No Result
View All Result
SUBSCRIBE | NO FEES, NO PAYWALLS
MANAGE MY SUBSCRIPTION
NEWSLETTER
Corporate Compliance Insights
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Career Connection
  • Events
    • Calendar
    • Submit an Event
  • Library
    • Whitepapers & Reports
    • eBooks
    • CCI Press & Compliance Bookshelf
  • Podcasts
  • Videos
  • Subscribe
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Career Connection
  • Events
    • Calendar
    • Submit an Event
  • Library
    • Whitepapers & Reports
    • eBooks
    • CCI Press & Compliance Bookshelf
  • Podcasts
  • Videos
  • Subscribe
No Result
View All Result
Corporate Compliance Insights
Home Compliance

Revisiting Internal Controls Around Procurement During a Pandemic

Guarding Against Fraud and Waste Amid Business Disruption

by George Saitta, Jr. and Melissa Kiernan
April 15, 2020
in Compliance
e-commerce, mini cardboard boxes on computer keyboard

FTI Consulting’s George Saitta and Melissa Kiernan highlight why the time is now for public and private companies alike to revisit their procurement processes and internal controls.

Some of the most important internal controls at any company are the ones around procurement, the process by which a business obtains the goods and services to carry out its mission. In the current climate of disruption due to the COVID-19 pandemic, companies should examine and fortify their internal controls around procurement to ensure proper function, even when employees are working remotely and possibly distracted by health and domestic care issues.

The procurement function warrants scrutiny in times of crisis because it presents significant opportunity for abuse and misappropriation of a company’s assets. Both domestic and, more importantly, global organizations should consider centralizing and streamlining the procurement function, as much as practical, to avoid this increased opportunity for fraud, waste and abuse. As the procurement function may need to be run and supported by a reduced number of company personnel, consideration should be given to whether proper segregation of duties is maintained. Simply put, strong, well-communicated and transparent internal policies and procedures around procurement are necessary to promote ethical employee behavior.

Since procurement processes impact certain financial statement balances (e.g., cash, accounts payable, fixed assets) and footnote disclosures (e.g., contractual commitments), a public company’s annual, Sarbanes-Oxley 404 walkthrough and testing procedures will likely cover certain key internal controls around the procurement as they relate to financial reporting. However, public companies must not forget to implement robust and strong operation-based detective and monitoring controls that prevent larger, more material issues from striking the financial statements.

With more employees working from home and away from entrenched office systems to fight the spread of COVID-19, there may be increased use of alternative payment procedures that trade health protections for new financial risks. As we settle into our new normal of remote working and social distancing, now is the time for public and private companies to revisit their procurement processes and internal controls at a deeper operational level.

Keep Up with Training

Now more than ever, companies need to determine, understand and document who can buy what and who can approve what. Even for simple purchases, an organization must consider the answers to many questions, such as:

  • Can all (or active) personnel within a department requisition goods and services?
  • Can the department manager or leader approve?
  • Do approval levels remain intact to support proper segregation of duties?
  • How should requisitions be made for larger items or items being purchased for remote or home office use? How are proper sourcing and fair pricing secured (e.g., would the item otherwise be purchased under a master contract to secure better pricing versus one-off purchase via a purchase card)?
  • Who can make these requisitions, and how are they approved?

Best practices suggest that purchase requisition and approval authority matrices and policies be documented at a specific enough level to answer these questions. For those charged with purchasing decisions, annual training on procurement matrices and policies should be held – and now may be an excellent time to hold virtual refresher courses. If there are one or more procurement systems or portals used for requisitioning and purchasing certain types of assets or raw materials, employees charged with these purchasing decisions should be made aware of and trained on these systems. At a minimum, annual training should be provided on procurement policies and procedures.

Making Centralized Procurement Work

Companies constantly ask if the procurement function is centralized enough or too dispersed for the size of the organization. Again, now is a great time for companies to revisit and take a closer look. For a global organization, a centralized procurement function can leverage preferred pricing and benefits negotiated with key vendors via master service agreements (MSAs), blanket purchase orders or other contracts. Company management should revisit and determine which purchases should originate and/or be approved at a field or department level versus which purchases should originate, be approved and/or have increased scrutiny through centralized procurement.

Inside a large organization, additional segregation of the requisitioning and approval authorities within centralized procurement minimizes the risk of abuse or misappropriation of company assets. Segregation can help limit the risk of collusion, whether amongst employees where requisitioning and approving party are located in the same department or region or between company employees and third-party vendors.

Old-Fashioned Match-Making

A central tenet of internal control for procurement is the “three-way match,” which involves comparing the quantity and prices (possibly other elements) listed on the purchase requisition/purchase order documentation against the invoice and to accompanying shipping/receiving documentation. This match can take place in various stages, formats or degrees of complexity inside an organization.

Most importantly, a company’s procurement business process documentation, policies and procedures should outline how, when and by whom the three-way match is performed in procurement of different types of goods and services. Many times, this somewhat simplified concept becomes lost or muddled inside of the organization.

