Revisiting Internal Controls Around Procurement During a Pandemic

Some of the most important internal controls at any company are the ones around procurement, the process by which a business obtains the goods and services to carry out its mission. In the current climate of disruption due to the COVID-19 pandemic, companies should examine and fortify their internal controls around procurement to ensure proper function, even when employees are working remotely and possibly distracted by health and domestic care issues.

The procurement function warrants scrutiny in times of crisis because it presents significant opportunity for abuse and misappropriation of a company’s assets. Both domestic and, more importantly, global organizations should consider centralizing and streamlining the procurement function, as much as practical, to avoid this increased opportunity for fraud, waste and abuse. As the procurement function may need to be run and supported by a reduced number of company personnel, consideration should be given to whether proper segregation of duties is maintained. Simply put, strong, well-communicated and transparent internal policies and procedures around procurement are necessary to promote ethical employee behavior.

Since procurement processes impact certain financial statement balances (e.g., cash, accounts payable, fixed assets) and footnote disclosures (e.g., contractual commitments), a public company’s annual, Sarbanes-Oxley 404 walkthrough and testing procedures will likely cover certain key internal controls around the procurement as they relate to financial reporting. However, public companies must not forget to implement robust and strong operation-based detective and monitoring controls that prevent larger, more material issues from striking the financial statements.

With more employees working from home and away from entrenched office systems to fight the spread of COVID-19, there may be increased use of alternative payment procedures that trade health protections for new financial risks. As we settle into our new normal of remote working and social distancing, now is the time for public and private companies to revisit their procurement processes and internal controls at a deeper operational level.

Keep Up with Training

Now more than ever, companies need to determine, understand and document who can buy what and who can approve what. Even for simple purchases, an organization must consider the answers to many questions, such as:

• Can all (or active) personnel within a department requisition goods and services?
• Can the department manager or leader approve?
• Do approval levels remain intact to support proper segregation of duties?
• How should requisitions be made for larger items or items being purchased for remote or home office use? How are proper sourcing and fair pricing secured (e.g., would the item otherwise be purchased under a master contract to secure better pricing versus one-off purchase via a purchase card)?
• Who can make these requisitions, and how are they approved?

Best practices suggest that purchase requisition and approval authority matrices and policies be documented at a specific enough level to answer these questions. For those charged with purchasing decisions, annual training on procurement matrices and policies should be held – and now may be an excellent time to hold virtual refresher courses. If there are one or more procurement systems or portals used for requisitioning and purchasing certain types of assets or raw materials, employees charged with these purchasing decisions should be made aware of and trained on these systems. At a minimum, annual training should be provided on procurement policies and procedures.

Making Centralized Procurement Work

Companies constantly ask if the procurement function is centralized enough or too dispersed for the size of the organization. Again, now is a great time for companies to revisit and take a closer look. For a global organization, a centralized procurement function can leverage preferred pricing and benefits negotiated with key vendors via master service agreements (MSAs), blanket purchase orders or other contracts. Company management should revisit and determine which purchases should originate and/or be approved at a field or department level versus which purchases should originate, be approved and/or have increased scrutiny through centralized procurement.

Inside a large organization, additional segregation of the requisitioning and approval authorities within centralized procurement minimizes the risk of abuse or misappropriation of company assets. Segregation can help limit the risk of collusion, whether amongst employees where requisitioning and approving party are located in the same department or region or between company employees and third-party vendors.

Old-Fashioned Match-Making

A central tenet of internal control for procurement is the “three-way match,” which involves comparing the quantity and prices (possibly other elements) listed on the purchase requisition/purchase order documentation against the invoice and to accompanying shipping/receiving documentation. This match can take place in various stages, formats or degrees of complexity inside an organization.

Most importantly, a company’s procurement business process documentation, policies and procedures should outline how, when and by whom the three-way match is performed in procurement of different types of goods and services. Many times, this somewhat simplified concept becomes lost or muddled inside of the organization.

Increased centralization of the procurement function can assist and promote performance and tracking of the three-way match – monitoring and ensuring completion (e.g., centralized procurement is responsible for ensuring that the quantity in a system purchase order matches what was received at a department, warehouse or unit level).

The current environment presents a good backdrop for CFOs and COOs to raise questions: How is my company’s three-way match being tracked and performed? How is it documented? Are my current systems robust enough to facilitate this matching and key procurement internal control?

