Contracting and Procurement Services Performance Auditing and Risk Area Considerations

Sometimes auditing can be an adventure, like setting out on a long hike somewhere new. While exciting, the prospect of a long, challenging journey can also cause anxiety and stress. Similarly, auditors may also experience these mixed emotions when their organization’s leadership asks them to conduct a performance audit for the first time. Performance auditing may seem more difficult than a financial controls or compliance audit because testing criteria are often poorly defined. However, reviews like these can help to assess existing policies and procedures, evaluate the effectiveness of controls and identify inefficiencies. In addition, operational audits help institutions proactively identify weaknesses and manage reputational, financial and compliance risks.   

Recently, Portland State University (PSU) leadership requested a performance audit of contracting and procurement services. The purpose of the audit was to assess and address stakeholders’ concerns that the contracting process was inefficient, untimely and ineffective. Auditors with operational and performance audit experience advise that a performance audit should be approached the same way you would prepare for a long hike. This method was a success for PSU, and is worth considering for other institutions undertaking similar projects.

First, most experienced hikers will emphasize the importance of having a reliable partner join you on your adventure. Co-sourcing an audit project helps with staffing and often provides new insights. At PSU, that trusted advisor was Kyra Castano, a senior consultant with Baker Tilly. Together, Baker Tilly and PSU’s audit team crafted procedures to enable benchmarking of contracts and procurement services operations and to identify operational bottlenecks or gaps in controls. 

Second, to be safe and successful on any hike, hikers need to carry basic supplies and equipment. Similarly, experienced auditors know that they can tap into tried-and-true audit steps and testing procedures, even in areas where they have limited experience. For example, audit interviews, research into industry best practices, review of management’s ability to monitor and track key performance metrics, and analytical procedures provide value as part of any audit.

During PSU’s performance audit, benchmarking was a key method for gaining an understanding of the relationship between peers’ staffing and contract processing times. This enabled PSU to determine whether internal staffing levels were negatively impacting processing times. Figure 1 (below) demonstrates the volume of contracts flowing through PSU’s procurement department during the audit timeframe. This analysis provided management with a better understanding of the “busy season” for processing contracts. For PSU, this occurs during the beginning of the fall term. The following illustrations provide examples of benchmarking used to assess the organization’s contracting and procurement services.

Figure 1

Source: Figure 1 was compiled by PSU’s Internal Audit Office based on data pulled from the PSU contracts database.


Figure 2 (below) shows how long, on average, contracts take to progress from a draft agreement to a fully-executed contract.  

Figure 2

Source: Figure 2 was compiled by PSU’s Internal Audit Office based on data pulled from the PSU contracts database.


Figure 3 (below) examines staffing levels and turnover. The project team learned that a key performance monitoring metric tracked contract requests that exceeded 100+ days to process; see Figure 4 (below). Therefore, PSU took steps to analyze this metric and compared the results to our staffing analysis in Figure 3. The project team found that staffing levels directly impacted this key performance metric and management’s ability to achieve processing goals within the department.   

Figure 3

Source: Figure 3 was compiled by PSU’s Internal Audit Office based on review of staffing levels in Contracting and Procurement Services (CAPS).
 

Figure 4

Source: Figure 4 was compiled by PSU’s Internal Audit Office based on data pulled from the PSU contracts database.

The project team also compared staffing levels to peer higher education institutions. See Figure 5 (below).   

Figure 5

Source: Figure 5 was compiled by Baker Tilly from benchmarking staffing levels in contracts and procurement services at select universities. Staffing figures were obtained from publicly available information on each institution’s website.
 

In addition, the project team compared staffing levels to expenditure levels of other institutions of higher education. See Figure 6 (below).   

Figure 6

Source: Figure 6 was compiled by Baker Tilly by benchmarking staffing levels in contracts and procurement services at select universities and comparing staffing levels to institutions’ total expenditures in their 2019 audited financial statements.
 

