This guidance is in two parts. The first part provides information relevant to internal auditors about the Prompt Payment Code; the second part then considers the role of internal audit and auditing compliance with the Code.
The Prompt Payment Code (PPC) was established in late 2008 as a voluntary code of practice for businesses. The scheme is managed under the supervision of the Office of the Small Business Commissioner (SBC) on behalf of the Department for Business, Energy and Industrial Strategy (BEIS). The UK Prompt Payment Policy was issued in 2015 and then updated in 2018.
The PPC sets standards for signatories to ensure good payment practices, including provision of clear guidance to suppliers and, most significantly, paying suppliers on time.
Signatories to the PPC must:
1) Pay suppliers on time
2) Give clear guidance to suppliers
3) Adopt and encourage good practice
4) Avoid any practices that adversely affect the supply chain
The PPC commitment to fair treatment of suppliers, as a key stakeholder, links to the Environmental, Social, and Governance (ESG) agenda, which is of growing importance in all sectors. Beyond the PPC itself, there are increasing expectations on organisations to demonstrate prompt and fair payment of suppliers, including the ‘payment practices and performance reporting requirements’ in force for certain UK organisations since 2017. The recent BEIS consultation (‘restoring trust in audit and corporate governance: proposals on reforms’) also included specific proposals on further strengthening corporate reporting on prompt payment practices. These considered mandatory reporting of supplier payment performance for Public Interest Entities in annual reports. While these proposals have not yet been enacted, there is value in ensuring organisations are well placed to respond, if required.
Organisations adopting the PPC can benefit from the clear commitment to treating suppliers fairly. This may, in turn, improve supplier goodwill, potentially resulting in more favourable pricing and improved supplier performance. Ensuring suppliers are paid promptly also boosts their cash flow and reliability, ensuring resilience in the supply chain.
However, there are also risks associated with the PPC. Failure to adopt the PPC may make an organisation appear uncaring or uninterested in its supply chain and could result in a loss of competitive advantage. For organisations that do adopt the PPC, ensuring ongoing compliance is crucial. The PPC’s Code Compliance Board can investigate organisational compliance. Failure to comply can result in serious reputational damage through ‘naming and shaming’ and the loss of supplier goodwill.
Internal audit can play a key role for organisations that have adopted the PPC, primarily through provision of assurance on the effective implementation of processes and controls to meet the PPC requirements. By following a similar approach, the internal audit function can also add value for organisations before they adopt the PPC, ensuring effective processes and controls are established ahead of adoption.
Policy framework and governance
Does the organisation have a policy framework that supports PPC compliance? This should cover considerations such as the organisation’s standard payment terms, treatment of smaller suppliers and scope of application (eg which subsidiaries are bound by the policy). Communications with suppliers and dispute resolution processes should also be defined (including the right of suppliers to use late payment legislation to invoice for late payment interest and charges when appropriate). Is there a second line function that ‘owns’ the process? If so, what compliance controls have they established?
Communications and training (internal)
Has the PPC commitment and internal policy been effectively communicated to internal stakeholders? Have those with a direct role in dealing with suppliers been trained in their responsibilities? Is a culture that recognises the importance of prompt payment evident?
Communications (external)
Has the organisation adopted the PPC logo on its website and external documentation to communicate its commitments? What measures are in place to show suppliers that the organisation has adopted the PPC? Are the records for the organisation up to date?
Does the organisation have any contracts with central government, or intend to bid for any in future? Since September 2019, any organisation that bids for a central government contract in excess of £5 million a year must be able to demonstrate it has effective payment systems in place to ensure a reliable supply chain. Organisations that do not comply with this standard could be prevented from winning government contracts.
System configurations
Accounts payable systems are key to supporting PPC compliance.
Key considerations here include:
Management reporting
Ensuring ongoing compliance will require routine generation of management information by first or second line functions. This should go beyond the required reporting under the Prompt Payment Code, to ensure any weaknesses in processes or performance can be addressed at the earliest opportunity. Considerations here could include identifying what payment practice reporting the organisation has established.
Questions to ask include:
What payment practice reporting has the organisation established?
How is the underlying data extracted and analysed?
Is the process transparent and repeatable?
Are there appropriate segregations of duties in place between the accounts payable (AP) function and the reviewer?
Is the organisation subject to the ‘Reporting on Payment Practices and Performance Regulations 2017’ (see Gov.uk flow-chart below)?
Payment data analysis
Analysing the organisation’s payment performance should be a key part of any audit of PPC compliance. The approach taken could be to extract historic data to reconcile with previous submissions to the Small Business Commissioner, or to monitor current performance over an agreed period.
As a minimum, the analysis should assess the following:
The volume of data is likely to be challenging, so use of a data analytics specialist may be necessary.
Understanding exceptions
Can any invoices paid out of compliance with the organisation’s policy or PPC terms be explained? If these relate to disputes, was there an early communication to the supplier on this as required? How are disputes handled and reported?
Treatment of cheque payments
For organisations using cheque payments, the paid date per system records should be reviewed. Is this the date that the cheque was issued or cleared? How does this affect payment performance calculations?
Encouraging good practice
Has the organisation taken any steps to promote PPC adoption in its broader supply chain as required?
Corporate reporting
Has the organisation established effective processes for reporting payment performance data to the Small Business Commissioner on a timely basis? Are there adequate review and approval processes in place prior to submission?
Risk Area | Expected controls |
Slow payment causing reduced supplier goodwill, loss of resilience in the supply chain | |
Loss of revenue through exclusion from potential government procurement contracts | |
Failure to realise reputational gains once PPC registered | |
Data quality does not support PPC compliance and reporting | System controls to ensure: |
Invoices are not reviewed and approved on a timely basis, resulting in delayed payment and potential for interest payment/charges (legislation allows suppliers to claim for this) | |
Disputed invoices result in delayed payment, affecting PPC | |
Reputational damage through non-compliance with the PPC terms: | |
An effective system for managing an organisation’s PPC commitments should include policy, training, communications, system-based controls and reporting measures.
An internal audit engagement should consider the design of controls i.e. preventative, detective, directive, including policy, training and system-based measures, in addition to their efficiency of operation. Organisational culture should also be considered, ensuring that the importance of treating suppliers fairly is recognised, and not seen as merely a ‘tick box’ compliance exercise.
Accounts payable and post payment assurance | IIA Technical Guidance
Prompt Payment Code website | Small Business Commissioner
Payment practices and performance reporting | PwC
Payment practices | Deloitte
Creating a Responsible Payment Culture | Gov UK
Payment practices performance reporting requirements | Gov UK
Restoring trust in audit and corporate governance | BEIS White Paper Gov UK