RISKS AND CONTROLS IN THE PURCHASING PROCESS (STUDY OBJECTIVE 2, continued)

As described in previous chapters, management is responsible for implementing internal controls over each business process. Accordingly, the purchasing process needs special attention to reduce the risk of fraud or errors specific to these types of transactions. The next section identifies common procedures, organized according to the five internal control activities discussed in Chapter 3.

AUTHORIZATION OF TRANSACTIONS

Specific individuals within the company should be given authoritative responsibility for the preparation of purchase requisitions and purchase orders, including approval of the specific items to purchase, order quantities, and vendor selection. Only those designated individuals should have the opportunity to carry out these tasks. The company should establish specific procedures to ensure that POs have been properly authorized before the order is officially placed with a vendor. The authorized individual typically includes his or her signature or initials on a purchase requisition to indicate proper authorization. In an automated system, specific authorization for purchase transactions can be controlled by limiting access to the authorization function. This is a critical control in that no purchasing events should begin until the initial authorization occurs. In most organizations, the approval of a purchase requisition is the initial approval that triggers the remaining purchasing processes.

A company should have established guidelines for managing vendor relationships, including securing competitive bids for purchase requisitions, negotiating payment terms, and maintaining current price lists. These functions should be limited to designated individuals within the company.

SEGREGATION OF DUTIES

Within the purchasing process, the accounting duties related to requisitioning, ordering, purchase approval, receiving, inventory control, accounts payable, information systems, and general accounting should be segregated in order to meet the objectives of internal controls. In general, responsibilities for authorization, custody, and record-keeping functions should each be separated in order to prevent the possibility of error or fraud. The authority function includes approval of purchasing transactions and certain information systems tasks such as data entry, programming, IT operations, and security. The custody function includes inventory handling and receiving, as well as the related cash disbursement duties. The record-keeping function includes preparation of POs, as well as the general accounting reports such as the purchases journals, the accounts payable subsidiary ledger, the inventory ledger, the general ledger, and financial statements.

Ideal internal controls involve complete separation of inventory custody from inventory accounting. With respect to the purchasing process, this control is especially important in reducing instances of fraud. If, on the other hand, individuals have an opportunity to both handle inventory and access the related records, theft could occur and be concealed by altering the records. If custody and record keeping are segregated, the person having access to the goods may have an opportunity to conduct the theft, but will not have the capability to alter records.

ADEQUATE RECORDS AND DOCUMENTS

Accounting personnel should ensure that adequate supporting documentation is maintained for purchasing transactions. Files should be maintained for purchase requisitions, POs, receiving reports, invoices, and so forth. These files should be organized either in chronological order by due date, in numerical sequence by form number or inventory item number, or in alphabetical order by vendor name. When documentation is well organized, a company can establish the validity of its transactions and determine whether omissions have occurred. For instance, if the purchase requisition, PO, receiving report, and invoice are each retained and matched, accounting personnel can determine that each purchasing transaction is carried out properly with respect to quantity, quality, price, vendor, timing, etc. Proper documentation also establishes an audit trail and facilitates the performance of independent checks and reconciliations.

SECURITY OF ASSETS AND DOCUMENTS

Purchasing records and programs must be protected from unauthorized access through the use of electronic controls, such as passwords, and physical controls, such as locked storage cabinets. Physical controls should also be used in the company's storage warehouse and receiving area, in order to protect purchased items from theft.

INDEPENDENT CHECKS AND RECONCILIATION

Some specific internal control procedures to be performed to achieve accountability for this process are presented next. The performance of these functions by someone independent of the related authority, custody, and record-keeping functions for the purchasing process will enhance their effectiveness. For example, periodic physical inventory counts should be reconciled with the inventory ledger and general ledger control account to make sure inventory is being properly accounted for. Significant differences may indicate that purchases have been omitted or theft may have occurred. Independent reconciliation of the accounts payable subsidiary ledger to the general ledger control account also helps ensure that transactions have been properly posted.

COST–BENEFIT CONSIDERATIONS

We know from previous chapters that companies will implement internal controls only if the corresponding benefit exceeds the cost of implementation. Accordingly, the company should evaluate risks prevalent in its system before determining the mix of controls to execute. Some high-risk characteristics that might warrant the need for extensive internal controls are as follows:

1. Goods received are especially difficult to differentiate, count, or inspect.
2. High volumes of goods are often received, or the goods are of high value.
3. Inventory pricing arrangements are complex or based on estimates.
4. Frequent changes occur in purchase prices or vendors.
5. The company depends on one or very few key vendors.
6. Receiving and/or record keeping are performed at multiple locations.

When any of these circumstances exist, management should be especially mindful of related controls that could effectively prevent or detect errors or fraud that could occur.

Exhibit 9-8 summarizes examples of internal controls and the related risks that are minimized in the purchasing process. This exhibit does not include all the possible risks and controls surrounding purchasing transactions, but provides some common problems that may be encountered.

Exhibit 9-8 Purchasing Controls and Risks