Procurement compliance can be a challenge for both leaders and controllers of organizations, regardless of their size.
If you ask a procurement professional, procurement compliance is a process by which they measure if the purchases happen as per defined corporate Spend or the purchasing policy.
Procurement compliance is measured as Spending under management with preferred suppliers and per the defined procurement process.
The Controller’s primary responsibility involves confirming if the authorized person approved the Spend before supplier payment by AP.
This blog post does not cover procurement compliance from a procurement standpoint.
- We will address Procurement or purchasing compliance from a Controller and CFO’s perspectives.
- We will address specific measures controllers, and CFOs can take to comply with Sarbanes Oxley and other finance control measures.
- What steps can controllers take to reduce the risk for the company?
- How to implement strong procurement controls for compliance. And ensuring that your company gets the best acquisition price.
- How to collaborate with the procurement team to drive better compliance.
What Is Procurement Compliance?
Procurement compliance measures the effectiveness of a Company’s defined purchasing policies.
It is measured as the % of transactions that comply with the set purchasing policy of the company.
To measure compliance, you need to set up controls and have systems to enforce those controls in the daily purchasing process.
You can further categorize the compliance as follows:
- Contract Compliance.
- Cost Savings compliance or preferred vendor spend compliance.
- Procurement process compliance
How Is Procurement Compliance Measured?
To measure Procurement compliance, companies generally follow a compliance audit process. The process works as follows:
- Setup up the cost controls based on an industry framework like SOX. Then document the controls in a procurement or Purchasing policy.
- Have a manual or automated process for enforcing those controls—for example, an automated purchasing system to control the approval policy.
- A cadence to measure procurement compliance. That should align with the audit of the other controls in the company.
- An audit team from the finance department measures procurement compliance by sampling the procurement transactions.
Procurement Compliance And Sarbanes Oxley Section 404
We recommend using SOX(Sarbanes Oxley) recommendations for setting up the control framework for Procurement.
Sarbanes Oxley act of 2002 is primarily applicable to public companies. However, some aspects of Section 404 apply to private companies, such as destroying evidence to impede a federal investigation.
Sarbanes Oxley was the outcome of the debacle of Enron and Worldcom. The act was passed to ensure that investors are protected.
We are not SOX experts; this is our attempt to understand the implications of SOX on purchasing controls and how companies can think of automating such controls.
Section 404 requires management and external auditors to certify adequate internal controls to provide accurate financial reporting every quarter.
From a procurement or purchasing standpoint, we will focus primarily on section 404 controls that apply to the purchasing process.
Implementing and tracking Sox 404 controls for purchasing could be daunting.
A purchasing system not only automates that for you but also provides a complete audit trail to track compliance with established controls easily.
The list of 404 controls applicable to Procurement is as follows.
1. General Control
The general control is the segregation of duties to ensure that the same person doesn’t have access to create a supplier, issue a purchase order, receive the goods, and pay the invoices.
In a nutshell, you should have the following processes under separate control.
- Purchasing process.
- Accounts payable process.
- Supplier management process
2. Appropriate Management-Level Approval
Another vital aspect of internal procurement controls is having the purchase orders and payments authorized at the right level in the company.
The authorization matrix should be part of the purchasing policy of the company. The controls for authorization can be manual or fully automated.
For example, even if the invoices are approved at the right level, most employees don’t pay enough attention. Most of them treat the review process as rubber stamping.
So it is important to ensure that there are controls to ensure authorized employees approve purchase requests. A purchase order process and the system are sufficient to ensure compliance with this control.
3. Assessment Of Suppliers
All suppliers must be vetted before they are set up for payments. There are a few levels of assessment.
- The assessment of the suppliers on the capabilities and whether they are offering you the best value.
- Where they are registered, tax id is valid, etc. In other words, they are what they say they are.
Most companies stop here, but an additional level of assessment includes ensuring that there is no conflict of interest with the chosen supplier. For example, the supplier is not a relative of the person authorizing the product or service purchase.
4. Invoices Should Be Appropriately Vetted
Once the invoices are entered into the system, a few steps are required to ensure you are meeting the control requirements,
a) Product/service is received
Even if you are following a purchase order process, issuing a purchase order to suppliers. You must ensure that the invoice is ready to pay by doing the following
Have a receipt process so the person who ordered the product can create a receipt. The receipt is a confirmation that the product or service has been received.
