Planning and Conducting Vendor Audits - Fraud Conference · Planning and Conducting Vendor Audits Session Goals ... conducting a vendor audit. Provide you with some tools and approaches

Planning and Conducting

Vendor Audits

Ryan C. Hubbs, CFE, CIA, CCSA, PHR Senior Manager – Anti-Fraud & Investigation Services

Matson, Driscoll & Damico LLP

2 of 54

Planning and Conducting Vendor Audits

Session Goals

Familiarize you with audit clause language and

some risks and pitfalls to consider before

conducting a vendor audit.

Provide you with some tools and approaches to

select vendors for audit.

Highlight areas and schemes where vendors

could overbill and defraud.

Ultimately, strengthen your skills in planning

and conducting vendor audits.

3 of 54

Contract Terms and

Conditions:

The Foundation for Good

Vendor Audits

4 of 54

Goals of a Vendor Audit or Investigation

1. Ensure compliance with policies, procedures,

rules, regulations, and legal requirements.

2. Identify conflicts of interests or other fraudulent

activities or investigate allegations of

wrongdoing.

3. Determine if billings are accurate and in

compliance with contract terms.

4. Ensure that the goods and services that were

purchased were actually received.

5 of 54

Why Audit Vendors and Suppliers?

Significance of vendor-related fraud and

corruption.

6 of 54


7 of 54


Significance of vendor-related fraud and

corruption

Over-reliance on the contract

High costs of after-the-fact audits,

investigations, and legal involvement

• Recovery constraints

• Operational costs

• Audit and investigation costs

• Legal costs

8 of 54

The Importance of Effective

Contract Language

Can contract language and expectations

actually facilitate overbilling?

• Per diem

• Travel time

• Meals and break time

9 of 54

Are Vendor Audits Even Viable?

Are the signed and executed contracts

available?

Are there any change orders or verbal

addendums? If so, what do they say?

Does management have its supporting

documentation?

Does an adequate audit clause exist?

10 of 54

Crafting the Audit Clause

Boilerplate or Dynamic Audit Clause Language

Contract #1

• $15,000 contract

• Parking lot overlay

• Time and materials

Contract #2

• $10,000,000 contract

• Hardened concrete

and steal disaster

recovery facility

• Lump sum

11 of 54


Contract Variables and Considerations

Contract type

Contract amount

Geographical variables

Environmental variables

Time constraints or pressures

Reliance on quality of materials being supplied

Percentage or number of subcontractors

Regulatory oversight or implications

12 of 54


Audit Term Definitions

Are audit, inspect, examine, review, and

analyze the same thing?

• Audit: a formal examination of an organization's or

individual's accounts or financial situation

• Inspect: to view closely in critical appraisal; look over

• Examine: to inspect closely

• Review: a general survey (as of the events of a period)

• Analyze: to study or determine the nature and

relationship of the parts of by analysis

13 of 54


Audit Term Definitions

14 of 54


Audit Period

• Does the audit clause stipulate an audit period

that corresponds to the risk, cost, and length of

the contract services?

• Would there be any need to audit over a greater

time period?

• Example: Audit period is shorter than the primary

service period

• 1–3yr audit period on a 5–7yr construction engagement

15 of 54


Audit Notification

Planned vs. surprise?

16 of 54


Planned Audits

Pros

• Allows for audit ramp up,

data gathering

• Allows for travel and

coordination

• Keeps up good relations

with vendor

• Allows for additional

coordination and feedback

from internal resources

Cons • Tips off internal and external

parties that a vendor audit is

forthcoming

• Might give involved parties

enough time to fabricate,

destroy, alter, or conceal

fraud

• Might also give involved

parties enough time to

coordinate responses to

audit questions

17 of 54


Surprise Audits

Pros • Documentation exists in its

normal state

• Little time to coordinate

responses

• Increases the probability of

uncovering fraud

• Audits can be

spontaneous and flexible

based on need or concern

Cons • Documentation might not be

available for review

• On-site assistance might not

be available

• Office might be closed or

unavailable

• Vendor might dislike the

unplanned disruption to their

operations

18 of 54


Planned vs. Surprise

19 of 54


Invoice/Payment Review vs. Audit

Who executes the audit rights?

