Internal auditors visited their company's vendors to do compliance reviews of conflict of interest policies. The results were surprising and rewarding. Here's how to get started.

We did not invent vendor audits, of course. A great deal of our procedures and practices are derived from the experience and knowledge of others, via books and articles and, more importantly, from the war stories of seasoned audit veterans. In other words, we plagiarized the best of what others had and then added our own twists--twists we believe demonstrate our auditing and managerial imagination.

Commodity/Vendor Audits

From an internal audit perspective, the idea of auditing vendors is a sound one, especially if you add to it the concept of evaluating the goods or services the vendors provide. Consequently, what we started with, and what we still have, is the concept of commodity/vendor audits. (Commodity, for us, is defined as both goods and services.) These audits can be initiated either by selecting a commodity or by selecting a vendor. We started by selecting a commodity, mainly because we wanted to see more clearly the company's procurement, inventory, and disbursement systems. We wanted to know, for example:

* Who determined the business requirements for a particular commodity;

* How the commodity was used and consumed, and how anyone knew it had been consumed;

* What was done with the commodity after it was consumed; Did it have any residual value; If so, how disposal of the commodity was handled;

* What was the procurement process and what assurance we had that our company was getting good terms (in price and delivery, for example);

* How and when the internal accounting and operating systems recognized and controlled all of the transactions that had token place regarding a commodity, and who evaluated these transactions.

The questions go on. But you get the point. We wanted to start at the beginning and end at the end, thereby auditing transactions at a "micro" level rather than a "macro" level. We hoped to discover more than intellectual enlightenment at the end of the rainbow; we hoped to find a pot of gold there too. (And we did!) The first six commodity audits that we did resulted in more than a quarter of a million dollars recovered for our company. The recovery came from such items as duplicate billings for daily equipment rentals and prices for commodities that did not agree to the proper price lists. (If you are wondering how in the world such things could happen, remember the old axiom: every fail-safe system fails by failing to fail-safe.)

The techniques we used for these first audits were not profound. Because we wanted to start on a small scale and work our way up, the commodities did not include any of the important ones used by the company. Our basic techniques included the following:

* Do whatever research is required to become a quasi-expert on the commodity. Consult the purchasing department, operating departments, and outsiders. Buy whatever reference materials are necessary, if any exist. (In this case, knowledge is absolute power--and the only way to blow away any smoke.)

* Use your knowledge as a quasi-expert on the commodity, determine where the company fits into the scheme of things. Why do we use this commodity? Why would anyone use it? What do other companies do? What are the alternatives to using this commodity? What is the market, and where do we fit into it?

* Use all available analytical tools. Analyze, dissect, in other words, do an autopsy of all transactions (100%) in this commodity for at least a six-month time period.

* Finally, put on your cap and do whatever is necessary to separate the wheat from the chaff.

The first commodity audits were performed over a time frame of several years. They were scheduled to fit between assignments, assignments many would consider more typical for an internal audit department. But when the commodity audits became successful, they built a momentum of their own, moving up the priority totem pole to compete with other types of audit projects. It was at this point we decided to exercise some entrepreneurial spirit by expanding the scope to include examinations of vendor books and records. Little did we know we were about to open Pandora's box; and that when you lift that lid, you better be prepared to dance with whatever pops out. The Selection Process

The logic of examining vendors' books and records was, and is, compelling. From an audit perspective, we believed that, among other things, it would be the single most effective way to do compliance reviews of the company's conflict of interest policy. (It is!)

Once we had decided to examine the vendors' books and records, we had to decide who was to be first, who was to be the lucky one. There are a number of ways to make such a selection, and it's likely there are better ways than ours. However, this is how we did it:

1. We examined our company accounts payable detail, vendor by vendor, page by page, item by item. (The accounts payable detail is our company's record of all cumulative transactions for the year with its vendors. By the end of the year, this record is a computer report more than 12 inches thick.) We were looking for vendors with peculiar names or with names very similar to one another; invoice numbers issued in tight sequential order, meaning a vendor was doing a lot of its business with us; and invoice amounts that were always in even dollars or just looked funny. When we finished, we had 60 possible candidates to be the first lucky vendor.

