
Audit Procedures and Internal Control Questionnaire Purchase Orders Core Audit Program

(Total Estimated Time to Complete 300 hours)


I. Audit Approach

As an element of the University's core business functions, Purchase Orders will be audited approximately every three years using a risk-based approach. The minimum requirements set forth in the "general overview and risk assessment" section below must be completed for the audit to qualify for core audit coverage. Following completion of the general overview and risk assessment, the auditor will use professional judgment to select specific areas for additional focus and audit testing.

II. General Overview and Risk Assessment (Estimated time to complete - 160 hours)

At a minimum, general overview procedures will include interviews of department management and key personnel; a review of available financial and operational reports; evaluation of policies and procedures associated with business processes; inventory of compliance requirements; consideration of key operational aspects; and an assessment of the information and communication systems environment. During the general overview, a detailed understanding of the management structure, significant financial and operational processes, compliance requirements, and information and communications systems will be obtained (or updated).

As needed, the general overview will incorporate the use of internal control questionnaires (an example is provided as Attachment A), process flowcharts, walk-throughs, and the examination of sample documents supporting key processes.

A. The following table summarizes audit objectives and corresponding high-level risks to be considered during the general overview:

Audit Objective

Obtain detailed understanding of significant procedures and practices employed in the Purchase Order (PO) process, specifically addressing the following components:
- Functional and organizational structure related to POs
- Purchase requisition (PR) initiation, approval and transmittal to Procurement
- Delegation of purchasing authority and responsibility
- Signature authority for PRs and POs
- Vendor selection and pricing of goods and services purchased
- Information systems, applications, databases and electronic interfaces
- Evaluation and management reporting of operating results, transaction volume, trends and performance metrics
- Process strengths, best practices and opportunities for improvement

Areas of Risk

- Improper requisition; inadequate approval of PR; late transmission of requisition to Procurement; delay in ordering
- Lack of segregation of duties may lead to weak controls in preventing and detecting errors and irregularities
- Unauthorized or improperly approved PO leading to fraud, waste or abuse
- Poor vendor performance; inferior quality of goods and services
- Lack of competitive pricing, increased costs and unreasonable pricing
- Processes and information systems may not be well designed or implemented, and may not yield desired results, i.e., accurate financial information, operational efficiency and effectiveness, and compliance with regulations, policies and procedures

December 22, 2003

B. The following procedures will be completed as part of the general overview whenever the core audit is conducted.

General Control Environment

1. Obtain and review purchasing policies and procedures, including organizational and government requirements, relevant to the campus or laboratory.
2. Obtain purchasing function process flow, organization chart and functional structure involved in PR and PO process, delegation of authority, approval limits and management reports.
- Interview customers and key personnel to obtain their perspective on the purchase order function. During all interviews, solicit input on concerns or areas of perceived risk.
- Evaluate processes for adequate separation of responsibilities. Evaluate adequacy of functional and organizational structure to provide reasonable assurance that University resources are properly safeguarded.
- If the functional and organizational structures do not appear adequate, consider alternative structures or processes to enhance assurance. Comparison to other purchasing departments may identify opportunities for demonstrating better control and accountability.

Business Processes

6. Identify key activities and gain an understanding of the purchase order business process. Interview individuals in the Purchasing department to gain an understanding of the following:
   - Current PR and PO processing steps
   - Vendor selection and pricing
   - Change order processing (e.g., customer changes, engineering changes)
7. Identify positions with responsibility for key activities, including initiating, reviewing and approving of purchase requisitions and purchase orders.
- Use flowcharts or narratives to identify process strengths, weaknesses, and mitigating or compensating controls.
- Conduct walk-throughs of the key processes, using a small sample of transactions. Review documents, correspondence, reports, and statements, as appropriate, to corroborate process activities.
- Evaluate processes for adequate segregation of responsibilities. Evaluate the adequacy of processes to provide reasonable assurance that University resources are properly safeguarded.
10. If processes do not appear adequate, develop detailed test objectives and procedures, and conduct detailed transaction testing with specific test criteria. Consider whether statistical (versus judgmental) sampling would be appropriate for purposes of projecting the impact on the population as a whole or for providing a confidence interval.