Increased centralization of the procurement function can assist and promote performance and tracking of the three-way match – monitoring and ensuring completion (e.g., centralized procurement is responsible for ensuring that the quantity in a system purchase order matches what was received at a department, warehouse or unit level).

The current environment presents a good backdrop for CFOs and COOs to raise questions: How is my company’s three-way match being tracked and performed? How is it documented? Are my current systems robust enough to facilitate this matching and key procurement internal control?

As an increased number of procurement employees may be working from home, now is an excellent time to redistribute and review process documentation (e.g., source-to-pay, procure-to-pay, order fulfillment to cash) and hold team calls to discuss potential internal control gaps or areas of concern or to perhaps gain insight into procurement efficiencies and improvements – perhaps asking whether a much broader process assessment should be undertaken by the company when things return to business normal.

Using Purchase Cards Wisely

Many organizations use a procurement or purchase card[1] program to promote the efficiency of procuring goods and services across departments or operations. However, proper purchase card issuance, setup and monitoring are required and the complexity is worth a revisit:

  • Purchase Card Program – The purchase card program should be managed and controlled out of a company’s centralized procurement function, not treasury alone. As an increasing number of employees are working remotely, now is a great time for procurement leadership to review the company’s purchase card program and inventory and check up on card issuance. In this growing and new “telework” environment, companies may experience a surge in purchase card use and activity, so there also may be a need to consider whether purchase card access/requisition should be restricted by certain level/title of employee or asset class.
  • Purchase Card Issuance – Centralized procurement should be responsible for keeping a master listing of each department and/or person in the organization that is issued a purchase card (purchase card master list). The company should consider having individuals assigned a card to sign an annual attestation that the card was used in accordance with company policy to emphasize the importance of card ownership.
  • Purchase Card Portal and Tools – Centralized procurement should be tasked with activating and assigning cards to users through the bank or credit card organization’s online app or purchasing portal. While best practices generally require limiting the cardholder’s access to online purchases, the current crisis is swiftly making online purchasing a necessary option as some traditional suppliers shutter operations. If internal controls need to be changed to allow new and increasing online purchases, organizations should consider restricting or closely monitoring payments to vendors through e-commerce sites, as these pose an increased risk or opportunity for collusion.
  • Vendor Master List – Regardless of the purchasing method, all vendors should be listed on the approved vendor master list. This is a good time to revisit how the vendor master list is controlled and if there are any systemic gaps that would allow purchases from unapproved vendors to occur.
  • Analytics – The purchase card portal may also provide an analytics suite to track spend by card, by type and by vendor and to monitor online charges – a critical feature, considering the current environment. On a monthly basis, sometimes with the assistance of internal audit, centralized procurement should analyze purchase card spend by department or individual cardholder, types of charges, etc. and update and review periodic trends in purchase spending to see if a specific purchase card requires further review for potential misuse, fraud or abuse.

The Risk of Corporate Credit Cards

Somewhat an extension of the above, many C-suite and other company executives are issued a corporate credit card, primarily for expenditures associated with business travel. The ubiquity of the corporate credit card can lead to slack and problems with spend control when it comes to restricting their use solely to business purposes. Employees generally are required to submit expense receipts (for charges over a certain dollar amount) and supporting documentation to procurement for review and to substantiate business justification.

Incurrence of personal charges on corporate credit cards – outside of company policy – that are reimbursed by the company can lead to unwanted perquisites being paid to the executive that should otherwise be factored into compensation. These charges also may impact SEC proxy statements and other related party disclosures.

The general counsel’s office should oversee a detailed policy that covers issuance and use of corporate credit cards, particularly those used by C-suite executives. Executive management should be trained on policy requirements, including acceptable and nonacceptable business charges and the required receipts and documentation to be submitted in order to substantiate business justification. Delegation authority (e.g., to an administrative assistant) should be closely controlled and monitored.

Outside of policy, centralized procurement should remain in charge of the corporate credit card program. A detailed and monthly review of corporate credit card statements and enclosed charges should be performed and centralized in corporate procurement. A process should guide centralized procurement on handling the inquiry of questionable charges and whether the general counsel’s office should get involved, provided certain concerning observations or patterns arise.

The Time is Now

Procurement is an area that already requires periodic and frequent refresh and review, but never more so than under the circumstances we are experiencing in the COVID-19 pandemic. When internal controls around purchasing weaken due to disruption of normal business processes, it can lead to increased risk of fraud, waste and abuse. Now is the time to revisit procurement internal controls, increased “centralization” of procurement activities and procurement policies and procedures. Those in the C-suite – particularly CFOs and COOs – should address the areas above with their management teams to avoid these outcomes. Even if the issues raised here seem rudimentary, the extra scrutiny at this moment in time may lead to uncovering and addressing potentially significant risks.

The opinions expressed are those of the author(s) and do not necessarily reflect the views of FTI Consulting, Inc., its clients or any of its respective affiliates.


