As we saw during the supply-chain disruptions that occurred during and directly following the COVID-19 pandemic, procurement is a critical and fundamental component for just about any organization. A well-managed procurement function can move an organization toward success, while a mismanaged one has the potential to cause its downfall.
It has been nearly five years since the pandemic began, and still several suppliers face scarcity and disruption, leading to higher prices. The geopolitical tensions, such as those in Ukraine and the Middle East, have also emerged in multiple parts of the world, and some of these conflicts have extended for more than a year. Together, these developments have made for challenging times for those involved in procurement. For our purposes, procurement includes the purchase of all goods or services by an organization for goods and services sold, as well as those used in the administration of the organization and construction activities.
Because of these recent difficulties in the procurement process and the vital importance it holds, many internal audit teams have put an audit of procurement high up on the audit plan. It’s true too, that procurement is often among the best places to find cost savings and greater efficiencies in the organization. Indeed, the World Economic Forum estimates that sustainable and ethical sourcing processes can reduce supply chain costs by up to 16 percent!
Even if it’s not on the audit plan, internal auditors should familiarize themselves with the organization structure and the processes of governance, risk management, and controls around the procurement function.
Planning an Internal Audit of Procurement
Among the first steps to conducting an internal audit of the procurement process, the procurement audit team should agree on the scope and objectives of the audit, consider conducting an independent engagement level risk assessment, and build an appropriate audit program aligned with the planned audit’s goals.
It is critical to get input from stakeholders and identify areas of concern during the planning process. A procurement audit prevents potential fraud and malpractice, promotes business efficiency, and promotes compliance with rules and regulations. Here are some of the critical controls and best practices an internal auditor could leverage while auditing a procurement function.
Assessing the Overall Integrity of the Procurement Process
The internal audit function should focus on assessing the integrity of the procurement function. The auditors should confirm that the organization has a defined code of conduct for its suppliers that is nearly identical to its employees’ internal code of conduct. The code should mirror the organization’s values and priorities and cover aspects like safe working conditions, sustainability, and compliance with anti-trust laws and other regulations.
Internal auditors should be skeptical of deliberate acts of impeding the procurement process, such as favoritism to specific vendors. These practices should stop in the organization’s interest to reduce the potential misappropriation of funds and its risk exposure level.
The auditors should assess the right split of accountability and responsibility with the decision-makers to prevent the deliberate “act of exhibiting ethical blindness” in following the procurement process.
A lack of ethical business would negatively impact the organization’s corporate image, the integrity of the procurement process, and its cash flow. It will discourage the vendors from doing business with the organization. The issue of ethics, if not checked, could reduce the number of bids and proposals received from prospective bidders and proponents, thereby exposing the procuring entity to always lean on sole source, single source, outsourcing, and additional budget to meet the inflated quotes submitted by only one or limited number of vendors while submitting quote, proposal, or bid for a project.
The Right Procurement Strategy Framework
Internal auditors should inquire if the organization has a procurement strategy and consider doing a deep review.
The right procurement strategy benefits an organization with high financial performance, operational efficiency, and long-term goal achievement. From a strategic standpoint, procurement can identify critical projects and prioritize them within a reasonable time in collaboration with department heads.
The internal auditor should be watchful of too many requisitions being classified as a “priority” or “emergency,” leading to unrealistic actualization of the organization’s critical project goals in scheduled time, as there is the involvement of significant time in the development of the RFx package, evaluation, award, logistics, and execution of the project in line with the approved budget earmarked for it.
Review Procurement Policies and Procedures
The Internal auditor should also assess whether the organization’s procurement policies and procedures align with the strategic objectives and were formulated in consultation with all the key stakeholders. The policies and procedures standardize purchasing goods and services within an organization and should be customized to address the business’s needs.
It may include an objective; definitions of the terms used in the policy; roles, responsibilities, and authority of the procurement function and user departments specific to procurement; guidance on competitive and non-competitive solicitation of sole-source suppliers; emergency purchases; and small purchases. It may also include policies for competitive sealed bidding and proposals; competitive selection processes for designated services; and contract formation, ethics and code of conduct, training, and professional development.
Other policy factors to consider are sustainability and diversity, overall risk assessment and due diligence, delivery and acceptance of goods and services, and invoice approval and payment.
The procurement policy may also include guidance on special programs such as low-value spending, such as a purchasing card program, and sustainable procurement programs.
Besides evaluating the robustness of the policies and procedures, internal audit should also evaluate effective cascade of procurement policy and procedures to all levels of management, including effects of non-compliance. One of the most observed control deficiencies is procuring a product or service without a valid contract.
Consider Segregation of Duties Within the Procurement Process
Internal audit should review the segregation of duties to ensure that no one person has too much control over an organization’s spending. Internal auditors should evaluate whether different employees lead the processes for purchase approvals, goods receiving, payment approvals, transaction recording, and inventory.
Some key examples of segregation of duties in procurement include, but are not limited to:
- A separate individual should create the purchase requisition and should not be the person who would approve the purchase requisition or the purchase order.
- The same person should not create requisitions and approve vendor invoices.
- The person setting up the vendor should not be able to process the payment to the vendor.
- The employee opening the bids and proposals should not be the only person selecting the winner.
Conduct an Evaluation of Vendor Performance
Building solid relationships with suppliers is a top practice and a key to success. Internal audit teams should review the evaluation process of all significant vendors. Business Development Bank of Canada recommends evaluating suppliers using the 10 Cs model: competency, capacity, commitment, control, cash, cost, consistency, culture, clean (environmental and ethical standards), and communication.
