PROCUREMENT RISK REGISTER

EVENT OWNER MEEVA THOMAS

AUDITOR INTERNAL AUDIT TEAM
AREA PROCUREMENT

Inherent Residual Risk

Area Risk Description Potential Impact Observation Risk Response Recommendation

Risk Score

Risk Score
Impact

Impact
Likelihoo

Likelihoo
d

Purchase Policy Purchase at higher cost
Purchase of sub standard material
Vendor not competent to deliver the material
Adequate compliance of vendor selection
policy
d
Not having a purchase policy leads to non segragation of Likely Moderate There is a procurement policy in place. Likely Moderate Company should update its current procurement policy
duties, lack of procurement planning, lack of controls for to a more comprehensive policy covering the set up of
procurement and non existence of procurement committee procurement committee, set up of annual procurement
to handle issues relating to procurement plan, payment process, procurement of services.

Purchase Budget Lack of authorisation Purchase made without sufficient authorisation Possible Moderate APP is not there as each project is different. Possible Moderate The company should have a formal purchase budget for
On the steel side bulk order cannot be done except the procurement team through annual procurement plan
the plates, but consumables can be ordered in bulk set by the sales divisional heads and project heads.
by anticipating the requirement for 3-4 months.
Also steel ordering is based on client drawings, as
and when AIC get drawings, only then the order
could be planned.

Vendor Agreements Non existence of supplier agreements Risk of unfavourable terms and conditions offered by the
vendor leading to
1) uncessary conflicts with vendors
2) waste of valuable time leading to project delays and price
hikes.
Almost certain Low There are around 400-500 suppliers registered in Almost certain
the system and there could be some out of the
system as well. Out of the system usually are for
water, sand, repairs and maintainence jobs.
There is no formal agreement with all the vendors
except the vendors evaluation. There cannot be any
renewals as such if there are no hard contracts.
Vendor evaluation is only done for A class
suppliers.
Suppliers classes are of three types A,B and C.
A is major project suppliers for steel, fasterners,
paint.
B welding wire for factory
C would be for stationary, electrical items.
For A every year evaluation is done and for B and C,
every two years.
For steel, company does get into short term
agreements for sourcing at a set price.
Low Company should try to enter into formal agreements
with all approved vendors/suppliers so as to lock in
terms and conditions to get advantages of better pricing,
timely deliveries and less litigation, if any, in the future.
On the process improvement side, company might think
of some other steps like negotiating reduced prices with
suppliers through committments of giving suppliers a
foothold in new markets/projects or conducting a market
study to assess future contracts within a geography and
working with supplier to estimate a percentage of return
on invested capital they would get through supplying and
hence sourcing from those suppliers at discounted
prices.

Vendor Codes Risk of inactive or duplicate vendor codes 1) Risk of entries passed in wrong vendor accounts
2) Fictitious vendors being created because of no consistent
numbering convention and chronological order.
Likely Low As per procurement team, for creation of new
vendor, all legal documents are being used.
Deletion of any vendor code cannot be done, it can
only be blocked.Usually sites are attached to each
vendor and blockage/freezing can be done for
those sites. History has to be maintained for each
and every vendor.
Likely Low Currently the duplication is being checked
manually.When issuing a PO, team does the check and
put a remark as not use. This is done because there are
some duplication when migrating from the old system as
vendor could not be used for financial reasons. Company
should be looking at automised way of checking the
duplication in vendor code creation and closing out the
issues with respect to migration of old data.

Duplication of vendor codes or names is being IFS should also ask for second level approval or
checked by manually.When issuing a PO, team does simaltaneous approval from the respective user
the check and put a remark as not use. This is done department as well when approving a vendor code.
because there are some duplication when
migrating from the old system as vendor could not
be used for financial reasons.

Activation of any vendor code is with procurement

head only.