Information and Communications Systems

11. Interview procurement and information systems personnel to identify key information systems, applications, databases, and interfaces (manual or electronic) with other systems associated with the processes and to get responses to the following questions:
   a. Is this an electronic or manual information system?
   b. Does the system interface with core financial systems? If yes, is that interface manual or electronic?
   c. Does the system interface with outside vendor information systems? If yes, is that interface manual or electronic?
   d. What type(s) of source documents are used to input the data?
   e. What types of access controls and edit controls are in place within the automated system?
   f. How are transactions reviewed and approved within the system?
   g. What are the application user roles or security levels; what transactions are allowed for each user role or security level?
   h. Who has change access to master data?
   i. Who reconciles the system's output to ensure correct and accurate information?
   j. Is a disaster/back-up recovery system in place for this system?
   k. What is the retention period for source documents and system data?
12. Obtain and review systems documentation, if available.
13. Document information flow and interfaces with other systems, using flowcharts or narratives. Consider two-way test of data through systems from source documents to final reports, and from reports to original source documents.
14. Evaluate the adequacy of the information systems to provide for availability, integrity, and confidentiality of University information.
15. Evaluate the adequacy of segregation of duties between user roles and note incompatible access rights granted, e.g., input transaction data and access to master records; prepare PR and create PO; input, change and approve PR/PO data.
16. If system controls do not appear adequate, develop detailed test objectives and procedures, and conduct detailed testing with specific test criteria.

C. Following completion of the general overview steps outlined above, a high-level risk assessment should be prepared and documented in a standardized working paper (e.g., a risk and controls matrix). To the extent necessary, as determined by the auditor, this risk assessment may address aspects of other areas outlined below (financial reporting, compliance, operational efficiency and effectiveness, and information and communications systems). In addition to the evaluations conducted in the general objectives section, the risk assessment should consider the following: annual purchases, time since last review, recent audit findings, organizational change, regulatory requirements, etc.

III. Compliance (Estimated time to complete - 100 hours)

A. The following table summarizes audit objectives and corresponding high-level risks regarding compliance with policies and procedures, and regulatory requirements:
Audit Objective

Evaluate compliance with the following requirements:
- Purchasing policy, standard practices and procedures
- Regulatory requirements
- Conflict of interest

Areas of Risk

- Violation and non-compliance with policies and procedures may result in inappropriate transactions, misappropriation of assets and increased risks
- Failure to comply with regulatory and reporting requirements could result in fines and additional restrictions

The following procedures should be considered whenever the audit is conducted:

