Internal Audit Services Standard Audit Program Purchase to Pay (P2P)

I. Introduction

The following audit program should be followed while carrying out the audit of procurement to pay (P2P), for any client. These steps
are not exhaustive and are by no means intended to limit any other steps that may be required on an assessment of the overall
control environment as well as tests of design & operating effectiveness specific to the particular industry/ company. Hence,
professional judgment and discussion with the Engagement Manager would be required to suitably modify or add audit steps as
demanded by the engagement.

II. Key Fraud Risks

1. Unauthorized commitment of funds to purchase goods and services

2. Unauthorized purchase transactions are processed which may allow spending limits to be exceeded.
3. Unauthorized or fictitious receipt of goods/services may be posted and paid
4. Unauthorized payments are made and established authorization and approval limits are not adhered to
5. Payments made to suppliers without adjusting outstanding advances.
6. Selection of incompetent vendor or favouritism to particular vendor. Paying substantially higher product or service prices than fair
market value
7. Related party transaction not carried out at arms length. Goods purchased or sent to related party at less than cost. Failure to
disclose transactions entered into with related parties.
8. Inappropriate adjustment on outstanding debits in one vendor account with credits in another vendor account.
9. Contract obligation not being met by the vendor, such as volume discounts at year end, price credits due to fall in input prices etc.

III. Detailed Audit Steps

Area Sub – Areas Detailed Audit Steps

1. Verify the existence of following documents:

Schedule of Schedule of authority (SoA) or Delegation of Authority (DoA) for Procurement. Gain
an understanding of the authorization matrix of the organization for Procurement

Standard Operating Procedures for Procurement to Pay Process
Control
Environment 2. Review the Organisation Structure of the Project’s Team. If there are any conflicting roles or reporting
relationships, then understand the risks and impact on audit procedures. Discuss with the
management to understand the rationale of such conflicts and any mitigating/ monitoring controls.

3. Ask whether any work has been done on ITGC controls. Obtain the documentation of the same.

PricewaterhouseCoopers Page 1 of 12
Internal Audit Services Standard Audit Program Purchase to Pay (P2P)

Area Sub – Areas Detailed Audit Steps

Take cognizance of the above and modify the audit procedures accordingly.

Opening Meeting/ 4. Obtain a certified copy of the Trial Balance for the period under audit. Alternatively, extract the Trial
Pre Audit Balance from the system, personally.
Groundwork/ 5. Obtain a certified copy of the Creditors Trial Balance or Creditor’s Ledger Balance or Creditor’s
Planning Schedule for the period under audit. Alternatively, extract the Creditors Trial Balance or Creditor’s
Ledger Balance or Creditor’s Schedule from the system, personally.
6. Obtain a certified copy of the Details of Provisions as on the audit cut off date.
7. Trace the totals of the Creditors Trial Balance and Details of provisions into the Trial Balance.
8. Obtain a certified copy of the MIS Reports for the period under audit. Ensure that the figures reported
therein to management, agree with the books of account. Inquire into any ‘adjustments’ and review
reasonableness of the same.
9. In case of differences between the balances reported in the MIS and the balances as per the books,
ascertain whether these offline adjustments should have been effected in the books.
10. Obtain:
 Key Result Areas/ Objectives of the Procurement Function as well as of the Unit/ Category under
audit.
 An organogram of the Procurement Function
Planning  Delegation of Authority
 All policies, standard operating procedures, office orders, etc. which relate to the Procurement
Function.
 Obtain all key contracts/POs. In addition, specific contracts/POs may be obtained on a need
basis.

11. Review the above documents from the point of view of:
 Segregation of duties
 Coverage
 Design of controls – Ensure that the COSO Components of Control Activities, Information &
Communication and Monitoring are adequately covered.
 Contracts should be reviewed in terms of standard terms & conditions, detrimental terms, validity,
authorization as per DoA, completeness of contract, etc.