These benchmarking steps helped the audit team identify areas of focus for detailed testing during the fieldwork portion of the audit. Further analysis showed that staffing level was one of many factors that impacted contract processing times, including:

• Draft agreements that contained terms and conditions related to the privacy requirements of the General Data Protection Regulation or the California Consumer Privacy Act.  

• Draft agreements for information technology vendors that required technical specifications as part of their service agreement.

• Agreements that required legal review or multiple-level signing authority review.

Assessment tools from national procurement organizations like the National Procurement Institute (NPI) can also be incorporated into a review to assess the maturity and efficiency of an organization’s contracting and procurement services procedures. The NPI has established 18 areas of procurement and contracting that organizations can utilize to assess the performance of their operations (see npiconnection.org/aep/documents/2021AEPApplicationFinal.pdf).
 

Further Risk Areas to Consider:

When performing a contracting and procurement services audit, there are several other areas of control, operational and compliance risk that are important to consider, including:

• User access controls to the contracts database.

• Contracts that may need legal review to mitigate compliance requirements (e.g., health and medical services or work with minors).

• Non-resident alien tax compliance related to contracts processed for student organizations and clubs.

• Assessing whether detective or preventative controls for low-dollar agreements should be utilized to assist with contract processing times.

• Assessing signing authority for procurement contracts.

• An exemption¹ to portions of the federal procurement thresholds under the Uniform Grant Guidance based on provisions outlined within the National Defense Authorization Act.

• Data reliability and classification risks that may trigger a draft agreement to bypass key control and review processes.

• Potential opportunities to enhance how diversity, equity and inclusion are assessed and scored within the organization’s formal contracting and procurement processes.

• Reporting requirements for foreign gifts and contracts under Section 117 of the Higher Education Act.

At the end of every hike, it is important to look back at what has been achieved and reflect on lessons learned. We hope that this information, based on our own experiences, will be helpful to other audit teams embarking on contract and procurement services audits.  

1) See www.hrsa.gov/sites/default/files/hrsa/grants/manage/IncreasingAcquisition.pdf for more information on how to request this exemption from the Uniform Grant Guidance.

About the Authors

David Terry

David Terry, CPA, CFE, CIA leads Portland State University’s Internal Audit Office. He has more than 17 years of experience in auditing and also holds positions as an audit committee member on two Oregon governmental audit committees.
Read Full Author Bio

David Terry

David Terry, CPA, CFE, CIA leads Portland State University’s Internal Audit Office. He has more than 17 years of experience in auditing and also holds positions as an audit committee member on two Oregon governmental audit committees.

Articles
College Admission Scandals: A Good Time for Internal Audit to Review Recruiting and Remissions Practices
Contracting and Procurement Services Performance Auditing and Risk Area Considerations
Human Resource Operations: Internal Controls Practices and Risks for Pre-Employment Background Checks and Overload Pay
Leveraging Your ACUA Network for Audit Recommendations
Piecing Together the Puzzle of Auxiliaries at Your Institution

Kyra Castano

Kyra Castano is a senior consultant with Baker Tilly US. She joined the firm in 2018 and provides internal audit and risk advisory services to a number of higher education institutions. Kyra has experience supporting...
Read Full Author Bio

Kyra Castano

Kyra Castano is a senior consultant with Baker Tilly US. She joined the firm in 2018 and provides internal audit and risk advisory services to a number of higher education institutions. Kyra has experience supporting engagements in the areas of student affairs, athletics, compliance, sponsored research, advancement, contracts and procurement services, information technology, finance and administration. Kyra is a Certified Internal Audit (CIA) and she obtained her bachelor’s degree in Finance and Accounting from Saint Francis University (PA) and was awarded summa cum laude distinction. 

Articles
Contracting and Procurement Services Performance Auditing and Risk Area Considerations
Environmental Health and Safety in Higher Ed – How ‎institutions can implement internal controls to protect their ‎community