Procurement leaders and Controllers of small and large organizations often struggle with Procurement compliance.
If you ask a procurement professional, procurement compliance is a process by which they measure if the purchases are happening as per defined corporate Spend or the purchasing policy.
Procurement compliance is measured as Spend under management with preferred suppliers and as per the defined procurement process.
However, from a Controller’s perspective, the concern is whether the appropriate person authorized the Spend before AP paid the supplier.
In this blog post, we don’t address procurement compliance from a procurement perspective.
Ensuring Procurement compliance is challenging, especially when you have a manual purchasing process. Of course, you can approve every purchase to ensure compliance, but as CFO, you have better things to do them approving purchase requests!
Purchasing automation can help with ensuring purchasing compliance. If you want to see if ProcureDesk is a good fit for you, click here to schedule a 1-1 demo.
What is Procurement Compliance?
Procurement compliance is a measure of the effectiveness of a Company’s defined purchasing policies.
It is measured as the % of transactions that comply with the set purchasing policy of the company.
To measure compliance, you need to set up controls and then have systems to enforce those controls in the day-to-day purchasing process.
You can further categorize the compliance as follows:
To measure Procurement compliance, companies generally follow a compliance audit process. The process works as follows:
We recommend using SOX(Sarbanes Oxley) recommendations for setting up the control framework for Procurement.
Sarbanes Oxley act of 2002 is primarily applicable to public companies. However, some aspects of section 404 apply to private companies, such as the destruction of evidence to impede a federal investigation.
Sarbanes Oxley was the outcome of the debacle of Enron and Worldcom. The act was passed to ensure that investors are protected.
We are by no means SOX experts; this is our attempt to understand the implications of SOX on purchasing controls and how companies can think of automating such controls.
Section 404 requires management and external auditors to certify adequate internal controls to provide accurate financial reporting every quarter.
From a procurement or purchasing standpoint, we will focus primarily on section 404 controls that apply to the purchasing process.
Implementing and tracking Sox 404 controls for purchasing could be daunting.
A purchasing system not only automates that for you but also provides a complete audit trail so that you can easily track the compliance to established controls.
The list of 404 controls applicable to Procurement is as follows.
The general control is the segregation of duties to ensure that the same person doesn’t have access to create a supplier, issue a purchase order, receive the goods, and pay the invoices.
In a nutshell, you should have the following processes under separate control.
Another vital aspect of internal procurement controls is having the purchase orders and payments authorized at the right level in the company.
The authorization matrix should be part of the purchasing policy of the company. The controls for authorization can be manual or fully automated.
For example, even if the invoices are approved at the right level, most employees don’t pay enough attention. Most of them treat the review process as rubber stamping.
So it is important to ensure that there are controls to ensure that authorized employees approve purchase requests. Having a purchase order process and system is sufficient to ensure compliance with this control.
All suppliers must be vetted before they are set up for payments. There are a few levels of assessment.
Most companies stop here, but an additional level of assessment includes ensuring that there is no conflict of interest with the chosen supplier. For example, the supplier is not a relative of the person authorizing the product or service purchase.
Once the invoices are entered into the system, a few steps are required to ensure you are meeting the control requirements,
Even if you are following a purchase order process, issuing a purchase order to suppliers. You must ensure that the invoice is ready to pay by doing the following
Have a receipt process so that the person who ordered the product can create a receipt. The receipt is a confirmation that the product or service has been received.
If that is not possible, then the person who ordered the service should review and approve the invoice for payment. The review and approval process is a way for the employees to authorize the payments.
Not all payments made by the company are against a purchase order. There are a lot of other payments a company needs to make, for example, bank debt payments, employee benefits payments, etc.
So along with external vendor purchases, a company must have an approval process to ensure that those payments are authorized at the right level before the payment is made.
This is straightforward–Accounting must appropriately record all purchases in the financial system to ensure that a company can report on its cashflows.
To ensure that it happens, companies should adequately define the controls to ensure that all purchases are captured in one single system.
Companies struggle with these basic controls becuase they either don’t have a defined procure to pay process, or they have manual processes that don’t work. ProcureDesk automates these controls so that you don’t have to worry about compliance. Curious if ProcureDesk can simplify the controls for you? Schedule a 1-1 strategy session with one of our product specialists and find out.
In the section above, we talked about different controls from a SOX perspective. In this section, we will cover the benefits of automated controls. Automation of the controls and automated testing of those controls reduce the overall cost of the internal audit.
As per a survey by Protiviti, 80% of the companies have significant or moderate plans to automate the selected IT controls and processes:
The obvious benefit of automated controls is the consistency you get from an audit perspective.
If the controls are fully automated, the purchasing system drives consistency in pre-emptive controls and the authorization limits from a spend authorization perspective.