12. Check the coverage / adequacy of the documented policy / manual / standard operating procedures in
respect of the above-mentioned areas.
13. Inquire as to when these policies were last updated / reviewed and when the next review date is.
14. For each audit procedure performed, ensure compliance of the SOP and report deviations.
15. Through a reading of various documents obtained as well as discussions with the Head of

PricewaterhouseCoopers Page 2 of 12
Internal Audit Services Standard Audit Program Purchase to Pay (P2P)

Area Sub – Areas Detailed Audit Steps

Procurement, understand and document (i.e. summarize) the:
 Procurement policy (e.g. Buy only from Original Equipment Manufacturers, etc.) for procurement
of Raw materials, Packing Materials, Consumables, Maintenance &and Engineering Items,
Services, Raw Materials, etc.
 Extent of centralization/ decentralization for each category of purchases.
16. If the Company does not have formally documented policies/ guidelines or standard operating
procedures, review available financial/ non-financial purchase information and conduct interviews with
operating management to identify the significant processes in the Procurement Function.
Also ascertain the extent of automation in the Procurement Function.
Basis the Key Result Areas/ Objectives, document the significant risks and mitigating controls. These
should be tested in the Work Program, unless some are clearly out of scope.
17. Through discussions with CFO and Procurement Head, identify if any of the purchase contracts have
embedded derivatives under AS 30 of ICAI. If yes, consult SME’s within PwC.
18. Read the internal audit report of the previous internal audit as well as any comments made by
External Auditors, and identify any unresolved issues for follow-up with Management. Review the
status of such matters with Management and document the results of the same.
 Determine whether there is a high level dependency on any particular country for procurement.
Discuss the same with management to understand their risk mitigation plans in place.
 Determine whether there is a significant proportion of procurement in any specific currency.
Discuss the same with management to understand their risk mitigation plans in place.
19. Through discussions with management, understand whether management raises Open (Standing)
Purchase Orders, i.e. agrees rates and commercial terms with vendors, with quantities to be
communicated periodically via Delivery Schedules, or whether management follows the concept of
Specific Purchase Orders.

Analytical 1. Segregate various categories of Procurement, as well as Provisions and then perform a Variation
Procedures Analysis on such segmented data, w.r.t. the prior period. Depending upon the nature of the business,
the prior period can be the preceding period, or the same period last year. Co-relate the financial
information to quantitative, non-financial information such as production, inventory, etc. The objective
of such analyses is to gain an overall understanding on and comfort on the financial information.

Vendor Master 1. Ascertain whether a vendor database/ master exists in the IT System, containing details of vendors as
Procurement Data & Its well as the specific goods/ services to be sourced from each of the vendors.
to Pay Management 2. Review the fields to ensure their completeness. For example, details such as TIN No., PAN No., etc.
should be captured.
3. Check that only the specified goods/ services can be sourced from individual vendors.
4. Check that the access to the vendor master is appropriately restricted.

PricewaterhouseCoopers Page 3 of 12
Internal Audit Services Standard Audit Program Purchase to Pay (P2P)

Area Sub – Areas Detailed Audit Steps

5. Determine if audit trails are enabled, on at least the key fields (e.g. Name, Address, Bank Account,
etc.).
6. Check if there is a process of regularly monitoring the log of changes to the vendor master. For this
purpose, basis the periodicity of review, select a sample and check:
 Evidence of review
 Resultant action plans
 Close looping/ monitoring thereof
7. Select a sample of amendments (i.e. additions, deletions & modifications) to the vendor master.
Review the process of initiating and effecting changes, covering:
 Initiation of change w.r.t. reasons
 Approvals for the change
 Effecting the change in the master database
 Review and approval of the changes actually made
8. Ensure that in case of ‘deletions’, the vendors are actually blocked and not really deleted as deletion
will result in loss of the trail of prior transactions with that vendor.
9. Check that the management has periodic process of reviewing the vendor masters to identify:
 Any inactive vendors in the masters/ database. Periodicity should be defined in the Company’s
policy for a vendor to be treated as inactive.
 Any multiple/ duplicate vendor codes in the database.
 Other changes to master were authorized.