“Management has the right to review and audit

all billings to the contract terms.”

• In one example, front line management called their

monthly review of invoices “the monthly invoice

audit.” When the official audit was launched, the

vendor stated that the audit rights had already been

executed, and thus the vendor could not be subjected

to a secondary audit.

20 of 54


Format of Records

21 of 54


Format of Records

Is supporting documentation kept in paper or plastic

(electronic) format? What is the expectation?

• What is electronic format?

If in paper format, is there an expectation of

organization and proper file management?

Is the electronic data accessible?

• Outdated databases or 10,000 poorly scanned PDFs vs. Excel

or .CSV formats

Electronic data may be maintained, but the vendor may

charge for exporting or specialized queries.

22 of 54


Format of Records

23 of 54


Format of Records

What is a book?

• A volume in which financial or business transactions

are recorded?

What is a record?

• An account in permanent form, esp. in writing,

preserving knowledge or information about facts or

events?

Is a general term better than a list of examples?

24 of 54


Format of Records

25 of 54


Format of Records

26 of 54


Records Hold Period

No defined records hold period

• Vendor only has to make records available for audit.

Who is to say that they will be there when the audit

team gets there?

• Vendor’s records management program implications

Unlimited records hold

• Expectation that vendor keeps everything could be

viewed as overly burdensome. In fact, the vendor

may keep very little, but the organization is

completely unaware.

27 of 54


Records Hold Period

Legal statutes and implications

• The nature of the good, service, funding, or public

use of the item could bring the organization and its

vendors under the purview of various local, state,

federal, or international regulations.

28 of 54


29 of 54


Ability to Make Copies

Does the right to review or audit also mean I

can make a copy?

Vendor might not let the audit team have

access to or use the copier.

• Copier might also be conveniently under repair while

the auditors are on-site.

In some instances, the vendor might go so far

as to state in the contract that nothing can leave

the site.

30 of 54


Ability to Make Copies

31 of 54


Penalties for No Documentation?

What happens if a vendor didn’t keep its

records, either intentionally or accidentally?

Penalties for failing to maintain documents?

• Current payments could be held until the documents

are made available

• Forces vendor to maintain or face a financial penalty

• Puts the burden of proof on the vendor to dispute any

findings

• May be the gateway for the use of extrapolation if the

terms are included in the audit clause

32 of 54


Penalties for No Documentation?

33 of 54


Dual Agreements on Third-Party Auditors

Pitfalls of sharing the auditor decision with the

vendor?

• Audit firm vs. recovery firm vs. investigation firm?

• Could end up with an auditor that you have no

experience with

• Your own audit staff could be excluded

• The audit could end up costing significantly more

34 of 54


Agreed to Time and Place

35 of 54



Time and place audit clause language can

empower the vendor and put them in control

Gives them the ability to prolong or inhibit the

audit process

May use last-minute delays to derail the audit

staff

May be used to buy time in order to fabricate,

destroy, or conceal supporting documentation

36 of 54



37 of 54


Adequate Facilities

Does access to documents and records also mean

access to the bathroom or electricity?

Vendor tactic that may be used to disrupt the audit

process to make the auditors uncomfortable.

Vendor may restrict basic services such as restrooms,

electricity, phone, copier, internet etc.

Signs may be placed prohibiting non-employees past

certain points.

38 of 54


Suitable Workspace

Is having access to the records all the audit

team needs?

Favorite areas to place auditors:

• Break room, closet, storage room, crawl space,

storage shed, office with no furniture, or, literally, no

room at all.

Access does not automatically guarantee a

place to work.

39 of 54


With or Without Assistance?

Will audit staff be capable of navigating all of the

vendor’s records and documentation without asking a

single question?

