In my experience as an auditor over the past 12 years, specifically as an internal auditor to multiple organizations, I believe that the risk landscape of businesses is changing with every passing year. What used to be an audit procedure to identify risks a few years ago is no longer relevant today, as the risks of today did not even exist a few years ago. 

Vendor Procurement Function is The High Risk Area in Organizations

If I need to pinpoint one area that is always a high-risk area in any organization, it is the procurement function. There are multiple risks an organization needs to take care of, especially in the procurement function. There are a lot of frauds that I have seen in my experience in the procurement function. 

Case Study of Internal Audit – Vendor Kickback

We were handling an internal audit of a big company where the monthly purchases ran into crores. We were analysing the risks in the procurement function. One of the key risks we identified was vendor kickbacks.

What is Vendor Kickback Risk?

Vendor kickback risk is a risk where the procurement personnel favour a vendor and allot a procurement contract in exchange for money (commonly known as kick-back).

In such scenarios, the vendor’s quality of products or services may not be regarded as a deciding factor, as the same becomes unimportant when the procurement personnel have made some extra money in the process. 

How Vendor Kickback Works?

Imagine a procurement head onboarding multiple vendors in a year; what could be the illicit gains he or she could have made in this process?

It is extremely difficult to find a vendor kickback in an audit, as the money flow never comes into the books of accounts. The vendor gets the contract and gets paid for the goods/service delivery, and the vendor, in turn, pays a fixed/percentage to the purchase personnel.

How We Detected Vendor Kickback in Internal Auditing?

We implemented below strategies & methodologies to identify the risk of Vendor Kickback during our internal audit.

1. We established Ethics Hotline Number – Establish an ethics hotline with a common number and an email ID mentioned in the tender document. The number mentioned here should be from one of the senior members of the board or an independent committee member. An ethics hotline is the best way to induce fear that such vendor kickback requests could be reported, and also the most cost-effective way to build controls. 
2. Vendor List Vetted By Directors – We did an analysis of the new vendors onboarded during the year for each item and get this list vetted by the directors. If they are aware of a change in vendors for such an item, and if such a change was warranted. Many times, such a person can identify that change was not warranted, and still, there has been a change. This shall be considered a red flag. 
3. Cost Analysis of New Vendor – We performed an analysis of whether onboarding the new vendor has either reduced the cost or enhanced the quality of the output. If the new vendor addition has not resulted in either of them, we dug deeper to understand the reason for such a change.
4. We experimented with Mock Calls – We did a few mock calls from one of the audit team members to see if the procurement personnel yield to such kick-back requests. This demanded some real acting skills, though!

Vendor kickbacks, unlike other risks, need a lot of in-depth audit to identify, and many times, only a pattern can help us identify such fraud.