Task 3- Client Walkthrough Script

Client- “Thank you for scheduling the walkthrough of our current purchasing process and controls.

We’ve received your questions list, and will cover any unaddressed items at the end of our call. As
discussed, we also plan to cover our purchasing system (Purchase Request Portal) during today’s
meeting.

There’s a lot to go through, so let’s get started!”

1) Purchase Policy- Dissemination, Reviews and Approvals

“We’ll start our meeting at the top with our Purchasing Policy, which governs our internal purchasing
process.

Annually, the Risk Management Department is required to review the existing Purchase Policy to
determine if any amendments or additions should be made. Those reviews are required to take place
each year (at the end of June), and the update policy is then provided to the CFO for review and
approval.

After the latest version if the Purchase Policy is reviewed and approved, the Risk Management
Department notifies the IT Department of any resulting updates which are required to be made to the
Purchase Request Portal. For the most recent cycle, no such updates were required to be made to the
Portal (as a result of the latest Purchase Policy updates).

As soon as it is formally approved for use, a copy of the current Purchase Policy is placed on the
company-wide shared drive (to which all ABC Company employees are given access)

As an internal requirement, each year, every employee must acknowledge the receipt of the updated
version of the Purchasing Policy. This occurs after the annual Policy update, and after the updated
version is approved for use by our CFO. Every employee must also take a short quiz to ensure a general
understanding of our internal process.”

2) Purchase Request Process

a) Submitting a Purchase Request
“As the need arises, ABC Company employees may need to make purchases on behalf of the
company during their normal course of duties. When this occurs, the employee must refer to
the internal policy to determine the request threshold which applies to their role.

As defined within the current version of the Purchase Policy, the Policy thresholds are $5,000 or
more for Associates and Senior Associates, and $10,000 or more for Managers and above.

If, based on the defined thresholds, the employee must submit the purchase for pre-approval,
they will utilize the Purchase Request Portal to gain documented approval (from their direct
supervisor) before submitting their purchase to the vendor.

I will now share my screen to show the Portal dashboard, and will demonstrate how the
employee navigates in order to enter and submit their purchase request:
Task 3- Client Walkthrough Script
SCREENSHOT 1- PURCHASE REQUEST PORTAL LOGIN SCREEN

“Upon opening the portal (which is pre-installed on each employee’s company-issued laptop),
the requestor will enter their login credentials and press “Enter” to enter the Portal.

SCREENSHOT 2a- BLANK REQUEST TEMPLATE WITHIN PORTAL

Directly after logging in, the requestor will be taken to the “Requestor View” of the Purchase
Request Portal, where they will be prompted to enter the required details surrounding their
desired purchase. Fields which are required to be populated for each purchase request are
outlined as follows:

• Purchase requestor
• Role (Similar to department)
• Level (Similar to title)
• Date of purchase request (Date request entered into Portal)
• Type of purchase request (i.e. Nature of item(s) which are being submitted for purchase)
• Vendor
• Total value of purchase requested (Estimated, in dollars)

“After the required fields have been populated, the requesting employee selects “Submit”, and
the request is automatically routed to the assigned person.

b) Unpopulated Fields within Purchase Request

If the requestor omits any of the required fields and attempts to submit the request, the Portal
contains a built-in control to reject any incompletely populated purchase requests.

SCREENSHOT 2b- MISSING REQUIERED FIELDS (AUTOMATED REJECTION)

“As shown within this example, if I omit the details for the “Type of Purchase Request” field, and
then click “Submit”, an error message will be received. The employee will be directed to
complete the missing fields in order to re-submit the purchase request to their direct supervisor.

c) Confirmation of Purchase Request Submission

“After all missing fields are populated, and the purchase request is resubmitted, the Portal will
provide evidence that the purchase request was submitted successfully, as shown within the
follow screenshot:

SCREENSHOT 2c- SUCCESSFUL SUBMISSION OF REQUEST

d) Summary of Open Purchase Requests

“Within the Portal, after the purchase request is submitted, an employee can access their open
purchase requests via the “My Open Requests” view. If, at the time the record is checked, the
employee’s direct supervisor hasn’t yet provided review of the purchase request, the “Direct
Task 3- Client Walkthrough Script
Supervisor” and “Date of Approval Requests” fields will be shown as blank, as the record shows
in the following screenshot example:

SCREENSHOT 2d- RECORD OF SUBMITTED REQUEST (NOT YET REVIEWED BY

SUPERVISOR)

3) Purchase Review/Approval Process

“Now that we have covered how a requestor submits their purchase request, we will next detail
how the requestor’s direct supervisor is assigned the review, and how they provide approval (or
denial) within the Portal.

a) Notice of Required Review

“As soon as the request is accepted within the Portal (as discussed earlier), the system utilizes
an internally housed Organizational Chart to route the purchase request to the employee’s
direct supervisor. The supervisor is notified by automated email that they’ve been assigned a
new purchase request that requires their review and approval.
See the following screenshot for an example of the automated emails sent by the Purchase
Request Portal to the requestor’s direct supervisor:
SCREENSHOT 3- AUTOMATED EMAIL TO REVIEWER

b) Reviewing the Purchase Request

“Once the assigned supervisor logs into the portal (as previously covered during this
walkthrough), they will select “Reviewer View” from the Portal dashboard, and will review the
details entered by the requestor. Based on the details provided, the reviewer will either
“Approve” or “Deny” the purchase (by clicking on either of the two buttons), and then clicking
“Submit”.

