Description
Imagine that this year you are auditing a fruit and vegetable wholesaler with approximately 35 employees. They import and distribute fresh produce to hospitality businesses, supermarkets, and market stalls. Dozens of purchase transactions take place daily with growers and auction houses, where speed is essential due to the perishability of goods.
Because the procurement process can sometimes be fast and unpredictable, they have defined several risks themselves, such as:
Purchases from unreliable suppliers: Purchases may be made from suppliers who have not been pre-approved or vetted. This can lead to poor product quality, conflicts of interest, or fraud (buyers could set prices above market rates in exchange for personal benefits).
Incorrect price entries in systems: Under time pressure and high transaction volumes, incorrect prices may be recorded, making inventories and margins unreliable.
Extreme price fluctuations due to crop failures: Crop failures can drive prices up significantly when supply is limited. The risk here is that buyers may accept prices above market value without sufficient justification, leading to excessive purchase costs and lower margins.
Payments to high-risk countries: Payments may be made to high-risk countries or unknown accounts, posing money laundering or fraud risks.
Controls
To further mitigate these risks, the company has implemented several measures in recent years:
- Approved Supplier List: Purchasing is only allowed from pre-approved suppliers, who are re-evaluated annually for quality, delivery reliability, and price agreements.
- Price Agreements and Tolerance Bands: Purchases within predefined price bands do not require additional approval; deviations require approval and documentation.
- Four-Eyes Principle: New suppliers and large orders require a second approval.
- Automated Blocks on Price Variances: Invoices with deviations exceeding 15% from standards are blocked for review.
During the interim audit, you discover that there is indeed a digital list of approved suppliers, and the IT auditor confirms that the system blocks any invoice deviating more than 15% and only releases it after approval by a management team member. However, the application's authentication appears to be inadequate—you even notice a post-it on someone’s computer with the current password.
Data Analysis
To gain some control over the purchase prices despite the authentication issues, you consider what data analyses you can perform. Since most controls rely on authentication (approval steps), it is of limited use to verify if all measures worked correctly throughout the year. However, you can still conduct the following analyses to gain additional insights:
1. Analyze Price Trends Over Time
Visualize price trends per product (e.g., by week or month) to detect anomalies such as unexplained spikes that cannot be attributed to seasonal factors.
2. Compare Prices Across Suppliers
Compare prices of identical products across different suppliers to identify suppliers that systematically charge higher prices or have atypical price agreements.
3. Reconcile Invoices to Financial Records
Match purchase invoices with entries in the accounting system to verify completeness and accuracy, and to detect missing or duplicate postings.
4. Analyze New Suppliers and High-Risk Countries
Combine data on new suppliers with payment records to flag suspicious transactions involving high-risk countries or unknown new suppliers.
5. Detect Outliers in Prices
Perform a Z-score analysis on purchase prices to identify price deviations that may indicate errors or unusual transactions requiring further investigation.
By performing these analyses, you gain insight into potential anomalies in purchase prices and supplier behavior. This helps to flag risks of overpayment, fraud, and errors, and provides valuable input for the management letter and the audit approach for the financial statement audit.
