Much internal audit work has focused on financial transactions and controls. Now, many auditors are adding supply chain audits to their responsibilities. What’s behind this shift? One driver is the rise in many organizations’ supply chain costs, often a result of them offering more products and sales channels. Just as important, many supply chains can have a strategic impact on the organization’s performance. For instance, a disruption in operations at a primary supplier could harm some companies’ performance.
Supply chain audits present an “opportunity for internal audit teams to look at the supply chain organization and make sure they’re doing things to control costs and mitigate risk factors,” says Jonathan Eaton, practice leader with Grant Thornton’s national supply chain practice.
A first step is identifying supply chain risks. We’ve broken down some of the common ones below:
Working With Vendors and Third Parties
A supply chain audit should check that the organization is working with vendors that offer quality work at competitive prices and that it complies with relevant regulations, says Vivian Fu, internal audit manager with National Grid. Because regulations limit the amounts National Grid can charge its customers, “there’s consistent pressure to be more efficient,” Fu says. Among other functions, her team will test the processes used to select vendors to verify that they comply with corporate policy.
Once an organization’s vendors have been vetted and contracts are in place, the focus shifts to contract management. This often requires gaining clarity over which department—usually, purchasing or the business unit—is responsible for managing the contracts and monitoring vendor performance, Fu says. This is a business decision; audit’s main concern is that ownership is clearly determined, she adds.
For an asset-heavy company operating across multiple regions like National Grid, inventory and warehouse management is another key area.
“That is, do we have the right flow, and can we pull inventory when we need to,” she asks. Among other tests, she and her colleagues check whether inventory is appropriately stored so that it remains in good condition.
Each year, the United Nations World Food Programme (WFP) serves more than 90 million people in more than 80 countries. It provides food to individuals impacted by conflict, natural disasters, and severe drought, among other challenges. It’s critical that the food makes its way to the intended beneficiaries safely and on time.
Kiko Harvey, inspector general, and her team test the food and cash controls related to the supply chain.
“There are many stops along the way, with logistics providers and transporters being our largest area of focus,” she says. They’ll evaluate the processes used to scan and track food deliveries, from their arrival in a country, to the warehouse, and then to food distribution centers.
Although it’s not strictly part of the supply chain, they’ll also test controls related to the distribution of food to individual beneficiaries, ensuring they receive the correct amounts for themselves and their families. This typically includes confirming that the food is weighed throughout the process and checking the ordering processes to make sure the right amount of food is ordered and delivered.
“It’s very difficult, but we’re very good at this kind of work,” Harvey says. “And it’s very rewarding.”
Data Protection and Cybersecurity
Two-thirds of respondents to a recent survey by CrowdStrike said their organizations had experienced a software supply chain attack. Nearly all—90 percent—had incurred some financial cost, with the average price tag topping $1.1 million.
With many companies linking electronically to their vendors, the risks of such attacks increase, says Bernie Donachie, managing director and leader of the global supply chain practice with Protiviti. To test this, auditors can review what data is accessible and who has access to it.
Geopolitical conflicts can disrupt trade routes, while changes in trade agreements and tariff schedules can increase costs, or even force companies to identify alternate sources of supply. Internal audit can consider ways to mitigate these risks, Eaton says. For instance, has the business unit identified other suppliers in case an issue arises with a country or its currency?
Challenges of Auditing Supply Chains
Even as supply chain audits have become more important, auditing them is challenging. First, there’s the number of processes, from purchasing to warehousing and contract management, contained within a supply chain. Due to time and resource constraints, audits often focus on one segment, which makes it challenging to get a holistic view, Fu says. Moreover, because the processes are interrelated, identifying the root cause of a problem can require continual digging.
“Even once you identify a gap, the root cause may need to be addressed somewhere else,” she says.
A sound supply chain audit requires understanding third-party risks, and that’s a unique skill set, Donachie says. The auditor typically needs to understand both data and physical security, regulatory requirements, and the vendor code of conduct, among other functions.
Some supply chain risks, such as geopolitical risks, aren’t as relevant when auditing other areas.
“It goes beyond what most auditors are accustomed to, regarding the basic blocking and tackling of financial auditing,” says Joseph Mauriello, director of the Center for Internal Auditing Excellence at the University of Texas at Dallas.
Approaching a Supply Chain Audit
Given the challenges, how can auditors conduct a successful supply chain exam? Fu engages stakeholders upfront and meets with them, typically on a quarterly basis, to check that they understand her team’s plans and to provide updates on their progress.
Fu also ties the audit team’s plans to the business’s financial, operational, and compliance objectives.
“We will approach the business by offering to kick the tires and provide assurance that risks are managed to achieve business objectives, or to identify areas of improvement,” she says.
Supply chain audits can require visiting vendors, factories, and warehouses to, for instance, physically check the inventory and to make sure the business actually exists.
Because these risks can impact departments throughout an organization, such as legal and human resources, a cross-functional team usually is also required to identify, prioritize, and decide how to mitigate them, Eaton says.
Auditors also need to be well versed in current affairs, macro-economic trends, and trade agreements, among other subjects. If the U.S. pulls out of a trade agreement, how could that impact suppliers?
Given the growing complexity of many supply chains, their audits are likely to increase in both scope and number. Internal auditors need to prepare.
Strong supply chain auditors understand the business and the environment in which it operates and can work with individuals across the organization who can help identify supply chain risks and develop response plans.