Planning and Conducting Vendor Audits - Fraud Conference · Planning and Conducting Vendor Audits Session Goals ... conducting a vendor audit. Provide you with some tools and approaches
Post on 11-Nov-2018
218 Views
Preview:
Transcript
Planning and Conducting
Vendor Audits
Ryan C. Hubbs, CFE, CIA, CCSA, PHR Senior Manager – Anti-Fraud & Investigation Services
Matson, Driscoll & Damico LLP
2 of 54
Planning and Conducting Vendor Audits
Session Goals
Familiarize you with audit clause language and
some risks and pitfalls to consider before
conducting a vendor audit.
Provide you with some tools and approaches to
select vendors for audit.
Highlight areas and schemes where vendors
could overbill and defraud.
Ultimately, strengthen your skills in planning
and conducting vendor audits.
3 of 54
Contract Terms and
Conditions:
The Foundation for Good
Vendor Audits
4 of 54
Goals of a Vendor Audit or Investigation
1. Ensure compliance with policies, procedures,
rules, regulations, and legal requirements.
2. Identify conflicts of interests or other fraudulent
activities or investigate allegations of
wrongdoing.
3. Determine if billings are accurate and in
compliance with contract terms.
4. Ensure that the goods and services that were
purchased were actually received.
5 of 54
Why Audit Vendors and Suppliers?
Significance of vendor-related fraud and
corruption.
6 of 54
Why Audit Vendors and Suppliers?
7 of 54
Why Audit Vendors and Suppliers?
Significance of vendor-related fraud and
corruption
Over-reliance on the contract
High costs of after-the-fact audits,
investigations, and legal involvement
• Recovery constraints
• Operational costs
• Audit and investigation costs
• Legal costs
8 of 54
The Importance of Effective
Contract Language
Can contract language and expectations
actually facilitate overbilling?
• Per diem
• Travel time
• Meals and break time
9 of 54
Are Vendor Audits Even Viable?
Are the signed and executed contracts
available?
Are there any change orders or verbal
addendums? If so, what do they say?
Does management have its supporting
documentation?
Does an adequate audit clause exist?
10 of 54
Crafting the Audit Clause
Boilerplate or Dynamic Audit Clause Language
Contract #1
• $15,000 contract
• Parking lot overlay
• Time and materials
Contract #2
• $10,000,000 contract
• Hardened concrete
and steal disaster
recovery facility
• Lump sum
11 of 54
Crafting the Audit Clause
Contract Variables and Considerations
Contract type
Contract amount
Geographical variables
Environmental variables
Time constraints or pressures
Reliance on quality of materials being supplied
Percentage or number of subcontractors
Regulatory oversight or implications
12 of 54
Crafting the Audit Clause
Audit Term Definitions
Are audit, inspect, examine, review, and
analyze the same thing?
• Audit: a formal examination of an organization's or
individual's accounts or financial situation
• Inspect: to view closely in critical appraisal; look over
• Examine: to inspect closely
• Review: a general survey (as of the events of a period)
• Analyze: to study or determine the nature and
relationship of the parts of by analysis
13 of 54
Crafting the Audit Clause
Audit Term Definitions
14 of 54
Crafting the Audit Clause
Audit Period
• Does the audit clause stipulate an audit period
that corresponds to the risk, cost, and length of
the contract services?
• Would there be any need to audit over a greater
time period?
• Example: Audit period is shorter than the primary
service period
• 1–3yr audit period on a 5–7yr construction engagement
15 of 54
Crafting the Audit Clause
Audit Notification
Planned vs. surprise?
16 of 54
Crafting the Audit Clause
Planned Audits
Pros
• Allows for audit ramp up,
data gathering
• Allows for travel and
coordination
• Keeps up good relations
with vendor
• Allows for additional
coordination and feedback
from internal resources
Cons • Tips off internal and external
parties that a vendor audit is
forthcoming
• Might give involved parties
enough time to fabricate,
destroy, alter, or conceal
fraud
• Might also give involved
parties enough time to
coordinate responses to
audit questions
17 of 54
Crafting the Audit Clause
Surprise Audits
Pros • Documentation exists in its
normal state
• Little time to coordinate
responses
• Increases the probability of
uncovering fraud
• Audits can be
spontaneous and flexible
based on need or concern
Cons • Documentation might not be
available for review
• On-site assistance might not
be available
• Office might be closed or
unavailable
• Vendor might dislike the
unplanned disruption to their
operations
18 of 54
Crafting the Audit Clause
Planned vs. Surprise
19 of 54
Crafting the Audit Clause
Invoice/Payment Review vs. Audit
Who executes the audit rights?