SCREENSHOT 4a- REVIEWER VIEW (AFTER PORTAL LOG-IN, BEFORE RESULT SUBMITTED)

If the reviewer is deciding to deny the purchase request, they may also provide a reason for
denial which will be included in the response received by the requestor.

After the reviewer submits their decision within the portal, they will receive notice that their
decision has been submitted. Note the red text at the top of the “Reviewer View” screen of the
Portal which appears after the reviewer’s decision is submitted, as shown within the following
screenshots.

SCREENSHOT 4b- DENIED PURCHASE EXAMPLE (REVIEWER VIEW)

SCREENSHOT 4c- APPROVED PURCHASE EXAMPLE (REVIEWER VIEW)

Task 3- Client Walkthrough Script
c) Automated Notice (Email) to Requestor

“To notify the requestor that an approval decision has been provided, an automated notice
(email) is sent by the Portal to the requestor as soon as the reviewer submits their decision
within the Portal.

Examples of those emails (one for purchase denial, and the other for purchase approval) are
provided within the following screenshots:

SCREENSHOT 5a- NOTICE OF DENIAL

SCREENSHOT 5b- NOTICE OF APPROVAL

The notice of approval includes direction that the requestor can now submit their purchase to
the vendor that they’ve outlined within their request.

4) Submitting the Purchase to Vendor

As outlined within the Purchase Policy, an employee must obtain pre-approval (for purchases exceeding
the defined thresholds) prior to submitting their purchase externally to the vendor.

It is the responsibility of each employee to ensure that they do not make any purchases on behalf of
ABC Company without first receiving documented purchase approval (when required by internal policy).

5) Archived Records within Portal

Archived purchase review results can be accessed within the Portal at any time. After logging into the
Portal, from the Portal dashboard, an employee can see their reviewed purchase requests via the
“Archived Records” view.

Both approved and denied purchase requests are archived by the Portal, and are archived in
chronological order, based on date of purchase request. Examples of archived screens are shown within
the following screenshots:

SCREENSHOT 6a- ARCHIVED RECORD OF DENIAL

SCREENSHOT 6b- ARCHIVED RECORD OF APPROVAL

At this time, the Purchase Request Portal has capacity to archive all purchase requests that have been
submitted through the portal.

6) Portal Organizational Chart Maintenance

“Each year, within five business days of the end of our annual promotion cycle, updates are made to the
Organizational Chart within the Purchase Request Portal (as required by internal policy). The HR
Department provides the IT Department with the updated Organizational Chart, and the IT Department
reviews/updates the existing chart within the Portal, where necessary.
Task 3- Client Walkthrough Script
See the following screenshot of the “Administrative View” of the Portal to view the Table of Employee
Supervisors. This table serves as the Organizational Chart governing which supervisor must review a
respective purchase request:
SCREENSHOT 7a- TABLE OF EMPLOYEE SUPERVISORS

“The IT Department team leads have access to the Administrative View of the Portal, and they perform
the updates (and subsequent tests) to ensure the updates are applied accurately.

To apply the updates, while within the Administrative View, the IT Department team lead clicks
“Update”, which causes the Table of Employee Supervisors to change from greyed-out to white, as
shown in the following screenshot:

SCREENSHOT 7b- TABLE OF EMPLOYEE SUPERVISORS (UPDATABLE VERSION)

This indicates that the table version is active, and allows for changes to be made to the existing data.

After the updates are complete, the IT team lead selects “Save” within the Portal. The table then
returns to the greyed view, indicating changes and data have been locked, as shown within the following
screenshot:
SCREENSHOT 7C- TABLE OF EMPLOYEE SUPERVISORS (UPDATED)

7) Questions Pre-Submitted by Audit Team

“Ahead of this walkthrough call, we received a listing of questions from the Audit Team, for which we
will now provide responses:
1) Process & Control Changes (Which Have Occurred Since Prior Year Audit Period):
• Please confirm whether the process to review and update the Purchase Policy is the same as
in the prior audit period
o RESPONSE- Confirmed

• What are the changes to Purchase Request Portal during the audit period (i.e. planned
maintenance, as a result of the most recent Purchasing Policy update cycle, etc.)?
o RESPONSE- The Purchase Request Portal (and associated process) went live during
the last audit period, with no major issues or changes since initial implementation.

• Have there been any changes to key personnel (as they relate to the purchasing process and
controls during the audit period)?
o RESPONSE- No major changes to the personnel associated with the purchasing
process occurred during the current audit period.