Row no 7 in RCM to be analysed as and when the response comes

Vendor Lack of control over vendor developments Absence of control over vendor developments may lead to Possible Low As per procurement team, there is no formal
inactive or duplicate vendor codes, missing lack of documented process but this is done as follows :
information from other possible/alternate sources of supply AIC, being a big name in the market, being
approached by new vendors on a regular basis, and
the usual pre-qualifying system is applied.
Vendor developments are tracked automatically
specially in terms of any addition of product line.
AIC being a big name in the market, this
information is very well shared by the vendors.
In terms of when the delivery is short or or of bad
quality, an NCR report is issued for that vendor.
More NCR's could have an impact of conitnuity of
that vendor with AIC.
Vendor Lack of control over employee vendor conflict Vendor are not selected on the basis of set parameters Likely Moderate Employees are trained and experienced to deal
of interest ensuring quality, timely delivery and better prices. with the vendors professionally.
Purchase Request Lack of delegation of authority matrix Unauthorized transactions can be made Possible Low Any purchase request above AED 1,000 on the
asset side would have the CAPEX form attached
and approval of Mr Wasim and Finance is required
in this case.
There is no DOA set for the steel and
consumables(their PR is in millions). The only
control there is to work within the budgets and if
something is crossing the numbers as compared to
the budgeted tonnage, it would be blocked and
coordination would be done.
Purchase Request Lack of automatic conversion from PR to PO Purchase order missing terms and conditions Likely High No first level automatic conversion of PR into PO as
there could be many revisions in the PR because of
reasons like steel not available in the current
rolling cycle and others as well.
Purchase Request Lack of delegation of authority matrix Procurement without sufficent authorisation resulting in Possible Moderate Company should be developing an delegation of
purchase made without justification authority matrix which shall define the limits of
approval basis the amounts set.
Purchase Lack of specification for delivery dates and Delay in procuring the required items as per the Likely High As per the procurement team , yes it mentions all
Request/Purchase terms & conditions specification mentioned leading to delays in procuring and the required information.
Order hence completion
Purchase Lack of penalty clauses Risk of incurring substantial costs and not saving through Possible Moderate Applicable for local purchases only, oversease
Order/Vendor penalty clauses purchases do not allow this clause in the contract.
Agreements For imports, there is no mention in the PO as such
but AIC gets compensation for the difference, in
case supplier informs them of late deliveries and
getting the supply from the local market.
For paints and wires, there is a mention of the
penalty clause in the PO.
Sourcing from mills is cheaper and from local
stockists, it is costlier.
Possible Low Even though company has solid reputation and hence
vendors approach the company frequently, but still on
the process improvement side, it is suggested that a
formal process for tracking vendor development should
be in place. This will help the company to track and
assess market information in a more streamlined way.
Ideally internal audit team also should track the vendor
developments at reasonable intervals and also in terms
of verifying the new vendors created, any modifications,
duplication and inactive vendors.
Likely Moderate There should be a quaterly submission from all
employees, who are dealing on behalf of the company, to
highlight the relation they have with suppliers and other
partners of the company.
There is a policy on Corporate Values but there are no set
controls in place to ensure that no transactions are
conducted wherever there is a conflict of interest.
The company also should be developing an exhaustive
Code of Conduct Policy.
Possible Low Company should be developing an delegation of
authority matrix which shall define the limits of approval
basis the amounts set.
Company's control for this is working within the budgets
and blocking the purchase requisition requests if budgets
are being exceeded.
Likely High We have reviewed some sample PO's and PR's and there
is no automatic conversion from PR to PO and there is no
mention of any terms and conditions.
Also there are many manual adjustments done to the PR
as well. The access rights to make an amendment should
be available with the procurement manager after
verifying all the supporting information and the approval
from project/sales manager and this is to be approved
finally by procurement head along with attaching all the
documents relating to the modification.
Possible Moderate Company should be developing an delegation of
authority matrix which shall define the limits of approval
basis the amounts set.
Likely High As per the review done, there are no terms and
conditions mentioned on the purchase request or
purchase order.
Possible Moderate There are no terms and conditions mentioned in the PO
and PR as such even for local purchases as well, found on
the review of PO and PR.
If the vendors are not agreeing for insertion of penalty
clauses, company should look for alternatives through
which the potential risks could be shared.
Purchase Order Lack of automation in PO approval process Risk of unauthorised transactions Possible Moderate Hard copies are given to the Finance only for the Possible Moderate We understand that approval process for PO's is manual
payment purpose, for others POs are visible for all and not through an automated workflow. Company
the related department through system. should be modifying the IFS and embedding the approval
workflow mechanism in the system itself.

Purchase Order Lack of automation in PR and PO raising Possibility of unauthorised amendments Likely High There is manual PO for logistics as it is not Likely High Company should be linking the logistics with the IFS
process for logistics connected with IFS as of now and hence no PR also
in this case.

Amendments Lack of delegation of authority matrix and Unauthorized amendments may be made in a PR or PO Possible High Amendments are done and approval process is Possible High Compay should set a time limit set for any kind of
time limit for amendment duly followed. amendment either in PR or PO.

If supplier cannot deliver a specific item and informs that

there would be a lag of certain period in getting that item
for which he proposes an alternative item. This is
communicated to the projects team and basis their
negative confirmation for the same, the procurement
should delete that specific item from the PR and
accordingly that is to be done from the PO.
All approvals should be taken care by the system.

Next step would be raising a fresh PR and PO for the new

item agreed.

DOA is also to be complied with at every step.

ALso the system should be maintaining the audit log in

respect of all amedments or modifications made.

Terms and conditions Lack of legal review for terms and conditions Possibility of contract disputes and legal action Likely High Likely High The contracts department after highlighting the terms
and conditions to be included and after getting the
contract signed by the designated authority in the
company and before handing over to the customer/client
should verify that all terms and conditions as agreed
have been included in the final contract.
There should be an undertaking taken from the
respective sales or project manager that all terms and
conditions highlighted by the contracts department have
been included in the final agreement.