The importance of effective procurement and contract management was emphasised by the COVID-19 pandemic, as procurement teams in particular rushed to bring in products and services that were essential to fight against the virus. In Autumn 2021, the challenges of supply chain management were also brought into the spotlight due to the shortage of HGV drivers, challenges loading and offloading ships and the general issues around moving goods from point A to point B and then on to customers. These challenges have been felt by organisations across all sectors, although naturally some sectors have been more significantly impacted than others.
In the following piece, we take a look at auditing procurement and contract management.
The Chartered Institute of Procurement and Supply (CIPS) says that procurement and supply management “involves buying the goods and services that enable an organisation to operate in a profitable and ethical manner”.
The CIPS Procurement and Supply Cycle sets out the key steps for procuring goods or services. It is a good practice tool that provides guidance to organisations, enabling them to follow an effective procurement cycle process. It is also a useful source of reference for all lines of assurance providers in the procurement space.
The CIPS definition of contract management is “a continuous procurement process that ensures suppliers adhere to their agreed contractual obligations along with negotiating any future changes that need to take place”.
The aim of contract management is to ensure that an organisation receives the goods or services procured, in compliance with the terms and conditions of the contract. Contract management could be formalised through the development of a contract management plan at the start of the contract term. The plan is monitored regularly to ensure compliance with contract terms and conditions, manage risk, and assess vendor performance. Ultimately, the goods or services purchased and the complexity of the contract should determine the type of contract performance measures that should be used.
The CIPS Contract Management Cycle is a good practice model for maximising value and minimising risk across the four phases:
It provides direction and guidance for assurance providers regarding testing best practice.
In 2010, central government moved to a system which buys common goods and services once on behalf of government. To support this, the Crown Commercial Service was established to provide end-to-end purchasing services and departments were to transition spend on common goods and services to these arrangements.
All commercial activity must be compliant with the regulatory framework as set out in the ‘Public Procurement Policy and Legal Framework’. The National Audit Office (NAO) has reported that the annual public expenditure on goods and services routinely exceeds £206 billion per year. As in all things, there are risks and opportunities to deliver value for money for the taxpayer. Public sector organisations are required to follow guidance such as the NAO: Good practice contract management framework and the Government Functional Standard GovS 008: Commercial. These pieces of guidance set the expectations and direct consistency in the planning, management and execution of commercial activities, to ensure value for money is achieved in contracts and in the delivery of good quality public services.
Public sector organisations have to comply with the government’s transparency agenda. It is a requirement to make public sector opportunities available in one place: on Contracts Finder, and contract award information relating to the winning contractor should also be made available on Contracts Finder. This is for procurement opportunities that are subject to the Public Contracts Regulations 2015 and above the threshold of £10,000 for central government bodies or £25,000 for other public sector bodies.
A useful framework for procurement and contract management in the Public Sector is the National Audit Office (NAO) guidance on managing the commercial lifecycle.
From 6 April 2021, all public authorities and medium and large-sized clients outside the public sector are responsible for deciding if the IR35 rules relating to the tax and NI contributions of contractors offering services to them through an intermediary apply. It is important for internal audit to consider what controls an organisation has in place within procurement and contract management to mitigate the risks of fines associated with non-compliance. See our detailed guidance on IR35 for more information.
The Modern Slavery Act 2015 imposes a duty on all commercial organisations with global turnovers of £36 million and above, providing they carry on business in the UK, to publicly report steps they have taken to ensure their operations and supply chains are trafficking and slavery free.
The UK Bribery Act 2010 dictates that an organisation will commit an offence if an ‘associated person’ performing services on its behalf bribes another person in order to obtain or retain either business or a business advantage for the organisation. As this could happen at any stage of the procurement and contract management process, it is vital for organisations to ensure that anti-bribery policies and adequate procedures are embedded into normal, day-to-day business practices. A person and the organisation guilty of an offence relating to failure of commercial organisations to prevent bribery are liable on conviction on indictment to a fine. The Financial Service Authority issued a final notice (October 2021) to Credit Suisse International with a financial penalty of £147,190,200, which is associated with bribery and corruption.
Procurement and contract management cycles are influenced by a variety of associated processes. Assurance that all of these elements are efficient and effective will be of importance to organisations and their internal auditors across all sectors.
This guidance focuses on the importance of following the key activities in the cycles, as these should encourage consistency of approach to procurement and contract management, which should result in better value for money and high-quality services.
The exact role, timing and extent of internal audit's involvement will be determined by the type of procurement or contract, the risk that this presents to the organisation, cost and complexity of the contract and supply chain levels.