I believe that it’s the HR Department’s policy to notify the IT Team immediately when
employees are hired or leave the company. Then, the IT Department team leads
implement the change immediately/directly to the Purchase Request Portal’s Table
of Employee Supervisors. Please confirm with those teams.
Task 3- Client Walkthrough Script
• If so, when did those changes occur, and how were respective systems/processes updates
as a result?
o RESPONSE- Please follow-up with the HR and IT Departments for further detail

2) Purchase Request Portal:

a) Portal Issue Reporting:
• How are issues with the Portal typically identified/reported?
o RESPONSE- End-users of the Portal can escalate any issues directly to the IT
Department.

• Who are issues reported to?

o RESPONSE- See above

• How do stakeholders know where to report issues?

o RESPONSE- The IT Department handles all internal software issues, and a direct line
for issue reporting is disseminated via posting within various internal sites

• What is done after an issue is reported?

o RESPONSE- The IT Department would be better suited to answer this question

• How often is the Purchase Request Portal tested?

o RESPONSE- The IT Department (and the Internal Audit team) would be better suited
to answer this question. The following two questions can also be directed to those
teams.

• Who performs those tests?

• What were the results of the last test(s) performed?
o RESPONSE- See above

b) Purchase Approval Assignments (System Maintenance):

• How is the organizational chart within the Portal updated for each promotion cycle?
• Who is assigned responsibility to make those updates?
• When are they performed?
o RESPONSE- Please refer to the narrative provided earlier in this walkthrough for
these first three questions

• What documentation exists to verify that the control was performed in a complete and
timely manner?
o RESPONSE- Please follow-up with the IT Department for their process details

3) Approved Vendor Listing:

• Does ABC Company employee an Approved Vendor Listing (to ensure employee purchases
are only made to approved vendors)?
o RESPONSE- No, however, vendors are reviewed as part of the purchase
review/approval process
Task 3- Client Walkthrough Script
• How does ABC Company ensure that the purchases are made to third-party (unrelated)
vendors?
o RESPONSE- Please see response outlined above

4) Prior-Year Exception(s) Follow-up:

• Last year, an issue was identified in some purchase approval documentation not being able
to be retrieved/provided for audit support purposes (before the Purchase Request Portal
was phased-in).
o RESPONSE- As stated during the walkthrough, all historical purchases/denials are
retained by the Purchase Request Portal. The prior year exception was noted in our
process before the Portal “went live” during that audit period.

Please explain the Purchasing Portal process to retain/archive the electronically provided
approvals, including:
• How long is the approval archived within the system?
o RESPONSE- Perpetually (all records of purchase approval/denial will be retained)

• In what instances (if any) can data be retroactively altered (i.e. to pre-date approvals)?
o RESPONSE- Portal locks requests and results of review from alteration as soon as
reviewer submits response. No archived records can be adjusted

• What are the controls surrounding access for the documented approvals?
o RESPONSE- The “Archived Records” view within the portal allows for an employee to
see all of their own purchase requests. For assigned reviewers, personnel can also
access any purchase for which they reviewed and approved/denied.

5) Approval Timing:
• What controls exist to ensure that an employee does not externally submit a purchase to a
vendor without the prerequisite, documented approval of such purpose?
o RESPONSE- As per the required internal training and attestation surrounding the
purchasing process (discussed earlier in this walkthrough), all employees agree to
comply with the Purchasing Policy, including obtaining the required pre-approvals
before a purchase on behalf of the company is made

6) Disclosure of Issues Which Occurred During the Audit Period:

• Have there been any issues of control gaps (i.e. points in the purchasing process which were
risks were not adequately covered by an appropriate control)?
o RESPONSE- No such issues noted during the audit period

• Have there been any issues in control functionality (i.e. controls did not function as
designed, and therefore did not identify issues for which the control was designed to
detect/prevent)?
o RESPONSE- No such issues noted during the audit period

• Has your team identified any purchases which were submitted to the vendor prior to
obtaining the required approvals (per the Purchasing Policy)?
o RESPONSE- No such issues noted during the audit period
Task 3- Client Walkthrough Script

7) Internal Reviews (of Purchasing Process & Controls) Performed During Audit Period:
• Have there been any internal reviews (i.e. client’s internal audit team reviewed
process/controls, finance team reviewed process/controls, etc.) which cover the current
audit period?
• How often are the purchasing process controls reviewed/tested/updated?
• When did the last updates to these controls occur?
• When did the last internal tests of these controls occur (please provide supporting
documentation)
• Have any instances of control gaps or failures (i.e. where a control failed to identify an issue
or inaccuracy in the purchasing process, or where a control area was identified for
enhancement)?
o RESPONSE- The IT Department (and the Internal Audit team) would be better suited
to answer this question, and the two below

8) Initial (Drafted) Exceptions Noted as a Result of Current Year Fieldwork Performed:

• Purchase approval obtained from an employee other than the requestor’s direct supervisor
o RESPONSE- Based on my research, it appears that an intra-year re-assignment of
personnel was not captured in a timely manner within the Portal, and caused the
previous direct supervisor of the requester to be assigned to the purchase request
review.

• Purchase was made with vendor before required pre-approval was obtained
o RESPONSE- I followed-up with the purchaser and she noted that the exception was
the result of making a reservation which was urgent in nature (specifically, to
reserve a venue for the company’s holiday party).