Internal Audit Procurement Policies and Controls Melissa Aw Yong 10 October 2012 SAA Global Education Centre Pte Ltd Seminar 6/7 111 Somerset Road, #06-01/02 TripleOne Somerset Singapore 238164
Agenda Opening Key components of Procurement Identify and discuss key components in Procurement cycle Key Risks Discuss key risks and associated internal controls in the Procurement cycle Audit Steps of the Procurement cycle Brief discussion on the audit steps - develop strategy and plan, audit scoping, audit execution, delivering insights Challenges & Resources Discuss common challenges in review of Procurement cycle Discuss tools and resources to meet these challenges Practical suggested improvements to Procurement Process Common findings and recommendations to strengthen the internal controls of Procurement process Closing 1
Opening
Learning objectives Understanding of the key components and risks in the procurement cycle, audit steps, common challenges during the audit and resources to meet these challenges, suggested recommendations to strengthen controls over procurement process. 3
Attendees introduction 4
Speaker introduction Melissa Aw Yong serves as a Director with the Risk Consulting practice of Deloitte, providing governance, risk and compliance services, specialising in the Hospitality and Real Estate industries. She also serves as the President of the Singapore Chapter of the Association of Certified Fraud Examiners. Prior to Deloitte, she gained valuable work experience in internal audit, risk management, compliance and fraud investigations with professional firms, multinational corporations and government linked companies. These multi-national corporations included one of the largest international hotels management groups, where she contributed to the establishment of their internal audit presence in Asia Pacific, designing of their anti-fraud framework and establishment of their inaugural brand compliance management process. In her most recent corporate experience, she served as the Head of Internal Audit in a leading real estate company, engaged in business of management of development, project, property, estate and funds in Asia. Melissa gained her Bachelor of Accountancy from Nanyang Technological University. She is a Certified Internal Auditor (IIA), a Certified Fraud Examiner (ACFE), a Certified Public Accountant (ICPAS) and has also received a Certification in Control Self-Assessment (CCSA). 5
Key components of Procurement
Key components of Procurement Purchase Requisition Evaluation Selection Delivery Receipt Payment Matching Disbursement 7
Key Risks
Key risks Considerations for Risk Identification includes, but not limited to: Is a process established? Collusion between employees and vendors? Vendors defrauding the company? Collusion among vendors within an industry? Employees defrauding their employers? Is there segregation of duties? Are requestors authorised? Are the evaluation and selection criteria fair and transparent? Are the evaluators independent? Are receivers qualified / trained / equipped? Are transaction recorded? Are transactions in the systems accurate, valid, authorised, monitored? 9
Audit steps of the Procurement cycle
Audit steps of the Procurement cycle Audit steps 1. Understand the Business Objectives, Control Environment, Management Control, Industry, Regulatory Environment, Economic Issues 2. Recommend strategies for addressing the relevant issues identified in the risk profile and the resources required 3. Obtain Senior Management and Audit Committee approval. 4. Identify business objectives, risks, controls and exposures 5. Incorporate insights of specialists 6. Prepare detailed internal audit project workplan. 7. Perform detailed process/transaction/ systems 8. Walkthrough (process mapping) and documentation of results 9. Perform and document detailed testing, benchmarking to best practices and analysis 10. Evaluate results and collaborate with management 11. Draft report and solicit management responses 12. Issue final report 13. Follow-up and track key recommendations 11
Challenges & Resources
Challenges Volume Of Data Sampling Ability to verify Receipt Of Services Relationships matters 13
Resources Whistle Blowing
Whistle Blowing 15 Source: Association of Certified Fraud Examiners 2012 Report to the Nations on Occupational Fraud and Abuse
Whistle Blowing Employees Customers Vendors Competitors Agents, distributors, etc 16
Resources - Power of Analytics
The Old Way vs. The New Way 18
What is your data trying to tell you? Data analytics uses data to drive business strategy and performance. Looking backward to evaluate what happened in the past Forward-looking approaches like scenario planning and predictive modelling. To see it; see what it means; what it can do. 19