Vendor 1. Select a sample of vendors added during the audit period, or in the recent past. Separate samples
Management should be selected for each category of vendors/ purchases where the underlying processes are
different – Example in case of Goods and Services.
2. For the sample selected, understand the reasons for adding new vendors.
3. Check system/ manual controls which ensure that a previously blacklisted vendor cannot participate
in/ be considered for (re)appointment.
4. For the sample selected, study the vendor files to understand the process of negotiation and award of
contracts:
 Check that tenders were invited, evaluated and that the most favorable tender (which may not
necessarily be the lowest), was accepted. Review the Comparative Quote Analysis prepared by
management for evaluation purposes. In cases where vendors quoting higher rates over others
were selected, inquire into the reasons for the same. Also review the documented reasons
therefor.
 In case the tendering/ negotiation process was a ‘e-procurement’ or ‘Reverse Auction’,
understand and review the process controls, including controls to ensure that confidential
information was not shared with/ available to individual bidders.
 In case of Reverse Auction, check the basis on which access was given to the participating

PricewaterhouseCoopers Page 4 of 12
Internal Audit Services Standard Audit Program Purchase to Pay (P2P)

Area Sub – Areas Detailed Audit Steps

vendors. Also ascertain how the start bid price and bid decrement price were determined, as well
as the basis for the same.
– Ensure adequate segregation of duties/ cross-functional involvement in the vendor
appointment process. Generally, Accounts & Finance Function should also be involved in the
process.
– Ensure formal sign offs on the final negotiations, as per Delegation of Authority.
5. In case any Earnest Money Deposits were taken from tenderers, check the accounting therefore. Also
ensure that the same was duly returned, as per original terms & conditions.
6. Review the agreements with these vendors. Ensure that what was negotiated is correctly reflected in
the contract.
7. Ensure that formal written contracts exist, covering at least the following aspects
 Price and its inclusions/ exclusions in terms of taxes, freight, insurance, etc.
 Terms and Conditions of Supply
 Payment Terms
 Warranty as to quality
 Manner of sampling and testing each shipment and the sample size
 Passing of title (e.g. Ex-works, CIF, FOB, etc.)
 Tolerance limits regarding quality
 Tolerance limits regarding quantity (i.e. Lot Size)
 Responsibility for late delivery
 Mode of payment
 Mode of settlement of disputes
 Jurisdiction of courts
 Non competition clause

Alternate Vendors 1. Obtain a list of all cases where a single item is being supplied by more than one vendor.
and Share of 2. Inquire into the management policy regarding sourcing from vendors; i.e. consolidation of vendors or
Business Allocation developing alternate vendors for the same item.
3. Where the management is following a policy of ensuring alternate vendors for the same items,
understand the manner in which the total requirement is allocated between two or more vendors. Also
ascertain if alternate vendors have been identified for all items.
4. Select a sample of items which are supplied by more than one vendor and review the share of
business allocation.
Ideally this allocation should be done on the basis of a number of factors such as:
 Adherence to delivery schedules in the past
 Quality of supplies
 Rejection percentage
 Strategic importance of the vendor

PricewaterhouseCoopers Page 5 of 12
Internal Audit Services Standard Audit Program Purchase to Pay (P2P)

Area Sub – Areas Detailed Audit Steps

Ensure that the share of business allocation is done in an objective manner and is formally
documented. Discuss the same with the management.
5. Ensure that the share of business allocated among vendors is formally approved by the management
and that the Procurement Plan is drawn up on the basis of the same.
6. If such a Procurement Plan is being prepared, ensure that the actual pattern of purchases is
monitored against this plan and that deviations are investigated and explained.
For the above mentioned sample of items, review purchases from these vendors to verify that the
procurement plan or the share of business allocation is in fact adhered to.
Inquire into cases where the share of business allocation is not being followed.
7. For the above sample, ensure that the share of business allocated to various vendors is cost
beneficial. Efforts should be made to source the largest quantity from the vendor who offers the lowest
rate.
 Check whether any procurement is being done from a single source. If yes, adequate reasons
should exist for the same.
 Verify risk mitigation in case of single source

Vendor Evaluation 1. Inquire from the operating managers if there is any system of vendor evaluation and vendor
and Development development. Ascertain the periodicity of the same and review the efforts made on this front during
the last year.
2. Select a sample of vendors across categories and check the latest available evaluation reports.
Review the:
 Quality of the reports
 Formal approval of the same by the management; and
 Follow up action (if any), initiated as a result thereof
3. Inquire if as a result of the vendor evaluation, vendors whose performance is not satisfactory are
dropped/ blacklisted and new vendors inducted.
4. Verify the action taken on vendor who have being rated adversely.

