Purchase, procurement to pay, or P2P is the process by which an organization purchases the material it requires, for manufacturing goods or for its own use, from a vendor selected on prerequisite criteria; the process is complete when final payment is made to the vendor. The entire process is simple for a small organisation where few people work or activities are limited. The owner is personally involved in the organization's activities and decides what is good for the business and, ultimately, for the investor (himself). But as the business grows manifold, or in any big organization, listed or unlisted, many stakeholders are involved (such as owner, management, shareholders, investors or tax authorities) and individual processes are independent and large enough for a separate department. Control is then required because various risks crop up with each process, and that is how this term was derived and the process created.
Businesses based in the USA, and USA-based businesses doing business in other countries, for whom SOX compliance is mandatory, need to ensure that their businesses in other jurisdictions are also SOX compliant, because the business has to present consolidated financial statements at headquarters. Whether for the quarterly filing of 10-Q or the annual filing of 10-K, the CEO, CFO, management and auditor of the organization need to certify and verify that internal control has been implemented and is working effectively. Similarly, in India every listed company has to report on Internal Financial Control (IFC) in its board report, stating that it has laid down an adequate and efficient IFC system. In addition, the auditor also needs to present an opinion on the IFC system and the operating effectiveness of such controls as per Section 134(5)(e) of the Companies Act, 2013. Even directors of unlisted companies have to comment on the effectiveness of internal control. Such executives can give this report only when effective internal control has been working throughout the year within the framework of the organization.
Let's come to our specific topic of P2P, where we will discuss the risk associated with each intermediate process and the relevant control for mitigating that risk. Let's first look at the steps involved in P2P to understand the process:
Material Request -> Purchase Order Created -> Goods Receiving -> Invoice Processing -> Payments
(Process Initiated) -> (Order Creation) -> (Goods Received) -> (3-way matching done) -> (Completed)
As discussed above, risk is associated with every step involved, and each organisation needs appropriate controls to mitigate such risk. No two organizations are the same; similarly, no two organizations have the same activities or, ideally, the same controls. Risk arises from misappropriation of assets, fraud, wilful concealment of facts, or any other direct or indirect benefit to the persons involved. Risk also varies depending on whether the processes discussed above are carried out manually or automatically. With automated controls, one needs to ensure that the ERP is correctly implemented and that there is proper segregation of duties (SOD) for creation and approval of vendor, payment and GL; then one may safely assume that the control is working appropriately. With manual controls, however, one needs to actually observe, re-verify, re-calculate or inquire in order to see the entire process, and adjust the auditing process accordingly to verify that the control is working appropriately.
Let's discuss a few apparent risks associated with the P2P process and the relevant control for each:
1) Purchase request may be created by any user - Approval should rest with the department head, who has the authority to approve or reject the request.
2) PO is created based on an approved purchase request - There should be a proper mechanism to check and verify that the PO matches the purchase request.
3) New vendor creation - There should be appropriate checks and balances in place when a new vendor is created in the system. In an automated system there should be proper segregation of duties (SOD) between creation and approval of a vendor. In a manual process, at least 3 quotations should be sought from random vendors before selecting the one who meets demand in terms of quality, quantity and price. For a regular supply, the order goes to an approved vendor at the approved price.
4) Goods receiving - Goods received should be thoroughly matched with the PO and finally checked for quality and quantity before the GRN is approved. Any deficiency or surplus should be adjusted with a debit or credit note.
5) Invoice processing - Before processing the invoice and making payment to the vendor, matching should be done to ensure that the PO, GRN and invoice agree in terms of price and quantity.
6) Payment - Once the invoice is approved, payment is made to the specific vendor against the approved invoice and GL entry.
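The three-way match in control 5 and the vendor creation/approval SOD in control 3 can both be tested over records exported from the ERP. The Python code below is an added example, not part of the original article; the record layouts, field names, user names and sample data are all constructed for illustration.

```python
# Constructed sample data; field names are hypothetical, not from any ERP.
PO = {("PO-1", "steel"): (100, 5000), ("PO-2", "bolts"): (500, 20)}  # (qty, unit price)
GRN = {("PO-1", "steel"): 100, ("PO-2", "bolts"): 480}               # qty received
INVOICES = [
    {"inv": "INV-1", "po": "PO-1", "item": "steel", "qty": 100, "price": 5000},
    {"inv": "INV-2", "po": "PO-2", "item": "bolts", "qty": 500, "price": 20},
    {"inv": "INV-3", "po": "PO-1", "item": "steel", "qty": 100, "price": 5200},
    {"inv": "INV-4", "po": "PO-9", "item": "paint", "qty": 10, "price": 900},
]
VENDOR_EVENTS = [
    {"vendor": "V-100", "created_by": "asha", "approved_by": "ravi"},
    {"vendor": "V-101", "created_by": "ravi", "approved_by": "ravi"},
]

def three_way_exceptions(invoices, po, grn):
    """Return {invoice id: [reasons]} for invoices that fail PO/GRN/invoice matching."""
    billed = {}       # quantity already cleared for payment, per PO line
    exceptions = {}
    for inv in invoices:
        key = (inv["po"], inv["item"])
        reasons = []
        if key not in po:
            reasons.append("no matching PO line")
        else:
            po_qty, po_price = po[key]
            # Cumulative quantity catches a second invoice for goods already billed.
            total = billed.get(key, 0) + inv["qty"]
            if inv["price"] != po_price:
                reasons.append("price differs from PO")
            if total > po_qty:
                reasons.append("billed quantity exceeds PO")
            if total > grn.get(key, 0):
                reasons.append("billed quantity exceeds GRN")
        if reasons:
            exceptions[inv["inv"]] = reasons
        else:
            billed[key] = billed.get(key, 0) + inv["qty"]
    return exceptions

def sod_violations(events):
    """Vendors whose creator and approver are the same user."""
    return [e["vendor"] for e in events if e["created_by"] == e["approved_by"]]

if __name__ == "__main__":
    for inv_id, why in three_way_exceptions(INVOICES, PO, GRN).items():
        print(inv_id, "HOLD:", "; ".join(why))
    print("SOD violations:", sod_violations(VENDOR_EVENTS))
```

Invoices returned by `three_way_exceptions` are held from payment until the difference is resolved, for example by the debit or credit note described in control 4.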
As discussed, not all of the above processes are standard or applicable everywhere. They depend thoroughly on the organization and the way it conducts business. However, these are general controls, and they give a fair idea of how each step in a process gives rise to a risk and how a control should be created to mitigate it. In addition, nowadays most large companies have a customised ERP system in which most of the processes are automated and any deficiency is flagged automatically. However, one needs to regularly test the ERP system itself for the controls implemented and their actual working. Also, any new risk identified gives rise to a new control that needs to be implemented accordingly.
******
Writer is a professional in practice, may be reached at [email protected] or WhatsApp at 91-9117979588. This write-up is for academic purposes only and the views expressed are personal in nature.
CA Minish Mishra has vast and dynamic work experience of 10+ years. He started his career at a very young age and worked with various businesses outsourcing industry in various capacities, and completed the Chartered Accountant course through self-study, utilising the practical knowledge acquired during his early life. His areas of interest are taxation and audit, and he is passionate about law.