1. Obtain list of POs issued within the last three years and separate into separate universes if such is warranted by different policies and procedures (e.g., under/over $50,000 for campuses in accordance with BUS-43, Part 3). Obtain the following lists: approved vendors, debarred vendors, employee-vendors.
- Obtain organization's signature authority matrix. Ensure that the matrix is up-to-date for authorized personnel, title/position vs. authority, dollar/volume limits, and override procedures (and related down-stream controls; subsequent reporting or escalation to higher-limit personnel). Highlight thresholds under which only one person (i.e., the buyer) can initiate a PO.
- Analyze awards by vendor and/or buyer for the past 12 months to identify possible splitting of orders to avoid approval controls or other unusual activity.
- On a test basis, select purchase orders and review purchasing requirements.
- Determine if purchase transactions are supported by approved PR and PO.
- Determine appropriate signature authority for approvers.
- Review adequacy of records kept in PO files to evidence competitive quotations.
- For non-competitive procurements, review adequacy of documented justification and management approval for use of a single source as well as basis for concluding the price is reasonable.
- Review required documentation from engineering, quality or the requesting department to support the purchase from a single or directed source.
- Review consecutive POs to the same vendor for potential splitting of orders to avoid dollar thresholds for approval, cost analysis and submission of cost or pricing data.
- Determine adequacy of information fields on PO.
- Test accuracy of PO coding as to applicability of sales tax.
- If PO involved purchase of patient care supplies, ensure requirements of Patient Care Products Standardization and Utilization were met.
- Review vendor bidding, selection and evaluation policies and procedures.
- Determine practices in place to assure procurement at competitive prices including development of purchase requirements to achieve maximum competition.
- Determine whether a preferred or "approved" supplier list is used.
- Trace vendors from above PO selected to approved vendor and debarred vendor listings.
- Map the process of vendor bid processing and evaluate current controls in place.
- Determine if multiple bidding is utilized from several providers including RFP (request-for-proposal), selection criterion for evaluation, and inquiry of any possible conflicts of interest with vendors.
- Determine if requisitioning and procurement personnel are required to disclose financial or ownership interest in suppliers and if such disclosure procedures are followed. Trace suppliers from the POs selected above to Employee-Vendor listing and note any potential conflicts.
- Determine if there are policies and procedures assigning responsibilities for notifying the campus or laboratory community about product recalls and for coordinating the return, repair or destruction of defective items.
- Based on results of audit procedures, evaluate whether processes provide reasonable assurance that PO activities and practices are in compliance with policies and procedures, and regulatory requirements. If it does not appear that processes provide reasonable assurance of compliance, develop detailed audit procedures and criteria to evaluate extent of non-compliance and impact.


IV. Operational Effectiveness and Efficiency (Estimated time to complete - 20 hours)

A. The following table summarizes audit objectives and corresponding high-level risks regarding operational effectiveness and efficiency:

Audit Objective

Evaluate PO process, specifically addressing the following areas:
- Turnaround time from requisition to issuance of PO
- Supplier performance
- Customer satisfaction
- Performance metrics
- Use of the UC Planned Purchasing Program and available government contract sources (if applicable)
- Best practices

Areas of Risk

- Delay in ordering, processing requisition and delivery from supplier; shortage in materials and supplies; adverse impact on project completion
- Increased cost of materials and services purchased
- Poor quality of materials and services received
- High administrative cost for purchasing function

B. The following procedures should be considered whenever it is determined that audit work related to operational effectiveness and efficiency should be conducted:

1. Review any available manual or electronic databases capturing performance indicators or measures to identify areas where improvements are likely needed.
2. For a sample of POs, determine turnaround period from the time PR is received in Procurement to the time PO is issued.

3. Determine if PO processing time is acceptable to the Procurement organization, requesting department and industry standards/achievements at other campuses/laboratories.
- Determine if POs were placed on a timely basis to allow sufficient time for supplier to meet requesting department's date of delivery as indicated in PR, without the incurrence of extra costs.
- Determine steps taken by the purchasing department to follow-up on orders to assure timely delivery, if necessary.
- Review supplier performance rating system, if any, that evaluates price, quality and delivery performance. Compare suppliers from sampled POs to supplier performance rating and evaluate continuing orders from these suppliers based on their performance.
- Review the adequacy of any system of reports and performance measures in place to provide management information on purchasing activities and performance.
- Review results of customer surveys, if any, to determine issues and opportunities for improvement of PO function.
- Interview customers to determine feedback on their requisitions and related PO.
- Based on knowledge of processes gained through work performed as part of the general overview and other sections, consider whether there are operational improvements that can be made to the process to make it more efficient or effective.


V. Information and Communications Systems (Estimated time to complete - 20 hours)

A. The following table summarizes audit objectives and corresponding high-level risks regarding information and communications systems:

Audit Objective

Evaluate information and communications systems, applications, databases, system interfaces, and records practices, specifically addressing the following:
- Electronic or manual interfaces with intra-University systems, applications, and/or databases
- Electronic or manual interfaces between University and third party systems, applications, and/or databases
- Records management policies and practices for both hardcopy and electronic records