Procurement 1. Understand the process of procurement planning. The planning process could either be based upon
Planning/ Net demand/ sales forecasts, upon production capacity or upon availability of a critical input which is in
Requirement limited supply. Focus specifically upon:
Planning  Inter-functional linkages
 Agreed timelines for information flows
2. Select a sample and review the procurement planning carried out by management, w.r.t.:
 Underlying assumptions
 Consistency with prior periods
 Accuracy of source data, e.g. for opening inventory, open Purchase requisitions, etc.
 Adherence to timelines

PricewaterhouseCoopers Page 6 of 12
Internal Audit Services Standard Audit Program Purchase to Pay (P2P)

Area Sub – Areas Detailed Audit Steps

3. For the sample, compare the actual procurement with the plan and inquire into reasons for variations.
Evaluate whether these could have been factored in at the planning stage itself.
4. Where the client has SAP or any other application which helps in Material Requisition Planning (MRP)
run, then enquire into this process and also ascertain whether manual overrides can be done in the
MRP. If yes, how is the overall control exercised to ensure the right goods of right quantity at right
time is procured.

Purchase requisition 1. From the Trial balance, identify the value of purchases for each category of materials (e.g. Raw
/ Indenting Materials, Packing Materials, Consumables, etc.) and services. For each category of purchases,
select a sample of Purchase Requisitions (PR’s) for review.
2. Determine if the workflow is through the IT system or outside. Inquire into the reasons for manual
workflows.
3. For the sample selected, check:
 Quantity available as on date of the PR
 Planned production/ consumption
 Net requirement of the materials
 Approval for the PR
4. Check that PR’s are approved with in the defined standard lead time for PR approval.
5. Check that mandatory information/ fields have been defined by management, which the User
Department has to complete, enable the Procurement Department to process the transaction.
6. For one-time purchases, check if there is a process of capturing ‘Estimated Cost’ as a mandatory field
at the time of approval of PR by the user department.
7. Review the status of open PR’s and ageing thereof. Ascertain the root cause of old PR’s. Also check
whether these are factored into the process of procurement planning.
8. Check whether management reviews open PR’s on periodic basis? Select a sample and check
evidence of managements review, as well as resultant actions.
9. Check actual receipts against the sample of PR’s to ascertain if the actual procurement was in
accordance with PR’s. Ascertain reasons for variations. Keep in mind that minor variations (e.g. + 2%-
3%) could occur due to packing/ lot sizes).
10. Identify and test controls in place which prevent amendment/ modification to approved PR’s.

Purchase Orders 1. For the sample of PR’s selected earlier, ensure that formal Purchase Orders (PO’s) were raised, and
on approved vendors.
2. Determine if a PR’s is converted into a PO upon approval, by the IT system or whether there is a
manual intervention into the raising of PO’s.
3. Check that the PR was correctly converted into a PO, w.r.t.:
 Item

PricewaterhouseCoopers Page 7 of 12
Internal Audit Services Standard Audit Program Purchase to Pay (P2P)

Area Sub – Areas Detailed Audit Steps

 Quantity
 Delivery schedule/ Due date
 Approved vendor (and basis planned Share of Business Allocation)
 Vendor agreement/ contract reference
 Timeliness
4. If advances were released to vendors, check that these are as per the contract. Also, ensure correct
accounting for the same.
5. If as a result of releasing the PO, the purchase budget is exceeded, check the controls in place prior
to release of such a PO.
6. Check whether PO’s carry the standard terms & and conditions (vetted by the Legal Department), and
include a liquidated damages/ penalty clause. Also ensure that these are not contradictory to the
agreement with the vendor.
7. For the sample, check whether all the PO’s were duly approved as per Delegation of Authority.
8. Ensure that PO’s were duly communicated to vendors, and within defined timelines. Inquire into
delays or time lags in communication. Some companies have introduced a good practice of obtaining
PO acceptance from the vendors,
9. Ascertain if there is a process of tracking PO’s raised, basis due dates. Select a sample and check if
management regularly reviews a report of Overdue PO’s or Open PO’s. Also see if management’s
reviews result in remedial actions thereon.
10. Obtain a listing of PO’s where either the Due Date has expired or the quantity has been exhausted.
Inquire as to why such PO’s are still live and have not been closed.
11. Select a sample of PO’s and do a reverse check to ensure that all PO’s issued are backed by a valid
PR. Check the (manual or automated) control which prevents the creation of a PO without a PR.
12. Alternatively, if the IT system permits, obtain an exception report of all PO’s not backed by/ linked to a
PR. Do a root cause analysis on the same.
13. If the IT system permits, obtain an exception report of all PR’s not converted into PO’s within a
defined timeline. Do a root cause analysis on the same. Conduct a follow-through check to see if the
receipt was actually delayed as a result of this. If so, trace the impact of the same in terms of
emergency procurement, stock transfers or production delays.
14. Check the process followed for amendments to existing PO’s. For this purpose, select a sample of
amendments and ensure that:
 The revised PO is approved as per Delegation of Authority. In no circumstances should the
amendment be approved by a person junior to that who approved the original PO.
 In case PO is amended due to price change and the revised price is above the L1 quote, were
specific reasons for the same documented and whether these appear reasonable.
15. Review the Item master and their sources of supply. Inquire specifically into items procured from a
single source. See if the Delegation of authority provides any special approval for such procurement.
However, keep in mind that there could be (proprietary) items which have only a sole source.

