
Third Party & Vendor Management Audit

Syllabus & Agenda

Day 1
• Introduction Session
• Part 1 - Audit Risk Assessment & Planning
• Part 2 - Audit on Initiation Phase
  – Vendor Due Diligence & Selection
  – Contract & Agreement
• Part 3 - Audit on Implementation Phase
  – Internal Control Review
  – Financial Stability
Day 2
  – Service Quality & Performance Monitoring
  – Third Party Business Continuity
• Part 4 - POJK Regulation on Third Party & Outsourced Process

References

1. PBI 9/15/2007 – SEBI 9/30/2007 Manajemen Risiko TI (IT Risk Management)
2. POJK 38/03/2016 MRTI
3. POJK 9/03/2016 Alih Daya (Outsourcing)

➢ Auditing External Business Relationships (May 2009)
➢ Auditing Third Party Risk Management (October 2018)

Introduction: Third Party/ Vendor Relationship Management

1. Third Party/Vendor on Purchasing and Repurchasing Contract
2. Third Party/Vendor on Project Basis Assignment Contract
3. Third Party/Vendor on Outsourcing Contract or Managed/Shared Services

What is Outsourcing & Shared Service?

Outsourcing is the process of contracting out one or more elements of operations to a
supplier of services outside of the organisation's management structure. A contractual
arrangement is entered into at an agreed price with the supplier providing the outputs that
had been produced internally.

While ownership and accountability of the service rests with the organisation some
operational risk is transferred to a third party with the necessary experience, skills and
resources. However, the organisation must recognise that by outsourcing a service or
activity it will not transfer all risk to that third party.

If an organisation chooses to outsource an element of its operations to a service provider
in another country, this is often referred to as Offshore Outsourcing.

Source: Chartered Institute of Internal Auditors
Why outsourcing?

Financial & Management Advantage

1. Cost benefits through allowing reduction in overheads, unit costs and efficiency
savings, including:
• Reduced headcount,
• Reduced future pension liabilities,
• Staff training and recruitment costs,
• Reduced level of building space and office accommodation, and
• Reduced capital expenditure.
2. In a new business entity key functions can be put in place more quickly and
cheaply than building in-house capability from scratch.
3. Moving to an outsourced model not only reduces financial overheads, but also
management overheads of needing to manage an in-house service.

Source: Chartered Institute of Internal Auditors
Why outsourcing?

Financial & Management Advantage Improved Performance

1. Securing assured service delivery through strengthening of its quality.


2. Being able to access high quality staff and service when required without a commitment to the salary
and benefit liabilities.
3. Using a larger outsourced service provider may allow access to cross selling of specialist
services otherwise not easily accessed.
4. Ability to state required performance and management through a contract without needing to
manage any potential staff or capability issues.
5. To help expand to new market areas, by taking the point of production or service delivery to the end
users.
6. Realize the benefits of re-engineering.
7. Enhancing better compliance to statutory requirements linked to the service’s core objectives.

Source: Chartered Institute of Internal Auditors
What is Outsourcing & Shared Service?

Source: Chartered Institute of Internal Auditors
Example of External Business Relationships

Service Providers:
Processing (Benefit, Payroll, etc.)
Shared Services Centers
Internal Audit Co-Sourcing
Contractors

Suppliers:
Demand Side Suppliers: Franchise, Licensing, etc
Supply Side Suppliers: Vendors

Joint Ventures:
Profit Sharing
Cost Sharing
Revenue Sharing

Risks from External Business Relationships
• Identify and assess all EBR:
  – Relationships can’t be assessed appropriately
• Maintain Positive Reputation:
  – EBR Misrepresents organization values
  – EBR Violates Laws and Regulations
  – EBR Doesn’t Comply with Contractual Obligations
• Minimize Insurable Risks:
  – EBR doesn’t maintain adequate insurance coverage
• Clear Understanding of SLA
  – Disagreement regarding the scope of services
  – Service Levels are unsatisfactory
• Accurate Fees for EBR Services
  – Overcharges or Services not performed

Top 5 Functions Outsourced

Source: IIA – Experis Manpower Group

Introduction: What is Third Party/Vendor Audit?

Definition:
An Audit Activity to provide Management with an objective assessment of
contractors’ or vendors’ compliance to the terms and conditions of the
contracts/agreements.

Objective and Role:
The objective of Vendor Audit is to develop an audit function comprising
qualified resources to effectively perform compliance audits to ensure that
the contracts are being executed in accordance with the intent and address
the net benefit to include cost recoveries, process improvement savings,
fraud prevention and identification of hidden risks.

The role of Vendor Audit is established as the appraiser of the legitimacy of costs
billed by the contractors and vendors. This also includes the compliance with
procedures, policies, standards, rules, regulations and laws.

Source: IIA Canada
Introduction: Internal Audit vs Vendor Audit

Introduction: Why Third Party/Vendor Audit?
• Business environment is overlaid with increasing pressure on management for cost
reduction, governance and accountability
• Shortages of quality resources, materials, equipment and vendors. Accordingly,
cost estimation and schedule planning are inherently high risk
• Capital Expenditure:
• Project execution performance is often weak
• Poor budgeting (overruns and over budgeting)
• Risk not managed
• Project expenditure forecasts inaccurate during execution
• Project complexity increasing (consortiums, contracting structures, complex business cases
etc.)
• Weak owners and outsourced project management teams – shortage
• Mobility of Project Staff
• Operation & Maintenance Cost

Source: IIA Canada
Benefits of Third Party/Vendor Audit

• Cost saving
• Process improvement
• Risk mitigation
• Relationship building
• Value addition / creation
• Help management to achieve objectives

Source: IIA Canada
Some Facts About Third Party/Vendor Audit
• On average 3% of contract values audited are identified as non-compliant
to contract terms. Further, out of that 3% noncompliance,
actual vendor cash recoveries range from 20% to 100%, with an
average of 50%.*

• To understand the magnitude of these recoveries, in the Alberta oil
sands alone this provides for a potential non-compliance of $690m, with
a cash recovery average of $345m, based on CAPP forecast of $23b
capital spend in 2013.*

* Source: Vendor Benchmark Survey conducted by EY

More Recent Facts About Third Party/Vendor
• 42% of companies now describe themselves as highly vulnerable to
vendor, supplier, or procurement fraud
– Kroll Global Fraud Survey

• A current survey indicates that 85% of companies
recently suffered at least one supply chain disruption
– Zurich Financial Survey

• 90% of all FCPA cases involved third-party intermediaries –
organizations need to evaluate their understanding of and compliance
with statutes such as the FCPA and the UK Anti Bribery Act.

• Facilitation Payments – 3rd parties must follow your company’s policy
– The Biebs Example

• 3rd party service providers handling customer credit card data –
storing, processing and transmitting customer card data

• COSO 2013 Compliance – controls over outsourced service
providers are a big focal point today. In the past, SOX Compliance
reviews seemed sufficient, but now more in depth review of controls and
monitoring activities are required.

Part 1.
Third Party/Vendor Audit
Risk Assessment & Planning
IIA IPPF Practice Guide: Auditing Process for EBR

• Understand the organization, understand the environment
• Understand the inherent risk, understand EBR partners environment, define key controls
• Offsite or onsite audit; evaluate test results, identify findings and get response
• Drafting, discussion, and final distribution
• Monitor follow up activities, provide feedback to EBR

Third Party Governance Model

Source: PwC

Vendor Selection Process

Third Party Risk Assessment Model:
• Conduct a complete inventory of third-party activities ranked by risk factors.
• Ensure that controls and risk-assessment are adopted into the risk profile.
• Assign a process to manage each identified third-party risk/relationship.
• Establish clear and unequivocal rules to hold vendors performance.

Third Party/Vendor Audit – Entry Point
Contracts: Right to Audit Clause
• Adequate Right to Audit Clause, i.e. Right to audit all cost elements with the
exception of contractor’s profit.
• Companies shall have the right to audit and copy any record, invoice,
document of the Vendor pertaining to the performance of the work.
• Records for all contracts, specifically including but not limited to lump sum
contracts (i.e. fixed price or stipulated sum contracts), unit price, cost plus or time &
material contracts with or without a guaranteed maximum (or not-to-exceed
amounts) shall upon reasonable notice be open to inspection and subject to audit,
scanning, and/or reproduction during normal business working hours.
• Clearly defined Commercial Terms
Third Party/Vendor Audit – Commercials Objectives:

To ensure that all charges represent goods and/or services rendered:
• Overcharges for services not performed or goods not delivered
• Overcharges for billing errors
• Goods and/or Services do not agree with contractual obligations

PRG Schultz International Inc.
• Data Analytics and Recovery Audit
• Clients Books – Invoices, POs, Receiving Documents, etc.
• To Find Overpayments, Missed Discount, and Rebates

Third Party/Vendor Audit – Compliance Objectives:

• To ensure compliance with Company Policies:
  – Code of Conduct and Business Ethics
  – FCPA Compliance/Anti Corruption
  – Export Compliance and Anti Boycott

• To ensure compliance with Government Regulations:
  – Tax and Custom
  – Manpower
  – Environmental and Forestry, etc.

Part 2.

Third Party/Vendor Audit Initiation Phase

2.1.1. Vendor Due-Diligence Review

• Background Check – References, prior performance, licensing and certification, key individuals, legal proceedings.
• Business Model
• Cash Flows – Can management explain how cash flows (both incoming and outgoing) move between the member, the third party, and the credit union?
• Financial and Operational Control Review – PSAK, independent audit results, and/or regulatory reports.
• Contractual Provisions and Legal Review
• Certifications & Qualifications – Company and individuals

Source: IIA – Experis Manpower Group


2.1.1. Vendor Selection Process

Source: PwC
Vendor Selection Process:

• Vendor Risk Assessment – to determine Vendor Risk Profile:
  – High Risk, Medium Risk, Low Risk Vendors
  – Vendor Audit Risk Model, i.e. Vendor Audit = H + M/2 + L/3

• Variable considered (Risk Factors)
  – Value of the Contract
  – Number of Contracts
  – Disclosure Agreement Results
  – Procurement Watch List/Vendor Performance
  – Time since Last Audit
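Audit Universe (EBR)

Columns: Process | Vendor Name | Core / Non Core | Inherent Risk | Value of Contract | Disclosure | Number of Contracts | Vendor Performance | Last Audit | Conclusions

Scoring key:
• Core / Non Core: E = 3, C = 2, Nc = 1
• Inherent Risk: H = 2, L = 1
• Value of Contract: 15 M = 3, 5-14 = 2, <5 = 1
• Disclosure: Sensitive = 2, NS = 1
• Number of Contracts: >5 = 3, 2-4 = 2, 1 = 1
• Vendor Performance: <50% = 3, 60-80% = 2, >80 = 1
• Last Audit: 3 = 3, 2 = 2, 1 = 1
• Conclusions: 11 – 15 = P1, 6-10 = P2, <=5 = P3

Engineering | PT A | 2 | 3 | 3 | 2 | 3 | 3 | 3 | P1
PT B | P2
PT C | P3
PT D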
Example of Third Party Assurance Model

1. Risk Assessment – Using a response to questionnaire, with less resources
2. Offsite – Ongoing Review – Further assessment with documentation checking
3. Onsite Assessment – Thorough assessment with on location interview, inspection/observation

(Diagram labels: Risk Profile, Audit Result)

Typical Third Party/Vendor Audit Process:
• Identification criterion
  – “Spend Amount” / Contract value
  – Nature or type of contract (cost reimbursable, unit rate, lump sum etc.)
  – Scope of work (project, operation, maintenance, sustaining capital etc.)
  – Management Input
• Planning considerations
  – Brainstorm with stakeholders (business unit, supply management, project)
  – Preparation of charter document (planning document to identify areas to be tested)
  – Opening meeting (explain audit process, objective and scope)
  – Formal audit notification
• Execution approach
  – Document / data collection (back of charges)
  – Audit tests execution / Field visit
  – Draft audit report preparation (report writing)
• Reporting and follow up
  – Formal Audit issuance (distribution to stakeholders)
  – Management response review
  – Recovery of overcharges (cheque, credit invoices, future benefit etc.)
  – Audit closure
2.2. Contracts and Agreements:
• Cost Reimbursable (CR)
A written agreement in which the Company agrees to pay the Contractors for All Actual Costs
for the work plus some type of Mark-up to cover profit and Overhead.

• Time and Materials (TM)
Contract provides for acquiring supplies or services on the basis of Direct labor hours at
specified All Inclusive Hourly Rates that include wages, overhead, general and administrative
expenses, and profit.
Materials at cost, including material handling costs as part of material costs.

• Lump Sum (fixed price, stipulated sum)
A written contract between the Company and Contractor wherein the owner agrees to pay the
contractor a Specified Sum of Money for completing a scope of work.

• Guaranteed Maximum Price (GMP)
The GMP contract provides for the Contractor to be reimbursed for Cost of Work plus a Fee
which together shall not exceed the pre-established contract ceiling (the GMP).
IIA IPPF Practice Guide: Auditing External Business
Relationships (EBR)

IIA IPPF Practice Guide: Business Risks of EBR

Supply Chain Risk
Typical Audit Issues Identified:
• Labor
  – Labor base rates billed higher than actual in payroll
  – Hours worked overstated
  – Regular Hours billed as Overtime
  – Over-recovery of payroll burden costs (Vacation, Pension, Health & Wellness)
  – Billing for overhead type personnel

• Material
  – Excess mark-up earned for inventory goods
  – Mark-Up Billed on Material Purchased from Affiliated Company
  – Non-reimbursable small tools and consumables billed as direct cost
  – Discounts / Rebates received for material were not appropriately credited
  – Material not used for fabrication billed as direct costs
  – Excessive material purchased and billed on job resulted in scrap or waste

• Equipment
  – Incorrect equipment rates billed
  – Daily rates billed for equipment used on weekly basis
  – Operator / fuel costs billed for all inclusive equipment
Part 3.

Procure to Pay Cost Assurance Based

Steps of Strategic Cost Analysis
1. Identify Critical value Activities
   Identifying the value Activities of Supply Chain
2. Identify all significant cost and asset
   What is the most significant cost. How much is the usage rate in operations. How much is the indirect effect on other activities.
3. Categorizing purchased inputs
   By size, regularity of purchase, and the real cost change.
4. Identify the suppliers for each item and the proportion of purchase
   Analysis on the contract terms and room for maximizing values.
5. Diagnose the cost driver
   Quantifying the effect on cost by examining historical experience or “what-if” analysis.
6. Consider the cost dynamic
   Shifting in key cost components caused by inflation cost, aging, market dynamics, etc.
7. Develop a strategy
   Make a conscious choice to do and test for its sustainability.
Flow Process

1. Identify the whole value chain of Corporate
2. Identify all significant operational cost and asset cost
3. Categorizing purchase inputs by its size, regularity of purchases, and level of real price changes, fixed or variable cost, etc
4. Identify the supplier of each items and the proportion of purchases
5. Diagnose the cost drivers for each cost
   (Diagram labels: Interrelationships; Timing; Location; Economies of scale; Integration; Policies; Learning Spill Over; (Partnership))
6. Consider the cost dynamics
   Key Cost Drivers: Economies of scale, Interrelationships, Integration
   Cost Dynamic Factors: Aging, Inflation rate, Market dynamic
7. Develop the strategy
   Control cost drivers and/or Reconfigure the value chain


Data Analytics and root cause analytics - Critical thinking

Regression Analysis
• A method for determining the cause-and-effect relationship between one
variable and one or more other variables.

• The "cause" variable goes by various names: explaining variable,
explanatory variable, independent variable, or, loosely, the X variable
(because it is often plotted on a graph as the abscissa, or X axis).

• The affected variable is known as the influenced variable, the dependent
variable, the bound variable, or the Y variable.

Do not copy, cite, or distribute without permission of the author.


Pareto Analysis

• Pareto analysis is a formal technique useful where many
possible courses of action are competing for attention.

• In essence, the problem-solver estimates the benefit delivered by
each action, then selects a number of the most effective
actions that deliver a total benefit reasonably close to the maximal
possible one


Chi Test
The chi-square test can be used to determine whether there is a significant
relationship between two variables, or whether the observed difference between
their frequency distributions can be attributed to chance. The test compares the
frequency distribution observed in a contingency table with the frequency
distribution that would be expected if there were no relationship between the
variables.

The result of a chi-square test is expressed as a chi-square value and a p-value.
The chi-square value indicates how far the observed frequency distribution differs
from the expected one, while the p-value conveys the statistical significance of
the result. If the p-value is smaller than the significance level set in advance
(for example 0.05), it can be concluded that there is a significant relationship
between the variables tested.


Distribution Analysis
(Bell Curve)
Bell curve analysis, also known as normal distribution analysis or Gaussian
analysis, refers to a statistical method used to analyze and describe the
distribution of data that follows a bell-shaped or normal curve.

In bell curve analysis, data is analyzed to see how closely its distribution
resembles the normal curve. This helps in understanding the distribution pattern
of the data, finding the central tendency, identifying outliers (data far from the
normal pattern), and evaluating how close the data is to the expected distribution
pattern.

Bell curve analysis can also be used for prediction and estimation. For example,
if a dataset follows a normal distribution pattern, it can be used to predict the
probability of a particular event in that dataset.


Exercise
You work at a palm oil company that has a problem with inefficient fuel usage:
the budgeted fuel is 80 L per unit transaction, while actual fuel usage is
88 L per unit transaction.

You are given fuel consumption data and asked to find the root cause by:

a) Performing a bell curve analysis to see the distribution of fuel consumption
b) Building a Pareto analysis of the units with the largest inefficient fuel consumption
c) Building a regression analysis of the units to study which factors influence the
largest fuel consumption


Exercise
Chi Test

You want to test whether engine age and late fuel filter replacement (due to late vendor delivery)
affect gasoline consumption in vehicles. You collect data from 130 vehicles divided into three
engine age groups:

"Young" (0-5 years), "Medium" (6-10 years), and "Old" (11 years and above), and two lateness groups: "on time" and
"late". You want to know whether older engine age affects gasoline consumption, and whether late
fuel filter replacement plays a role in that effect. The following cross-tabulation shows the number of
vehicles in each combination of categories:

Delivery
Engine Age | On Time | Late | Total
Young (0-5 years) | 40 | 20 | 60
Medium (6-10 years) | 20 | 10 | 30
Old (>11 years) | 10 | 30 | 40
Total | 70 | 60 | 130


Exercise
You are asked to:

1. State the hypotheses H0 and H1
2. Compute the expected values from the given values
3. Compute the probability
4. Compute the chi-square statistic (Chi Hitung) from the data
5. Determine the degrees of freedom of the data
6. Perform a chi-square table analysis to show which hypothesis is rejected
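
The six steps above, worked on the cross-tabulation from this exercise, as an added example that is not part of the original slides. It treats the table as a test of independence between engine age group and fuel filter replacement timeliness (H0: independent), reads step 3 as the p-value, and uses 5.991, the standard chi-square table entry for 2 degrees of freedom at the 0.05 level; the function names are illustrative.

```python
import math

# Observed counts from the exercise's cross-tabulation.
# Rows: engine age group; columns: (on time, late).
OBSERVED = {
    "Young (0-5 years)": (40, 20),
    "Medium (6-10 years)": (20, 10),
    "Old (11+ years)": (10, 30),
}
# Standard chi-square table entry for df = 2, alpha = 0.05.
CRITICAL_DF2_ALPHA_05 = 5.991


def expected_counts(table):
    """Step 2: expected count per cell under H0 = row total * column total / N."""
    rows = list(table.values())
    col_totals = [sum(col) for col in zip(*rows)]
    n = sum(col_totals)
    return {name: tuple(sum(row) * c / n for c in col_totals)
            for name, row in table.items()}


def chi_square(table):
    """Steps 4 and 5: chi-square statistic and degrees of freedom."""
    expected = expected_counts(table)
    stat = sum((o - e) ** 2 / e
               for name, row in table.items()
               for o, e in zip(row, expected[name]))
    n_cols = len(next(iter(table.values())))
    return stat, (len(table) - 1) * (n_cols - 1)


def p_value_even_df(stat, df):
    """Step 3 (assumed to mean the p-value): P(X > stat), closed form for even df only."""
    if df <= 0 or df % 2:
        raise ValueError("closed form is implemented for positive even df only")
    half = stat / 2
    return math.exp(-half) * sum(half ** k / math.factorial(k)
                                 for k in range(df // 2))


def decide(table, critical_value=CRITICAL_DF2_ALPHA_05):
    """Step 6: compare the statistic with the table value to accept or reject H0."""
    stat, df = chi_square(table)
    smallest = min(e for row in expected_counts(table).values() for e in row)
    return {
        "chi2": stat,
        "df": df,
        "p_value": p_value_even_df(stat, df),
        "min_expected": smallest,  # rule of thumb: every expected count >= 5
        "reject_h0": stat > critical_value,
    }


if __name__ == "__main__":
    for key, value in decide(OBSERVED).items():
        print(f"{key}: {value}")
```

The default critical value only applies to tables with 2 degrees of freedom; pass the matching table entry for other table shapes.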



Exercise
Build a root cause analysis from the interview results on the symptom that old engines and
infrequent maintenance cause increased fuel consumption

• Machine: Old engine
• Material: Fuel filter replacement not performed
• Method
• Problem


END OF DAY 1

QUESTIONS?