As the organization scales, the control scales with them. Whether you grow from 100 employees to 10,000, the system automatically meets the control requirements.
As you can see above, the cost of compliance increases year over year, which has been consistent across the years. For example, in 2018, the 2nd year cost of compliance was more than double the cost of compliance in the first year.
There could be many reasons for that.
1. As companies increase the maturity of their controls, they spend more time auditing those controls and hence higher costs.
2. Finance could add more controls in year two because of which the cost goes up.
Not all the cost above is due to purchasing controls, but purchasing controls drive most of the other controls. For example, if the purchasing system can accurately allocate the cost across different cost centers, you can be assured that the financial systems have the correct information.
By automating these purchasing controls, companies can lower the cost of the audit.
As the number of controls increases, you would need regular audits to measure compliance rates.
The cost of the audit is reduced because of the high data integrity provided by the purchasing system.
In the next section, we present a framework for assessing the maturity of internal controls and a roadmap on how to build strong internal controls.
However, before we move any further, let’s quickly assess the current processes so that it is easier to identify gaps.
Let review each step in the purchasing process
The first step is to assess that the vendors are approved before entering the accounting system. The goal is to list the current process as is.
You can ask the following questions to assess the setup process.
1. Who in the company has access to set up a new vendor?
2. Who in the company has access to update vendor payment information like remittance address, ACH Information, etc.?
3. Is there any authorization for creating the vendor or updating an existing vendor record?
4. How do you validate the existence of the vendor company? Do you check against the IRS [Internal Revenue Service] website or any other source to ensure their existence?
5. How do you validate any new request for changes in vendor profile, for example, vendor remittance information? Do you call the vendor to validate?
The next step in the process is to document the current purchase order process.
1. How are purchase orders created today? Is it manual, or do you have an automated process for creating a purchase order?
2. Can the orders only be created for approved vendors, or can the users submit an order for any vendor?
3. How does the approval request is authorized, who approves it, and at what level?
4. What is the delegation process for delegating the approval authority of an individual?
5. How easy is it to retrieve old orders and their approval history for audit purposes?
6. Is there a process for measuring Supplier performance? How do we use the supplier performance data in managing supplier relationships?
The next step in the process is to document the current process for invoice approvals. Key questions to ask:
1. What is the current process to ensure invoices submitted by vendors are for a valid purchase?
2. Do you have a two-way or 3-way invoice match process? The 2-way match process matches PO with the invoice, and the 3-way match process matches purchase order with invoice and receipt?
The best practice is to conduct a 3-way match for all purchases-including services. If you do a 3-way match, is this manual or automated?
3. What is the process for validating non-PO invoices? These are the invoices where there is no purchase order associated with them? Do you send these invoices for approval?
4. If you send the invoices for approval, what is the approval process?
Now let’s look at the payment authorization process. Not every payment you would make is for a product. You might be making payments for employee benefits or other payments.
1. Make a list of all the payments which doesn’t go through an invoice process.
2. What is the process for authorization of such payments?
3. What is the authorization level for such payments? For example, any payment over $500K needs to be approved by the CEO.
4. How easy/difficult it is to retrieve the approval history for audit purpose
Now we have an inventory of our current process, let’s look at where your company stands from a compliance perspective.
Since automation has many levels, organizations should think about a maturity model where the controls are getting more automated from one phase to another. Eventually, the controls are fully automated.
Before you start working on a transformation model for your internal controls, you should assess the current state of internal controls.
The above model from A.T. Kearny provides an excellent model to think through the IT controls journey. Let’s cover each of the four phases of the continuous improvement journey.
There are three tenants for assessing the internal controls
1. Documentation of internal controls
2. IT systems to automate those controls.
3. Resources to measure compliance with those internal controls.
This is called level 1 because this is where most companies are when there are no controls.
To assess whether you are at level, ask the following questions:
1. How are procurement transactions processed today? Are they processed in one purchasing system?
2. Do you have a purchase authorization process, or do the invoices just show up, and then the A/P department has to chase the business to find out about the purchase?
3. Do you have a purchasing policy that defines those internal controls? A purchasing policy should cover the critical controls so that it is easy for employees to refer to those controls.
4. If you have documented internal controls, then who is responsible for ensuring compliance.
5. How is compliance measured? Are you conducting internal audits regularly
As per A. T. Kearny, most companies have ad-hoc processes; there is no single system for purchasing. The level of control varies from one channel of purchasing to another channel of purchasing.
In our view, that is where we find most of our customers before they start implementing ProcureDesk.
Companies are not fully manual at this level of internal controls automation, and they do have the basic structure for compliance in place.
Ideally, it would help if you had the following at this level.
1. A well-defined purchasing policy that lists the internal controls.
Common among those controls are the authorization of Spend and the authorization limits by job title. However, the purchasing policy and related controls are not centralized across all regions or business units at this level. If you only have one business unit, then this is not an issue.