PricewaterhouseCoopers Page 8 of 12
Internal Audit Services Standard Audit Program Purchase to Pay (P2P)

Area Sub – Areas Detailed Audit Steps

16. Check if the company has defined a process for emergency procurement. Review the same from a
controls perspective, w.r.t.:
 Specific, i.e. higher approvals
 Periodic monitoring by management – By Material, By Location and By Manager
 Underlying root causes
17. Ensure adequate segregation of duties between person approving PR and raising the PO.
18. Select a sample and check that PO’s cannot be raised on blacklisted/ blocked vendors.
19. Check whether there are instances of confirmatory POs i.e. POs raised after receipt of materials –
check for the trend (same vendor, buyer etc).

Receipt of goods 1. Check whether a Goods Receipt Note (GRN) or equivalent is prepared for every receipt of goods, and
and services a Service Receipt Note (SRN) or equivalent is prepared for every receipt of the service and is tracked
against the PO/ Contract.
2. For the sample of PR’s selected initially, trace receipt of goods w.r.t. GRN or SRN and verify:
 Gate entry date
 Vendor
 Item(s)
 Quantity
 Timeliness of receipt
 Quality Approval
Inquire into variations/ inconsistencies and do a root cause analysis.
3. Physically visit the Receiving Area/ Store to inspect its layout. Ensure that goods pending inspection
are adequately segregated.
4. During the physical visit, also determine how the quantity received is verified, i.e. by estimation/
judgment, by actual weighing, etc. Also check of any conversion is being done (e.g. From Liters to
Kilograms, etc.).
5. Check whether the IT system or the manual process, as applicable, allows a GRN / SRN to be
prepared without a PO/ Contract.
6. Check the tolerance levels set in the IT system, or allowed manually, to control the quantities
received. Select a sample of receipts in excess of these limits and check the specific approvals as
well as the reasons for acceptance of such excessive quantities.
Many companies allow acceptance of excessive quantities, but pay for these only subsequently, when
these are actually required.
7. Obtain and review a listing of PO’s and quantities received against the same. Check if exhausted
PO’s are automatically closed/ blocked so that further supplies are not accepted. Inquire into and
determine the root cause of exceptions.
8. Understand the processes followed in case of Quality Rejections. Select a sample of rejections and
check w.r.t.:

PricewaterhouseCoopers Page 9 of 12
Internal Audit Services Standard Audit Program Purchase to Pay (P2P)

Area Sub – Areas Detailed Audit Steps

 Rejection Report
 Approvals
 Physical segregation of the goods
 Contracted terms (for dealing with such consignments), including defacing/ mutilating of such
goods
 Intimation to vendor
 Inputs to vendor rating mechanism
9. Check controls in place which prevent a GRN/ SRN from being prepared even after the expiry of PO/
Contract.
10. From the Production/ Operations Team, obtain a report of production delays or stoppages alongwith
reasons. In case a ‘stock out’ has occurred, understand:
 The frequency of such occurrences
 Any trends, i.e specific items, line, etc.
 The root cause.