[1] “Purchase card” in the context of this article refers to a credit card issued to employees for making purchases and which the card is directly paid for by the company without the need for issuing reimbursement to employees.


Tags: COVID-19Financial ReportingInternal Controls
Previous Post

COVID-19: DOJ’s Aggressive Prosecution of Fraud and Pandemic-Related Crimes

Next Post

NAVEX Global Launches Disclosure Management Tool to Help Organizations Manage Conflict of Interest Risk

George Saitta, Jr. and Melissa Kiernan

George Saitta, Jr. and Melissa Kiernan

George A. Saitta, Jr. is a Managing Director in the Washington, DC office of FTI Consulting, Inc. and is involved in leading the SEC & Accounting Advisory practice in Washington, DC. George has spent the majority of his 19-year career as forensic accountant in professional services, consulting with public companies, general counsel, boards of directors, audit committees and law firms on matters involving application of forensic and technical accounting skill sets to investigate alleged accounting and financial statement disclosure frauds, asset misappropriation, embezzlement schemes and whistleblower allegations.
Melissa Kiernan is a Senior Consultant in the Washington DC office of FTI Consulting, Inc. and is involved in the Forensic Accounting and Advisory Services practice, with over two years of experience providing SEC and accounting advisory services to public and private companies. Since joining FTI, Melissa has provided accounting advisory services related to financial disclosures, revenue recognition and internal control remediation. Additionally, Melissa has worked on financial investigations, applying technical accounting knowledge to examine alleged fraud, money laundering and whistleblower allegations.

Related Posts

Accounting For Non Accountants : Debit, Credits And Financial Statements

Accounting For Non Accountants : Debit, Credits And Financial Statements

by Aarti Maharaj
February 13, 2023

OVERVIEW This webinar will equip attendees with an understanding of financial ledger components within the organization’s accounting and reporting structure....

covid business closure insurance

Who’s on the Hook for Pandemic-Related Business Disruptions? Courts Agree, It’s Not Property Insurers.

by Crowell & Moring
February 8, 2023

We’re nearing the three-year anniversary of widespread business shutdowns in the early days of the Covid-19 pandemic. In that short...

uvalde crosses

Will 2023 Bring More ‘Permacrisis’ Culture?

by Lisa Schor Babin
January 4, 2023

While 2022 had no shortage of chaotic events, ethics columnist Lisa Schor Babin shares her hopes for 2023 — and...

joining forces

Why ESG Programs Should Make Internal Audit an Ally

by Kapish Vanvaria
November 30, 2022

Recent research shows internal audit functions are rarely involved in setting strategy for ESG or even in reviewing how goals...

Next Post
red and blue arrows pointing in opposite directions

NAVEX Global Launches Disclosure Management Tool to Help Organizations Manage Conflict of Interest Risk

Compliance Job Interview Q&A

Jump to a Topic

AML Anti-Bribery Anti-Corruption Artificial Intelligence (AI) Automation Banking Board of Directors Board Risk Oversight Business Continuity Planning California Consumer Privacy Act (CCPA) Code of Conduct Communications Management Corporate Culture COVID-19 Cryptocurrency Culture of Ethics Cybercrime Cyber Risk Data Analytics Data Breach Data Governance DOJ Download Due Diligence Enterprise Risk Management (ERM) ESG FCPA Enforcement Actions Financial Crime Financial Crimes Enforcement Network (FinCEN) GDPR HIPAA Know Your Customer (KYC) Machine Learning Monitoring RegTech Reputation Risk Risk Assessment SEC Social Media Risk Supply Chain Technology Third Party Risk Management Tone at the Top Training Whistleblowing
No Result
View All Result

Privacy Policy

Founded in 2010, CCI is the web’s premier global independent news source for compliance, ethics, risk and information security. 

Got a news tip? Get in touch. Want a weekly round-up in your inbox? Sign up for free. No subscription fees, no paywalls. 

Follow Us

Browse Topics:

  • CCI Press
  • Compliance
  • Compliance Podcasts
  • Cybersecurity
  • Data Privacy
  • eBooks Published by CCI
  • Ethics
  • FCPA
  • Featured
  • Financial Services
  • Fraud
  • Governance
  • GRC Vendor News
  • HR Compliance
  • Internal Audit
  • Leadership and Career
  • On Demand Webinars
  • Opinion
  • Resource Library
  • Risk
  • Uncategorized
  • Videos
  • Webinars
  • Well-Being
  • Whitepapers

© 2022 Corporate Compliance Insights

No Result
View All Result
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Career Connection
  • Events
    • Calendar
    • Submit an Event
  • Library
    • Whitepapers & Reports
    • eBooks
    • CCI Press & Compliance Bookshelf
  • Podcasts
  • Videos
  • Subscribe

© 2022 Corporate Compliance Insights

Welcome to CCI. This site uses cookies. Please click OK to accept. Privacy Policy
Cookie settingsACCEPT
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
SAVE & ACCEPT