Areas of Risk

- Security management practices may not adequately address information assets, data security, or risk assessment
- Application and systems development processes may result in poor design or implementation
- The confidentiality, integrity, and availability of data may be compromised by ineffective physical, logical, or operational controls
- Business continuity planning may be inadequate to ensure prompt and appropriate crisis response
- Records management practices may not adequately ensure the availability of necessary information

The following will be completed each time the PO core audit is conducted:

- Identify any significant changes to information and communications systems and corresponding business processes.
- Evaluate the impact of any significant changes to the PO function.
- Evaluate adequacy of PO files maintained in accordance with purchasing procedures and record retention policy.
- Consider two-way tests of data through systems from source documents to final reports and from reports to original source documents.
- Evaluate the adequacy of the information and communications systems to provide for availability, integrity, and confidentiality of University information and communications resources.
- If Electronic Data Interchange (EDI) is used, evaluate the adequacy of internal controls, especially over consistency of price structures to enable Accounts Payable/Disbursement personnel to accomplish their price matching responsibilities.


Attachment A Proposed Internal Control Questionnaire (ICQ) Purchase Orders


Control Questions / Comments

1. Are purchase orders based on authorized requisitions?
2. Are purchase orders serially numbered (manual POs) and accounted for or electronically controlled with access and approval controls?
3. Is the use of standardized purchase order forms (electronic or hard copy) required?
4. Are effective controls or status reports maintained to record the receipt and status of purchase requisitions?
5. Are make-or-buy or lease-or-buy decisions adequately documented?
6. Does the purchasing department have adequate controls to prevent use of canceled or voided purchase requisitions/purchase orders?
7. Is the purchasing department independent of other departments, and responsible for procuring all materials, supplies, and equipment?
8. If other departments have purchasing authority, does the purchasing department oversee or review their activities?
9. Are the receiving and inspection functions separate from the purchasing function?
10. At the time of issuance, are paper or electronic copies of purchase orders furnished or made available to the receiving, accounts payable, and when appropriate, expediting departments?
11. Do procedures require complete history files for items purchased frequently and for all major procurements?
12. Is purchasing required to develop and maintain lists of potential bidders or offerors for particular types of materials?
13. Are periodic independent checks made to verify existence of suppliers on the bidder list?
14. Do procedures require maintenance of adequate documentation in purchase order files?
15. Is there a formal bid control system in place which complies with all of the requirements in the relevant purchasing policies and procedures?
16. Do procedures require appropriate justification when the low bidder in a competitive solicitation is not selected?
17. Are practices in place to assure procurement at competitive prices including development of purchase requirements to achieve maximum competition?
18. Do non-competitive procurements require documented justification required from engineering, quality or the requesting source to support the purchase from a single or directed source?
19. Do procedures for non-competitive procurements require documented basis for determining and approving price reasonableness?
20. If required, is a listing of debarred suppliers maintained and checked against potential and existing suppliers?
21. If required, is there a supplier performance rating system that rates suppliers on price, quality, and delivery performance?
22. Do procedures specifically prohibit splitting orders to avoid dollar thresholds for approval, cost analysis, cost accounting standards and submission of cost or pricing data?
23. Are delivery dates required on purchase requisitions?
24. Is the purchasing department required to follow-up on orders to assure timely delivery?
25. Are approval levels defined for purchase orders and supplements to purchase orders?



26. Do competitive pricing policies exist for inter-entity (i.e., between DOE laboratories) orders?
27. Are inter-entity transactions handled in accordance with company policy?
28. Are there performance measures on the PO function communicated regularly to management?
29. Are there requirements for purchasing personnel handling POs to certify annually that they have not engaged in any prohibited activities, such as kickbacks and gratuities?
30. Are procurement personnel involved with POs required to complete an annual conflict of interest certification, including disclosure of financial or ownership interest in suppliers?
31. Are suppliers required to provide representation that no kickbacks are provided, solicited or offered?
32. Is provision made for periodic rotation of procurement personnel involved with POs?
33. Are there internal control concerns related to this process, which require immediate attention? If yes, please describe.
34. Are there adequate resources to effectively and efficiently perform this process? If not, please describe.