“Management has the right to review and audit
all billings to the contract terms.”
• In one example, front line management called their
monthly review of invoices “the monthly invoice
audit.” When the official audit was launched, the
vendor stated that the audit rights had already been
executed, and thus the vendor could not be subjected
to a secondary audit.
20 of 54
Crafting the Audit Clause
Format of Records
21 of 54
Crafting the Audit Clause
Format of Records
Is supporting documentation kept in paper or plastic
(electronic) format? What is the expectation?
• What is electronic format?
If in paper format, is there an expectation of
organization and proper file management?
Is the electronic data accessible?
• Outdated databases or 10,000 poorly scanned PDFs vs. Excel
or .CSV formats
Electronic data may be maintained, but the vendor may
charge for exporting or specialized queries.
22 of 54
Crafting the Audit Clause
Format of Records
23 of 54
Crafting the Audit Clause
Format of Records
What is a book?
• A volume in which financial or business transactions
are recorded?
What is a record?
• An account in permanent form, esp. in writing,
preserving knowledge or information about facts or
events?
Is a general term better than a list of examples?
24 of 54
Crafting the Audit Clause
Format of Records
25 of 54
Crafting the Audit Clause
Format of Records
26 of 54
Crafting the Audit Clause
Records Hold Period
No defined records hold period
• Vendor only has to make records available for audit.
Who is to say that they will be there when the audit
team gets there?
• Vendor’s records management program implications
Unlimited records hold
• Expectation that vendor keeps everything could be
viewed as overly burdensome. In fact, the vendor
may keep very little, but the organization is
completely unaware.
27 of 54
Crafting the Audit Clause
Records Hold Period
Legal statutes and implications
• The nature of the good, service, funding, or public
use of the item could bring the organization and its
vendors under the purview of various local, state,
federal, or international regulations.
28 of 54
Crafting the Audit Clause
29 of 54
Crafting the Audit Clause
Ability to Make Copies
Does the right to review or audit also mean I
can make a copy?
Vendor might not let the audit team have
access to or use the copier.
• Copier might also be conveniently under repair while
the auditors are on-site.
In some instances, the vendor might go so far
as to state in the contract that nothing can leave
the site.
30 of 54
Crafting the Audit Clause
Ability to Make Copies
31 of 54
Crafting the Audit Clause
Penalties for No Documentation?
What happens if a vendor didn’t keep its
records, either intentionally or accidentally?
Penalties for failing to maintain documents?
• Current payments could be held until the documents
are made available
• Forces vendor to maintain or face a financial penalty
• Puts the burden of proof on the vendor to dispute any
findings
• May be the gateway for the use of extrapolation if the
terms are included in the audit clause
32 of 54
Crafting the Audit Clause
Penalties for No Documentation?
33 of 54
Crafting the Audit Clause
Dual Agreements on Third-Party Auditors
Pitfalls of sharing the auditor decision with the
vendor?
• Audit firm vs. recovery firm vs. investigation firm?
• Could end up with an auditor that you have no
experience with
• Your own audit staff could be excluded
• The audit could end up costing significantly more
34 of 54
Crafting the Audit Clause
Agreed to Time and Place
35 of 54
Crafting the Audit Clause
Agreed to Time and Place
Time and place audit clause language can
empower the vendor and put them in control
Gives them the ability to prolong or inhibit the
audit process
May use last-minute delays to derail the audit
staff
May be used to buy time in order to fabricate,
destroy, or conceal supporting documentation
36 of 54
Crafting the Audit Clause
Agreed to Time and Place
37 of 54
Crafting the Audit Clause
Adequate Facilities
Does access to documents and records also mean
access to the bathroom or electricity?
Vendor tactic that may be used to disrupt the audit
process to make the auditors uncomfortable.
Vendor may restrict basic services such as restrooms,
electricity, phone, copier, internet etc.
Signs may be placed prohibiting non-employees past
certain points.
38 of 54
Crafting the Audit Clause
Suitable Workspace
Is having access to the records all the audit
team needs?
Favorite areas to place auditors:
• Break room, closet, storage room, crawl space,
storage shed, office with no furniture, or, literally, no
room at all.
Access does not automatically guarantee a
place to work.
39 of 54
Crafting the Audit Clause
With or Without Assistance?