As an increased number of procurement employees may be working from home, now is an excellent time to redistribute and review process documentation (e.g., source-to-pay, procure-to-pay, order fulfillment to cash) and hold team calls to discuss potential internal control gaps or areas of concern or to perhaps gain insight into procurement efficiencies and improvements – perhaps asking whether a much broader process assessment should be undertaken by the company when things return to business normal.

Using Purchase Cards Wisely

Many organizations use a procurement or purchase card^[1] program to promote the efficiency of procuring goods and services across departments or operations. However, proper purchase card issuance, setup and monitoring are required and the complexity is worth a revisit:

• Purchase Card Program – The purchase card program should be managed and controlled out of a company’s centralized procurement function, not treasury alone. As an increasing number of employees are working remotely, now is a great time for procurement leadership to review the company’s purchase card program and inventory and check up on card issuance. In this growing and new “telework” environment, companies may experience a surge in purchase card use and activity, so there also may be a need to consider whether purchase card access/requisition should be restricted by certain level/title of employee or asset class.
• Purchase Card Issuance – Centralized procurement should be responsible for keeping a master listing of each department and/or person in the organization that is issued a purchase card (purchase card master list). The company should consider having individuals assigned a card to sign an annual attestation that the card was used in accordance with company policy to emphasize the importance of card ownership.
• Purchase Card Portal and Tools – Centralized procurement should be tasked with activating and assigning cards to users through the bank or credit card organization’s online app or purchasing portal. While best practices generally require limiting the cardholder’s access to online purchases, the current crisis is swiftly making online purchasing a necessary option as some traditional suppliers shutter operations. If internal controls need to be changed to allow new and increasing online purchases, organizations should consider restricting or closely monitoring payments to vendors through e-commerce sites, as these pose an increased risk or opportunity for collusion.
• Vendor Master List – Regardless of the purchasing method, all vendors should be listed on the approved vendor master list. This is a good time to revisit how the vendor master list is controlled and if there are any systemic gaps that would allow purchases from unapproved vendors to occur.
• Analytics – The purchase card portal may also provide an analytics suite to track spend by card, by type and by vendor and to monitor online charges – a critical feature, considering the current environment. On a monthly basis, sometimes with the assistance of internal audit, centralized procurement should analyze purchase card spend by department or individual cardholder, types of charges, etc. and update and review periodic trends in purchase spending to see if a specific purchase card requires further review for potential misuse, fraud or abuse.

The Risk of Corporate Credit Cards

Somewhat an extension of the above, many C-suite and other company executives are issued a corporate credit card, primarily for expenditures associated with business travel. The ubiquity of the corporate credit card can lead to slack and problems with spend control when it comes to restricting their use solely to business purposes. Employees generally are required to submit expense receipts (for charges over a certain dollar amount) and supporting documentation to procurement for review and to substantiate business justification.

Incurrence of personal charges on corporate credit cards – outside of company policy – that are reimbursed by the company can lead to unwanted perquisites being paid to the executive that should otherwise be factored into compensation. These charges also may impact SEC proxy statements and other related party disclosures.

The general counsel’s office should oversee a detailed policy that covers issuance and use of corporate credit cards, particularly those used by C-suite executives. Executive management should be trained on policy requirements, including acceptable and nonacceptable business charges and the required receipts and documentation to be submitted in order to substantiate business justification. Delegation authority (e.g., to an administrative assistant) should be closely controlled and monitored.

Outside of policy, centralized procurement should remain in charge of the corporate credit card program. A detailed and monthly review of corporate credit card statements and enclosed charges should be performed and centralized in corporate procurement. A process should guide centralized procurement on handling the inquiry of questionable charges and whether the general counsel’s office should get involved, provided certain concerning observations or patterns arise.

The Time is Now

Procurement is an area that already requires periodic and frequent refresh and review, but never more so than under the circumstances we are experiencing in the COVID-19 pandemic. When internal controls around purchasing weaken due to disruption of normal business processes, it can lead to increased risk of fraud, waste and abuse. Now is the time to revisit procurement internal controls, increased “centralization” of procurement activities and procurement policies and procedures. Those in the C-suite – particularly CFOs and COOs – should address the areas above with their management teams to avoid these outcomes. Even if the issues raised here seem rudimentary, the extra scrutiny at this moment in time may lead to uncovering and addressing potentially significant risks.

The opinions expressed are those of the author(s) and do not necessarily reflect the views of FTI Consulting, Inc., its clients or any of its respective affiliates.

^[1] “Purchase card” in the context of this article refers to a credit card issued to employees for making purchases and which the card is directly paid for by the company without the need for issuing reimbursement to employees.