Internal Controls in Fraud Prevention Procurement Sripriya Kumar

Upload: lynhan

Post on 29-Mar-2019


TRANSCRIPT

Page 1: Internal Controls in Fraud Prevention Procurement · Elements of Internal Control t Monitoring Information System and Communication Control Activities Risk Assessment • Paragraph

Internal Controls in Fraud Prevention

Procurement

Sripriya Kumar

Page 2

Overview

• Internal Controls

• Fraud

• Procurement

• Inventories

Page 3

CA 2013 – A Changed Control Landscape

• Threshold Based Compliances

• Significant responsibilities on KMP, Independent Directors

• Focus towards process driven rather than results oriented governance

• Audit Rotation

• Introduction of Internal Audit

• Filing of resolutions

• Fraud reporting by auditors

• Fraud defined

• Internal Financial Controls over Financial Reporting – Auditors and BoD

Page 4

Auditors Report Contents (with their status under the Old Law)

• Qualification, reservation or adverse remark on maintenance of accounts: not in the Old Act

• Adequacy and operating effectiveness of internal financial controls: not in the Old Act; not applicable for financial statements for the year ended March 31, 2015

• Other matters, including: 1. Disclosure of impact of pending litigations on the financial position; 2. Creation of provisions on foreseeable material losses on long term contracts; 3. Delay in transferring amounts such as the Investor Education and Protection Fund; 4. CARO (notified recently). Status: not in the Old Act; Rule 11 of the Companies (Audit and Auditors) Rules 2014

• CARO modified in the latest Act

Page 5

Directors Responsibility Statement (Report item: All Companies / Listed Cos / New or Old)

• Directors had prepared accounts on a going concern basis: Yes / Yes / Old, 217(2AA)

• Applicable accounting standards have been followed and material departures disclosed: Yes / Yes / Old, 217(2AA)

• Selection and application of accounting policies to ensure prudence, true and fair: Yes / Yes / Old, 217(2AA)

• Adequate accounting records have been maintained for safeguarding assets and preventing frauds and irregularities: Yes / Yes / Old, 217(2AA)

• Proper systems to ensure compliance with the provisions of applicable laws, and such systems were adequate and operating effectively: Yes / Yes / New

• Directors have laid down internal financial controls which are adequate and operating effectively: Not Applicable / Yes / New

Page 6

The Onion Gets More Intense (layers of assurance)

• Self-Assessment

• Quality Assurance Reviews

• Internal Audit

• Peer Reviews

• Management Oversight

• Statutory Audit / Regulators

Page 7

RISK

Definition

• Probability of

• An Uncertainty

• Resulting in

• A Loss

Characteristics

• Cannot be eliminated

• Strategic and operational

• External / Internal

• Can only be managed / reduced

• Materiality of the risk is important

Risk caused by the possibility of fraud is Fraud Risk

Page 8

Risk management

• Operational

• Strategic

• ICFR

• Others

• ERM

Risk management functions will play a key role in organisations

Page 9

Key terms

Risk and Controls

• Operations Risk

• Financial Risk

• Compliance Risk

Understand Business Processes

• Process Flows components

• Control Design

• Operating Effectiveness

Terms

• Internal Audit

• Business Process Mapping

• Preventive, Detective, Corrective

• Manual and Automated Controls

• Org structure / DOA

• Standard Operating Procedures

• Risk

• Risk families

• Controls

• Control families

• IT environment

Page 10

Risk Families

1. Strategic / Franchise Risk

2. Legal / Compliance Risk

3. Financial Reporting Risk

4. Staffing / Organization Risk

5. Credit Risk

6. Insurance Risk

7. Sovereign Risk / Cross Border Risk

8. Market Risk

9. Operational Risk

10. System / Technology Risk

Fraud Risks are agnostic risks and are embedded in all Risk Families

Page 11

Elements of Internal Control

• Control Environment

• Monitoring

• Information System and Communication

• Control Activities

• Risk Assessment

• Paragraph 4(c) of the Standard on Auditing (SA) 315 “Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and Its Environment” defines the term ‘internal control’ as “the process designed, implemented and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, safeguarding of assets, and compliance with applicable laws and regulations. The term “controls” refers to any aspects of one or more of the components of internal control.”

Page 12

ICFR

• 134(5): Directors Report

• Rule 8(5)(viii): Companies (Accounts) Rules

• 143(3): Auditors Report

The term “internal financial controls” has been defined to mean the policies and procedures adopted by the company for ensuring the following:

• the orderly and efficient conduct of its business,

• including adherence to company’s policies,

• the safeguarding of its assets,

• the prevention and detection of frauds and errors,

• the accuracy and completeness of the accounting records, and

• the timely preparation of reliable financial information

Page 13

Methodology

Activities and Processes / Risk Families / Control design / Operating Effectiveness

• Financial Statement Component

• Process

• Sub Process

• Activity

• GL Accounts and disclosures

• Risk

• Control Available

• If yes, description of the control

• Type of control

• Process Owner

• Process operator (control administrator)

• Testing Plan

• Testing Document reference

• Result

• Remediation plan

• Final remediation status

Page 14

Procure to pay

Page 15

Procure to Pay

• Examine the present procure to pay environment and understand the existing preventive and detective control framework to mitigate frauds and errors

• Identify potential fraud risk and other risk vulnerabilities through an effective analytics, internal audit and evaluation process

Page 16

The processes in the Procure to Pay life cycle are reviewed to ensure the existence, appropriateness and commensuration of control design and the efficacy of operating effectiveness

Page 17

Delegation of Authority

Page 18

Delegation of Authority: Key Aspects For Consideration

Control Ideas / Fraud Risk

• DOA to be signed and approved by the relevant signatories of the entity Board and not by delegates

• Handling of temporary delegation

• Cross functional negotiation team to be constituted with defined value limits, and documents to be signed by all parties

• Levels of authority to be defined for PO amendments to mandate approval by the next higher authority

Page 19

Delegation of Authority: Key Aspects For Consideration

Control Ideas / Fraud Risk

• DOA to include relevant clauses in relation to: non splitting of contracts; maintenance of supporting documentation; delegate not to be the beneficiary of the transaction authorised by him/herself

• DOA to define the following with sample formats: Note for Approval, Contracts, PO, PR, Justification Notes

• Approved DOA document exists, and the IT system DOA should be as approved in the physical DOA approval

Page 20

Delegation of Authority: Key Aspects For Consideration

Control Ideas / Fraud Risk

• Temporary delegation of authority to be made to the same level of personnel and signed by HR and Finance heads

Page 21

Vendor Empanelment

Page 22

Vendor Empanelment: Key Aspects For Consideration

Control Ideas / Fraud Risk

• Pre-audit and evaluation processes to be implemented for all new vendors and on a one time basis for existing vendors, and updated in ERP

• Supplier application forms should be available, complete in all respects and signed by the vendor’s authorised signatory prior to finance approval

• Empanelment and supplier inclusions to be done with Finance and SCM approvals in writing in all cases

• Process to enlist new suppliers and to ensure that new enquiries are duly considered by the entity

Page 23

Vendor Empanelment: Key Aspects For Consideration

Control Ideas / Fraud Risk

• Process to be defined to block / blacklist suppliers to ensure that business cannot be transacted with such suppliers

• Accuracy of vendor master data with reference to the base documents provided to be ensured with appropriate offline maker checker controls

• Related Party Transaction disclosures at the time of empanelment, and strict covenants

Page 24

Master Data

Page 25

Master Data: Key Aspects For Consideration

Control Ideas / Fraud Risk

• Supplier categories such as Sole suppliers, Approved repairers, Preferred Suppliers etc. and buying type to be documented to enable the user to select the right type at the time of raising a PO

• Master Data completeness to be ensured in all cases

• Active vendor list to be maintained in the IT system; duplicate and related vendors to be eliminated / flagged. An offline list of other vendors may be maintained to ensure that alternate suppliers may be available for sourcing

• All masters to be handled by the Master Data team and not by user departments (creations and modifications)

Page 26

Master Data: Key Aspects For Consideration

Control Ideas / Fraud Risk

• Coding of inventory

• PO types to be maintained in the IT system as separate series for Material, Service, Inter co, Subcontracting and Transfers. Capex to be added

• UOMs to be predominantly in units or tonnage and be consistent across items of similar type. For instance, all drums should be classified as drums and not as drums or kg

• Audit logs of all changes to master data and to non variable terms of POs to be enabled as a report

• Inactive codes to be blocked

Page 27

Contract Formats

Page 28

Contract Formats: Key Aspects For Consideration

Control Ideas / Fraud Risk

• Terms and Conditions (General) and specific long form Contract formats not cleared by the legal team

• There are no clear definitions of which trade arrangements can be formalised as Purchase Orders and which need unique contract terms and conditions.

• Repository of contracts to be enabled in ERP as a Contract Register to ensure better controls over tracking of renewals as well as to enable sub-PO releases

• Terms and Conditions not part of the PO as acknowledged by the vendor. No acknowledgements are insisted upon

Page 29

Contract Formats: Key Aspects For Consideration

Control Ideas / Fraud Risk

• General Terms and Conditions do not specify an arbitration clause / jurisdiction in case of dispute.

• Credit period as per General Terms and Conditions is specified as 45 days and needs to be consistent with the actual credit periods as granted

• Terms and Conditions do not provide clear details of the policies to be complied with (version and date).

Page 30

Contract Formats: Key Aspects For Consideration

Control Ideas / Fraud Risk

• Usage of vendor advised formats. Such cases need to be specifically vetted by legal

• Clauses reflecting less favourable terms (e.g. termination) than the Company standard format not to be agreed without specifically highlighting the same to the authorised signatory

• Items not covered in service contracts should not be sourced from the same vendor without competitive sourcing merely on the reason that there is a contract with the vendor

Page 31

PR

Page 32

Purchase Requisitions: Key Aspects For Consideration

Control Ideas / Fraud Risk

• Requisition justification and approvals to be filed along with PRs, with the signature of the supervisor for approval of the PR

• PRs (same date, same suggested vendor) split where such splits result in approvals being obtained from a lower threshold signatory to be reviewed

• Pending Purchase Requisitions to be reviewed and actioned on a timely basis

Page 33

Purchase Requisitions: Key Aspects For Consideration

Control Ideas / Fraud Risk

• User involvement in suggesting the vendor to be used to be minimised progressively by maintaining a robust procurement database in ERP with vendors stratified to appropriate product groups

• Requisitions raised and forwarded to the Procurement team to indicate M / Sole supplier etc. to enable further negotiations for non stock items; in cases where user recommended suppliers are preferred without multiple quotes, such PRs should be approved in writing by the HOD

• PRs raised in the event of emergencies to be reviewed

Page 34

Quote to Award

Page 35

Quote to Award: Key Aspects For Consideration

Control Ideas / Fraud Risk

• Requests For Quotes to be maintained properly and filed along with POs. RFQ formats and the Comparative Statement of Quotes to be uniformly implemented and archived by enabling ERP functionality (*)

• Competitive sourcing to be waived for certain categories of purchase transactions only on the basis of robust approvals and defined contracts (e.g. Sole supplier, M etc.)

• PO creator and Approving manager should ensure that all relevant parties have been considered in the RFQ process and that previously applied rates are reviewed

• Orders to be placed only on the basis of recent quotes and within the quote validity period

Page 36

Quote to Award: Key Aspects For Consideration

Control Ideas / Fraud Risk

• Comparative Statement of Quotes to be prepared for all POs above a certain value

• All cases of quote waiver to be evidenced by a Justification Note and approved by HOF for POs exceeding a certain value threshold

• Vendor quotes should be complete for Item, Price, taxes, Lead time, delivery location and validity period in all cases

• POs raised after receipt of material / services to be reviewed on a periodic basis

• Non L1 contracts to be backed by Justification Notes in all cases and should be approved by a higher authority

Page 37

Quote to Award, Tendering Process: Key Aspects For Consideration

Control Ideas / Fraud Risk

• Tender process not followed for certain contracts

• Tenders received by e-mail to the assigned ID can be opened and printed before the tender closing date

• Invitation to Tender not sent to all vendors on the approved list of recommended vendors

• Tenders not addressed to the Tender Committee.

Page 38

PROCURE TO PAY

Quote to Award, Tendering Process: Key Aspects For Consideration

Control Ideas / Fraud Risk

• Tender receipt date not stamped on tender documents received

• Tender opening date and time to be stamped on ALL pages of the tender.

• Persons opening the tender to sign on all pages containing price information. Not done in many cases

• Certain tender documents not available on record

• Identical quote formats to be reviewed

• Quotes in incomplete formats, e.g. no address, no phone number, no mail id, no web site, no TIN number, no Service tax reference

Page 39

PO creation

Page 40

PROCURE TO PAY

Purchase Order Creation and Approvals: Key Aspects For Consideration

Control Ideas / Fraud Risk

• PO creation and authorisation by the same person to be avoided

• PO splits for same date / same vendor transactions resulting in approvals being diluted to be reviewed

• Multiple POs to be avoided by configuring structured scheduling agreements, which can simplify PO generation for materials and services. Rate contracts with M’s and special prices to be finalised at the earliest

• PO acknowledgements from the vendor to be enabled

• Open PO closure protocols to be enabled
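The split review called for on page 32 (PRs of the same date and same suggested vendor) and on page 40 (POs of the same date and same vendor) can be run as a detective control over exported ERP data. The following is an added example, not part of the original deck: it groups documents by type, date and vendor and flags a group when the combined value needs a higher delegation-of-authority (DOA) level than any member actually obtained. The threshold table, level names and sample documents are constructed assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Constructed assumption: DOA thresholds. A single PR/PO up to the limit may be
# approved at that level; anything above it needs the next level. A real entity
# takes these limits from its approved DOA document.
APPROVAL_LEVELS = [
    (100_000, "Manager"),
    (500_000, "Head of Department"),
    (float("inf"), "Head of Finance"),
]
LEVEL_RANK = {level: rank for rank, (_, level) in enumerate(APPROVAL_LEVELS)}


@dataclass(frozen=True)
class PurchaseDoc:
    doc_id: str
    doc_type: str        # "PR" or "PO"
    doc_date: date
    vendor_id: str
    amount: float
    approver_level: str  # DOA level that actually signed the document


def required_level(amount: float) -> str:
    """Lowest DOA level entitled to approve a document of this value."""
    for limit, level in APPROVAL_LEVELS:
        if amount <= limit:
            return level
    raise ValueError("unreachable: last limit is infinite")


def find_split_documents(docs):
    """Flag same-type, same-date, same-vendor groups whose combined value needs
    a higher approval level than the highest level obtained on any member,
    i.e. cases where splitting the order diluted the approval."""
    groups = defaultdict(list)
    for d in docs:
        groups[(d.doc_type, d.doc_date, d.vendor_id)].append(d)

    findings = []
    for (doc_type, doc_date, vendor_id), members in groups.items():
        if len(members) < 2:
            continue  # a single document cannot be a split
        total = sum(m.amount for m in members)
        needed = required_level(total)
        obtained = max(LEVEL_RANK[m.approver_level] for m in members)
        if obtained < LEVEL_RANK[needed]:
            findings.append({
                "doc_type": doc_type,
                "vendor_id": vendor_id,
                "doc_date": doc_date,
                "doc_ids": sorted(m.doc_id for m in members),
                "combined_amount": total,
                "approval_obtained": APPROVAL_LEVELS[obtained][1],
                "approval_required": needed,
            })
    return findings


# Constructed sample data: three sub-threshold POs to one vendor on one day.
SAMPLE_DOCS = [
    PurchaseDoc("PO-1001", "PO", date(2019, 3, 29), "V-0042", 90_000, "Manager"),
    PurchaseDoc("PO-1002", "PO", date(2019, 3, 29), "V-0042", 95_000, "Manager"),
    PurchaseDoc("PO-1003", "PO", date(2019, 3, 29), "V-0042", 80_000, "Manager"),
    # Same vendor on another day, approved at the right level: not a split.
    PurchaseDoc("PO-1010", "PO", date(2019, 3, 30), "V-0042", 400_000, "Head of Department"),
    # Two small POs whose total still sits within the Manager limit: not flagged.
    PurchaseDoc("PO-1020", "PO", date(2019, 3, 29), "V-0007", 60_000, "Manager"),
    PurchaseDoc("PO-1021", "PO", date(2019, 3, 29), "V-0007", 30_000, "Manager"),
]

if __name__ == "__main__":
    for f in find_split_documents(SAMPLE_DOCS):
        print(f"{f['doc_type']} split: vendor {f['vendor_id']} on {f['doc_date']}, "
              f"docs {f['doc_ids']}, total {f['combined_amount']:,.0f}, "
              f"approved at {f['approval_obtained']}, needs {f['approval_required']}")
```

Running this on a full PR or PO extract produces the review list the deck asks for; widening the date key to a rolling window catches splits spread over adjacent days.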

Page 41

PROCURE TO PAY

Purchase Order Amendments: Key Aspects For Consideration

Control Ideas / Fraud Risk

• Amendments regardless of nature or value to be approved by the next higher level of authority

• Supporting documents for the amendment to be filed along with the PO amendment print out

• Amendment reports to be reviewed for large / unusual / exceptional transactions

• All material / service receipts to be only after creation of POs

Page 42

Material Receipt Certification

Page 43

PROCURE TO PAY

Material Receipt Certification: Key Aspects For Consideration

Control Ideas / Fraud Risk

• Quality flagging at material code level to be done

• Quality policy / protocols for items to be defined: Visual Inspection or Detailed inspections.

• QC parameters to be defined for major items to be decided

• Separate team to be enabled for QC approval

• Items for which no QC is required to be decided based on supplier review (ISO certifications)

• Weighment slips for bulk materials not signed by the person conducting the weighment at the weighbridge and the driver of the vehicle

Page 44

PROCURE TO PAY

Material Receipt Certification: Key Aspects For Consideration

Control Ideas / Fraud Risk

• Delays in GRN to be avoided and tracked

• Delay in GRN for direct receipt of materials by users not tracked for prompt closure (e.g. Cement)

• Duplicate supplier accounts to be reviewed

Page 45

Bill receipt and certification

Page 46

PROCURE TO PAY

Bill Receipt and Certification: Key Aspects For Consideration

Control Ideas / Fraud Risk

• Bill should not be addressed to the user; Bill to be received at the Vendor help desk

• Liability to be accounted after review

• All invoices to contain a serial number and to be in original

• Duplication to be checked for

• Payment based on GRN / Service receipt certification

• Payment directly to the vendor