Internal audit should provide assurance in respect of:
Internal audit may also provide consulting/advisory services in real time on the design of each stage of the procurement process. It is important for internal audit to be involved early to support the decision making process and to ensure that good practice is followed.
Internal audit assurance or consulting/advisory services can support achievement of value and compliance through improved practice and strategic planning.
In some large organisations, the procurement of goods and services is managed by a centralised commercial function which is responsible for overseeing all stages of procurement until the contract is awarded. Typically, after this stage, contract management is delegated to business areas for the day-to-day management of the contract, but with oversight and professional support from the commercial function. Depending on the scope agreed with management, the audits can be done as a combined assignment or separately.
The first question to ask is whether your organisation has a procurement framework which is in alignment with the commercial strategy and whether it is fit for purpose. Does the procurement framework align with good practice and is it being complied with?
Below is a high-level checklist to use in discussion with procurement and commercial teams.
An overview of some generic risks and controls is provided as a starting point for internal audit engagement planning of contract management and procurement reviews. These do not replace the need for local risk assessment work as risks should be aligned to the specifics of the organisation, sector and geographical location.
| Risk | Potential controls | Potential responses |
|---|---|---|
| Risk 1: A lack of commercial oversight and governance by appropriate board/committee structures results in a procurement strategy without a clear rationale, links to the organisational strategy, and fails to target value for money | Appropriate governance arrangements are in place with clearly defined structures, and roles and responsibilities which have been communicated<br>An approved procurement strategy plan is in place | Confirm the existence of a defined governance structure with a clear hierarchy of boards and committees in place to maintain oversight and approval of procurement strategy<br>Test the application of a defined risk management and escalation route to ensure it is fully understood and effectively deployed<br>Confirm that a documented procurement strategy plan exists<br>Review the plan to assess ownership of the procurement strategy document; clarity of the planned activities and timescales for completion of procurement; resources needed to fully execute the plan successfully and management of key risks |
| Risk 2: Research and information, acquired from customers (internal to the business) and the external environment, are poorly developed and/or utilised leading to business and procurement requirements that are not properly articulated, understood or aligned with the organisation’s strategic objectives | A comprehensive stakeholder engagement plan is in place to identify and manage input from key stakeholders<br>A comprehensive internal and external environmental and strategic assessment has been undertaken, which has followed a recognised approach and links with the procurement strategy<br>Procurement requirements are clearly conveyed and align with business and organisational objectives | Confirm that all key stakeholders are identified, both internally and externally, and that a defined stakeholder engagement plan is in place<br>Establish whether an accepted and approved approach has been taken to completing a strategic assessment of the procurement environment<br>Evaluate how market research has been structured, properly conducted and signed off by someone with appropriate authority<br>Test whether business requirements have been fully defined, articulated and documented |
| Risk 3: Insufficient market engagement and research is undertaken to gain a full understanding of market capacity and capability, appetite, and option feasibility in order to develop a realistic and achievable procurement strategy that meets business/organisational requirements and effectively manages the associated risks | Effective engagement is held with market suppliers to shape procurement requirements and confirm feasibility, market appetite, and identify key risks<br>The market has been adequately analysed and evaluated, including capability and capacity, to gain understanding of risks | Confirm the existence of a supplier engagement plan and its adequacy<br>Assess how supplier capability and capacity has been effectively evaluated to deliver the required procurement outcomes |
| Risk 4: Legislative and regulatory risks have not been identified and/or not effectively managed or complied with | Legislative and regulatory risks are managed/mitigated within the service or activity and monitoring arrangements are in place | Check if legislative and regulatory risks are clear to the market/potential bidders. Are these in line with the organisation’s assessment of the risks?<br>Establish if the terms and conditions of the contract have been set out and if these meet the organisational needs to address<br>Assess the adequacy of the evidence that bidders are required to provide to demonstrate that they have addressed any specification requirements in relation to managing legislative and regulatory risks<br>Are there proposed KRIs in place to monitor legal and regulatory risks against risk appetite?<br>Has the organisation established a clear and explicit process for reporting and responding to suspected incidents of non-compliance with legislation or regulation? |
| Risk 5: The respective roles and responsibilities of the contract manager and supplier are unclear or ill defined, resulting in a failure to effectively manage the contract or hold the supplier to account | Roles and responsibilities of the contract manager and supplier are clearly defined in the contract and/or supporting documentation<br>Roles and responsibilities in the procurement process have been defined, communicated and, where appropriate, included in the contract | Ascertain if clear ownership and accountability of the contract management process exists<br>Establish if there is a procurement process map setting out the key processes including contract management<br>Ascertain whether there is a clear process for handling disputes and complaints<br>Ascertain how disputes lead to lesson learning |