2. To reduce 60 possibilities to a smaller number, we decided to take a chance and select only those vendors with tight invoicing sequences, regardless of how much business the company was doing with them. This got us down to less than 10 vendors. Next we did Dun & Bradstreet reports. Eventually, we would do D & Bs for the other 50 vendors as well.

3. Finally, we zeroed in on the vendors with whom we had spent the most money; the vendors who had the tightest invoicing sequence; and the vendors who represented the newest additions to the vendor master file. After combining these factors, we selected the lucky one: a vendor who had done over a million dollars of business with us for the year. The invoicing sequence for this vendor was so tight, light wouldn't have escaped. The company had just recently been formed as a new business and had just recently been added to the vendor master file.

Just Do It

We were now ready to go for it; we had a good target for our first vendor audit. We had developed a generic audit program, so we had a plan. We knew what records we wanted to review, so we had a list. We had decided to phone in advance and make an appointment, rather than to show up on the doorsteps with a surprise audit, so we figured we had a way to get in. What we didn't have was courage. It took more than a week for us to build up enough of it to make the phone call. After bracing myself for an unpleasant confrontation, I telephoned the lucky vendor's president. I introduced myself, told him his company had been selected for one of our routine vendor audits, and we would need to examine certain records. I told him which records we wanted to see and asked where these records were kept. He told me, and I replied that we would be there two days later at 9 a.m. (I subsequently sent a letter to him confirming our plans.) At the end of the conversation, the vendor's president told me he welcomed the audit and thought it was a good idea for our organization to conduct these audits. Well, here I was prepared for an unpleasant confrontation, and the guy was eager for an audit. I now figured we had clearly selected the wrong vendor and wondered if perhaps we should start with our second choice first. The only reason we didn't audit the second choice first was I didn't have the courage to call the first choice again and postpone what had already been set up. (It was a good thing I didn't!)

We arrived at the vendor's office on schedule, had an opening conference and then started to work. In less than 15 minutes, we began to suspect we were going to find some major violations of our company's conflict of interest policy. A casual glance at the vendor's books told us that nearly 100% of the vendor's gross sales was to our company and that its entertainment expenses (not including travel) for the year were more than 10% of gross sales.

Our suspicions turned out to be well founded. The results of the audit were devastating. There were major violations of our company's conflict of interest policy and evidence of minor frauds. Details must remain confidential; but the audit discovery was so easy to do and the facts so obvious even a first-year auditor could have sorted it out.

Well, Pandora's box was certainly open now. We became too busy to reflect much on where we were going, because we were so busy dancing. Before the dance was over, it lasted more than six years, we had danced with a cast of a thousand and one.

Learning from Experience

By the end of 1990 we had as much vendor auditing experience--and as many war stories--as any audit department we knew of. We had worked with Federal law enforcement agencies, the FBI, postal inspectors, IRS criminal investigators, and prosecutors in the U.S. Attorney's office. We had been sued for defamation of character. (We won the case.) And we had documented several substantial claims against our company's fidelity bond.

Other things had also happened by the end of 1990. The dust had settled a little, and we had time to reflect on past events. We developed a profile of our problem cases with vendors and defined six conditions that signaled trouble, or at least the potential for it. In no instance were all of these conditions present in a single case; but in most instances, at least two were represented:

* Large percentages of the vendors' sales were with our company-- always over 35%--sometimes as high as 100%.

* The vendors' pricing of goods or services and their methods of determining prices did not comply with the general practices for their industries.

* The vendors did not own the equipment our company was renting from them but were renting it themselves from sources from whom we could have rented directly.

* Entertainment charges incurred by the vendors were substantial percentages of their gross sales; in one case it was almost 10%.

* Third-party invoices submitted by the vendors as backup were entirely or partially altered or fictitious.

* The vendors' street addresses, as shown on their invoices and in our company's files, were fictitious.

Armed with hindsight, we also realized our vendor audit program was rather cumbersome. We could do only two audits a month, at best. And there were lots of vendors. Of course, we could have added dozens of auditors to the staff, but, really, such things are never in the cards at any company. Instead, we decided to use what we had learned to refine and further improve our approach to doing vendor audits.

New and Improved Tactics

In redefining our vendor audit approach, we agreed on several objectives we thought would improve our efforts. We agreed our revised approach would--

* contemplate all of the major characteristics of past problem cases;

* provide substantially wider coverage.