Bill Passing 1. Understand the process of receipt and review of vendor bills. Review the aspect of segregation of
duties.
As a general rule, the department/ function who negotiated the contract and appointed the vendor or
the department/ function who raised the order should not be involved in approval of bills.
2. For the sample of PR’s selected initially, trace vendor invoices and verify w.r.t.:
 Originality of invoice
 PO/ Contract
 Approved GRN/ SRM
 Freight and Insurance
 Taxes and Duties
 Adjustment of Advance, if any
 Deduction of Tax at Source (if applicable – E.g. Services)
 Approval by the Accounts Function
 Defacing of Supportings
 Booking of ‘Liability for Purchases’
Inquire into variations/ inconsistencies and do a root cause analysis.
3. For the above sample, check payment authorization. Ensure that:
 Payment is made on the ‘due date’
 Maker-checker controls are in place.
4. For EFT payments, check that the file forwarded to the bank is encrypted and/or password protected,
which should not be known beyond the dealing executive.
5. For the above sample, trace the entry into the books of account.
6. Review the Bank Reconciliation Statements for the accounts used for vendor payments and see if

PricewaterhouseCoopers Page 10 of 12
Internal Audit Services Standard Audit Program Purchase to Pay (P2P)

Area Sub – Areas Detailed Audit Steps

vendor’s cheques are appearing as a reconciling items under ‘Cheques Issued But Not Presented’.
Specifically investigate such items.
7. In case of system based payment processing, determine whether rates (including freight, taxes, etc.)
are picked up from the PO at the time of booking of bill. In case of any deviations/ interventions, check
the procedure followed.
8. Select a sample of Debit Notes raised on vendors. Check:
 Underlying reasons (w.r.t. PO/ Contract)
 Accounting
9. Check to ensure that access rights to create PR, PO, GRN and Bill Payment should be restricted with
appropriate segregation of duties.
10. Review the ageing of entries in the GR/IR, Clearing Accounts. Inquire the reasons for long pending
entries.
11. Inquire the process of making deductions or raising debit notes for quality and line rejections. Check
deduction/ debit notes for quality and line rejections.

Book Closure 1. Ascertain the process of balance confirmation and account reconciliation followed, if any. Review the
same from an internal control as well as effectiveness perspective. Also ensure that no person from
Procurement Function is directly involved in the process.
2. Obtain client prepared schedule of ‘Summary of Sundry Creditors’ and select a sample of creditors
covering at least 75% of the aggregate value and check:
 Balances w.r.t. books of account
 Reasonableness of balances
 Ageing
 Subsequent payments
3. Review the Accounts Payable Trial Balance to ensure that all debit balances therein have been
reviewed for their validity and reasonableness by the Accounts/ Finance Head. On a sample basis,
Finance & testing should be done to ensure that balance does not represent a pending balance to be knocked
Accounts off against a contra transaction/ balance.
4. Obtain and review a listing of Aging of Accounts Payable. Ensure:
 It tallies with the books of account
 Inquire into old payables
5. Obtain a list of Vendor Advances and review the ageing thereof. Inquire into old advances. Ascertain
if any need to be provided for.
6. From the list of Vendor Advances, trace significant items into the books. Also, ensure that no inactive
or blacklisted vendors are appearing in the list.

Liability for 1. Obtain client prepared schedules showing details of ‘Liability for Purchases’ and select a sample
Expenses covering at least 75% by value of the aggregate liability. Check:

PricewaterhouseCoopers Page 11 of 12
Internal Audit Services Standard Audit Program Purchase to Pay (P2P)

Area Sub – Areas Detailed Audit Steps

 The process of estimation of the liability
 Reasonableness of the estimates, w.r.t. underlying bills, invoices, receiving reports, orders,
contracts, payment vouchers and other related supporting.
 Scrutinize subsequent payments, to ascertain reasonableness of the provision as well as to
ascertain omission of any significant liability.

Notes:

1. The intent of the audit program is to select an initial, well defined, sample of purchase requisitions and then trace these through,
right up to payments. This is important. In addition, the auditor is free to pick up additional samples and do various kinds of
truncated walkthroughs and/ or analysis.
2. While conducting any analysis, the preferred option is to analyze 100% of the target population.
3. Wherever a sample needs to be selected, it should be based upon the Sampling Guidance Note.

PricewaterhouseCoopers Page 12 of 12