Art or Science? Science Fact-based Data extraction and cleansing Statistical analysis and modeling Trending, statistical analysis and data classifications Data analysis techniques to perform queries and analyze data in support of a specific objective Technological tools and software basic and advanced MS Excel functions, Structured Query Language (SQL) and statistical models, among others Art Multi-dimension and multi-cross referencing of data Behavior and common practices Presentation of analysis and models Insights derived from multi-faceted interpretations and perspectives Data Analytics is the science and art of examining raw data with the purpose of identifying patterns and relationships to draw conclusions and insights from it. 20
The Value of Data 21
The value of Data 22
Resources - Methodology
Auditing your business differently Data Analytics in audit allows 100% review of the population size unlike sample testing in traditional audits. Aspect Typical Internal Audit Internal Audit with Analytics Understand the business Understand the business Work Flow Random sampling Test samples Understand the Data Perform Data Analysis Focused sampling Test sample/s Identify Audit findings Identify Audit findings Testing Random sampling 100% analysis and focused sampling Correlating data Data correlation from different sources is manually-intensive, almost impossible Ensures data from different sources are correlated and supports conclusion Audit findings Higher possibility of being arbitrary, ambiguous and subjective Fact-based and data driven (incontestable) resulting in more insightful recommendations Audit errors Higher risk of human errors Reduces risk of human errors 24
Unlocking data value 25
Data analytics methodology 26
Resources - Case study - To utilize analytics in the Procurement to Payment Process
Thought process What are the main processes and sub-process? What data is captured in each step? Is data captured in the system or on paper? Is the system-captured data useful? Can data be extracted from the system? Is data cleansing needed? Can it be cleaned? Can analytics be employed? Purchase Requisition Evaluation Selection Delivery Receipt Payment Matching Disbursement 28
Build Analytical Data Set (ADS) The ADS is a list of all records (transactions) that will be analyzed. It takes into account all data from various data sources and puts them together in one area to ensure consistency of analysis. Each transaction from each data source should have a connection to another transaction in another data source (Foreign key relationships). An ADS can range from having just 10 columns to hundreds of columns, depending on the amount of data. System access rights Approved vendor list Vendor details Purchase order listings Payment listings Invoice listings ADS 29
Identify data that may contribute to risk Vendor Approved Vendor Amount Paid Payment Date Person Posting Payment Vendor 1 Yes 152.26 14 Apr 2011 Person 1 Vendor 2 Yes 43.00 17 Feb 2011 Person 1 Vendor 3 Yes 20.90 31 May 2011 Person 1 Vendor 4 Yes 651.12 10 Jan 2011 Person 2 Risk areas for risk scoring 30
Transaction risk scoring The higher the score, the riskier the transaction. Scoring creates a risk profile of the entire business process and provides insights on which areas of the process are riskier and need control enhancements. The scores also tell you which transactions are riskier and thus allow you to focus on them for further investigation. Transaction ID Approved Vendor Within Benford s Law Payment Date Person Posting Payment > 1 Payment on Same Day 10000001 0 0 0 0 0 0 10000002 0 1 2 2 1 6 10000003 0 1 3 2 0 6 10000004 1 0 0 3 0 4 10000005 0 0 0 3 1 4 10000006 0 0 1 3 0 4 10000007 1 1 1 2 0 5 10000008 0 1 1 5 1 8..... Total 31
Sample analysis Benford s Law Analysis Benford s Law was applied on all payments made to vendors based on the paid invoice listing extracted by the Accounts Department. The figure below illustrates the fit between the payments made (Sample rate) and with Benford s Law. 32
Sample analysis Benford s Law Analysis Although majority of the transactions are in accordance with Benford s Law, there were 4 instances wherein the deviation (z-statistic) of transactions exceeded the upper limit. These transactions begin with the digits 10, 15, 45 and 77 as illustrated below. Further analysis of these indicated that there were multiple instances wherein the same vendor was paid the same amount on the same day or on different days. 33