2. Process for authorization of purchase.
For example, how to submit a purchase order request or how to submit a purchase requisition.
You should have a basic system that allows for the authorization of purchases. A typical process for this is email-based approval and standard requisition forms, which must be filled and attached with purchase authorization email.
3. It is also not uncommon to see that purchasing authorization is done only for a few selected items or high spend dollars, and the rest of the spending is on credit cards. Credit cards are generally not pre-authorized.
4. There are limited resources for measuring compliance, or it is not a full-time job for someone to measure compliance to controls.
Companies that are at Level 3 of the internal controls automation curve have the following attributes.
1. Controls are thoroughly documented in the form of the purchasing policy. However, for companies across the regions or have multiple business units – each entity has its policy.
2. Procurement systems are automated, but they are in silos. For example, an organization might have a separate system for evaluating new vendors, also called the sourcing function. There might be a separate system for centrally storing all contracts and a separate system for purchasing or issuing purchase orders.
This scenario is not uncommon to see where companies have different systems due to multiple acquisitions.
It is also possible that they have put together different systems over time to solve a problem. The drawback is that this approach requires a lot of manual data entry from one system to another, and there is an efficiency loss.
3. At this level, companies have dedicated resources for measuring compliance with the controls. That could be in the form of an in-house team or an outsourced audit team.
At level 4, the internal control is fully automated, and there is no need for manual processes. At this level, companies have the following.
1. Controls are fully documented across all business units. The main difference between level 3 and level 4 is that at level 3, companies might not have consistent controls across all business units. However, level 4 companies have uniform controls across all of the business units or regions.
2. The IT processes are fully automated to support the entire procure-to-pay process. At level 4, companies have one single system for sourcing, contracts, purchasing, and invoicing. With one system, companies realize the benefits of seamless data processing and avoid errors due to data entry from one system to another.
3. At this level, companies have a central audit team to measure compliance with internal controls. A central team measures all controls, and compliance measurement and tracking are consistent across all business units and regions of the company.
4. At this level, controls are pre-emptive and reactive. That means the systems are proactively driving compliance to policies, and there is little need for any manual intervention.
The above maturity model is a good yardstick for companies to measure their current state and plan any improvements in their ongoing process.
We are not qualified to advise you on setting up a compliance team for audit purposes, but we can certainly advise on the IT processes that will help you go from level 1 to level 4.
The steps involved in building the internal control process is as follows
Following is a checklist of controls that you must implement for the vendor setup process.
1. The person setting up vendors should not have access to creating purchase orders.
2. There should be a process to check the vendor’s existence by validating the tax Id mentioned on the w-9 provided by the vendor
a) Validate EIN and name on IRS website
b) Check for vendor name against US Treasury blacklist. You can use the OFAC (office of foreign asset control) website to check for any sanctions against the vendor/s.
3. The person setting up the vendors should not be able to set up the vendor before approval from another person. Ideally, a second person should validate all the documents before the vendor setup request is approved.
4. If possible, automate the vendor setup process through a workflow tool so that the vendor approval request is approved electronically. Having electronic approval or approval through a system allows the auditors to quickly review the audit trail at a later point in time
The next step in the automation of the internal controls is the automation of the purchase order process.
Before automating the purchase order process, you should create a purchasing policy that should include the following.
If you want to learn more about a purchasing policy, you can read about setting up a purchasing policy.
After you set up the purchasing policy, you should automate the purchase order process.
There are other benefits of centralizing your purchasing process through a system that includes visibility and cost control. Still, from an internal controls standpoint, it provides a repeatable, auditable purchase order process.
It also ensures compliance with the company’s policies.
The next step is to ensure that proper controls are implemented for processing an invoice. There are generally two types of invoices.
AP should match an invoice against the purchase order and receipt/s to ensure that invoice amount and quantities are the same on all three documents. This process is called a 3-way match process. This can be manual or automated using an invoice automation tool.
There should be a defined exception review and approval process so that the budget owners review and approve any exceptions from the 3-way match process.
For non-PO invoices, the invoice must be reviewed and approved before the payment can be made. Ideally, the authorization limits and the process should be the same as the purchase order process.
And last but not least, the audit trail for all the reviews and approvals should be readily available to the compliance team for any further reviews.
Not all expenses go through a purchase order process or an invoice process. Most companies have expense reporting tools so that employees can report on expenses.
So we should also look at the controls for expenses
In summary, here is a checklist to build procurement compliance within your organization
Automating procurement controls is hard. You, of course, can patch together a solution for procurement compliance, or you can rely on ProcureDesk to help solve this for you. Want to know more?
Schedule a 1-1 demo with one of our product specialists.