RACM in Process

The document outlines various control objectives for the vendor management and procurement management process. It aims to ensure that vendors are properly researched, selected, and evaluated according to criteria. It also controls the purchase order process to guarantee accurate and authorized purchase orders that are matched with goods receipts. Key controls listed include validating vendor information, obtaining multiple quotations, approving purchase orders based on authority levels, and closing requisitions after purchase order approval.

Uploaded by

Rafay Muhammad

RISK ASSESSMENT AND CONTROL MATRIX

PROCESS: PROCUREMENT MANAGEMENT

Sub Process | S.No | Control Objective

3-Vendor Management

Vendor research, selection and evaluation | 3.1 | To ensure that the vendor to be added is genuine and no potential red flags are associated with it.
Vendor research, selection and evaluation | 3.2 | To ensure that vendor is assessed and evaluated as per policy criteria so that vendors are selected in the most efficient and effective manner
Vendor research, selection and evaluation | 3.2 | To ensure that vendor is assessed and evaluated as per policy criteria so that vendors are selected in the most efficient and effective manner
Vendor research, selection and evaluation | 3.2 | To ensure that vendor is assessed and evaluated as per policy criteria so that vendors are selected in the most efficient and effective manner
Vendor research, selection and evaluation | 3.2 | To ensure that vendor master is amended as per policy criteria.
Vendor research, selection and evaluation | 3.2 | To ensure that vendor master is amended as per policy criteria.
Vendor research, selection and evaluation | 3.2 | To ensure that vendor is added in master data as per policy criteria.
Vendor research, selection and evaluation | 3.2 | To ensure that vendor is added in master data as per policy criteria.
Vendor research, selection and evaluation | 3.2 | To ensure that vendor is added in master data as per policy criteria.
Vendor research, selection and evaluation | 3.3 | To ensure that vendor codes are assigned as per the criteria defined in SOP
Vendor research, selection and evaluation | 3.4 | Vendor selected is cost competitive and appropriate for delivery of goods/services
Vendor research, selection and evaluation | 3.4 | Vendor selected is cost competitive and appropriate for delivery of goods/services
Vendor research, selection and evaluation | 3.4 | Vendor selected is cost competitive and appropriate for delivery of goods/services and at least 3 quotations have been asked from vendors
Vendor research, selection and evaluation | 3.4 | Vendor selected is cost competitive and appropriate for delivery of goods/services and at least 3 quotations have been asked from vendors
Vendor research, selection and evaluation | 3.5 | Vendor selected is cost competitive and appropriate for delivery of goods/services and at least 3 quotations have been asked from vendors
Vendor research, selection and evaluation | 3.5 | Vendor selected is cost competitive and appropriate for delivery of goods/services and at least 3 quotations have been asked from vendors
Vendor research, selection and evaluation | 3.6 | Procurement from active and reliable members
Vendor research, selection and evaluation | 3.6 | Procurement from active and reliable members
Vendor research, selection and evaluation | 3.7 | Vendor selected is cost competitive and appropriate for delivery of goods/services
Vendor research, selection and evaluation | 3.7 | Vendor selected is cost competitive and appropriate for delivery of goods/services
Vendor research, selection and evaluation | 3.7 | Vendor selected is cost competitive and appropriate for delivery of goods/services
Vendor research, selection and evaluation | 3.7 | Vendor selected is cost competitive and appropriate for delivery of goods/services
Vendor research, selection and evaluation | 3.7 | Vendor selected is cost competitive and appropriate for delivery of goods/services
Vendor research, selection and evaluation | 3.7 | Vendor selected is cost competitive and appropriate for delivery of goods/services
Vendor is selected from the approved list of Vendors, with whom Contract is made, specifying the terms and conditions applicable as per SOP and defining the period. | 3.7 | Vendor selected is cost competitive and appropriate for delivery of goods/services
Vendor research, selection and evaluation | 3.7 | Vendor selected is cost competitive and appropriate for delivery of goods/services

7-Cut-off

Cut-off procedures for recording of goods received | 7.1 | To ensure goods received should be accounted in correct accounting period
Cut-off procedures for recording of goods received | 7.1 | To ensure goods received should be accounted in correct accounting period
Cut-off procedures for recording of goods received | 7.1 | To ensure goods received should be accounted in correct accounting period

10-Purchase Orders

Purchase order Placement | 10.1 | Purchase order must be approved and DC/GRN must be matched against the Purchase order
Purchase order Placement | 10.2 | GRN must be entered by Warehouse personnel against the Purchase order.
Purchase order Placement | 10.2 | GRN must be entered by Warehouse personnel against the Purchase order
Purchase order Placement | 10.3 | Purchase Order raised is accurate, timely and authorized
Purchase order Placement | 10.3 | Purchase Order raised is accurate, timely and authorized
Purchase order Placement | 10.3 | Purchase Order raised is accurate, timely and authorized
Purchase order Placement | 10.4 | Purchase orders are approved as per authority matrix
Purchase order Placement | 10.4 | Purchase orders are approved as per authority matrix
Purchase order Placement | 10.4 | Purchase orders are approved as per authority matrix
Purchase order Placement | 10.5 | Purchase requisitions are closed after approval of PO
Purchase order Placement | 10.5 | Purchase requisitions are as per our requirements
Purchase order Placement | 10.5 | Purchase requisitions are as per our requirements
Purchase order Placement | 10.6 | Purchase orders are approved as per authority matrix
Purchase order Placement | 10.7 | Procurement risk should be mitigated by building better relationships with vendors.
Purchase order Placement | 10.7 | Purchase orders are approved as per authority matrix
Purchase order Placement | 10.8 | Purchase orders are approved as per authority matrix
Purchase order Placement | 10.8 | Purchase orders are approved as per authority matrix
Purchase order Placement | 10.8 | Purchase orders are approved as per authority matrix
Purchase order Placement | 10.9 | Purchase orders are approved on new quotations
Purchase order Placement | 10.10 | PO is created through proper channel without bypassing system.
Purchase order Placement | 10.11 | Goods are ordered in accordance with agreed terms and conditions pertaining to the vendor
Purchase order Placement | 10.12 | All Purchase order amendments are valid and authorized
Purchase order Placement | 10.12 | All Purchase order amendments are valid and authorized
Purchase order Placement | 10.12 | All Purchase order amendments are valid and authorized
Purchase order Placement | 10.12 | All Purchase order amendments are valid and authorized

Process Description | Key Risk | Control Ref.

Vendor is selected from the approved list of Vendors, with whom Contract is made, specifying the terms and conditions applicable as per SOP and defining the period. | New vendor additions during the period without proper documentation, such as agreement etc could result in non-compliance and high risk vendors selection. | 3.1.1
Supplier relationship management, business requirements are identified with stakeholders, which are then developed into quantitative supplier performance measures and suppliers are assessed against the performance measures i.e. delivery and quality. Further, monthly system generated performance report to be sent to suppliers based on already communicated performance measures. | High risk vendors may not be identified and therefore corrective actions could not be taken to mitigate the risk | 3.2.1
Supplier relationship management, business requirements are identified with stakeholders, which are then developed into quantitative supplier performance measures and suppliers are assessed against the performance measures i.e. delivery and quality. Further, monthly system generated performance report to be sent to suppliers based on already communicated performance measures. | Poor performing vendors are not identified and monitored. | 3.2.2
Supplier relationship management, business requirements are identified with stakeholders, which are then developed into quantitative supplier performance measures and suppliers are assessed against the performance measures i.e. delivery and quality. Further, monthly system generated performance report to be sent to suppliers based on already communicated performance measures. | Poor performing vendors are not identified and monitored. | 3.2.3
Upon intimation of vendor via email or any hard document vendor is amended in system | Vendors amended incorrectly due to inappropriate approvals and checks | 3.2.4
Upon intimation of vendor via email or any hard document vendor is amended in system | Vendors amended in the master file without adequate documentation. | 3.2.5
On the basis of vendor evaluation results via email or any hard document vendor is added in system | Vendors added in the master file without evaluation. | 3.2.5
On the basis of vendor evaluation results via email or any hard document vendor is added in system | Vendors added in the master file without evaluation. | 3.2.5
On the basis of vendor evaluation results via email or any hard document vendor is added in system | Unauthorized vendors added in vendor master file. | 3.2.6
Upon confirmation of vendor selection, codes are assigned and approved by Head of Procurement | Local and import vendors may not be monitored properly due to misclassification. Non-Compliance of policies and procedures | 3.3.1
Upon intimation by quality via email and comparison of rates, vendor is selected and added in system. | Vendors who are unable to meet service, quality and price criteria are added on the vendor list. | 3.4.1
Upon intimation by quality via email and comparison of rates, vendor is selected and added in system. | Vendors who are unable to meet service, quality and price criteria are added on the vendor list. | 3.4.2
Procurement must be value for money both in quality and quantity | Absence of multiple resources of supply which resulted in purchases of materials at uncompetitive rates. Further, it could lead to non availability of material in case of any uncertainty with vendor. | 3.4.3
Purchase history and vendor list are available at the time of creating PO for better decision making. | Procurement of goods/services at non competitive prices resulting in financial loss. Risk of disruption of business operations due to non availability of goods/services | 3.4.4
New vendors identified or existing vendors for new product are added in vendor master as per defined policies and procedures | Procurement of goods/services from non credible suppliers might result in procurement at uncompetitive prices resulting in financial loss and risk of disruption of business operations in case of non supply as per agreed terms. | 3.5.1
New vendors identified or existing vendors for new product are added in vendor master as per defined policies and procedures | Procurement of goods/services from non credible suppliers might result in procurement at uncompetitive prices resulting in financial loss and risk of disruption of business operations in case of non supply as per agreed terms. | 3.5.2
Procurement must be from reliable vendors for effective procurement and better working relationship. | Procurement of goods/services from non credible suppliers might result in procurement at uncompetitive prices resulting in financial loss and risk of disruption of business operations in case of non supply as per agreed terms. | 3.6.1
Procurement must be from reliable vendors for effective procurement and better working relationship. | Procurement of goods/services from non credible suppliers might result in procurement at uncompetitive prices resulting in financial loss and risk of disruption of business operations in case of non supply as per agreed terms. | 3.6.2
Procurement must be from reliable vendors for effective procurement and better working relationship. | Procurement of goods/services at non competitive prices resulting in financial loss. Risk of disruption of business operations due to non availability of goods/services | 3.7.1
Procurement must be from reliable vendors for effective procurement and better working relationship. | Procurement of goods/services at non competitive prices resulting in financial loss. Risk of disruption of business operations due to non availability of goods/services | 3.7.2
Procurement must be from reliable vendors for effective procurement and better working relationship. | Procurement of goods/services at non competitive prices resulting in financial loss. Risk of disruption of business operations due to non availability of goods/services | 3.7.3
Procurement must be from reliable vendors for effective procurement and better working relationship. | Procurement of goods/services at non competitive prices resulting in financial loss. Risk of disruption of business operations due to non availability of goods/services | 3.7.4
Procurement must be from reliable vendors for effective procurement and better working relationship. | Procurement of goods/services at non competitive prices resulting in financial loss. Risk of disruption of business operations due to non availability of goods/services | 3.7.5
Procurement must be from reliable vendors for effective procurement and better working relationship. | Procurement of goods/services at non competitive prices resulting in financial loss. Risk of disruption of business operations due to non availability of goods/services | 3.7.5
Procurement must be from reliable vendors for effective procurement and better working relationship. | Procurement of goods/services at non competitive prices resulting in financial loss. Risk of disruption of business operations due to non availability of goods/services | 3.7.6
Procurement must be from reliable vendors for effective procurement and better working relationship. | Procurement of goods/services at non competitive prices resulting in financial loss. Risk of disruption of business operations due to non availability of goods/services | 3.7.7

When goods are delivered to store and GRN should be entered to update the goods at the point | Failure to record the goods received in correct accounting period will result in understatement of inventory | 7.1.1
When goods are delivered to store and GRN should be entered to update the goods at the point | Failure to record the goods received in correct accounting period will result in understatement of inventory. | 7.1.2
GRN is posted in system by warehouse and lot is submitted in QC. Financial impact shall not be recorded in system till QC pass inventory. | Failure to record the goods received in correct accounting period will result in understatement of inventory. | 7.1.2

Purchase order is placed by procurement according to the requirement of production and competitive prices are negotiated related to the item being procured in purchase order | Failure to obtain approvals may result in fictitious purchase orders being placed | 10.1.1
GRN should be parked by gatekeeper which will then be posted by warehouse so as to maintain segregation. | Risk of unauthorized / fictitious procurement may be placed. | 10.2.1
GRN is entered by Warehouse personnel against purchase order placed by the procurement. | Failure to enter the GRN on timely basis will result in delay in entering the material received in system and accordingly the payment will also be made with delay, which will result in dispute with the supplier on payment terms if terms are cash on delivery. Delay may also result in understatement on inventory during cut-off period. | 10.2.1
Purchase order is directly linked with purchase requisition for accurate ordering. | Risk of disruption of business operations due to non availability of goods/services. Procurement of goods/services not required or in excess of required quantity leading to financial loss/unavailability of working capital. Procurement of goods/services at non competitive prices resulting in financial loss | 10.3.1
Purchase order is directly linked with purchase requisition and master data for accurate ordering. | Risk of disruption of business operations due to non availability of goods/services. Procurement of goods/services not required or in excess of required quantity leading to financial loss/unavailability of working capital. Procurement of goods/services at non competitive prices resulting in financial loss | 10.3.2
Purchase order is directly linked with purchase requisition and master data for accurate ordering. | Risk of disruption of business operations due to non availability of goods/services. Procurement of goods/services not required or in excess of required quantity leading to financial loss/unavailability of working capital. Procurement of goods/services at non competitive prices resulting in financial loss | 10.3.2
System based approval matrix are defined that are approved by board | Risk of disruption of business operations due to non availability of goods/services. Procurement of goods/services not required or in excess of required quantity leading to financial loss/unavailability of working capital. Procurement of goods/services at non competitive prices resulting in financial loss | 10.4.1
System based approval matrix are defined that are approved by board | Risk of disruption of business operations due to non availability of goods/services. Procurement of goods/services not required or in excess of required quantity leading to financial loss/unavailability of working capital. Procurement of goods/services at non competitive prices resulting in financial loss | 10.4.1
System based approval matrix are defined that are approved by board | Risk of disruption of business operations due to non availability of goods/services. Procurement of goods/services not required or in excess of required quantity leading to financial loss/unavailability of working capital. Procurement of goods/services at non competitive prices resulting in financial loss | 10.4.1
PR are cleared on a timely basis for better monitoring and control | Risk of disruption of business operations due to non availability of goods/services. Procurement of goods/services not required or in excess of required quantity leading to financial loss/unavailability of working capital. Procurement of goods/services at non competitive prices resulting in financial loss | 10.5.1
PR are created by user based on production needs that are approved by BUH | Risk of disruption of business operations due to non availability of goods/services. Procurement of goods/services not required or in excess of required quantity leading to financial loss/unavailability of working capital. Procurement of goods/services at non competitive prices resulting in financial loss | 10.5.2
PR are created by user based on production needs that are approved by BUH | Risk of disruption of business operations due to non availability of goods/services. Procurement of goods/services not required or in excess of required quantity leading to financial loss/unavailability of working capital. Procurement of goods/services at non competitive prices resulting in financial loss | 10.5.2
System based approval matrix are defined that are approved by board | Procurement from unauthorized vendors may lead to risk of disruption of business operations due to non availability of goods/services | 10.6.1
Procurement strategy should be devised in such a manner so as to avoid dependency with suppliers | Risk of disruption of business operations due to non availability of goods/services. Procurement of goods/services at non competitive prices resulting in financial loss | 10.7.1
System based approval matrix are defined that are approved by board | Procurement of goods/services not required or in excess of required quantity leading to financial loss/unavailability of working capital. Procurement of goods/services at non competitive prices resulting in financial loss | 10.7.1
Access rights for PO creation are given to authorized individuals as per LOAM. | Procurement of goods/services not required/unauthorized procurement or in excess of required quantity leading to financial loss/unavailability of working capital. Procurement of goods/services at non competitive prices resulting in financial loss | 10.8.1
Access rights for PO creation are given to authorized individuals as per LOAM. | Procurement of goods/services not required/unauthorized procurement or in excess of required quantity leading to financial loss/unavailability of working capital. Procurement of goods/services at non competitive prices resulting in financial loss | 10.8.1
Access rights for PO creation are given to authorized individuals as per LOAM. | PO splitting to bypass authority matrix | 10.8.2
New and updated quotations have been asked for all procurement from vendors and comparative statement prepared. | Procurement of goods/services at non competitive prices resulting in financial loss | 10.9.1
Purchase orders are linked with PR | Procurement of goods/services not required or in excess of required quantity leading to financial loss/unavailability of working capital | 10.10.1
Control actions taken to manage currency risk | Procurement of goods/services at non competitive prices resulting in financial loss or breaches of treasury and other foreign currency regulations | 10.11.1
Amendment is authorized as per LOAM in system | Procurement of goods/services not required or in excess of required quantity leading to financial loss/unavailability of working capital | 10.12.1
Amendment should be authorized as per LOAM | Procurement of goods/services not required or in excess of required quantity leading to financial loss/unavailability of working capital | 10.12.1
Amendment should be authorized as per LOAM | Procurement of goods/services not required or in excess of required quantity leading to financial loss/unavailability of working capital | 10.12.1
Amendment should be authorized as per LOAM | Procurement of goods/services not required or in excess of required quantity leading to financial loss/unavailability of working capital | 10.12.2

Existing Control | Recommended Control

Vendor is added in master data with whom Contract is made, specifying the terms and conditions applicable and defining the period. Further, evaluation is done to identify high risk, medium risk and low risk, following this vendor account is opened in SAP. | For the vendors to be added in the Master file, documentation should be completed prior to opening of vendor account in the master file. No mechanism to highlight high, medium and low risk vendors.
Supplier relationship management, business requirements are identified with stakeholders, which are then developed into quantitative supplier performance measures and suppliers are assessed against the performance measures i.e. delivery and quality. | Vendor performance evaluation should be done on a monthly basis on the basis of which vendors should be selected for the following period. In this way, vendors with the minimum lead time and lowest rejection rate would be selected. Further, monthly system generated performance report to be sent to suppliers based on already communicated performance measures.

A rating system has been defined in system. The system evaluates vendors on the basis of quality, timely delivery and full quantity delivery and assigns pre-defined rating.

Monthly system generated performance report to be sent to suppliers based on already communicated performance measures.

Supplier relationship management, business requirements are identified with stakeholders, which are then developed into quantitative supplier performance measures and suppliers are assessed against the performance measures i.e. delivery and quality. Further, monthly system generated performance report to be sent to suppliers based on already communicated performance measures. | Quality control department generates the rating report based on above criteria and evaluates performance of vendors. Warning letters are issued to poor performing vendors who achieve less than 85% rating.
Access to vendor master is restricted with shared services only. | Edit logs should be checked on a monthly basis on the basis of which unauthorized vendor amendment details should be monitored.
Upon confirmation of vendor amendment, codes are assigned based on supplier amendment form and approved by Head of Procurement which are then forwarded to shared services team for incorporation in system. Access to vendor master is restricted with shared services only. | Vendor data is amended in master data based on supplier amendment form along with request form sent by vendor.
Upon confirmation of vendor evaluation, codes are assigned based on supplier opening form and approved by Head of Procurement which are then forwarded to shared services team for incorporation in system. Access is restricted with shared services only. | Vendor is added in master file based on Supplier Opening Form (SOF) duly filled by vendor.
Access to vendor master is restricted with shared services only. | Edit logs should be checked on a monthly basis on the basis of which unauthorized vendor additions details should be monitored.
Upon confirmation of vendor evaluation, codes are assigned based on supplier opening form and approved by Head of Procurement which are then forwarded to shared services team for incorporation in system. Access is restricted with shared services only. | Access to vendor master file is restricted to any independent or Finance department.
Upon confirmation of vendor selection, codes are assigned and approved by Head of Procurement | Vendor codes should be reviewed at the time of vendor creation and any non-compliances should be identified and rectified timely
In case of product items, QC department checks quality of the sample received from the prospective supplier. The Quality department provides the results on Inspection Report. On the basis of input received from quality, comparative sheet is prepared which provides the rates offered by different suppliers for the same product and last purchase rate. It is approved by the Head of procurement. Only then vendor is added in the master file. | In case of product items, QC department checks quality of the sample received from the prospective supplier. The Quality department provides the results on Inspection Report. On the basis of input received from quality, Standard Costing Sheet is prepared which provides the rates offered by different suppliers for the same product and last purchase rate. It is approved by the Head of procurement. Only then vendor is added in the master file.
In case of general item, comparative statement specifying rates offered by different suppliers is approved by the Head of procurement. | In case of general item, comparative statement specifying rates offered by different suppliers is approved by the Head of procurement.
In case of services, quotations are called in and comparative statements are made when new service provider is to be engaged. Contract is approved by the respective HOD. In case of renewal of existing contracts, rates are verbally checked and then contract is signed as mentioned above. | In case of services, quotations are called in and comparative statements are made when new service provider is to be engaged. Contract is approved by the respective HOD. In case of renewal of existing contracts, rates are verbally checked and then contract is signed as mentioned above.

Alternate sources of supply have been identified for key materials. The quantities to be purchased from each vendor are formally defined and approved by the Head of procurement. Orders are placed with all the suppliers to keep them active.

Alternate sources of supply have been identified and at least 3 quotations have been asked from different vendors so as to manage risk.

The purchase module maintains history of all purchases for each vendor/list of empanelled vendors for the specific purchase being initiated. At the time when a new PO is being created against a PR in the system, potential vendors are automatically highlighted to the buyer for sending a 'Request for Quotation' (RFQ) | The purchase module maintains history of all purchases for each vendor/list of empanelled vendors for the specific purchase being initiated. At the time when a new PO is being created against a PR in the system, potential vendors are automatically highlighted to the buyer for sending a 'Request for Quotation' (RFQ)

Where empanelled vendors for a given purchase are not available in the vendor master/alternative list, vendors need to be identified and added to the vendor master prior to the purchase. Policies and procedures are defined for adding of new vendors to the vendor master. Procedures are defined for the format of RFQ's, Price checks that need to be performed, Financial review of the company and any other due diligence that may need to be carried out. Once the vendor is identified and reviewed as per the terms, the vendor details and the supporting documentation is sent in a standardized format to the vendor master team for addition to the master.

New Vendor or existing vendor is identified as per the procedure by raising RFQ. Once the vendor is identified, vendor details and supporting documents are sent to shared services for uploading in SAP.

Vendor background check is performed by asking a source of finance, procurement etc, that has to be filled in vendor evaluation form.

Policies and procedures for vendor background verification have been defined

The purchase module maintains history of all purchases for each vendor/list of empanelled vendors for the specific purchase being initiated. At the time when a new PO is being created against a PR in the system, black listed vendors are automatically highlighted to the buyer for sending a 'Request for Quotation' (RFQ) | The system is configured to prohibit generation of purchase orders on blacklisted vendors
The purchase module maintains history of all purchases for each vendor/list of empanelled vendors for the specific purchase being initiated. At the time when a new PO is being created against a PR in the system, black listed vendors are automatically highlighted to the buyer for sending a 'Request for Quotation' (RFQ) | The system is configured to prohibit generation of purchase orders on blacklisted vendors
Policies and guidelines are defined to manage procurement efficiently considering procurement risk and maintaining good business relationships. | Policies and guidelines are defined specifying: 1) Requirement to cultivate alternative vendors; 2) maximum percentage of procurement that can be done from a single vendor; 3) Price differential at which a vendor can be utilized for the purpose of maintaining an alternative source of procurement
Business and CPD maintained a list of single source vendors and are not marked in system. | The procurement department on receipt of a Purchase requisition checks if the goods/service already has a predefined contract or is marked as a single source item. If the latter, the buyer issues Request for Quotations from potential suppliers. If the former, the buyer immediately moves to the purchase order creation stage.

System is configured with RFQ functionality and special approval is taken for single source item from executive management.

The system is configured to send an RFQ to all potential vendors. In the event that the number of vendors to whom an RFQ is sent is less than three, the purchase is flagged and would require additional approval as per the delegation of authority in the procurement system. An exception would be made to the process if the material/service being procured is flagged as a single source item


System is configured with RFQ functionality and all quotations will automatically be uploaded in SAP

All authorized vendors have access to the company's purchasing system via a web portal where the requests for quotations are received (along with email alerts). Each vendor is required to provide similar information at the time of responding to an RFQ (e.g. Price, time to deliver, credit terms etc). The system is configured to prevent removal of any quotation from a vendor quotation comparison once the same has been submitted by the vendor within the due date.


Currently no control exists for independence and all buyers of the relevant section receive their own quotations

Policies and procedures are defined to ensure that all quotations are received by an independent team to ensure that all quotations are considered for selection of vendor

Currently no control exists for independence and all buyers of the relevant section receive their own quotations

A person independent from the buyer prepares a comparative of all the vendor quotations received based on the standard parameters and any specific parameter defined in the PR/RFQ and selects a preferred vendor for recommendation. The recommendation is sent to an authorized personnel for review and approval.


System is not configured for automatic selection, however additional approval is required for not selecting lower quote

The system is configured to compare all quotations received and select the vendor who can deliver the quality/quantity required at the lowest cost. In the event the automatic selection is not considered by the buyer, a logic note is required to be provided by the requestor/buyer documenting the reasons for not selecting the lower quote. This is sent for additional approval via a workflow. (The approval levels being defined in the system as per delegation of authority)


Midas code of conduct is defined for all departments, however separate code of conduct is required for procurement department due to high risk of fraud and sensitivity.

Code of conduct for the procurement team is defined and an annual declaration of interest disclosure has been received from each buyer confirming that the buyer has no conflicts of interest in respect to the purchase counterparties.

When goods are delivered to store, GRN should be entered to update the goods at that point

Goods received in the last month of the year must be given consideration to avoid cut-off errors


Finance department sends an email to warehouse department to record all GRNs in system at the end of period. Further, security guard enters details of receiving in manual register.

Gatekeeper control system should be incorporated whereby GRN shall initially be parked by gatekeeper in system and then it will be posted by warehouse department to record complete inventory at the cut-off date


No control to record accrual entry for in-quality-inspection inventory

Accrual entry should be recorded at the end of period that should automatically be reversed on the start of new accounting period.


System based authority matrix is defined that is duly approved as per LOAM.

System based authority matrix should be defined as per LOAM.


Proper SOP should be followed in purchase order placement as per LOAM.

Proper SOP should be followed in purchase order placement.


No control to park GRN in system and GRN is directly posted by warehouse in system.

System should be developed to park GRN in system by gatekeeper through DC which will then be posted in system by warehouse department.


GRN should be properly reviewed before entering in the system against the purchase order for accuracy

GRN should be properly reviewed before entering in the system against the purchase order for accuracy

PO is automatically generated against PR, quotation or contract in system.

The purchasing system auto generates the Purchase Order based on the approved system generated quotation/existing contract and Purchase requisition.


No system mechanism to send an email automatically but procurement department forwards an email to vendor as a confirmation of the order.

The system is configured to email the Purchase order to the vendor as a confirmation of the order.


PO is automatically generated against PR and master data details in system.

The system is configured to adopt the details entered in the Purchase requisition at time of creating the PO.


The purchase order is approved in the SAP system by an approved personnel as per LOAM.

The purchase order is approved in the SAP system by an appropriate personnel, who compares the PO details with the approved vendor quotation before approving the PO.


The purchase order is approved in the SAP system by an approved personnel as per LOAM.

The purchase order is approved in the SAP system by an appropriate personnel, who compares the PO details with the approved vendor quotation before approving the PO.


The purchase order is approved in the SAP system by an approved personnel as per LOAM.

The system is configured with validation controls to highlight the following:
1) Mandatory fields left blank
2) Instances where the PO quantity is more than PR qty
3) PO without scheduled delivery dates. Etc


All purchase requisitions are changed to closed upon creation of the corresponding purchase order. A system generated report to monitor open PRs is available and is reviewed by the purchasing team periodically/at defined times

All purchase requisitions are changed to closed upon creation of the corresponding purchase order. A system generated report to monitor open PRs is available and is reviewed by the purchasing team periodically/at defined times

System does not restrict creation of PO without PR

The system restricts creation of a PO against a PR, if the serial number of the PR for which the PO is being created is greater than an overdue open PR in the system


System does not restrict creation of PO without PR

Purchase orders are generated against valid and approved purchase requisitions/MRP runs


System restricts creation of PO without vendor master

Purchase orders can only be created for vendors in the vendor master


No control exists with regard to business share allocation

The company follows a risk mitigation strategy with respect to its supply of critical goods and services by implementing a policy for business share allocation. The policy clearly states, by products and services, the percentage procurement that can be done from a single vendor. The same is used as a guidance in placing orders with Vendors


System based authority matrix is defined as per LOAM in system

All purchase orders should be approved as per the defined LOAM in system


Only authorized persons are allowed to create PO and system based approval authority matrix is defined as per LOAM

Only authorized personnel have access to create purchase orders in the system


Only authorized persons are allowed to create PO and system based approval authority matrix is defined as per LOAM

Only authorized personnel have access to create purchase orders in the system


System based authority matrix is defined as per LOAM in system

Responsibility fixing and actions should be taken against responsible person.

System is not configured for single purchase order against single quotation.

The system is configured to only allow raising of a single purchase order against a quotation comparative.


System is configured with PR and PO

System is configured to prevent creation of a purchase order without a PR reference


Foreign currency risk is hedged due to dollar currency as a base currency

Policies and Procedures are defined for managing foreign currency fluctuation risk. Roles and responsibilities for communicating Foreign currency transactions to the treasury are defined and followed.


System restricts / blocks purchase order once it is amended in system and approval is required as per LOAM

The system is configured to automatically block amended purchase order, until it is approved as per the defined approval matrix in the system.


System restricts / blocks purchase order once it is amended in system and approval is required as per LOAM

The system is configured to automatically block amended purchase order, until it is approved as per the defined approval matrix in the system.


System restricts / blocks purchase order once it is amended in system and approval is required as per LOAM

The system is configured so that access to modify any information is restricted based on roles and responsibilities. Further, all modifications to purchase orders require a reason code to be entered into the system and an auto email of the changes is sent to the vendor


System restricts / blocks amendments in purchase order which are not fulfilled.

System is configured to only allow amendment/deletion of Purchase Order lines which have not been fully fulfilled.


Audit Procedure Source Of Information Comments

For a sample of Vendors added during the period, check that vendor creation forms are duly approved and opened in SAP.

High, medium and low risk vendors are categorized and priorities should be set.

Source of information: Vendor Creation form


For a sample of vendors selected, obtain vendor performance evaluation reports for a couple of months to ensure that vendors are evaluated and corrective measures are taken.

Source of information: Vendor evaluation form


Obtain vendor performance evaluation reports for a couple of months to ensure that vendors are evaluated and rated.

Basis of evaluation should be verified which includes quality, delivery, production capabilities, financial stability, required certification, industry reputation, Timely deliveries, Price competitiveness and stability, Credit period extension etc.

Source of information: Vendor evaluation form


Obtain vendor performance evaluation reports for a couple of months to ensure that vendors are evaluated and rated.

Source of information: Vendor evaluation form

Perform a system based walkthrough to check that unauthorized access is not granted in supplier master data.

Edit log report should be generated and verified with change request form for verification of unauthorized amendments on vendor master data.

Source of information: Vendor Master file


Perform a system based walkthrough to check that unauthorized access is not granted in supplier master data.

Edit log report should be generated and verified with change request form for verification of unauthorized amendments on vendor master data.

Edit log report should be generated to highlight incomplete information in master data.

Source of information: Vendor Master file

Perform a system based walkthrough to check that unauthorized vendors are not added in supplier master data.

Edit log report should be generated and verified with change request form for verification of unauthorized additions on vendor master data.

Edit log report should be generated to highlight incomplete information in master data.

Source of information: Vendor Master file


Perform a system based walkthrough to check that unauthorized vendors are not added in supplier master data.

Edit log report should be generated and verified with change request form for verification of unauthorized additions on vendor master data.

Edit log report should be generated to highlight incomplete information in master data.

Source of information: Vendor Master file


Perform a system based walkthrough to check that unauthorized access is not granted in supplier master data.

Edit log report should be generated and verified with change request form for verification of unauthorized amendments on vendor master data.

Source of information: Vendor Master file


For a sample of vendors selected, check that vendor codes are assigned according to defined policy criteria.

Perform a system test to analyze the duplicate vendor details in system

Source of information: Vendor Creation form

Perform a walkthrough to ensure that same standard is followed, i.e. comparatives are prepared for all POs and lowest quotes are accepted.

Source of information: Vendor Evaluation form

Perform a walkthrough to ensure that same standard is followed, i.e. comparatives are prepared for all service contracts and lowest quotes are accepted.

Perform a walkthrough to ensure that multiple quotations have been identified for procurement.

Perform a system walkthrough to verify that the system is configured correctly.

Check whether product and vendor sourcing strategies exist for key products and services and whether they are reviewed periodically

For a sample of new vendors added to the vendor master, review that market research/RFQ process was performed to select potential suppliers to comply with sourcing strategy

Check system based RFQ used for all POs

For a sample of vendors added to the vendor master, test check on a sample basis that a vendor background check was performed and included the following checks:
a) Restricted parties screening
b) Vendor's legal background check (review of compliance with statutory requirements)
c) Vendor's financial background check (review of financial statements etc.)
d) Vendor performance assessment results (for checking blacklisted vendors that may be reapplying)

Conduct a system walkthrough to confirm the system configuration

Obtain a list of blacklisted vendors for the audit period. Confirm if alternative vendors have been identified for the blacklisted vendors. Test if any purchase orders were raised against blacklisted vendors after the date on which they were blacklisted

Perform data analytics to verify that procurement percentages by vendor are appropriate and comply with defined policies and guidelines.

Perform compliance check to verify that cultivation of alternate vendors is approved as per policies and procedures.

Obtain the report of all purchases made during the period of review and check, If any item marked as single source followed the procurement RFQ process

Goods/Services for which the company has existing rate contracts were procured from a different vendor at higher prices

for a sample of procurement, if the minimum number of quotations were received, and if not, check for evidence that the minimum number of RFQ were sent out.

Perform a system walkthrough to verify that the system is configured correctly.

Check approval of executive management for monopolized items.

Check agreements with monopolized suppliers for uninterrupted supply

Perform a system walkthrough to verify that the system is configured correctly.

Understand the process followed and verify that roles and responsibilities for receiving quotations have been appropriately defined.

Understand the process followed and verify that roles and responsibilities for preparing vendor quotation comparisons have been appropriately defined.

Perform a system walkthrough to verify that the system is configured correctly.

For a sample of purchases made in the audit period, confirm if the purchases have been made in line with the system generated comparison or justification is recorded if not.

For a sample of personnel in the procurement team, verify if declaration of interest disclosures have been received for the audit period under review

GRN of the start of the year was received and compared with the Delivery challans to verify the date when the goods were actually received

Source of information: Data base

Perform a walkthrough by comparing last 3 days' security guard record with GRN in system

Verify that accrual entry is passed in system by finance department.

A sample of purchase orders was taken and the approvals process reviewed to check whether it is according to the requirement of production and that neither more nor less quantity is ordered.

Review approval matrix to ensure the right people have approved PO as per LOAM.

Source of information: Data base

Analyse system based GR/IR report and compare with PO to identify rates and quantity not matching between GRN and PO.

System should be recommended for parking and posting of GRN.

Delays in GRN should be highlighted.

Fictitious procurement should be minimized or controlled.

A sample of GRNs was taken from the list of GRNs generated during the audit period and, against each respective GRN, the PO, gate pass, delivery challan and invoice were reviewed

Source of information: Data base

Perform a system walkthrough to verify the correct functioning of the system

Perform a system walkthrough to verify the correct functioning of the system

Perform a system walkthrough to verify the correct functioning of the system

Perform a system walkthrough to review how the delegation of authority has been mapped in the system and check that all POs require an approval prior to being finalized.

For a sample of POs raised during the period of review, check the Order raised to the source vendor quotation and the purchase requisition to verify that the PO was correctly raised (and correctly verified at the time of approval).

Perform a system walkthrough to verify that all possible validation controls are enabled in the PO creation screen.

Perform analytics to identify any PO raised during the audit period without the required mandatory fields, Quantity in excess of PR quantity or any visible inaccuracies.

Perform a system based walkthrough to ensure release strategies can be edited.

Perform a system based walkthrough to ensure sensitive fields i.e. delivery date, payment terms etc are editable.

Perform a system based walkthrough to ensure rates in PO are equal for all units. In case of any deviations identify reasons for such deviations.

Obtain and age the list of open PRs in the system. Identify the following:
1) Old open PRs not closed.
2) PRs open past the required date of receipt of goods/service.
3) PRs open which cannot be fulfilled in time on comparison to the average vendor lead times.

Understand reasons for long overdue open PRs. Investigate on how the purchase needs were met in those instances

Perform a system walkthrough and confirm the system logic

Perform analytics and identify instances where POs have been raised against PRs in spite of previously overdue open PRs in the system

Perform a system walkthrough to confirm if POs can be raised without a valid PR

Analyze the PO's generated against the corresponding PRs and identify anomalies/blanks in the PR reference.

Perform a system walkthrough to analyze PO can be raised before PR and identify instances where the PO date is before the PR date

Perform a system walkthrough and confirm if a PO can be raised on a vendor not available in the vendor master

Analyze the PO data against the vendor master data and identify instances where PO's have been generated to vendors not available in the Vendor master

Analyze the volume of purchases made from vendors. Confirm if the business share is aligned with the policy and excessive reliance is not placed on a single/handful of vendors

For a sample of Purchase Orders, review system POs and confirm that these have been approved as per the defined LOAM.

Perform a system based walkthrough by generating a report to ensure unauthorized individuals are not allowed for PO creation

Perform a system based walkthrough by generating a report to ensure PR and PO access is not given to same individuals.

Perform a walkthrough by generating a PO report to ensure domain of same assigned person has been used, as mentioned in LOAM while creating PO

Perform a walkthrough by generating a report to ensure LOAM is properly followed.

Perform a system walkthrough to verify that the system prevents creation of more than one PO against a single approved quotation comparative.

Perform a system walkthrough to verify that the system prevents creation of PO without PR creation.

Understand the foreign currency risk management process followed by the company and the role of the procurement department

Verify that key procedures related to managing currency risk related to foreign currency PO's are being followed

Perform a system walkthrough to verify that the SAP system automatically blocks the amended Purchase Order until it is approved as per the approval matrix.

Identify instances where the purchase orders were modified and for sample cases check:
a) Request for modification received from requestor.
b) Approvals obtained as per approval matrix to amend/delete.
c) Check whether the reasons for amendment/deletion of purchase orders have been accurately captured in the system. Ascertain the validity of the reasons entered.

Test the system configuration in the test environment and obtain an extract of all POs that have been amended during the audit period and verify that they have been approved as per the approval matrix. Verify that reason code field is correctly captured for a sample of instances.

Test the system configuration in the test environment whether purchase orders can be modified after complete receipt of material.

Review the PO edit log and confirm date of amendment with the date of GRN raised against the PO.

Test the system whether purchase orders can be modified for partial receipts.
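
Several of the PO analytics named in the audit procedures above (POs on vendors missing from the vendor master, POs raised on a blacklisted vendor after the blacklisting date, blank PR references, PO dated before its PR, PO quantity above PR quantity) can be run as one pass over PO, PR and vendor extracts. The following is an added example, not part of the original matrix; the field names and sample records are constructed and do not mirror any SAP table layout, and the quantity test is generalized to the cumulative PO quantity per PR.

```python
from datetime import date

# Constructed sample extracts; field names are assumptions for illustration.
VENDOR_MASTER = {
    "V100": {"blacklisted_on": None},
    "V200": {"blacklisted_on": date(2023, 6, 1)},
}
PURCHASE_REQS = {
    "PR-1": {"date": date(2023, 5, 2), "qty": 100},
    "PR-2": {"date": date(2023, 7, 10), "qty": 50},
}
PURCHASE_ORDERS = [
    {"po": "PO-1", "vendor": "V100", "pr": "PR-1", "date": date(2023, 5, 5), "qty": 60},
    {"po": "PO-2", "vendor": "V200", "pr": "PR-1", "date": date(2023, 6, 15), "qty": 20},
    {"po": "PO-3", "vendor": "V999", "pr": "PR-2", "date": date(2023, 7, 12), "qty": 50},
    {"po": "PO-4", "vendor": "V100", "pr": "PR-2", "date": date(2023, 7, 1), "qty": 30},
    {"po": "PO-5", "vendor": "V100", "pr": "", "date": date(2023, 8, 1), "qty": 10},
    {"po": "PO-6", "vendor": "V200", "pr": "PR-1", "date": date(2023, 5, 20), "qty": 5},
]


def po_exceptions(pos, prs, vendors):
    """Return {po_number: [exception codes]} for every PO failing a test."""
    findings = {}
    ordered = {}  # running PO quantity per PR, in PO date order
    for po in sorted(pos, key=lambda p: (p["date"], p["po"])):
        codes = []

        # Vendor tests: PO on a vendor absent from the master, or raised
        # after the date on which the vendor was blacklisted.
        vendor = vendors.get(po["vendor"])
        if vendor is None:
            codes.append("VENDOR_NOT_IN_MASTER")
        elif vendor["blacklisted_on"] and po["date"] > vendor["blacklisted_on"]:
            codes.append("PO_AFTER_BLACKLISTING")

        # PR tests: blank or unknown reference, PO dated before the PR,
        # and cumulative PO quantity above the PR quantity.
        if not po["pr"]:
            codes.append("BLANK_PR_REFERENCE")
        elif po["pr"] not in prs:
            codes.append("PR_NOT_FOUND")
        else:
            pr = prs[po["pr"]]
            if po["date"] < pr["date"]:
                codes.append("PO_DATED_BEFORE_PR")
            ordered[po["pr"]] = ordered.get(po["pr"], 0) + po["qty"]
            if ordered[po["pr"]] > pr["qty"]:
                codes.append("PO_QTY_EXCEEDS_PR")

        if codes:
            findings[po["po"]] = codes
    return findings


if __name__ == "__main__":
    for po_number, codes in po_exceptions(
        PURCHASE_ORDERS, PURCHASE_REQS, VENDOR_MASTER
    ).items():
        print(po_number, ", ".join(codes))
```

PO-3 is flagged on quantity although its own quantity equals the PR quantity, because PO-4 had already drawn on the same PR; a per-PO comparison alone would miss that split.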
