©2012 Deloitte & Touche LLP
Internal Audit Procurement Policies and Controls
Melissa Aw Yong
10 October 2012
SAA Global Education Centre Pte Ltd
Seminar 6/7
111 Somerset Road, #06-01/02 TripleOne Somerset Singapore 238164
Agenda
• Opening
• Key components of Procurement
  • Identify and discuss key components in Procurement cycle
• Key Risks
  • Discuss key risks and associated internal controls in the Procurement cycle
• Audit Steps of the Procurement cycle
  • Brief discussion on the audit steps - develop strategy and plan, audit scoping, audit execution, delivering insights
• Challenges & Resources
  • Discuss common challenges in review of Procurement cycle
  • Discuss tools and resources to meet these challenges
• Practical suggested improvements to Procurement Process
  • Common findings and recommendations to strengthen the internal controls of Procurement process
• Closing
Opening
Learning objectives
• Understanding of the key components and risks in the procurement cycle, audit steps, common challenges during the audit and resources to meet these challenges, suggested recommendations to strengthen controls over procurement process.
Attendees introduction
Speaker introduction
Melissa Aw Yong serves as a Director with the Risk Consulting practice of Deloitte, providing governance, risk and compliance services, specialising in the Hospitality and Real Estate industries. She also serves as the President of the Singapore Chapter of the Association of Certified Fraud Examiners.
Prior to Deloitte, she gained valuable work experience in internal audit, risk management, compliance and fraud investigations with professional firms, multi-national corporations and government linked companies.
These multi-national corporations included one of the largest international hotels management groups, where she contributed to the establishment of their internal audit presence in Asia Pacific, designing of their anti-fraud framework and establishment of their inaugural brand compliance management process.
In her most recent corporate experience, she served as the Head of Internal Audit in a leading real estate company, engaged in business of management of development, project, property, estate and funds in Asia.
Melissa gained her Bachelor of Accountancy from Nanyang Technological University. She is a Certified Internal Auditor (IIA), a Certified Fraud Examiner (ACFE), a Certified Public Accountant (ICPAS) and has also received a Certification in Control Self-Assessment (CCSA).
Key components of Procurement
Purchase Requisition Evaluation Selection
Delivery Receipt
Payment Matching Disbursement
Key Risks
Considerations for risk identification include, but are not limited to:
• Collusion between employees and vendors?
• Vendors defrauding the company?
• Collusion among vendors within an industry?
• Employees defrauding their employers?
• Is a process established?
• Is there segregation of duties?
• Are requestors authorised?
• Are the evaluation and selection criteria fair and transparent?
• Are the evaluators independent?
• Are receivers qualified / trained / equipped?
• Are transactions recorded?
• Are transactions in the systems accurate, valid, authorised, monitored?
Audit steps of the Procurement cycle
Audit steps
1. Understand the Business Objectives, Control Environment, Management Control, Industry, Regulatory Environment, Economic Issues
2. Recommend strategies for addressing the relevant issues identified in the risk profile and the resources required
3. Obtain Senior Management and Audit Committee approval.
4. Identify business objectives, risks, controls and exposures
5. Incorporate insights of specialists
6. Prepare detailed internal audit project workplan.
7. Perform detailed process/transaction/ systems
8. Walkthrough (process mapping) and documentation of results
9. Perform and document detailed testing, benchmarking to best practices and analysis
10. Evaluate results and collaborate with management
11. Draft report and solicit management responses
12. Issue final report
13. Follow-up and track key recommendations
Challenges & Resources
Challenges
• Volume Of Data
• Sampling
• Ability to verify Receipt Of Services
• Relationships matters
Resources – Whistle Blowing
Source: Association of Certified Fraud Examiners 2012 Report to the Nations on Occupational Fraud and Abuse
Whistle Blowing
• Employees
• Customers
• Vendors
• Competitors
• Agents, distributors, etc…
Resources - Power of Analytics
The Old Way vs. The New Way
Data analytics uses data to drive business strategy and performance.
• Looking backward to evaluate what happened in the past
• Forward-looking approaches like scenario planning and predictive modelling.
• To see it; see what it means; what it can do.
What is your data trying to tell you?
Art or Science…?
Science
• Fact-based
• Data extraction and cleansing
• Statistical analysis and modeling
• Trending, statistical analysis and data classifications
• Data analysis techniques to perform queries and analyze data in support of a specific objective
• Technological tools and software
• Basic and advanced MS Excel functions, Structured Query Language (SQL) and statistical models, among others
Art
• Multi-dimension and multi-cross referencing of data
• Behavior and common practices
• Presentation of analysis and models
• Insights derived from multi-faceted interpretations and perspectives
Data Analytics is the science and art of examining raw data with the purpose of identifying patterns and relationships to draw conclusions and insights from it.
The Value of Data
Resources - Methodology
Auditing your business differently
| Aspect | Typical Internal Audit | Internal Audit with Analytics |
|---|---|---|
| Work Flow | Understand the business → Random sampling → Test samples → Identify Audit findings | Understand the business → Understand the Data → Perform Data Analysis → Focused sampling → Test sample/s → Identify Audit findings |
| Testing | Random sampling | 100% analysis and focused sampling |
| Correlating data | Data correlation from different sources is manually-intensive, almost impossible | Ensures data from different sources are correlated and supports conclusion |
| Audit findings | Higher possibility of being arbitrary, ambiguous and subjective | Fact-based and data driven (incontestable) resulting in more insightful recommendations |
| Audit errors | Higher risk of human errors | Reduces risk of human errors |

Data Analytics in audit allows 100% review of the population size unlike sample testing in traditional audits.
Unlocking data value
Data analytics methodology
Resources - Case study - To utilize analytics in the Procurement to Payment Process
Thought process
• What are the main processes and sub-processes?
• What data is captured in each step?
• Is data captured in the system or on paper?
• Is the system-captured data useful?
• Can data be extracted from the system?
• Is data cleansing needed? Can it be cleaned?
• Can analytics be employed?
Purchase Requisition Evaluation Selection
Delivery Receipt
Payment Matching Disbursement
Build Analytical Data Set (ADS)
The ADS is a list of all records (transactions) that will be analyzed. It takes into account all data from various data sources and puts them together in one area to ensure consistency of analysis. Each transaction from each data source should have a connection to another transaction in another data source (Foreign key relationships).
An ADS can range from having just 10 columns to hundreds of columns, depending on the amount of data.
Data sources feeding the ADS:
• Invoice listings
• Purchase order listings
• System access rights
• Approved vendor list
• Vendor details
• Payment listings
• …
Identify data that may contribute to risk
| Vendor | Approved Vendor | Amount Paid | Payment Date | Person Posting Payment |
|---|---|---|---|---|
| Vendor 1 | Yes | 152.26 | 14 Apr 2011 | Person 1 |
| Vendor 2 | Yes | 43.00 | 17 Feb 2011 | Person 1 |
| Vendor 3 | Yes | 20.90 | 31 May 2011 | Person 1 |
| Vendor 4 | Yes | 651.12 | 10 Jan 2011 | Person 2 |
| … | … | … | … | … |
Risk areas for risk scoring
Transaction risk scoring
The higher the score, the riskier the transaction. Scoring creates a risk profile of the entire business process and provides insights on which areas of the process are riskier and need control enhancements.
The scores also tell you which transactions are riskier and thus allow you to focus on them for further investigation.
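| Transaction ID | Approved Vendor | Within Benford’s Law | Payment Date | Person Posting Payment | > 1 Payment on Same Day | Total |
|---|---|---|---|---|---|---|
| 10000001 | 0 | 0 | 0 | 0 | 0 | 0 |
| 10000002 | 0 | 1 | 2 | 2 | 1 | 6 |
| 10000003 | 0 | 1 | 3 | 2 | 0 | 6 |
| 10000004 | 1 | 0 | 0 | 3 | 0 | 4 |
| 10000005 | 0 | 0 | 0 | 3 | 1 | 4 |
| 10000006 | 0 | 0 | 1 | 3 | 0 | 4 |
| 10000007 | 1 | 1 | 1 | 2 | 0 | 5 |
| 10000008 | 0 | 1 | 1 | 5 | 1 | 8 |
| … | … | … | … | … | … | … |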
Sample analysis – Benford’s Law Analysis
Benford’s Law was applied to all payments made to vendors, based on the paid invoice listing extracted by the Accounts Department. The figure below illustrates the fit between the payments made (Sample rate) and Benford’s Law.
Sample analysis – Benford’s Law Analysis
Although the majority of the transactions are in accordance with Benford’s Law, there were 4 instances wherein the deviation (z-statistic) of transactions exceeded the upper limit. These transactions begin with the digits 10, 15, 45 and 77 as illustrated below.
Further analysis of these indicated that there were multiple instances wherein the same vendor was paid the same amount on the same day or on different days.
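The first-two-digit Benford test and the follow-up drill-down described above, as an added example (not code from the original slides): it computes a z-statistic for each leading-digit pair, then lists vendor/amount combinations paid more than once within the flagged pairs. The 1.96 limit, the continuity-corrected z formula and the sample payments are assumptions constructed for illustration.

```python
import math
from collections import Counter

Z_LIMIT = 1.96  # assumed upper limit (95% level); the slides do not state theirs

def first_two_digits(amount):
    """Leading two significant digits: 102.26 -> 10, 10.90 -> 10, 0.0457 -> 45."""
    if amount <= 0:
        return None                # zero amounts and credit notes are left out
    s = f"{amount:.6e}"            # e.g. '1.022600e+02'
    return int(s[0] + s[2])

def benford_exceptions(amounts, z_limit=Z_LIMIT):
    """Return {leading digits: z} where the observed share exceeds Benford's."""
    digits = [d for d in map(first_two_digits, amounts) if d is not None]
    n, counts, flagged = len(digits), Counter(digits), {}
    if n == 0:
        return flagged
    for d in range(10, 100):
        p_exp = math.log10(1 + 1 / d)       # Benford share for leading digits d
        p_obs = counts[d] / n
        diff = abs(p_obs - p_exp)
        cc = 1 / (2 * n)                    # continuity correction
        if cc < diff:
            diff -= cc
        z = diff / math.sqrt(p_exp * (1 - p_exp) / n)
        if z > z_limit and p_obs > p_exp:   # only over-represented digit pairs
            flagged[d] = round(z, 2)
    return flagged

def repeated_payments(payments, flagged):
    """Drill down: (vendor, amount) pairs paid more than once in flagged digits."""
    hits = Counter((v, a) for v, a in payments if first_two_digits(a) in flagged)
    return {pair: c for pair, c in hits.items() if c > 1}

# Constructed sample: 2,000 background payments that follow Benford's Law
# (log-uniform between 10 and 10,000) plus two injected repeat payments.
background = [("Vendor %d" % (i % 50 + 5), round(10 ** (1 + 3 * (i + 0.5) / 2000), 2))
              for i in range(2000)]
injected = [("Vendor 1", 102.26)] * 60 + [("Vendor 2", 451.00)] * 40
payments = background + injected

flagged = benford_exceptions([amount for _, amount in payments])
print(flagged, repeated_payments(payments, flagged))
```

Only the two injected digit pairs are flagged, and the drill-down isolates the repeated vendor/amount combinations behind them.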
Sample analysis – Benford’s Law exceptions
Each of these transactions has its own unique identification number (not displayed). The ID can be the PO number, the invoice number, a combination of the PO and invoice numbers, a system-generated number or something else, depending on how the system is designed.

Transaction Amounts Starting with 10

| Vendor | Approved Vendor | Amount Paid | Payment Date | Person Posting | No of Payments |
|---|---|---|---|---|---|
| Vendor 1 | Yes | 102.26 | 14 Apr 2011 | Person 1 | 3 |
| | | | 15 Feb 2011 | Person 1 | 15 |
| | | | 17 Dec 2010 | Person 2 | 13 |
| | | | 26 Nov 2010 | Person 2 | 3 |
| | | | 22 Nov 2010 | Person 2 | 7 |
| | | 104.58 | 15 Feb 2011 | Person 1 | 5 |
| | | 101.37 | 12 Sep 2011 | Person 1 | 3 |
| | | 101.15 | 7 Jun 2011 | Person 1 | 7 |
| | | 109.03 | 11 Aug 2011 | Person 1 | 3 |
| | | 100.85 | 12 Sep 2011 | Person 1 | 4 |
| | | 101.02 | 11 Aug 2011 | Person 1 | 5 |
| | | 101.05 | 7 Jun 2011 | Person 1 | 4 |
| | | 101.20 | 12 Sep 2011 | Person 1 | 3 |
| Vendor 2 | Yes | 103.00 | 17 Feb 2011 | Person 1 | 2 |
| | | | 31 Dec 2010 | Person 2 | 4 |
| Vendor 3 | Yes | 10.90 | 31 May 2011 | Person 1 | 3 |
| Vendor 4 | Yes | 101.12 | 10 Jan 2011 | Person 2 | 1 |
| | | | 28 Feb 2011 | Person 1 | 1 |
Transaction Amounts Starting with 15
…
Transaction Amounts Starting with 45
…
Transaction Amounts Starting with 77
…
Sample analysis – Other analyses and risk scoring method

Approved vendor

| Approved vendor? | Score |
|---|---|
| Yes | 0 |
| No | 1 |

Within Benford’s Law

| Amount Paid | Score |
|---|---|
| Yes | 0 |
| No | 1 |

Payment date

| Day type | Score |
|---|---|
| Weekend | 1 |
| Holiday | 1 |
| Poster on leave | 1 |
| Normal working day | 0 |

Person posting Payment

| Authorized? | Score |
|---|---|
| Yes | 0 |
| No | 1 |

Person posting Payment

| Same Person Posting? | Score |
|---|---|
| Requisition | 1 |
| Purchase Order | 1 |
| Goods Receipt | 1 |
| Invoice | 1 |
| None of the above | 0 |

Number of Payments on same date

| Count | Score |
|---|---|
| 1 | 0 |
| > 1 | 1 |
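One way to apply the scoring rules above to an ADS and derive the riskiest transactions and areas, as an added example rather than the presenter's own code. Field names, the holiday calendar and the sample rows are constructed; the rows are chosen so that their scores reproduce transactions 10000001, 10000002, 10000004 and 10000008 in the transaction risk scoring table, and adding the points within an area is an assumption inferred from those sample scores.

```python
from collections import Counter
from datetime import date

HOLIDAYS = {date(2011, 4, 16)}  # constructed holiday calendar (assumption)

def score(tx, holidays=HOLIDAYS):
    """Score one ADS row per risk area; Total is the sum of the areas."""
    areas = {
        "Approved Vendor": not tx["approved_vendor"],
        "Within Benford's Law": not tx["within_benford"],
        # day-type points add up: weekend + holiday + poster on leave
        "Payment Date": (tx["date"].weekday() >= 5) + (tx["date"] in holidays)
                        + tx["poster_on_leave"],
        # 1 if the poster is not authorised, plus 1 per earlier step
        # (requisition, PO, goods receipt, invoice) the poster also handled
        "Person Posting Payment": (not tx["poster_authorised"])
                                  + len(tx["steps_by_poster"]),
        "> 1 Payment on Same Day": tx["payments_same_day"] > 1,
    }
    areas = {name: int(points) for name, points in areas.items()}
    areas["Total"] = sum(areas.values())
    return areas

def risk_profile(ads):
    """Rank transactions by total score and count exceptions per risk area."""
    scored = {tx["id"]: score(tx) for tx in ads}
    ranked = sorted(scored.items(), key=lambda kv: -kv[1]["Total"])
    exceptions = Counter(area for s in scored.values()
                         for area, pts in s.items() if area != "Total" and pts)
    return ranked, exceptions

def row(tid, approved, benford, day, on_leave, authorised, steps, same_day):
    return {"id": tid, "approved_vendor": approved, "within_benford": benford,
            "date": day, "poster_on_leave": on_leave,
            "poster_authorised": authorised, "steps_by_poster": steps,
            "payments_same_day": same_day}

# Constructed ADS rows (16 Apr 2011 is a Saturday and a listed holiday)
ADS = [
    row("10000001", True, True, date(2011, 4, 14), False, True, [], 1),
    row("10000002", True, False, date(2011, 4, 16), False, True,
        ["requisition", "purchase order"], 3),
    row("10000004", False, True, date(2011, 4, 14), False, False,
        ["requisition", "invoice"], 1),
    row("10000008", True, False, date(2011, 4, 14), True, False,
        ["requisition", "purchase order", "goods receipt", "invoice"], 2),
]
ranked, exceptions = risk_profile(ADS)
print(ranked[0], exceptions.most_common(3))
```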
Audit findings and management insights
Analytics increases the precision of audit findings and makes deep-dive investigations very focused and specific.

The value of analytics is not just in the number of audit findings and its precision, but in its ability to create an overall risk profile and specifically identify the weak points in each business process.

Process risk profile (pie chart; legend: High Risk, Medium Risk, Low Risk; segment labels: 4%, 13%, 83%)

Top 5 riskiest transactions

| Transaction ID | Risk Score |
|---|---|
| 10000003 | 15 |
| 10002312 | 13 |
| 10058392 | 13 |
| 10078920 | 12 |
| 10089372 | 12 |

Top 3 Riskiest areas of process

| Area | No of Exceptions |
|---|---|
| Payment posting | 3,234 |
| Payment date | 298 |
| Payment amount | 212 |
Practical suggested improvements to Procurement Process
Improve internal controls:
• Access to modify the Vendor Master File should be limited to authorised personnel
• Changes made to the Vendor Master File should be approved and supported by documents
• Vendor Master File and edits made to the Vendor Master File should be periodically reviewed
• There should be proper segregation of duties
• Supporting documentation for all payments to vendors should be independently reviewed
• Test detailed transactions
• Examine supporting documentation
• Interview employees
Identify and investigate Procurement Fraud red flags:
• Unusual or unauthorized vendors
• Large gifts and entertainment expenses
• Unusual increase in vendor spending
• Round-dollar amounts
• Copies of supporting documentation in lieu of originals
• Duplicate payments
• Tips and complaints
• Sequential invoices paid
• Unusual/large/round-dollar amounts paid
• Payments just under authorization level
• Employee-vendor address match
• Multiple invoices paid on same date
• Slight variation of vendor names
Closing
Learning objectives
• Understanding of the key components and risks in the procurement cycle, audit steps, common challenges during the audit and resources to meet these challenges, suggested recommendations to strengthen controls over procurement process.
Contacts
Melissa Aw Yong
Director, Risk Consulting
Deloitte & Touche
+65 6530 [email protected]
About Deloitte
Deloitte & Touche LLP or one of its affiliated entities is the Singapore member firm of the Deloitte Network. The “Deloitte Network” is an association of firms that are members of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”). Neither DTTL nor, except as expressly provided herein, any member firm of DTTL has any liability for each other’s acts or omissions. Each member firm of DTTL is a separate and independent legal entity operating under the names “Deloitte”, “Deloitte & Touche”, “Deloitte Touche Tohmatsu” or other related names; and services are provided by member firms or their subsidiaries or affiliates and not by DTTL.
About Deloitte Singapore
In Singapore, Deloitte & Touche LLP is the member firm of Deloitte Touche Tohmatsu, and services are provided by Deloitte & Touche LLP and its subsidiaries and affiliates.
Deloitte & Touche LLP is part of Deloitte Southeast Asia—a cluster of member firms operating in Brunei, Guam, Indonesia, Malaysia, Marshall Islands, Micronesia, Northern Mariana Islands, Palau, Philippines, Singapore, Thailand and Vietnam—which was established to deliver measurable value to the particular demands of increasingly intra-regional and fast growing companies and enterprises.
With a team of over 200 partners and 4,000 professionals located in 20 offices, Deloitte Southeast Asia specialists combine their technical expertise and deep industry knowledge to deliver consistent high quality services to companies in the region.
All services are provided through the individual member firms, their subsidiaries and affiliates which are separate and independent legal entities.
© 2012 Deloitte & Touche Enterprise Risk Services Pte Ltd