• Personnel, processes, data, systems, purchasing, invoices,

procedures, equipment, subcontractors, etc.

Don’t assume that the vendor will have staff available to

answer your questions.

It is better to plan ahead and require that a competent,

knowledgeable person is present.

40 of 54


Financial Audit, Compliance Audit, or Both?

Financial

• Invoices

• Receipts and other

supporting documentation

• Timesheets and payroll

records

• Accounts payable and

expenses

• Contracts and bid

documents

• Financial records and

banking information

Compliance • Policies and procedures

• Inspection reports

• Access to and interviews of

employees

• Quality control and testing

reports

• Training records

• Possibly some financial data

• Vendor surveillance

41 of 54


Financial Audit, Compliance Audit, or Both?

42 of 54


Dual Agreement on Audit Methodology

Vendor could limit scope or direct certain tests

away from sensitive or fraudulent areas.

A proven and tested audit methodology should

be used, regardless of whether dual agreement

is required.

43 of 54


Confidentiality and Trade Secrets

In the event of a vendor audit, will confidential or trade

secret information be available to be viewed?

If such material is available, will it be necessary to be

viewed during the audit?

And if so, how do we protect the audit rights and the

confidential information at the same time?

Legitimate vs. illegitimate confidentiality requests

• Both could be used as a delay tactic once the auditors are on

site.

44 of 54


Confidentiality and Trade Secrets

“Any records that support the billings shall be available for

audit and, if necessary, confidentiality agreements will be

signed prior to the audit. Claims of confidentiality or trade

secrets shall not prevent the company from auditing

records and supporting documentation.”

45 of 54


Audit Provisions and Subcontractors

Does the audit clause also include

subcontractors and their documentation?

Situations on why audit rights must pass down

• Vendor could be a markup middle man between the

company and the subcontractor

• Vendor could be a shell company

• Subcontractors could be fake or shells

46 of 54


Audit Provisions and Subcontractors

47 of 54


One-for-One or Extrapolation Cost Recovery

How will audit issues be quantified?

1-for-1

• Vendor reimburses for actual errors identified.

Extrapolation

• Vendor reimburses based on a statistical representation of the

issues identified.

If not ironed out before hand, the amount of audit

recovery could be significantly less than total amount

possible.

Not all samples are created equal.

48 of 54



49 of 54



50 of 54


Arbitration

The effects of an arbitration clause:

• Attack on audit methodology

• Attack on management authorizations or field requests

• Attack on process issues

• Inexperienced audit staff having to testify

• Costs, delays, and operational impacts

51 of 54


Limited Liability Clauses

The vendor is able to successfully insert language in the

audit clause or contract that reduces the impact of an

audit or any audit issues.

Use of words such as: except, attempt, where or when

possible, may, reasonable, etc.

Examples:

• “Owner shall have the right to audit the books and records of the

vendor, except on fixed-price contracts.”

• “Vendor will attempt to maintain accurate records”

52 of 54

Types of Contracts and Audit Challenges

Lump-sum or fixed-fee contracts

Time-and-materials contracts

Cost-plus contracts

Contracts based on unit rates

53 of 54

The Importance of Routinely Exercising

Vendor Audit Rights

Routine vendor audits can result in significant

reduction in vendor audit costs and overbillings,

and increased compliance by both employees

and vendors

• Audit staff is more adept at conducting the audits and

knowing what to look for.

• Vendors know what to expect from audits, what

documentation to keep, and where their processes

are generating overbillings.

54 of 54

The Importance of Routinely Exercising

Vendor Audit Rights

Strengthened organizational policies and procedures

Contract and audit clause language is improved based

on other vendor audits experiences

“Increase the perception of detection, decrease the

probability of fraud”

Company employees are aware that proactive vendor

audits can uncover areas where they are not performing

their jobs or are engaging in conflicts of interests or

kickbacks

Documents

Planning and Conducting Vendor Audits - Fraud Conference · Planning and Conducting Vendor Audits Session Goals ... conducting a vendor audit. Provide you with some tools and approaches