* improve the administration of the vendor audit process, comprising such things as data and file maintenance and selection of vendors for audit; and

* be simple and fast and produce results.

After combining the characteristics of our problem cases and the objectives we wanted to accomplish, our revised audit approach took on the architecture of three basic features:

1. We developed a data base to provide fundamental information about the company's primary vendors (and many secondary ones too) and to serve as the focal point for administering the vendor audit process. The data base includes the main files of documents kept manually and a computer data base file. The documents in the main files include materials such as correspondence with vendors, vendor surveys (a questionnaire where we ask the vendor for information relating to ownership information and financial statements), Dun & Bradstreet reports, and the written results of any vendor audits. Often, if a vendor made the news for some reason, there are copies of news clips on file. At one time these files were a haphazard mess of pieces of scratch paper; now, they are well organized and maintained. The computer data base file came about because we often needed immediate access to data contained in the document files, especially when we were out of town.

2. We developed a priority assignment system that uses a simple risk analysis to determine a vendor's audit status. Each vendor is assigned a number from 0 to 10, with 10 as the highest priority. Keep in mind we make lots of exceptions. No vendor should feel safe that it might be precluded from ever being audited.

* We assign high priorities to any vendor that has more than 5% of its sales with our company, especially if annual sales volume with us exceeds a certain amount. (We will let everyone guess what the amount is, but it is not very big.)

* Vendors who have more than 15% of their sales with our company are likely to be put on an 18- to 24-month audit cycle, which is a high audit priority.

* We assign low priorities to large, nationally known companies who have their own internal audit staffs and who are likely to monitor their own conflict of interest policies.

3. Three phases of audit programs were developed. The phase used depends on the priority assigned to a vendor.

Phase I

The purposes of a Phase I audit are to find out more about a vendor than what is revealed in our vendor survey and the reports we have from Dun & Bradstreet, and, in so doing, to enhance our odds of detecting any problems as early as possible. A Phase I can be called a research project. It helps us to become familiar with a vendor and the type of business it is, including its general market, pricing structure, and goods or services. Above all, we must confirm that its methodology for pricing its goods or services follows industry practices.

During Phase I, we also obtain current financial data and calculate the percentage of the vendor's sales volume to our company and obtain representations from the vendor that it owns the equipment it is using or renting to us.

PHASE II

Phase II validates the existence of the vendor through a site visit and inspection of the vendor's facilities and requires the completion of a questionnaire designed to acquire additional data about a vendor. Some of the questions are rather pointed: "Were trips, merchandise, money, or other favors furnished to our employees; and, if so, who are these employees?" The questionnaire, comprised of about 15 questions, is finally signed by the vendor's representative (usually the owner) and by the auditor. (We are not opposed to or any longer intimidated by the possibility of confrontations with our vendors. But our basic approach is to avoid creating adversarial situations and, if we can, to create vendor relations that discourage misconduct.) More often than not, a Phase II is done if a Phase I is done; and the questionnaire is always done face-to-face. We have thought about mailing the questionnaire to selected vendors but have not done so thus far, because it just doesn't seem like the right thing to do.

Although Phase I and II both seem so simple, it is an interesting commentary that not one, not even one, of the problem cases we have detected since 1982 would have survived a Phase I and II audit. That is, they would not have survived without triggering a full-scale audit, which is a Phase III.

PHASE III

A full-scale vendor audit is done during Phase III. The audit program is a lengthy one, but to go through it should consume less than three days in the vendor's office. (If an audit takes more than three days in the vendor's office, it will be difficult to convince the vendor, or anyone else, that it is just routine. Everyone will start to get really edgy. If people get edgy, bizarre behavior is sometimes manifested. The worst kind, for us anyhow, is the kind where the owner feels personally compelled to look for and bring us every record and then sit in the room with us while we try to work, presenting us with an inexhaustible supply of reasons about why we don't really need to look at the records anyway.)

There are no particular secrets to our Phase III audit program. Experienced auditors, frankly, could just make it up as they go along. The coverage is typical. It covers mainly disbursements, such as those for promotion, advertising, donations, commissions, entertainment, travel, payroll, and the like. Anyone could develop an audit program for doing what we do. The real secret is in just doing something, in just getting started.

