The supply chain process accounts for a material proportion of cash outflow in most organizations. Though supply chain processes are complex, and vulnerable to inefficiency, error, and fraud risks, they also can be a gold mine for internal auditors seeking to add value through data analytics, contract compliance, and process review. To best understand the risks inherent in supply chain and procurement processes, it is helpful to divide and tackle the vulnerabilities under contractual and behavioral risks.
At the outset, the buying organization needs goods or services from a supplier. A market tender typically will result in a supplier contract, which can adopt one or a hybrid of fixed-cost, variable-cost, or target-cost contracts. Each of these contract formats poses distinct risks to the buying organization.
Fixed-cost Contract Risks
In fixed-cost contracts, the buying organization knows the end price with a degree of certainty. Perhaps there is a provision for staged payments based on the achievement of delivery milestones or a retention allowance payable to the supplier, following contract completion, to protect the buying organization against unfinished work or minor defects that come to light after the contract has ended. At face value, the fixed nature of the contract may appear to eliminate risk, as the buying organization knows the cost up front. For a variety of reasons, internal audit, or even executives or the board itself, may err if fixed-price contracts are considered riskless.
Because the supplier probably won the fixed-cost contract by submitting the cheapest price, it may seek to elevate its own interests by delivering inferior materials or labor skills to minimize costs to the detriment of the buying organization. Other ways a supplier can shift risk in its favor include acceleration of stage payments, or charging for overheads and add-ons such as tools or safety gear that the buying organization had assumed were part of the agreed-upon fixed price. After all, if they were not written into the contract, they were not agreed upon. Audit findings can arise from the contract having been poorly written, stage payments having been determined by the supplier without independent challenge from the buying organization, or compromised materials or workmanship.
In fixed-price contracts, new risks can emerge where circumstances change as delivery of the contract unfolds. For instance, the buying organization may change the original specifications or timetable after signing the fixed-price contract. Such changes can provide new opportunities for the supplier to convert even minor changes to its advantage. Fixed-price contracts usually contain provisions for change orders that take into account changes in circumstances and liquidated damages if either party causes delay. As change orders create variability in cost and represent a claim for payment by the supplier, they must be reviewed, assessed, and authorized by appropriately credentialed management from the buying organization before payment. If the organization’s scrutiny and authorization of change orders is weak, significant cost escalation can follow, negating the control intended by having a fixed-price contract. If left unchecked, the end cost charged by the supplier can be significantly higher than the original fixed-price contract.
For large projects, change orders are worthy of their own audits, because substantial value can be unearthed through supplier cost exaggeration. Change orders can cause a fixed-price contract to adopt the risk characteristics of a variable-cost contract.
Variable-cost Contract Risks
Variable-cost contracts are sometimes known as time and materials, cost-plus, or schedule of rates, involving actual costs plus an agreed-upon percentage for overhead and profit. They may or may not contain a cap on the eventual cost. The supplier’s commercial bias often is to charge the highest possible rate and to maximize quantities or hours. The main audit concern is whether the rate for future inflation was appropriately determined at the time of the contract agreement, and whether it is identical to the rate invoiced, rather than an arbitrary rate of the supplier’s choosing. Moreover, the variable quantity of materials and labor hours should be supported by independently verified goods, delivery notes, and time sheets, which can be checked against attendance data (such as swipe in/out cards or biometrics). Where machinery use is charged, a plant log should show when plant machinery is no longer in use, with review and sign-off by management from the buying organization.
Besides checking basic rate and quantity, internal audit may find it beneficial to examine whether nonchargeable hours — such as administration, rework, sick days or holidays, or training — have been charged. If an overhead rate is charged, then any additional direct overhead costs would constitute duplication. There have been instances of suppliers charging accrued future costs up to a decade in advance, estimated costs calculated in the supplier’s favor, and even the cost of the annual holiday party — all charges that were contractually disallowable and, therefore, refundable.
Data analytics can help in reviewing whether supplier invoices have been split in an effort to remain under authorized thresholds or help uncover identical supplier charges across different projects. In the case of estimated costs, those should be actualized on a regular basis to correct overestimation errors. If the supplier has multiple projects, it is also possible it may seek to replicate recovery of the same material or labor costs across those multiple projects. Undescriptive supplier invoices and resistance to internal audit inquiries may suggest that the supplier is wrongly adjusting costs.
Some contracts will include volume discounts for goods that are triggered when predetermined volume targets are achieved. The burden is on the buying organization to ensure discounts are applied after volume criteria are reached.
By taking an investigative approach, the audit will either assure the board that the invoice approval process already addresses the most obvious overcharging risks, or it will identify cost recoveries and invoice approval process improvements. It’s a win-win for internal audit and the buying organization.
Another scheme involves suppliers overcharging by layering their overhead and profit percentages across their own supply chains. If suppliers subcontract their work to other companies that do complementary work, those subcontractors also may add overhead and profit charges to their costs when charging back up through the supply chain. The supplier group can multiply its earnings by layering overhead charges upon overhead charges across subcontractor and sub-subcontractor hierarchies. The remedy here is to require the supplier to market test any subcontract work and not merely award it to parties where there is a family relationship or vested interest.
If access to supplier accounting transactions is permitted under the contract’s right-to-audit clause, it is important to first reconcile the supplier’s claims for payment to the accounting system to ensure all cost data has been captured at the outset. Downloading the supplier’s payment transactions can leverage the power of data analytics to mine for duplicated costs, double charging of sales taxes, and text searches on phrases such as “rework,” “entertainment,” “function,” “party,” and “hotel.” The contract’s disallowable costs list can be used to create search terms for data analytics. Every finding is a recoverable cost.
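The split-invoice, cross-project duplicate, and disallowable-term checks described above can be sketched as follows. This is an added example, not code from the original article; the ledger rows, column layout, approval threshold, and day window are constructed assumptions, while the search terms are the ones the article lists.

```python
from collections import defaultdict
from datetime import date
import re

# Constructed sample rows: (invoice_id, supplier, project, date, amount, description)
LEDGER = [
    ("INV-001", "Acme Civil", "P1", date(2024, 3, 4), 9800.00, "Formwork labor week 9"),
    ("INV-002", "Acme Civil", "P1", date(2024, 3, 5), 9700.00, "Formwork labor week 9"),
    ("INV-003", "Acme Civil", "P2", date(2024, 3, 20), 4250.00, "Crane hire 2 days"),
    ("INV-004", "Acme Civil", "P3", date(2024, 3, 22), 4250.00, "Crane hire 2 days"),
    ("INV-005", "Beta Fitout", "P1", date(2024, 4, 2), 1200.00, "Staff party venue and hotel"),
    ("INV-006", "Beta Fitout", "P1", date(2024, 4, 9), 15000.00, "Joinery install stage 2"),
]
APPROVAL_THRESHOLD = 10000.00  # assumed single-approver limit
SPLIT_WINDOW_DAYS = 3          # assumed maximum gap between split invoices
DISALLOWED = ["rework", "entertainment", "function", "party", "hotel"]

def split_invoices(rows, threshold=APPROVAL_THRESHOLD, window=SPLIT_WINDOW_DAYS):
    """Runs of sub-threshold invoices (same supplier and project) that together reach the threshold."""
    by_key = defaultdict(list)
    for r in sorted(rows, key=lambda r: r[3]):
        if r[4] < threshold:
            by_key[(r[1], r[2])].append(r)
    hits = []
    for items in by_key.values():
        cluster = []
        for r in items + [None]:  # trailing None flushes the last cluster
            if r and (not cluster or (r[3] - cluster[-1][3]).days <= window):
                cluster.append(r)
                continue
            if len(cluster) > 1 and sum(c[4] for c in cluster) >= threshold:
                hits.append([c[0] for c in cluster])
            cluster = [r] if r else []
    return hits

def cross_project_duplicates(rows):
    """Same supplier, amount and description billed to more than one project."""
    seen = defaultdict(list)
    for inv, supplier, project, _, amount, desc in rows:
        seen[(supplier, round(amount, 2), desc.lower().strip())].append((inv, project))
    return [[i for i, _ in v] for v in seen.values() if len({p for _, p in v}) > 1]

def disallowed_hits(rows, terms=DISALLOWED):
    """Invoice ids whose description contains a term from the disallowable-costs list."""
    pattern = re.compile(r"\b(" + "|".join(map(re.escape, terms)) + r")\b", re.I)
    return {r[0]: sorted({m.lower() for m in pattern.findall(r[5])}) for r in rows if pattern.search(r[5])}

if __name__ == "__main__":
    print(split_invoices(LEDGER), cross_project_duplicates(LEDGER), disallowed_hits(LEDGER))
```

Each hit is a lead for manual review against the contract and supporting documents, not a finding in itself.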
Another useful line of inquiry is whether the supplier obtained discounts or credit notes from its own supply chain that it did not pass on to the buying organization. If there is no right-to-audit clause in a supplier contract, internal audit should persuade the procurement department to ensure it is a standard inclusion in all contracts.
Even if a right-to-audit clause does not exist in the contract, suppliers might oblige internal audit’s request for information to keep their valued commercial relationship. An audit information request may include electronic transactions that allow internal audit to use data analytics on gifts, entertainment, and the existence of related parties. In some instances, these audits may find supplier-issued credit notes that never reach the buying organization’s accounting system and are immediate cost recoveries.
Target-cost Contract Risks
While fixed-cost contracts and variable-cost contracts put the onus of governance on the buying organization, target-cost contracts usually involve a shared governance arrangement with the supplier. The target cost will have an associated gain-share formula if the final cost is within target; or a pain-share formula if the final cost exceeds the target. In this way, there should, in theory, be alignment of commercial interests between the buying organization and the supplier.
But appearances can be deceiving and provide the impression that risk has been minimized. The pain-share mechanism may mean that it is still in the supplier’s interest to overcharge its costs, even if it results in target-cost overspending, because the buying organization will subsidize that overspend.
Risk of accounting errors could also arise if the supplier’s personnel, rather than those of the buying organization or an impartial third party, manage the accounting. This arrangement could create conflicts of interest that favor the supplier.
Though there are behavioral risks inherent within different contract types, there are several that can arise no matter which type of contract is in place.
Kickback Incentive Risks
Commercial pressures in the supplier-buyer relationship encourage the use of added incentives to either secure a new supply relationship or maintain or improve an existing one. Although controls may be strong at the time of the initial contract, relationships can change over time, which can then serve to diminish control. The problem from an audit perspective is that these kickbacks usually sit outside the accounting system, making them impossible to detect through normal transaction testing. Evidence is more likely obtained through whistleblowing or confession. Long-standing or exclusive relationships between employees and suppliers can be a tell-tale sign. Data analytics may reveal findings of unusually consistent requisitioning or invoice approvals by the same manager. Multiple contract extensions at favorable rates can be another indicator of hidden behavioral risk.
While kickback arrangements are typically made behind closed doors, emotional guilt, as well as envy or resentment by knowledgeable personnel, can serve internal audit’s needs. Confessions may be obtainable via whistleblowing and gift declaration processes, careful evidence gathering, confidentiality assurances, and even humor to build audit client goodwill. These types of findings may result in staff disciplinary actions, terminations, and retendering of supplier contracts.
Related-party Risks
Related-party risks can arise when personnel employed by the organization are related to supplier personnel, or when suppliers subcontract to other companies with whom they have family ties or ownership. The risk here is conflict of interest, which can increase the likelihood of collusion and circumvention of the internal controls normally applied in arm’s-length business relationships.
Segregation of duties is weakened materially if parties are related. For example, father signs off on the time sheets of son and nephew at the supplying organization with exaggerated or fictitious hours worked, and the sister-in-law processes them through the accounting system. Qualitative inquiries and data analytics across supplier invoices, time sheets, supplier and employee master files, and organization charts can help identify related parties.
Gifts and Kickbacks
From the supplier’s viewpoint, sales personnel anxious to meet targets and achieve bonuses can be tempted to offer gifts, entertainment, and other kickback payments to induce potential buyers. The buying organization’s managers, in turn, know these pressures exist and are sometimes willing to accept, and even solicit, gifts in exchange for awarding contracts. It can help if suppliers are aware of the organization’s whistleblowing and gift-declaration processes.
Suppliers are sometimes willing to report concerns where they feel buyers in management have put them under pressure to provide gifts or entertainment. In other cases, suppliers have been willing to report concerns where their competitors have distorted fair play. Recommended practices include sending suppliers an annual email or letter informing them of the whistleblowing and gift-declaration policies and processes. This serves a dual purpose: as a warning to those engaged in wrongdoing and as a safe communication route to those who may have information to divulge.
Parties experienced in supply-chain contracting can creatively stack both rewards and penalties in their favor. Clever suppliers will start writing claims and change orders as soon as the contract is signed. Correspondingly, internal audit can increase its effectiveness by understanding supply contracts to ensure rates, allowables, disallowables, incentives, and penalties are applied correctly. Some internal audit departments have recovered dividends of at least 1 percent annually, amounting to millions of dollars. One thing is certain — when it comes to the supply chain, internal audit and management are on the same side.