Procurement, the lifeblood of any organization, is unfortunately a prime target for fraud. The recent payment fraud case at the Four Seasons Hotel in Hong Kong serves as a stark reminder of this vulnerability. Given its importance, procurement is a topic you're likely to encounter in IA recruitment interviews. From inflated invoices to phantom vendors, the opportunities for illicit gain are numerous. As internal auditors, we're tasked with safeguarding company assets and ensuring ethical business practices.
Beyond the Checklist: A Holistic Approach
Gone are the days of simply ticking boxes on a compliance checklist. A modern internal audit of procurement requires a deep dive into the processes, a critical assessment of the control environment, and a proactive search for red flags. Think of it as navigating a labyrinth – you need a map (understanding the process), a compass (risk assessment), and a flashlight (data analytics) to find your way.
Procurement Fraud Risks & Controls
Drawing from my decade of experience in internal audit, Let's break down the procurement process and highlight the key control points and fraud risk indicators that need our attention:
-
1. Level of Authority
- ✅ Key Controls:
- Delegation of Authority Matrix
- Segregation of Duties (SoD)
- Approval Thresholds (by Job Level)
- ⚠️ Fraud Risk Indicators:
- Frequent Overrides/Unauthorized Approvals
- Outdated User Roles/Access
- Excessive Authority (Low-Ranking Staff)
- 🔍 Internal Audit Steps:
- Review/Test Authority Matrix (vs. HR Org Chart)
- Check for Overrides/Shared Accounts
- Re-perform SoD Analysis (ERP System)
- Test Approval Samples (Compliance)
- 📊 Data Analytics Techniques:
- User Access Reviews (Identify dormant or excessive access)
- Anomaly Detection (Flag unusual approval patterns)
- Benford's Law Analysis (Examine approval amounts for irregularities)
- ✅ Key Controls:
-
2. Vendor Sourcing
- ✅ Key Controls:
- Vendor Onboarding Due Diligence
- Conflict of Interest Declaration
- Price Benchmarking/Tender Process
- ⚠️ Fraud Risk Indicators:
- Awards to Related/Fictitious Vendors
- Lack of Documentation (Selection)
- Same Vendors Winning (No Rotation)
- 🔍 Internal Audit Steps:
- Vendor Master Data Analytics (Duplicate Addresses)
- Review Conflict of Interest Forms
- Sample Check Sourcing Files (RFQs, Bids, Memos)
- Cross-reference Vendor Names (Staff/Directors)
- 📊 Data Analytics Techniques:
- Vendor Master Data Analysis (Duplicate addresses, bank accounts, TINs)
- Network Analysis (Identify relationships between vendors and employees)
- Keyword Search (Review vendor descriptions for red flags)
- ✅ Key Controls:
-
3. Purchase Requisition (PR)
- ✅ Key Controls:
- PR Before PO
- Budget Availability Checks
- Workflow Audit Trail
- ⚠️ Fraud Risk Indicators:
- PR After Invoice/PO
- Frequent PRs (Same Person, Urgency)
- Splitting PRs (Avoid Limits)
- 🔍 Internal Audit Steps:
- Review PR Logs (Backdated/Late PRs)
- Analyze PR Amounts (vs. Approval Thresholds)
- Check Budget vs. Actual (Selected Items)
- Trace Audit Logs (Workflow Inconsistencies)
- 📊 Data Analytics Techniques:
- Time Series Analysis (Identify unusual spikes in PR frequency)
- Threshold Analysis (Flag PRs exceeding pre-defined limits)
- Text Analysis (Analyze PR descriptions for suspicious keywords)
- ✅ Key Controls:
-
4. Purchase Order (PO)
- ✅ Key Controls:
- PO Auto-Generated (After PR Approval)
- Matching (Vendor Quotation/Terms)
- Amendments Tracked/Reapproved
- ⚠️ Fraud Risk Indicators:
- PO Created Manually/Post-Invoice
- Repetitive Low-Value POs (Bypass Controls)
- PO Amendments Not Justified
- 🔍 Internal Audit Steps:
- Perform PO Transaction Walk-Through
- Review PO Audit Logs/Amendment History
- Match POs to PRs, Contracts, Quotations
- Analyze Vendor PO Frequency/Values (Outliers)
- 📊 Data Analytics Techniques:
- Deviation Analysis (Compare PO amounts to historical averages)
- Clustering Analysis (Identify groups of POs with similar characteristics)
- Association Rule Mining (Discover hidden relationships between POs and vendors)
- ✅ Key Controls:
-
5. Goods Receipt / Invoice Receipt (GRIR)
- ✅ Key Controls:
- 3-Way Matching (PO, GRN, Invoice)
- Receipt Confirmed (Authorized User)
- GRIR Suspense Account Cleared Timely
- ⚠️ Fraud Risk Indicators:
- GRN by Same Person (Raised PR)
- Mismatched Quantities/Duplicate GRNs
- Long-Outstanding Balances (GRIR Account)
- 🔍 Internal Audit Steps:
- Test 3-Way Match Samples (Mismatches/Bypassed Checks)
- Review GRIR Aging Report (Stale Entries)
- Reconcile PO/GRN/Invoice (High-Risk Vendors)
- Verify GRNs (Physical Stock/Receipt Documentation)
- 📊 Data Analytics Techniques:
- Matching Analysis (Identify mismatches between POs, GRNs, and invoices)
- Aging Analysis (Track the age of GRIR balances)
- Ratio Analysis (Calculate key ratios, such as GRIR turnover)
- ✅ Key Controls:
-
6. Payment
- ✅ Key Controls:
- Segregated Duties (Payment Processor ≠ Approver)
- Verified Vendor Bank Details
- Exception Reports/Batch Payment Review
- ⚠️ Fraud Risk Indicators:
- Payments to Suspicious/Personal Accounts
- Repetitive Rounding Figures (e.g., $99,999)
- High Volume of Manual Cheques
- 🔍 Internal Audit Steps:
- Perform Payment Sample Testing (Trace Back to PO/GRN)
- Analyze Payments (to “Other Vendors”/One-Time Vendors)
- Review Vendor Bank Change Logs
- Data Analytics (Duplicate/Split Payments)
- 📊 Data Analytics Techniques:
- Bank Account Analysis (Identify payments to unusual or personal accounts)
- Duplicate Payment Analysis (Detect duplicate invoices or payments)
- Benford's Law Analysis (Examine payment amounts for irregularities)
- Outlier Detection (Flag unusually large or frequent payments
The Bottom Line: Vigilance is Key
Combating evolving procurement fraud requires vigilance, data analytics, and continuous improvement of audit techniques to protect organizations. While the process is complex, the right tools and a proactive approach ensure integrity.
To aid in understanding, I've created a related mind map of the procurement control process, available on MindMeister at https://www.mindmeister.com/app/map/3702815560?t=sPqSv4CaWB for a more interactive view
Comments
Post a Comment