| Risk 6: Fraud, financial loss and reputational damage to the organisation as a result of controls in place for the management of contracts being inadequately aligned to good practice | There are well defined processes and a clear contract management plan in place, with a focus on outputs and a ‘whole life’ approach to performance<br>The contract manager and those with procurement responsibilities have appropriate experience and skills (both specific contract management skills and more general procurement awareness and expertise), with access to relevant training and development<br>Contract management processes, policies and guidance are aligned with the organisation’s objectives and best practice<br>Contractual/supplier risk management is in place with clear responsibilities and processes, including identification of who is best placed to manage risk and supplier involvement, where appropriate | Obtain and review the contract management plans to determine whether they are up-to-date and focused on outputs and a “whole life” approach to performance, ensuring that ownership is clearly articulated<br>Discuss contract manager skills/qualifications and contract management background<br>Determine whether appropriate training has been provided to those with contract management and procurement responsibilities. If so, who attended, when, and what was covered?<br>Review the policy, procedures and guidance documentation relating to contract management and assess their alignment with good practice<br>Review and evaluate the arrangements in place for the identification and management of risk. Is this in line with HM Treasury guidance: The Orange Book?<br>Check if the contract management plan is structured around the risk allocation |
| Risk 7: Ineffective process in place for handling of changes to contracts | Contract is regularly reviewed to ensure it meets<br>Processes are in place that clearly lay out the governance of contractual change including<br>Approved processes for the management of major/minor changes and contract variations, with emphasis on the cost/effort being proportionate to the importance and value of the change | Assess the effectiveness of the change control process. Are the forms completed accurately and duly authorised? |
| Risk 8: Performance management process is ineffective and/or not operating as intended | A performance management framework is in place when the contract is signed<br>Supplier performance is assessed using clear, objective and meaningful metrics<br>Reporting arrangements are in place with supplier self-measurement and reporting where appropriate but with independent checking mechanisms to alert the purchaser to performance issues | Review performance management framework<br>Check the accuracy and adequacy of performance management reports and management trail of actions taken<br>Test a sample of KPIs, if they are in place, for compliance and follow up actions taken where these have not been achieved |
| Risk 9: Payments made to the supplier are not in line with the contract and appropriate incentive mechanisms are not in place and well managed | Payment mechanisms are clearly documented and communicated to all parties<br>Payment processes are well defined with appropriate management checks and authorisation processes for paying invoices<br>Incentive structures (financial or non-financial) relate clearly to required outcomes, and are well managed and governed, with suitable checks and approval mechanisms<br>Service credits (pre-specified financial amounts which the customer becomes entitled to whenever a service level is not achieved) or equivalent mechanisms are well managed and governed, and proportionate to supplier profitability | Test a sample of invoices for compliance with processes. For example, is the appropriate documentation attached to the invoice (eg purchase order, goods received note), and is there evidence of segregation of duties?<br>Confirm through testing if service credits are effectively being applied as per the contract<br>Assess the adequacy of financial and non-financial incentives |
It should be noted that the existence of third-party service suppliers may make internal audit planning and delivery more complex if the ‘right to audit’ is not included in the contract and the supplier is not prepared to provide support and information to progress audit engagements. However, if there are relatively mature performance measures in place it may make data gathering and validation much simpler. Two-way audit arrangements and the requirement for suppliers to cooperate with assurance providers should be built into contracts.
The pace of procurement is rapidly changing, with new technology developments taking place in the way procurement teams interact with stakeholders and deliver results for their organisations.
Data analytics could be considered in audits of procurement and contract management to enable continuous auditing or monitoring, as this could be used to identify outliers/areas where management needs to focus attention/investigate further. Results from use of data analytics should provide the internal auditor with potential areas to focus on during testing.
Some other testing techniques could be performed by the internal auditor using data analytics, for example:
It is important to identify and understand assurance provided by other assurance providers that may be internal (eg 1st or 2nd line assurance providers) or external to the organisation (eg external audit). These could include risk managers, commercial managers, and the Infrastructure Project Authority in the public sector. The coordination of assurance resources can avoid duplication and gaps, with overall benefit for the organisation. In such circumstances, internal audit within the customer organisation may have a role in evaluating the reliability of other assurance providers, and this is something to be discussed and agreed with management.
Each organisation will have its own approach to procurement and contract management: some may choose to have separate teams dealing with each activity or a central commercial function with the responsibility for both. Internal audit needs to ensure appropriate analysis is in place to support an organisation’s procurement strategy and that risks associated with procurement and contract management are identified and addressed, with clear communication and oversight.
Strong procurement and contract management contribute to the achievement of organisational objectives, achievement of value for money and good financial viability. Internal audit will be required to provide ongoing assurance in both areas as new strategies evolve.