
Auditing the Prompt Payment Code

This guidance is in two parts. The first part provides information relevant to internal auditors about the Prompt Payment Code; the second part then considers the role of internal audit and auditing compliance with the Code.


Information guidance

What is the Prompt Payment Code?

The Prompt Payment Code (PPC) was established in late 2008 as a voluntary code of practice for businesses. The scheme is managed under the supervision of the Office of the Small Business Commissioner (SBC) on behalf of the Department for Business, Energy and Industrial Strategy (BEIS). The UK Prompt Payment Policy was issued in 2015 and then updated in 2018.

The PPC sets standards for signatories to ensure good payment practices, including provision of clear guidance to suppliers and, most significantly, paying suppliers on time.

Signatories to the PPC must:

1) Pay suppliers on time

  • 95% of invoices must be paid within the agreed payment terms
  • 95% of all invoices must be paid within 60 days
  • 95% of invoices from businesses with fewer than 50 employees must be paid within 30 days

2) Give clear guidance to suppliers

  • Provide suppliers with ‘clear and easily accessible guidance on payment procedures and invoicing requirements’
  • Advise suppliers immediately if there is any reason why an invoice will not be paid to the agreed terms
  • Establish and communicate a system for managing payment disputes

3) Adopt and encourage good practice

  • Request that lead suppliers encourage adoption of the PPC in their own supply chains
  • Use the PPC logo, on your website, to demonstrate commitment to the Code principles
  • Avoid any practices that adversely affect the supply chain

Why is the Prompt Payment Code important?

The PPC commitment to fair treatment of suppliers, as a key stakeholder, links to the Environmental, Social, and Governance (ESG) agenda, which is of growing importance in all sectors. Beyond the PPC itself, there are increasing expectations on organisations to demonstrate prompt and fair payment of suppliers, including the ‘payment practices and performance reporting requirements’ in force for certain UK organisations since 2017. The recent BEIS consultation (‘restoring trust in audit and corporate governance: proposals on reforms’) also included specific proposals on further strengthening corporate reporting on prompt payment practices. These considered mandatory reporting of supplier payment performance for Public Interest Entities in annual reports. While these proposals have not yet been enacted, there is value in ensuring organisations are well placed to respond, if required. 

What are the benefits and risks associated with the PPC?

Organisations adopting the PPC can benefit from the clear commitment to treating suppliers fairly. This may, in turn, improve supplier goodwill, potentially resulting in more favourable pricing and improved supplier performance. Ensuring suppliers are paid promptly also boosts their cash flow and reliability, ensuring resilience in the supply chain.

However, there are also risks associated with the PPC. Failure to adopt the PPC may make an organisation appear uncaring or uninterested in its supply chain and could result in a loss of competitive advantage. For organisations that do adopt the PPC, ensuring ongoing compliance is crucial. The PPC’s Code Compliance Board can investigate organisational compliance. Failure to comply can result in serious reputational damage risk through ‘naming and shaming’ and the loss of supplier goodwill.


Auditing the Prompt Payment Code

The role of internal audit

Internal audit can play a key role for organisations that have adopted the PPC, primarily through provision of assurance on the effective implementation of processes and controls to meet the PPC requirements. By following a similar approach, the internal audit function can also add value for organisations before they adopt the PPC, ensuring effective processes and controls are established ahead of adoption.

Key considerations for auditing PPC compliance

Policy framework and governance

Does the organisation have a policy framework that supports PPC compliance? This should cover considerations such as the organisation’s standard payment terms, treatment of smaller suppliers and scope of application (eg which subsidiaries are bound by the policy). Communications with suppliers and dispute resolution processes should also be defined (including right for suppliers to use late payment legislation to invoice for late payment interest and charges when appropriate). Is there a second line function that ‘owns’ the process? If so, what compliance controls have they established?

Communications and training (internal)

Has the PPC commitment and internal policy been effectively communicated to internal stakeholders? Have those with a direct role in dealing with suppliers been trained in their responsibilities? Is a culture that recognises the importance of prompt payment evident?

Communications (external)

Has the organisation adopted the PPC logo on its website and external documentation to communicate its commitments? What measures are in place to show suppliers that the organisation has adopted the PPC? Are the records for the organisation up to date?

Does the organisation have any contracts with central government, or intend to bid for any in future? Since September 2019, any organisation that bids for a central government contract in excess of £5 million a year must be able to demonstrate it has effective payment systems in place to ensure a reliable supply chain. Organisations who do not comply with this standard could be prevented from winning government contracts.

System configurations

Accounts payable systems are key to supporting PPC compliance.

Key considerations here include:

  • Does the system accurately capture the organisation’s defined payment terms by default?
  • Does the system have the facility to categorise small suppliers (with fewer than 50 staff) which should be paid within 30 days? Is this data captured effectively and accurately at the point of new supplier creation?
  • How does the system treat disputed invoices?
  • How does the system generate payment runs and calculate due dates?

Management reporting

Ensuring ongoing compliance will require routine generation of management information by first or second line functions. This should go beyond the required reporting under the Prompt Payment Code, to ensure any weaknesses in processes or performance can be addressed at the earliest opportunity. Considerations here could include identifying what payment practice reporting the organisation has established.

Questions to ask include:

  • What payment practice reporting has the organisation established?
  • How is the underlying data extracted and analysed?
  • Is the process transparent and repeatable?
  • Are there appropriate segregations of duties in place between the accounts payable (AP) function and the reviewer?
  • Is the organisation subject to the ‘Reporting on Payment Practices and Performance Regulations 2017’ (see Gov.uk flow-chart below)?

Payment data analysis

Analysing the organisation’s payment performance should be a key part of any audit of PPC compliance. The approach taken could be to extract historic data to reconcile with previous submissions to the Small Business Commissioner, or to monitor current performance over an agreed period.

As a minimum, the analysis should assess the following:

  • Proportion of invoices paid within agreed payment terms
  • Proportion of invoices paid within 60 days
  • Proportion of invoices from businesses with fewer than 50 employees paid within 30 days

The volume of data is likely to be challenging, so use of a data analytics specialist may be necessary.

Understanding exceptions

Can any invoices paid out of compliance with the organisation’s policy or PPC terms be explained? If these relate to disputes, was there an early communication to the supplier on this as required? How are disputes handled and reported?

Treatment of cheque payments

For organisations using cheque payments, the paid date per system records should be reviewed. Is this the date that the cheque was issued or cleared? How does this affect payment performance calculations?
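The three measures listed under "Payment data analysis", and the effect of the cheque paid-date question above, can be tested directly on an accounts payable extract. The following is an added example, not part of the original guidance: the field names, the choice to count days from invoice receipt, and the sample invoices are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PPC_TARGET = 0.95  # the Code's 95% threshold for each measure

@dataclass
class Invoice:  # hypothetical AP extract layout
    received: date                         # assumed start of the payment clock
    terms_days: int                        # agreed payment terms
    small_supplier: bool                   # fewer than 50 employees
    paid: date                             # paid date per system (cheque: issue date)
    cheque_cleared: Optional[date] = None  # clearing date, cheque payments only

def days_to_pay(inv, use_cleared_date=False):
    paid = inv.cheque_cleared if (use_cleared_date and inv.cheque_cleared) else inv.paid
    return (paid - inv.received).days

def ppc_metrics(invoices, use_cleared_date=False):
    def share(population, limit):
        if not population:
            return None  # no invoices in scope, measure not applicable
        hits = sum(days_to_pay(i, use_cleared_date) <= limit(i) for i in population)
        return hits / len(population)
    small = [i for i in invoices if i.small_supplier]
    return {
        "within_terms": share(invoices, lambda i: i.terms_days),
        "within_60_days": share(invoices, lambda i: 60),
        "small_within_30_days": share(small, lambda i: 30),
    }

def breaches(metrics):
    # Measures that fall below the 95% target
    return sorted(k for k, v in metrics.items() if v is not None and v < PPC_TARGET)

def sample_invoices():
    # Constructed data: 18 invoices paid in 20 days, one paid late, one cheque
    d = date(2023, 1, 2)
    rows = [Invoice(d, 30, n < 10, d + timedelta(days=20)) for n in range(18)]
    rows.append(Invoice(d, 30, False, d + timedelta(days=70)))   # late payment
    rows.append(Invoice(d, 30, True, d + timedelta(days=28),     # cheque issued day 28
                        cheque_cleared=d + timedelta(days=33)))  # cleared day 33
    return rows

if __name__ == "__main__":
    for cleared in (False, True):
        m = ppc_metrics(sample_invoices(), use_cleared_date=cleared)
        print("cleared-date basis" if cleared else "issue-date basis", m, breaches(m))
```

On the constructed data the organisation meets all three measures when the cheque issue date is used, but falls below 95% on two of them when the clearing date is used.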

Encouraging good practice

Has the organisation taken any steps to promote PPC adoption in its broader supply chain as required?

Corporate reporting

Has the organisation established effective processes for reporting payment performance data to the Small Business Commissioner on a timely basis? Are there adequate review and approval processes in place prior to submission?

Key risks and controls


Risk area: Slow payment causing reduced supplier goodwill, loss of resilience in the supply chain
Expected controls:
  • Registration with and adherence to the PPC

Risk area: Loss of revenue through exclusion from potential government procurement contracts
Failure to realise reputational gains once PPC registered
Expected controls:
  • Use of PPC logo where appropriate
  • Effective communication strategy
  • Promotion of the PPC within the broader supply chain

Risk area: Data quality does not support PPC compliance and reporting
Expected controls: System controls to ensure:
  • Correct (and PPC compliant) payment terms are recorded
  • Supplier size (defined by number of employees) is recorded
  • Payment due dates are correctly calculated

Risk area: Invoices are not reviewed and approved on a timely basis, resulting in delayed payment and potential for interest payment/charges (legislation allows suppliers to claim for this)
Expected controls:
  • Process to ensure immediate registration of invoices prior to authorisation by management

Risk area: Disputed invoices result in delayed payment, affecting PPC
Expected controls:
  • Policy for management of disputed invoices
  • Early communication on reasons for dispute

Risk area: Reputational damage through non-compliance with the PPC terms:
  • Reported data shows poor payment practices
  • Failure to report
  • Errors in data submitted
Expected controls:
  • Routine management reporting on payment trends
  • Clear ownership of reporting responsibilities
  • Review and authorisation processes for reported data

Conclusion

An effective system for managing an organisation’s PPC commitments should include policy, training, communications, system-based controls and reporting measures.

An internal audit engagement should consider the design of controls (i.e. preventative, detective, directive), including policy, training and system-based measures, in addition to their efficiency of operation. Organisational culture should also be considered, ensuring that the importance of treating suppliers fairly is recognised, and not seen as merely a ‘tick box’ compliance exercise.


Further reading

Accounts payable and post payment assurance | IIA Technical Guidance

Prompt Payment Code website | Small Business Commissioner 

Payment practices and performance reporting | PwC

Payment practices | Deloitte

Creating a Responsible Payment Culture | Gov UK

Payment practices performance reporting requirements | Gov UK

Restoring trust in audit and corporate governance | BEIS White Paper Gov UK

Content reviewed: 1 February 2023