Sample analysis Benford s Law exceptions Each of these transactions have their unique identification numbers (not displayed). The IDs can either be the PO number, Invoice number, a combination of the PO and Invoice number, a system generated number or something else. It depends on how the system is designed. Vendor Approved Vendor Amount Paid Payment Date Person Posting No of Payments Transaction Amounts Starting with 10 14 Apr 2011 Person 1 3 15 Feb 2011 Person 1 15 102.26 17 Dec 2010 Person 2 13 26 Nov 2010 Person 2 3 22 Nov 2010 Person 2 7 104.58 15 Feb 2011 Person 1 5 Vendor 1 Yes 101.37 12 Sep 2011 Person 1 3 101.15 7 Jun 2011 Person 1 7 109.03 11 Aug 2011 Person 1 3 100.85 12 Sep 2011 Person 1 4 101.02 11 Aug 2011 Person 1 5 101.05 7 Jun 2011 Person 1 4 101.20 12 Sep 2011 Person 1 3 Vendor 2 Yes 103.00 17 Feb 2011 Person 1 2 31 Dec 2010 Person 2 4 Vendor 3 Yes 10.90 31 May 2011 Person 1 3 Vendor 4 Yes 101.12 Transaction Amounts Starting with 15 Transaction Amounts Starting with 45 Transaction Amounts Starting with 77 10 Jan 2011 Person 2 1 28 Feb 2011 Person 1 1 34
Sample analysis Other analyses and risk scoring method Approved vendor Approved vendor? Score Yes 0 No 1 Person posting Payment Authorized? Score Yes 0 No 1 Within Benford s Law Amount Paid Score Yes 0 No 1 Payment date Day type Score Weekend 1 Holiday 1 Poster on leave 1 Normal working day 0 Person posting Payment Same Person Posting? Score Requisition 1 Purchase Order 1 Goods Receipt 1 Invoice 1 None of the above 0 Number of Payments on same date Count Score 1 0 > 1 1 35
Audit findings and management insights Process risk profile 83% Top 3 Riskiest areas of process Area 4% 13% High Risk Medium Risk Low Risk No of Exceptions Payment posting 3,234 Payment date 298 Payment amount 212 Top 5 riskiest transactions Transaction ID Risk Score 10000003 15 10002312 13 10058392 13 10078920 12 10089372 12 Analytics increases the precision of audit findings and makes deep-dive investigations very focused and specific. The value of analytics is not just in the number of audit findings and its precision, but in its ability to create an overall risk profile and specifically identify the weak points in each business process. 36
Practical suggested improvements to Procurement Process
Practical suggested improvements to Procurement Process Improve internal controls: Access to modify the Vendor Master File should be limited to authorised personnel Changes made to the Vendor Master File should be approved and supported by documents Vendor Master File and edits made to the Vendor Master File should be periodically reviewed There should be proper segregation of duties Supporting documentation for all payments to vendors should be independently reviewed Test detailed transactions Examine supporting documentation Interview employees 38
Practical suggested improvements to Procurement Process Identify and investigate Procurement Fraud red flags: Unusual or unauthorized vendors Large gifts and entertainment expenses Unusual increase in vendor spending Round-dollar amounts Copies of supporting documentation in lieu of originals Duplicate payments Tips and complaints Sequential invoices paid Unusual/large/round-dollar amounts paid Payments just under authorization level Employee-vendor address match Multiple invoices paid on same date Slight variation of vendor names 39
Closing
Learning objectives Understanding of the key components and risks in the procurement cycle, audit steps, common challenges during the audit and resources to meet these challenges, suggested recommendations to strengthen controls over procurement process. 41
Contacts Melissa Aw Yong Director, Risk Consulting Deloitte & Touche +65 6530 5546 mawyong@deloitte.com 42
About Deloitte Deloitte & Touche LLP or one of its affiliated entities is the Singapore member firm of the Deloitte Network. The Deloitte Network is an association of firms that are members of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ( DTTL ). Neither DTTL nor, except as expressly provided herein, any member firm of DTTL has any liability for each other s acts or omissions. Each member firm of DTTL is a separate and independent legal entity operating under the names Deloitte, Deloitte & Touche, Deloitte Touche Tohmatsu or other related names; and services are provided by member firms or their subsidiaries or affiliates and not by DTTL. About Deloitte Singapore In Singapore, Deloitte & Touche LLP is the member firm of Deloitte Touche Tohmatsu, and services are provided by Deloitte & Touche LLP and its subsidiaries and affiliates. Deloitte & Touche LLP is part of Deloitte Southeast Asia a cluster of member firms operating in Brunei, Guam, Indonesia, Malaysia, Marshall Islands, Micronesia, Northern Mariana Islands, Palau, Philippines, Singapore, Thailand and Vietnam which was established to deliver measurable value to the particular demands of increasingly intra-regional and fast growing companies and enterprises. With a team of over 200 partners and 4,000 professionals located in 20 offices, Deloitte Southeast Asia specialists combine their technical expertise and deep industry knowledge to deliver consistent high quality services to companies in the region. All services are provided through the individual member firms, their subsidiaries and affiliates which are separate and independent legal entities. 2012 Deloitte & Touche Enterprise Risk Services Pte Ltd