Organizations should consider setting realizable expectations early and performing ongoing vendor performance reviews. It is essential to pay the vendors on time to earn their trust. Internal auditors should verify a periodic assessment of vendor performance against security benchmarks, performance metrics in the form of key performance indicators (KPIs). The right KPIs can offer a clear, objective, efficient way to monitor vendors continuously.
How Are Contracts Negotiated?
Internal audit should also review the efficiency and effectiveness of the negotiation process at various times and stages of the procurement process. For example, the audit team can look at the entire history of contract negotiation from inception to the award of sample contracts. The internal auditors should use risk-based contract selection for their review, which does not always have to be based on dollars.
Some contracts, for example, may not follow standard terms and conditions and may require intense negotiation to include non-standard clauses. From a strategy perspective, striking a balance between cost and value is critical, given the organization’s long-term objectives. Exploring options that foster the organization’s growth beyond immediate gain will sustain the organization into the near future.
Are Risks Being Assessed in the Procurement Process?
Internal auditors should confirm that the procurement risks are evaluated as part of the organization’s Enterprise Risk Assessment process and applicable contract and project risk assessment processes. It would be beneficial to confirm that organizations have set the rules for third-party risk engagement based on their risk tolerance, data security, and privacy policies.
It would be beneficial to build the third-party risk management program by leveraging popular frameworks like NIST (National Institute of Standards and Technology) and ISO (International Organization for Standardization).
Internal Audit should verify if the key contracts have rules for data security and auditing in all third-party contracts. For example, do contracts include “right to audit” clauses in the vendor agreement.
Internal audit should review independent assurance reports (System and Organization Controls SOC1 and SOC2) and compliance attestations for cybersecurity standards such as the Payment Card Industry Data Security Standard (PCI-DSS) and International Organization for Standardization (ISO) standards as ISO 27001 and HITRUST assessments.
Internal audit should also verify specific contractual clauses for indemnity and insurance policies to avoid or reduce the impact of procurement risk. A contingency plan should be in place to help address any unforeseen circumstances that could impede the smooth execution of projects.
The risk assessment process would increase organizations’ readiness to face key procurement risks such as supply chain, ethics and regulatory issues, fraud, and pricing.
How is Technology and Data Analytics Being Used in Procurement?
Technology is a facilitator and can help organizations gain a significant edge over competitors. According to Procurement Magazine (procurementmag.com), ten disruptive technologies being used in procurement include: eProcurement platforms, spend analysis tools, supplier management software, strategic sourcing software, electronic auction and reverse auction platforms, contract management software (CMS), supply chain software, procure-to-pay software, procurement performance analytics, and integrated e-sourcing and e-contracting tools.
The internal audit team could leverage data analytics and technology for continuous auditing and monitoring. As an example, these techniques could be used to verify potential split purchase orders, orders over financial delegations, duplicate vendors, duplicate payments, approved and unapproved vendors, expenses exceeding budget, and invoice price and quantity variance.
Internal auditors should verify automation initiatives and data analytics are part of the organization’s long-term procurement strategy. Digitized artificial intelligence and machine learning processes can bring significant efficiencies and reduce the time consumed by manual business processes.
Some examples of procurement automation include purchase requisition workflows, PO creation, supplier relationship management, three-way invoice matching, PO and delivery records, vendor payments, and contract management.
Advanced procurement analytics tools (both predictive and diagnostic) can help uncover the “why” behind events and forecast future trends. It can help analyze sales trends and demand forecasts, monitor supplier performance, and gain visibility into order cycles.
According to the the Amazon Business report on procurement data, 98 pecent of respondents confirmed that they will be investing in analytical tools, automation, and AI for their procurement operations in the next few years.
Data analytics can also help bolster organization’s fraud deterrence. The PwC Global Economic Crime Survey 2024 identifies procurement fraud as among the top three most disruptive economic crimes globally in the past 24 months. This survey revealed that 20 percent of companies do not use data analytics to identify procurement fraud, despite the risks.
Other Aspects to Consider During an Internal Audit of Procurement
- Ensure a Process of Due Diligence for New Vendors: Internal auditors should review the effectiveness of screening new vendors. They should ensure the vendor security program aligns with the organization’s strategy on cybersecurity and confidentiality. The internal audit team should also corroborate the new vendors have been evaluated for qualifications, financial stability, media checks, regulatory compliance, and any SOC1 or SOC2-type reports. The auditors should also confirm that KPIs have been defined for the newly onboarded vendors.
- Inventory Optimization: Internal audit should evaluate if the inventory is optimized across an organization’s supply chain to reduce costs and maximize return on investment. Inappropriate inventory management can lead to significant stockout costs and sales losses. According to a report by Thought Spot, Inventory may be optimized by ABC analysis, demand forecasting, safety stock management, rationalization of stock-keeping units (SKUs), just-in-time inventory, and inventory automation. Proactively reacting to changes affecting supply and demand would help streamline any organization’s inventory management and operational efficiency.
- Continuous Education: The internal audit team should focus on the effectiveness of training courses for continuous improvement of the procurement function. Training courses could be a mix of in-house and external training.
Robust procurement and contract management processes contribute to achieving organizational objectives, value for money, and robust financial viability. Internal audits can provide both assurance and advisory support as new strategies evolve. 
Nirpendra “Nick” Ajmera, B. COMM, CA, CIA, CISA, CFE is an internal auditor with more than twenty years of experience in the internal audit and risk arenas. He has led several projects on procurement and supply chain management. He currently leads internal audit for a utility company in Nunavut, Canada.
Lawrence Ibeleme is a Certified Supply Chain Professional with more than fifteen years of experience managing supply chains and procurement. He is currently a key resource in the procurement department for a utility company in Nunavut, Canada.