Many Benefits

Our first approach to doing vendor audits served us well; in fact, there was only one reason to make any changes. We had learned that it was overkill, meaning that we did not have to do full-scaled audits to find problems. Problems can be found with much less effort. Full-scale audits can be reserved for those cases where problems are detected, or suspected, or for those major vendors set up on an audit cycle of 18-24 months. We think our revised approach gives us far more coverage and exposure to vendors and helps to discourage the sort of employee and vendor misconduct that happened in the past. The lesson to be learned from all of this is that a vendor audit program is well worth the time and effort expended, even if you're convinced the vendors' records and documents will not show anything. Our experience has shown us time and time again the vendors' records and documents are quite adequate for audit purposes. You will never do any vendor audits if you are defeated by the natural propensity for underestimating what can be found on the paper trail. A final word: virtually all our vendors like our program of doing vendor audits. It gives them someone to go to if they think they are being unfairly treated. And it gives them a good excuse for not doing the entertainment (or whatever) they did in the past. They can now say, if they wish, that they can't do it anymore because of the company's nosy auditors. We believe that our vendors now offer better procurement terms because their costs of doing business with our company have been reduced.

QUESTIONS AND ANSWERS ABOUT OUR VENDOR AUDIT PROGRAM

Why don't you do surprise audits and just show up at the vendor's front door? There are several reasons we don't do surprise audits. First, we believe it would be discourteous just to show up without an appointment. And if the people you want to see are not in that day, the auditors are the ones who are surprised.

Second, we advertise our vendor audit program as a routine one. Audits on an unannounced basis seem inconsistent with that advertisement. Besides, we have overcome our fear that documents might disappear or be altered; two or three day's notice is just not enough time for someone to purge the paper trail.

What happens if a vendor refuses to let you do an audit? We've never had a vendor refuse an audit out-of-hand. One vendor insisted on a "confidentiality agreement" that stipulated we would not divulge trade secrets and the like. It seemed fair enough to us, so we went along with it; and the audit proceeded.

One vendor refused to let us look at the chief records we wanted to examine, limiting significantly the scope of our proposed audit. We audited what we could; and what we could was enough to find violations of our company's conflict of interest policy. This incident by the way, happened right after we first started doing vendor audits. If we had to do it all over again, we would have withdrawn from the audit and made the appropriate report to management, because years later this vendor represented to others that a complete audit had been done by us, when in fact, a complete audit had not been done. How do you go about getting "audit rights" with your vendors? Audit rights can be acquired in all of the usual ways: a) a contract provision, stated in whatever language a legal department, or anyone, believes appropriate; b) a provision somewhere on the backside of whatever procurement document is used, such as on the backside of a purchase order; c) all of the above, plus an audit provision included within a special document that is completed and signed by vendors, such as a vendor survey mailed to all new or proposed additions to the vendor master file.

Actually, I do not concern myself with audit rights. A few of our vendors have wanted to debate the issue of audit rights, and my response is they should assume we have no audit rights. We are basing our request for the audit not on legal rights, which I consider irrelevant, but on a reasonable business request from our company to theirs. The audit is our company's way of routinely testing for compliance with its conflict of interest policy. So tiff, this position has eliminated any debate and quarrels regarding the issue of audit rights. What do you do if management does not want you to audit the company's vendors? The answer depends on the definition of management. If the president supports the program, if the chairman of the audit committee supports the program, that's enough. If neither of them supports the program, you should forget it. There is no need for the members of the audit staff to become pawns on the corporate chess board. In our case, we had support from the very beginning, not only because such support was, and is, the right thing to give, but because we were so successful with monetary recoveries from the start. These monetary recoveries helped considerably to defeat any criticisms that might have come from anyone in the organization.

What do you do if some senior person in management wants you to exclude a vendor from your audit program? I have never had this happen, but this is what I would do if it did. I would have this senior person make a list of all vendors to be excluded from audits; make sure the list is comprehensive. Now then, I will let you guess what I would do if I were ever lucky enough to gain possession of such a list.

B. Ray Mize, Jr., CPA, former manager of Internal Audit at Ocean Drilling & Exploration Co. in New Orleans, is a consulting auditor based in Kenner, Louisiana.