Will audit staff be capable of navigating all of the
vendor’s records and documentation without asking a
single question?
• Personnel, processes, data, systems, purchasing, invoices,
procedures, equipment, subcontractors, etc.
Don’t assume that the vendor will have staff available to
answer your questions.
It is better to plan ahead and require that a competent,
knowledgeable person is present.
40 of 54
Crafting the Audit Clause
Financial Audit, Compliance Audit, or Both?
Financial
• Invoices
• Receipts and other
supporting documentation
• Timesheets and payroll
records
• Accounts payable and
expenses
• Contracts and bid
documents
• Financial records and
banking information
Compliance • Policies and procedures
• Inspection reports
• Access to and interviews of
employees
• Quality control and testing
reports
• Training records
• Possibly some financial data
• Vendor surveillance
41 of 54
Crafting the Audit Clause
Financial Audit, Compliance Audit, or Both?
42 of 54
Crafting the Audit Clause
Dual Agreement on Audit Methodology
Vendor could limit scope or direct certain tests
away from sensitive or fraudulent areas.
A proven and tested audit methodology should
be used, regardless of whether dual agreement
is required.
43 of 54
Crafting the Audit Clause
Confidentiality and Trade Secrets
In the event of a vendor audit, will confidential or trade
secret information be available to be viewed?
If such material is available, will it be necessary to be
viewed during the audit?
And if so, how do we protect the audit rights and the
confidential information at the same time?
Legitimate vs. illegitimate confidentiality requests
• Both could be used as a delay tactic once the auditors are on
site.
44 of 54
Crafting the Audit Clause
Confidentiality and Trade Secrets
“Any records that support the billings shall be available for
audit and, if necessary, confidentiality agreements will be
signed prior to the audit. Claims of confidentiality or trade
secrets shall not prevent the company from auditing
records and supporting documentation.”
45 of 54
Crafting the Audit Clause
Audit Provisions and Subcontractors
Does the audit clause also include
subcontractors and their documentation?
Situations on why audit rights must pass down
• Vendor could be a markup middle man between the
company and the subcontractor
• Vendor could be a shell company
• Subcontractors could be fake or shells
46 of 54
Crafting the Audit Clause
Audit Provisions and Subcontractors
47 of 54
Crafting the Audit Clause
One-for-One or Extrapolation Cost Recovery
How will audit issues be quantified?
1-for-1
• Vendor reimburses for actual errors identified.
Extrapolation
• Vendor reimburses based on a statistical representation of the
issues identified.
If not ironed out before hand, the amount of audit
recovery could be significantly less than total amount
possible.
Not all samples are created equal.
48 of 54
Crafting the Audit Clause
One-for-One or Extrapolation Cost Recovery
49 of 54
Crafting the Audit Clause
One-for-One or Extrapolation Cost Recovery
50 of 54
Crafting the Audit Clause
Arbitration
The effects of an arbitration clause:
• Attack on audit methodology
• Attack on management authorizations or field requests
• Attack on process issues
• Inexperienced audit staff having to testify
• Costs, delays, and operational impacts
51 of 54
Crafting the Audit Clause
Limited Liability Clauses
The vendor is able to successfully insert language in the
audit clause or contract that reduces the impact of an
audit or any audit issues.
Use of words such as: except, attempt, where or when
possible, may, reasonable, etc.
Examples:
• “Owner shall have the right to audit the books and records of the
vendor, except on fixed-price contracts.”
• “Vendor will attempt to maintain accurate records”
52 of 54
Types of Contracts and Audit Challenges
Lump-sum or fixed-fee contracts
Time-and-materials contracts
Cost-plus contracts
Contracts based on unit rates
53 of 54
The Importance of Routinely Exercising
Vendor Audit Rights
Routine vendor audits can result in significant
reduction in vendor audit costs and overbillings,
and increased compliance by both employees
and vendors
• Audit staff is more adept at conducting the audits and
knowing what to look for.
• Vendors know what to expect from audits, what
documentation to keep, and where their processes
are generating overbillings.
54 of 54
The Importance of Routinely Exercising
Vendor Audit Rights
Strengthened organizational policies and procedures
Contract and audit clause language is improved based
on other vendor audits experiences
“Increase the perception of detection, decrease the
probability of fraud”
Company employees are aware that proactive vendor
audits can uncover areas where they are not performing
their jobs or are engaging in conflicts of interests or
kickbacks
top related