If that is not possible, the person who ordered the service should review and approve the invoice. The review and approval process allows the employees to authorize the payments.
b) Invoice is reviewed and authorized by the appropriate stakeholders
Not all payments made by the company are against a purchase order. There are a lot of other payments a company needs to make, for example, bank debt payments, employee benefits payments, etc.
So along with external vendor purchases, a company must have an approval process to ensure that those payments are authorized at the right level before the payment is made.
5. Recording Of Purchases In The Financial System
This is straightforward–Accounting must appropriately record all purchases in the financial system to ensure that a company can report on its cashflows.
To ensure that it happens, companies should adequately define the controls to ensure that all purchases are captured in one single system.
Procurement Compliance – Internal Controls And Regulations
In the section above, we discussed different controls from a SOX perspective. In this section, we will cover the benefits of automated controls. Automation of the controls and automated testing of those controls reduce the overall cost of the internal audit.
As per a survey by Protiviti, 80% of the companies have significant or moderate plans to automate the selected IT controls and processes:
Importance Of Automated Internal Controls
Scalability, Consistency & Peace Of Mind
The obvious benefit of automated controls is the consistency you get from an audit perspective.
If the controls are fully automated, the purchasing system drives consistency in pre-emptive controls and the authorization limits from a spend authorization perspective.
As the organization scales, the control scales with them. Whether you grow from 100 employees to 10,000, the system automatically meets the control requirements.
Lower Audit Cost
Source: Protiviti
As you can see above, the cost of compliance increases year over year, which has been consistent across the years. For example, in 2018, the 2nd year of compliance was more than double the cost of compliance in the first year.
There could be many reasons for that.
1. As companies increase the maturity of their controls, they spend more time auditing those controls and hence higher costs.
2. Finance could add more controls in year two because the cost increases.
Not all of the cost above is due to purchasing controls, but purchasing controls drive most other controls. For example, if the purchasing system can accurately allocate the cost across different cost centers, you can be assured that the financial systems have the correct information.
By automating these purchasing controls, companies can lower the audit cost.
As the number of controls increases, you would need regular audits to measure compliance rates.
The audit cost is reduced because of the high data integrity provided by the purchasing system.
Getting Started With Controls Assessment
In the next section, we present a framework for assessing the maturity of internal controls and a roadmap for building strong internal controls.
However, before we move any further, let’s quickly assess the current processes so that it is easier to identify gaps.
Let’s review each step in the purchasing process
Assessing Vendor Setup Process
The first step is to assess the vendors’ approval before entering the accounting system. The goal is to list the current process as is.
You can ask the following questions to assess the setup process.
1. Who in the company has access to set up a new vendor?
2. Who in the company has access to update vendor payment information like remittance address, ACH Information, etc.?
3. Is there any authorization for creating the vendor or updating an existing vendor record?
4. How do you validate the existence of the vendor company? Do you check against the IRS [Internal Revenue Service] website or any other source to ensure their existence?
5. How do you validate any new request for changes in vendor profile, for example, vendor remittance information? Do you call the vendor to validate?
Assessing The Purchase Order Process
The next step is to document the current purchase order process.
1. How are purchase orders created today? Is it manual, or do you have an automated process for creating a purchase order?
2. Can the orders only be created for approved vendors, or can the users submit an order for any vendor?
3. How is the approval request authorized, who approves it, and at what level?
4. What is the delegation process for delegating the approval authority of an individual?
5. How easy is retrieving old orders and their approval history for audit purposes?
6. Is there a process for measuring Supplier performance? How do we use supplier performance data in managing supplier relationships?
Invoice Review Process And Approval
The next step is to document the current process for invoice approvals. Key questions to ask:
1. What is the current process to ensure invoices submitted by vendors are for a valid purchase?
2. Do you have a two-way or 3-way invoice match process? The 2-way match process matches PO with the invoice, and the 3-way match process matches the purchase order with the invoice and receipt. The best practice is to conduct a 3-way match for all, purchases-including services. If you do a 3-way match, is this manual or automated?
