak points in each business process. 36

Practical suggested improvements to Procurement Process

Practical suggested improvements to Procurement Process Improve internal controls: Access to modify the Vendor Master File should be limited to authorised personnel Changes made to the Vendor Master File should be approved and supported by documents Vendor Master File and edits made to the Vendor Master File should be periodically reviewed There should be proper segregation of duties Supporting documentation for all payments to vendors should be independently reviewed Test detailed transactions Examine supporting documentation Interview employees 38

Practical suggested improvements to Procurement Process Identify and investigate Procurement Fraud red flags: Unusual or unauthorized vendors Large gifts and entertainment expenses Unusual increase in vendor spending Round-dollar amounts Copies of supporting documentation in lieu of originals Duplicate payments Tips and complaints Sequential invoices paid Unusual/large/round-dollar amounts paid Payments just under authorization level Employee-vendor address match Multiple invoices paid on same date Slight variation of vendor names 39

Closing

Learning objectives Understanding of the key components and risks in the procurement cycle, audit steps, common challenges during the audit and resources to meet these challenges, suggested recommendations to strengthen controls over procurement process. 41

Contacts Melissa Aw Yong Director, Risk Consulting Deloitte & Touche +65 6530 5546 mawyong@deloitte.com 42

About Deloitte Deloitte & Touche LLP or one of its affiliated entities is the Singapore member firm of the Deloitte Network. The Deloitte Network is an association of firms that are members of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ( DTTL ). Neither DTTL nor, except as expressly provided herein, any member firm of DTTL has any liability for each other s acts or omissions. Each member firm of DTTL is a separate and independent legal entity operating under the names Deloitte, Deloitte & Touche, Deloitte Touche Tohmatsu or other related names; and services are provided by member firms or their subsidiaries or affiliates and not by DTTL. About Deloitte Singapore In Singapore, Deloitte & Touche LLP is the member firm of Deloitte Touche Tohmatsu, and services are provided by Deloitte & Touche LLP and its subsidiaries and affiliates. Deloitte & Touche LLP is part of Deloitte Southeast Asia a cluster of member firms operating in Brunei, Guam, Indonesia, Malaysia, Marshall Islands, Micronesia, Northern Mariana Islands, Palau, Philippines, Singapore, Thailand and Vietnam which was established to deliver measurable value to the particular demands of increasingly intra-regional and fast growing companies and enterprises. With a team of over 200 partners and 4,000 professionals located in 20 offices, Deloitte Southeast Asia specialists combine their technical expertise and deep industry knowledge to deliver consistent high quality services to companies in the region. All services are provided through the individual member firms, their subsidiaries and affiliates which are separate and independent legal entities. 2012 Deloitte & Touche Enterprise Risk Services Pte Ltd

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback