In an Aberdeen Group study of 125 supply management executives it was identified that visibility into spending and driving compliance with supply contracts are among the leading challenges facing procurement organisations today. If we add to this the current turmoil in global financial markets and renewed calls for governance, accountability and regulation, the perfect storm is brewing, explains Gregg Barett, Director of Cylon Technology, in this month’s SmartProcurement.
With this in mind let’s take a moment to lay the groundwork of what constitutes compliance within the procurement and contracting functions within an organisation. In the context of procurement and contract management we can breakdown the compliance environment into three domains:
– Regulatory compliance – the regulatory environment like Sarbanes Oxley, Health and Safety legislation, Public Finance Management Act etc.
– Procedural compliance – Internal organisational policies and procedures like signatory mandates, delegation of authority etc.
– Contractual compliance – Commitments defined on the contract like Service Level Agreements, Key Performance Indexes etc
If we take a look at the organisational approval process as an example, an organisations approval process will fit into the procedural compliance domain listed above. Procedural compliance constitutes the organisations internal controls.
Now what are internal controls and why are they?
The organisation that developed the commonly accepted structure of internal controls, the Committee of Sponsoring Organisations (COSO), was founded in 1985 and began looking at internal controls in response to concerns about the integrity of financial reporting.
Internal controls are processes and practices that provide reasonable assurance regarding the achievement of organisational objectives.
They have as their objectives the efficiency and effectiveness of operations, reliability and accuracy of financial reporting, and compliance with laws and regulations. While effective internal controls prevent or detect fraudulent behaviour, at a practical level their value is also in preventing errors.
In accordance with the COSO framework, the components of an effective internal controls program include monitoring, information and communication, control activities, risk assessment, and the control environment.
Now without getting to far into the details, controls generally are categorised as either preventive or detective. In procurement preventive controls involve control activities such as training and segregation of duties between procurement and accounts payable, for example. Detective controls may involve post-transaction reconciliation of financial information and management reviews, thereby detecting any errors or fraudulent behaviour.
Detective controls are important control activities in the procurement organisation and apply to things like procurement requisitions. When it comes to procurement requisitions as an example, because of transaction volumes, it is unwise in most instances to seek higher-level approval of every small purchase. Therefore, transaction screening that is processing the transaction request against the procurement organisations contracts is in most cases the best process of ensuring compliance, and with technology like Contract Lifecycle Management systems, one can fully automate this process.
As mentioned earlier, internal controls provide reasonable assurance regarding the achievement of organisational objectives. It is therefore critical that when defining internal controls organisations make certain that they are clearly aligned with organisational objectives and make sure that their processes are geared towards achieving these objectives. Too often I have seen organisations engineer processes that do not include desired contract outcomes for example, but focus only on management authorisation, a system of controls, and accounting practices. Should the contract outcome post signature be considered for a moment (as part of the organisational objective and hence encompassed within the control) this would in most cases necessitate additional or perhaps completely different persons in the review, approval, and management process.
To illustrate, I know of one example where a supplier to a major government department said: ‘We know this key performance indicator (KPI) is meaningless, and so do the end-users of the contract, but the contract manager insists that we continue to measure it because “that’s what it says in the contract”.’ In this instance if the review process had been properly aligned to the organisational objective and included the input of the eventual contract manager, the KPI would never have been included in the signed document.
So we have established that organisational objectives need to play a bigger role when formulating internal controls but further to this is the fact that internal controls illuminate a central issue: how best to balance the relationship between controls and operational effectiveness. Internal control processes entail a common issue, that of time and resources.
It must therefore be remembered that when formulating procurement processes the intent is not to cloak the organisation in further bureaucracy and administration (which increases operating costs) but to ensure that the necessary controls are in place to ensure the adherence to organisational intent behind transactions.
In a world that is calling for collaborative relationships underpinned with innovative and sometimes complex contracts to be forged with trading partners at lightening speed, it will be those organisations that can achieve this balance that will succeed while the rest remain embroiled in bureaucracy that stifles their ability to compete and innovate.
Who are the organisations that are dealing with these challenges and winning in the face of this increased complexity? Firms like P&G, Hewlett Packard, John Deere, Chevron and IBM to name a few. My recommendation is that others start taking note of what these firms are doing and rather than attempting to reinvent the wheel, emulate their success.