3. What is the process for validating non-PO invoices? These are the invoices where there is no purchase order associated with them. Do you send these invoices for approval?
4. What is the approval process if you send the invoices for approval?
Payment Authorization Process
Now let’s look at the payment authorization process. Not every payment you would make is for a product. You might be making payments for employee benefits or other payments.
1. Make a list of all the payments which doesn’t go through an invoice process.
2. What is the process for authorization of such payments?
3. What is the authorization level for such payments? For example, the CEO must approve any payment over $500K.
4. How easy/difficult is it to retrieve the approval history for audit purposes
Now we have an inventory of our current process, let’s look at where your company stands from a compliance perspective.
Purchasing Automation And Purchasing Compliance – A Maturity Model For Internal Controls Automation
Since automation has many levels, organizations should consider a maturity model where the controls are getting more automated from one phase to another. Eventually, the controls will be fully automated.
Before you start working on a transformation model for your internal controls, you should assess the current state of internal controls.
Assessment Of Current Internal Controls
The above model from A.T. Kearny provides an excellent model to think through the IT controls journey. Let’s cover each of the four phases of the continuous improvement journey.
There are three tenants for assessing the internal controls
1. Documentation of internal controls
2. IT systems to automate those controls.
3. Resources to measure compliance with those internal controls.
Level 1: Adhoc
This is called level 1 because this is where most companies are when there are no controls.
To assess whether you are at level, ask the following questions:
1. How are procurement transactions processed today? Are they processed in one purchasing system?
2. Do you have a purchase authorization process, or do the invoices show up, and then the A/P department has to chase the business to find out about the purchase?
3. Do you have a purchasing policy that defines those internal controls? A purchasing policy should cover the critical controls so that it is easy for employees to refer to those controls.
4. If you have documented internal controls, who is responsible for ensuring compliance?
5. How is compliance measured? Are you conducting internal audits regularly
As per A. T. Kearny, most companies have ad-hoc processes; there is no single system for purchasing. The level of control varies from one channel of purchasing to another channel of purchasing.
In our view, that is where we find most of our customers before they start implementing ProcureDesk.
Level 2: Limited structure
Companies are not fully manual at this level of internal controls automation, and they do have the basic structure for compliance in place.
Ideally, it would help if you had the following at this level.
1. A well-defined purchasing policy that lists the internal controls.
Among those controls are the authorization of Spend and the authorization limits by job title. However, the purchasing policy and related controls are not centralized across all regions or business units at this level. This is not an issue if you only have one business unit.
2. Process for authorization of purchase.
For example, how to submit a purchase order request or a purchase requisition.
You should have a basic system that allows for the authorization of purchases. A typical process is email-based approval and standard requisition forms, which must be filled and attached with a purchase authorization email.
3. It is also not uncommon to see that purchasing authorization is done only for a few selected items or high-spend dollars, and the rest of the spending is on credit cards. Credit cards are generally not pre-authorized.
4. There are limited resources for measuring compliance, or it is not a full-time job for someone to measure compliance to controls.
Level 3: Sound foundation
Companies at Level 3 of the internal controls automation curve have the following attributes.
1. Controls are thoroughly documented in the form of the purchasing policy. However, each entity has its policy for companies across the regions or multiple business units.
2. Procurement systems are automated, but they are in silos. For example, an organization might have a separate system for evaluating new vendors called the sourcing function. There might be a separate system for centrally storing all contracts and a separate system for purchasing or issuing purchase orders.
This scenario is not uncommon to see where companies have different systems due to multiple acquisitions.
It is also possible that they have combined different systems over time to solve a problem. The drawback is that this approach requires a lot of manual data entry from one system to another, and there is an efficiency loss.
3. At this level, companies have dedicated resources for measuring compliance with the controls. That could be in the form of an in-house team or an outsourced audit team.
Level 4: Best in class
At level 4, the internal control is fully automated, and there is no need for manual processes. At this level, companies have the following.
1. Controls are fully documented across all business units. The main difference between level 3 and level 4 is that at level 3, companies might not have consistent controls across all business units. However, level 4 companies have uniform controls across all business units or regions.
