Procurement compliance is a big subject, and there is no universal definition of it. If you ask a procurement professional, they will define procurement compliance as the process of measuring whether purchases are happening as per the defined corporate spend or purchasing policy.
The focus there is more on whether we are purchasing from preferred vendors and whether the spend is under management or being negotiated through an RFP process.
In this blog post, we don’t address procurement compliance from the procurement perspective. We address procurement or purchasing compliance from the controller’s and CFO’s perspective. More specifically, we address the specific measures controllers and CFOs can take to ensure that their companies comply with Sarbanes-Oxley and other procurement control measures.
Sarbanes Oxley section 404 and procurement
The Sarbanes-Oxley Act of 2002 applies primarily to public companies; however, some aspects of section 404 apply to private companies as well, such as the destruction of evidence to impede a federal investigation.
As we all know, this act was established to protect investors after the debacles of Enron and WorldCom, so we won’t go into the details of why the law was passed in the first place.
We are by no means SOX experts; this is our attempt to provide an understanding of the implications of SOX for purchasing controls and of how companies can think about automating such controls.
Section 404 requires management and external auditors to certify every quarter that they have adequate internal controls to provide accurate financial reporting. From a procurement or purchasing standpoint, we will focus mostly on section 404 controls which are applicable to the purchasing process.
The list of 404 controls applicable to procurement is as follows.
The general control is the segregation of duties, to ensure that the same person doesn’t have access to set up a supplier, issue a purchase order, receive the goods, and pay the invoices.
Another important aspect of internal procurement controls is the need to have the purchase orders and payment authorized at the right level in the company. The authorization is generally defined in the purchasing policy of the company. The controls for authorization can be manual or fully automated.
A sub-control of this control is to ensure the purchase request is made by an authorized employee. For example, even if the invoices are being approved at the right level, most employees don’t pay enough attention to the review and treat it as rubber stamping.
So it is important to have controls in place to ensure that a purchase request is only approved by authorized employees. Having a purchase order process and system is sufficient to ensure compliance with this control.
All suppliers must be vetted before they are set up for payments. There are a few levels of assessment.
For example, the assessment of the suppliers on the capabilities and whether they are offering you the best value.
The next level is generally to verify that they are registered, that their tax ID is valid, etc. In other words, that they are what they say they are.
Most companies stop here, but an additional level of assessment includes ensuring that there is no conflict of interest with the chosen supplier. For example, the supplier is not a relative of the person who is authorizing the purchase of the product or service.
Once the invoices are entered in the system, there are a few steps required to ensure you are meeting the control requirements:
a) Product/service is received
Even if you are following a purchase order process, in other words issuing a purchase order to suppliers, you must ensure that the invoice is ready to pay by doing the following:
Have a receipt process, whereby a receipt is created by the person who ordered the product. The receipt is confirmation that the product or service has been received.
If that is not possible, then the person who ordered the service should review and approve the invoice for payment. The review and approval process is a way for the employees to authorize the payments.
b) Invoice is reviewed and authorized at the right level before payment
Not all payments made by the company are against a purchase order. There are a lot of other payments a company needs to make, for example, bank debt payments, employee benefits payments, etc.
So along with external vendor purchases, a company must have an approval process to ensure that those payments are also authorized at the right level before the payment is made.
This one is straightforward: to ensure that a company can report on its cash flows, all purchases must be recorded properly in the financial system.
To ensure that it happens, companies should properly define the controls to ensure that all purchases are captured in one single system.
In the section above we talked about different controls from a SOX perspective. In this section, we will cover the benefits of automated controls. Automation of the controls and automated testing of those controls reduces the overall cost of the internal audit.
As per a survey by Protiviti, 80% of the companies have significant or moderate plans to automate the selected IT controls and processes.
Scalability, consistency & peace of mind
The obvious benefit of automated controls is the consistency you get from an audit perspective. Since the controls are fully automated, the system drives consistency in pre-emptive controls and the authorization limits from a spend authorization perspective.
As the organization scales, the control scales with them. Whether you go from 100 employees to 10,000, the system automatically ensures that the control requirements are met.
Lower audit cost
As you can see above, the cost of compliance increases year over year, and that has been consistent across the years. For example, in 2018, the second-year cost of compliance was more than double the cost of compliance in the first year.
There could be many reasons for that:
1. As companies increase the maturity of their controls, they spend more time auditing those controls and hence higher costs.
2. There could be more controls added in year 2 because of which the cost goes up.
Not all of the cost above is due to purchasing controls, but purchasing controls drive most of the other controls. For example, if the purchasing system has a way to accurately allocate cost across different cost centers, then you can be assured that the financial systems have the correct information.
By automating these purchasing controls, companies can lower the cost of the audit and as more and more controls are added, the cost of auditing those controls is reduced because of the integrity of the data provided by the purchasing system.
In the next section, we present a framework for assessing the maturity of internal controls and a roadmap on how to build strong internal controls. However, before we move any further, let’s quickly assess the current processes so that it is easier to identify gaps.
Let’s review each step in the purchasing process.
The first step is to assess whether vendors are properly authorized before being set up in your accounting system. The goal is to list the current process as is; the questions to ask are as follows:
1. Who in the company has access to set up a new vendor?
2. Who in the company has access to update vendor payment information like remittance address, ACH information, etc.?
3. Is there any authorization for creating the vendor or updating an existing vendor record?
4. How do you validate the existence of the vendor company? Do you check against the IRS [Internal Revenue Service] website or any other source to ensure their existence?
5. How do you validate any new request for changes in vendor profile, for example, vendor remittance information? Do you call the vendor to validate?
The next step in the process is to document the current purchase order process:
1. How are purchase orders created today? Is it manual, or do you have an automated process for creating a purchase order?
2. Can orders only be created for approved vendors, or can users submit an order for any vendor?
3. How is the approval request authorized, who approves, and at what level?
4. What is the delegation process for delegating the approval authority of an individual?
5. How easy is it to retrieve old orders and their approval history for audit purposes?
The next step in the process is to document the current process for invoice approvals. Key questions to ask:
1. What is the current process to ensure invoices submitted by vendors are for a valid purchase?
2. Do you have a 2-way or 3-way invoice match process? A 2-way match compares the PO with the invoice; a 3-way match compares the purchase order with the invoice and the receipt.
The best practice is to conduct a 3-way match for all purchases, including services. If you do a 3-way match, is it manual or automated?
3. What is the process for validating non-PO invoices, i.e. invoices with no purchase order associated with them? Do you send these invoices for approval?
4. If you send the invoices for approval, what is the approval process?
Now let’s look at the payment authorization process. Not every payment you would make is an invoice from the vendor. You might be making payments for employee benefits or other payments.
1. Make a list of all the payments that don’t go through an invoice process.
2. What is the process for authorization of such payments?
3. What is the authorization level for such payments? For example, any payment over $500K needs to be approved by the CEO.
4. How easy or difficult is it to retrieve the approval history for audit purposes?
Now that we have an inventory of the current process, let’s look at where your company stands from a compliance perspective.
Source: A.T. Kearney
Given that automation has many levels, organizations really should think about a maturity model where the controls are getting more automated from one phase to another, and eventually, the controls are fully automated.
Before you start working on a transformation model for your internal controls, you should assess the current state of internal controls.
The above model from A.T. Kearney is a good way to think through the IT controls journey. Let’s cover each of the four phases of the continuous improvement journey.
There are three tenets for assessing the internal controls:
1. Documentation of internal controls
2. IT systems to automate those controls.
3. Resources to measure compliance with those internal controls.
This is called level 1 because this is where most companies are when there are no controls.
To assess whether you are at this level, ask the following questions:
1. How are procurement transactions processed today? Are they processed in one purchasing system?
2. Do you have a purchase authorization process or the invoices just show up and then the A/P department has to chase the business to find out about the purchase?
3. Do you have a purchasing policy that defines those internal controls? A purchasing policy should cover the key controls so that it is easy for employees to refer to those controls.
4. If you have documented internal controls, then who is responsible for ensuring compliance?
5. How is compliance measured? Are you conducting internal audits on a regular basis?
As per A.T. Kearney, at this level most companies have ad-hoc processes and there is no single system for purchasing. The level of control varies from one purchasing channel to another.
In our view, that is where we find most of our customers before they start implementing ProcureDesk.
At this level of internal controls automation, companies are not fully manual and do have the basic structure for compliance in place.
Ideally, you should have the following at this level:
1. A well-defined purchasing policy that lists the internal controls.
Common among those controls are the authorization of spend and the authorization limits by job title. However, at this level the purchasing policy and related controls are not centralized across all regions or business units. If you only have one business unit, then this is not an issue.
2. Process for authorization of purchase.
For example, how to submit a purchase order request or how to submit a requisition for purchase.
You should have a basic system that allows for the authorization of purchases. A common process for this is email-based approval with standard requisition forms that need to be filled in and attached to the purchase authorization email.
3. It is also not uncommon to see purchasing authorization applied only to a few selected items or high-dollar spend, with the rest of the spending going on credit cards where there is no pre-authorization.
4. There are limited resources for measuring compliance or it is not a full-time job for someone to measure compliance to controls. This is either because there are limited transactions for measuring control or the resources are limited and hence it is not a focus area.
Companies at level 3 of the internal controls automation curve have the following attributes.
1. Controls are fully documented in the form of the purchasing policy. However, for companies that span multiple regions or have multiple business units, each individual entity has its own policy.
2. Procurement systems are automated but they are in silos. For example, an organization might have a separate system for evaluating new vendors, also called the sourcing function. There might be a separate system for centrally storing all contracts and a separate system for purchasing or issuing purchase orders.
It is not uncommon to see this where companies have either acquired different systems through multiple acquisitions or have put together different systems over time to solve a problem. The drawback is that this approach requires a lot of manual data entry from one system to another, and there is an efficiency loss.
3. At this level, companies have dedicated resources for measuring compliance with the controls. That could be in the form of an in-house team or outsourced audit teams.
At level 4, the internal controls are fully automated and there is no need for manual processes. At this level, companies have the following:
1. Controls are fully documented across all business units. The main difference between level 3 and level 4 is that at level 3 companies might not have consistent controls across all business units. However, level 4 companies have uniform controls across all of the business units or regions.
2. The IT processes are fully automated to support the entire procure to pay process. At level 4, companies have one single system for sourcing, contracts, purchasing, and invoicing. With one single system, companies realize the benefits of seamless data processing and avoid any errors due to data entry from one system to another.
3. At this level, companies have a central audit team to measure compliance with internal controls. All controls are measured by a central team and compliance measurement and tracking are consistent across all business units and regions of the company.
4. At this level, controls are pre-emptive and reactive. That means the systems are proactively driving the compliance to policies and there is limited need for any manual intervention.
The above maturity model is a good yardstick for companies to measure their current state as well as plan any improvements in their ongoing process.
We are not qualified to advise you on how to set up a compliance team for audit purposes, but we can certainly advise on the IT processes that will help you go from level 1 to level 4.
The steps involved in building the internal control process are as follows.
Following is a checklist of controls that you must implement for the vendor setup process.
1. The person setting up vendors should not have access to creating purchase orders.
2. There should be a process to check the vendor’s existence by validating the tax ID on the W-9 provided by the vendor:
a) Validate the EIN and name on the IRS website.
b) Check the vendor name against the US Treasury blacklist. You can use the OFAC (Office of Foreign Assets Control) website to check for any sanctions against the vendor(s).
3. The person setting up the vendors should not be able to set up the vendor prior to approval from another person. Ideally, a second person validates all the documents before the vendor setup request is approved.
4. If possible, automate the vendor setup process through a workflow tool so that the vendor approval request is approved electronically. Electronic approval, or approval through a system, allows the auditors to easily review the audit trail at a later point in time.
The next step in the automation of the internal controls is the automation of the purchase order process.
Before automating the purchase order process, you should create a purchasing policy that includes the following:
• Process for creating and authorizing requisitions or purchase orders.
• Authorization of spend based on the levels in the organization hierarchy
• Signature authority for signing contracts.
If you want to learn more about a purchasing policy, you can read about setting up a purchasing policy.
After you are done setting up the purchasing policy, here is what should be automated in the purchase order process.
♦ There should be no self-approvals; all purchases must be approved by at least one other person in the organization.
♦ All major purchases should be reviewed by finance to ensure that appropriate budgets are allocated for those purchases.
♦ The purchase order approval process should be automated: a purchase order system should be implemented so that the authorization controls are applied automatically by the system. This makes the review process simple, since the controls are enforced automatically.
♦ The audit trail should be available for review at any point in time.
There are other benefits of centralizing your purchasing process through a system that includes visibility and cost control but from an internal controls standpoint, it provides a repeatable, auditable purchase order process.
It also ensures compliance with the company’s policies.
The next step is to ensure that proper controls are implemented for processing an invoice. There are generally two types of invoices.
An invoice against a purchase order and an invoice without a purchase order also called a non-PO invoice.
♦ A PO invoice should be matched against the purchase order and receipt/s to ensure that invoice amount and quantities are the same on all 3 documents. This process is called a 3-way match process. This can be performed manually or through an invoice automation tool.
♦ There should be a defined exception review and approval process so that any exceptions from the 3-way match process are reviewed and approved by the budget owners.
♦ For non-PO invoices, the invoice must be reviewed and approved before the payment can be made. Ideally, the authorization limits and the process should be the same as the purchase order process.
♦ And last but not least, the audit trail for all the reviews and approvals should be readily available to the compliance team for any further reviews.
Not all expenses go through a purchase order process, or through an invoice process. Most companies have expense reporting tools so that employees can report on expenses.
So we should also look at the controls for expenses:
♦ There should be an easy process for employees to submit expenses.
♦ It should be easy for the end users to attach receipts with the expenses.
♦ All expense reports should be approved by the manager of the person submitting the expenses. The idea is that the manager is reviewing and approving only those expenses which are allowed under the corporate purchasing policy.
♦ Some companies require a receipt for every purchase and that could be burdensome for the employees. You might want to look at having receipts above a certain threshold, for example, anything over $25.
♦ Finally, the approved expenses should be easily accessible to the auditors for easy review.
In summary, here is a checklist to build procurement compliance within your organization:
Have a process and approvals to ensure that only authorized users can create new suppliers in the system or change existing suppliers.
All supplier data should be validated with third-party data sources like IRS to ensure the existence of suppliers and the correctness of the information.
Set up a purchase order process to ensure that all spend is pre-authorized and approved at the right level. This is to prevent any unauthorized spending.
Set up a 3-way invoice matching process so that the invoice can be matched against the purchase order and receipt. This ensures that the invoice is for a pre-authorized expense and that the product has been received. In the case of a service, the receipt process validates that the service has been delivered as per the agreed-upon criteria.
Set up segregation of duties so that one person can’t complete the entire transaction from purchase order to invoice without further approvals.
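As an added example (not from this post and not ProcureDesk’s code), here is how three of the checklist controls, segregation of duties, authorization limits by job title, and the 3-way match between purchase order, receipt and invoice, can be enforced together at payment-release time; the job titles and dollar limits, the document fields and the sample transaction are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed limits by job title; real values come from the purchasing policy.
AUTH_LIMITS = {"manager": 10_000, "director": 100_000, "cfo": float("inf")}

@dataclass
class Line:
    sku: str
    qty: int
    unit_price: float

@dataclass
class Doc:
    number: str
    actor: str   # employee who created or approved the document
    lines: list

def three_way_match(po, receipt, invoice):
    """Compare each invoice line with PO and receipt; return exception strings."""
    exceptions = []
    po_by_sku = {ln.sku: ln for ln in po.lines}
    rcv_by_sku = {ln.sku: ln for ln in receipt.lines}
    for inv in invoice.lines:
        po_l = po_by_sku.get(inv.sku)
        if po_l is None:
            exceptions.append(f"{inv.sku}: billed but not on {po.number}")
            continue
        received = rcv_by_sku[inv.sku].qty if inv.sku in rcv_by_sku else 0
        if inv.qty > po_l.qty or inv.qty > received:
            exceptions.append(f"{inv.sku}: billed {inv.qty}, ordered {po_l.qty}, "
                              f"received {received}")
        if inv.unit_price != po_l.unit_price:
            exceptions.append(f"{inv.sku}: price {inv.unit_price} != PO {po_l.unit_price}")
    return exceptions

def segregation_violations(vendor_setup_by, po, receipt, invoice):
    """Flag one person holding two of: vendor setup, PO, receipt, payment approval."""
    roles = [("vendor setup", vendor_setup_by), ("purchase order", po.actor),
             ("receipt", receipt.actor), ("payment approval", invoice.actor)]
    first_role, violations = {}, []
    for role, person in roles:
        if person in first_role:
            violations.append(f"{person}: {first_role[person]} and {role}")
        else:
            first_role[person] = role
    return violations

def authorization_ok(total, approver_title):
    # An approver may only release spend up to the limit for their title.
    return total <= AUTH_LIMITS.get(approver_title, 0)

def release_for_payment(vendor_setup_by, po, receipt, invoice, approver_title):
    """Run all three controls; payment is released only if none raises a finding."""
    total = sum(ln.qty * ln.unit_price for ln in invoice.lines)
    findings = three_way_match(po, receipt, invoice)
    findings += segregation_violations(vendor_setup_by, po, receipt, invoice)
    if not authorization_ok(total, approver_title):
        findings.append(f"total {total:.2f} exceeds limit for {approver_title}")
    return {"release": not findings, "total": total, "findings": findings}

# Constructed sample: supplier billed 12 units, but only 10 were ordered and received.
PO = Doc("PO-1001", "alice", [Line("WIDGET", 10, 25.0)])
RECEIPT = Doc("RC-1001", "bob", [Line("WIDGET", 10, 25.0)])
INVOICE = Doc("INV-77", "carol", [Line("WIDGET", 12, 25.0)])
RESULT = release_for_payment("dave", PO, RECEIPT, INVOICE, "manager")
```

In the sample the quantity mismatch blocks release and produces the exception that the budget owner would review, which is the exception process the checklist calls for.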
Hope you found this helpful. If you would like to see how ProcureDesk can help you automate and implement these controls, let us know by clicking on the button below.