2. The IT processes are fully automated to support the entire procure-to-pay process. At level 4, companies have one single system for sourcing, contracts, purchasing, and invoicing. With one system, companies realize the benefits of seamless data processing and avoid errors due to data entry from one system to another.
3. At this level, companies have a central audit team to measure compliance with internal controls. A central team measures all controls, and compliance measurement and tracking are consistent across all business units and regions of the company.
4. At this level, controls are pre-emptive and reactive. That means the systems are proactively driving compliance to policies, and there is little need for any manual intervention.
The above maturity model is a good yardstick for companies to measure their current state and plan any improvements in their ongoing process.
Building Internal Controls For Procurement And Supply Chain
We are not qualified to advise you on setting up a compliance team for audit purposes, but we can certainly advise on the IT processes that will help you go from level 1 to level 4.
The steps involved in building the internal control process are as follows
Automation Of Vendor Setup Process
Following is a checklist of controls you must implement for the vendor setup process.
1. The person setting up vendors should not have access to creating purchase orders.
2. There should be a process to check the vendor’s existence by validating the tax Id mentioned on the w-9 provided by the vendor
a) Validate EIN and name on IRS website
b) Check for vendor names against the US Treasury blacklist. You can use the OFAC (office of foreign asset control) website to check for any sanctions against the vendor/s.
3. The person setting up the vendors should not be able to set up the vendor before approval from another person. Ideally, a second person should validate all the documents before the vendor setup request is approved.
4. If possible, automate the vendor setup process through a workflow tool so that the vendor approval request is approved electronically. Having electronic approval or approval through a system allows the auditors to quickly review the audit trail at a later point in time
Automation Of The Purchase Order Process
The next step in the automation of the internal controls is the automation of the purchase order process.
Before automating the purchase order process, you should create a purchasing policy including the following.
- Process for creating and authorizing requisitions or purchase orders.
- Authorization of Spend based on the levels in the organization hierarchy
- Signature authority for signing contracts.
If you want to learn more about a purchasing policy, you can read about setting up a purchasing policy.
After you set up the purchasing policy, you should automate the purchase order process.
- There should be no self-approvals; at least one person must approve all purchases in the organization.
- All major purchases should be reviewed by finance to ensure that appropriate budgets are allocated for those purchases.
- The purchase order approval process should be automated; a purchase order system should be implemented to authorize controls automatically. It makes the review process simple since the controls are automatically enforced.
- The audit trail should be available for review at any point in time.
Other benefits of centralizing your purchasing process through a system include visibility and cost control. Still, from an internal controls standpoint, it provides a repeatable, auditable purchase order process.
It also ensures compliance with the company’s policies.
Automation Of Invoice Process
The next step is ensuring proper controls are implemented for invoice processing. There are generally two types of invoices.
- An invoice against a purchase order
- An invoice that is not issued against a purchase order. That is also called a non-PO invoice.
AP should match an invoice against the purchase order and receipt/s to ensure that invoice amount and quantities are the same on all three documents. This process is called a 3-way match process. This can be manual or automated using an invoice automation tool.
There should be a defined exception review and approval process so that the budget owners review and approve any exceptions from the 3-way match process.
The invoice must be reviewed and approved for non-PO invoices before the payment can be made. Ideally, the authorization limits and the process should be the same as the purchase order process.
And last but not least, the audit trail for all the reviews and approvals should be readily available to the compliance team for further review.
Automation Of The Expense Management Process
Not all expenses go through a purchase order process or an invoice process. Most companies have expense reporting tools so that employees can report on expenses.
So we should also look at the controls for expenses
- There should be an easy process for employees to submit expenses.
- It should be easy for the end-users to attach receipts with the expenses.
- The manager should approve all expense reports of the person submitting the expenses. The idea is that the manager reviews and approves only expenses allowed under the corporate purchasing policy.
- Some companies require a receipt for every purchase, which is not easy for the employees. You might want to look at having receipts above a certain threshold, for example, anything over $25.
- Finally, the approved expenses should be easily accessible to the auditors for easy review.
What Is Purchase Order Compliance?
Purchase Order Compliance is an essential aspect of procurement management that focuses on adhering to specific regulations, policies, and procedures when placing, approving, and fulfilling purchase orders. This compliance ensures that all stakeholders involved in the purchasing process follow the required rules and standards, thereby limiting the risk of fraud, errors, inconsistencies, and unnecessary expenses.
The importance of Purchase Order Compliance cannot be overemphasized in controlling the purchasing process. Finance teams can prevent unauthorized spending and ensure accountability in the procurement process and financial statements by ensuring that every purchase order aligns with the approved policies and procedures. Compliance will help avoid vendors providing goods and services that do not meet the required standards while reducing the risk of overpaying for items.
Compliance requirements for Purchase Orders include verifying vendor credentials, obtaining multiple quotes, and validating budget availability. These requirements ensure that only trustworthy and competent suppliers are engaged in providing goods and services. The financial planning process can benefit significantly by ensuring that procurement decisions align with the organization’s budget and that proper authorization is obtained before ordering.
What Is PO Complaint?
PO Compliance refers to the adherence to purchase order processes by employees responsible for requisitioning and purchasing goods and services. It ensures that purchasing activities are carried out by the organization’s procurement policies and procedures.
PO compliance is crucial in maintaining the financial health of a company. It facilitates accurate and timely financial reporting by providing a clear trail of all purchases and ensuring cost-effective spending. Compliance also helps to avoid legal complications arising from a failure to adhere to legal and regulatory requirements related to procurement activities.
Several factors may lead to PO complaints. These include failing to obtain necessary approvals before purchasing, inadequate record-keeping, incomplete documentation, and delays in processing invoices. Moreover, deviations from procurement policies and procedures can also contribute to PO Complaints.
The financial controller and CFO have a critical role in ensuring PO compliance. They can do so by implementing robust control mechanisms designed to identify and mitigate areas of non-compliance with procurement policies and procedures. Additionally, providing adequate employee training on procurement policies and procedures can help prevent future breaches. Conducting periodic reviews of the procurement process is also essential to ensure compliance.
Examples Of Purchase Order Compliance Rules
Procurement compliance is vital to any organization’s financial operations; financial controllers and CFOs must be aware of the most common purchase order compliance rules. These rules ensure that all procurement activities are conducted legally and within the company’s policies and procedures.
Firstly, a crucial aspect of procurement compliance is purchasing orders. Purchase orders are legal documents that outline the terms and conditions of the transaction between the buyer and the seller. Controllers and CFOs should enforce the use of purchase orders for all procurement activities. This ensures that all transactions are properly documented and the buyer is protected from the risks of fraudulent activities.
Secondly, before a purchase order is released, it should be approved by authorized personnel. This could be a manager or senior executive designated to authorize transactions. The approval process ensures the purchase complies with the company’s procurement guidelines and budgetary constraints.
Another crucial compliance rule is to ensure that only approved vendors are used for procurement. The company has evaluated and approved such vendors based on quality, reliability, and compliance. Using unapproved vendors could put the company at risk of legal and financial penalties in the event of non-compliance.
Furthermore, maintaining a detailed record of all purchase orders, approvals, and the approval process is critical to compliance. This ensures that all transactions are adequately documented and can be easily traced in the case of an audit or an internal investigation. Additionally, record-keeping is essential for budget tracking, monitoring vendor performance, and ensuring timely payment for goods and services purchased.
Finally, delegation processes must be a part of the purchase order compliance program to prevent fraudulent activities. Delegation ensures that no single person controls the purchase order process, mitigating fraud risks. However, the delegation process should follow strict guidelines to prevent any misuse of authority.
Procurement Compliance Checklist
In summary, here is a checklist to build procurement compliance within your organization
- Have a process and approvals to ensure that only authorized users can create or change new suppliers.
- The Accounts Payable(AP) team should validate all supplier data with third-party data sources like IRS to ensure suppliers’ existence and the information’s correctness.
- Set up a purchase order process to ensure that all Spend is pre-authorized and approved at the right level. This is to prevent any unauthorized spending.
- Set up a 3-way invoice matching process to match the invoice against the purchase order and receipt. A 3-way invoice matching process ensures the invoice is for the pre-authorized expense and the product has been received. In the case of service, the receipt process validates that the service has been delivered as per agreed-upon criteria.
- Set up segregation of duty so that one person can’t complete the entire transaction from purchase order to invoice without further approvals.