WorkCover and the Insurance Commission displayed good policies, practices and controls. The other 8 entities need to improve various aspects of their policies and practices, in particular, management and monitoring of their supplier master files.

Most entities need to improve their policies and procedures

Sound policies and procedures help ensure that only authorised additions and changes are made to supplier master file information, and that information is accurately recorded in a consistent manner, avoiding duplicate entries.

We found that only the Insurance Commission, WorkCover and City of Gosnells had good policies and procedures featuring all the essential guidance for employees. Although the remaining 7 entities did have policies and procedures, they provided limited guidance and had the following deficiencies:

• The policies of the 7 entities did not require regular review of their supplier master files to ensure employees’ compliance, validity, and completeness of the supplier records. These policies were also silent on consistent application of naming conventions when a new supplier record is created. This is important, to avoid the same supplier being created under multiple names.
• The policies of 5 entities did not require regular review of their supplier master files to identify and deactivate redundant supplier records, for example suppliers not used for more than 2 years.
• Three entities did not require recording of the reason for amendments to supplier records.
• Policies at 3 entities did not require independent review of the new supplier records created or amendments to existing supplier records. Independent review is a key control against unauthorised additions or amendments. At 2 of these entities, policies were also silent on retaining documentary evidence to support creation or amendment of supplier records.

Entities need better controls over creation and amendment of supplier records

We tested 425 newly created and existing supplier records amended from 1 January to 30 September 2018. Our objective was to assess if the internal controls implemented around creation and amendment of supplier records were appropriate and operating effectively.

The Department of Finance, Department of the Premier and Cabinet, Insurance Commission, and WorkCover demonstrated good controls over creation and amendment of supplier records. The common control deficiencies found at the other 6 entities included:

• At City of Busselton, new supplier records were created, and existing supplier records amended without an independent review. In addition, employees with the ability to create or amend supplier records could also authorise payments to suppliers. Where possible, staff who authorise payments should not also make changes to the supplier master file. At City of Belmont and City of Perth, independent review of master file updates was undertaken only on a ‘spot check’ basis and was limited to checking supplier bank details.
• At City of Gosnells, 44 of the 52 created and amended supplier records we tested had not been independently reviewed. At the Shire of Augusta-Margaret River, 30 of the 40 created and amended supplier records we tested were not independently reviewed.
• At the Public Trustee, 12 of 50, and at City of Gosnells 43 of 52 amendments to supplier records were made without confirming the changes with suppliers. This increases the risk of fraudulent changes passing undetected.
• At the Public Trustee and City of Perth, 37 and 12 supplier records respectively were created or amended by employees who were not authorised to do so.
• At the City of Gosnells, no documented evidence was available for 3 out of 52 supplier records created or amended.

Although we did not identify any fraudulent or erroneous transactions, the above control weaknesses increase the risk of incorrect or invalid suppliers being recorded in supplier master files. This could result in incorrect, duplicate or fraudulent payments. Also, if relevant evidence is not documented or readily available, it could be difficult for management to confirm the validity of newly created supplier records or changes to existing supplier records.

Most entities need to improve the management of their supplier master files

We reviewed the supplier master file databases for all the entities in our sample as at 30 September 2018. Our aim was to assess if the supplier master files were well managed, and were operating to promote effective accounts payable processes and reduce the risk of fraud and errors.

Only the Department of the Premier and Cabinet, Insurance Commission, and WorkCover were appropriately managing their supplier master files. The common findings at the other 7 entities were:

• Six entities had a total of 9,321 supplier records with missing information, including suppliers’ bank details, ABN, address or contact details. Completeness of supplier records is essential to enable effective processing.
• Seven entities had a total of 79,107 active supplier records unused for more than 2 years. Although there may have been reasons for retaining some of these records, there was no evidence that management had identified a reason. Lack of timely clean-up or deactivation of redundant supplier records makes ongoing monitoring and review of supplier master files difficult.  
• We tested 1,311 potential duplicate records and confirmed that 93 of these were duplicate supplier records, at 6 entities. These duplications were mainly due to suppliers either changing business names or bank details, but the entities did not delete or deactivate the redundant supplier records. Two of these entities also had 71 records with incorrect bank details or ABNs. Duplicate or incorrect supplier records may result in duplicate payments.

Most entities need to formally monitor compliance with their policies on a periodic basis

The Department of Finance, Insurance Commission, and WorkCover were formally monitoring their supplier master files.

Periodic review enables management to detect non-compliance with policies, remediate invalid, incomplete and obsolete supplier records, and reduce the likelihood of fraud or errors.

Conflicts of interest were not declared or effectively managed at 3 entities

Contrary to management’s policies, conflicts of interest were not declared by 2 employees at the Department of the Premier and Cabinet, and 6 employees at the Shire of Augusta-Margaret River who owned, or whose family members owned the suppliers that their entity was procuring from. These potential conflicts of interests involved 14 and 29 transactions undertaken by the respective entities between April 2017 and September 2018 totalling $41,383. The purchases included fencing, cleaning, fitness, carpentry and childcare services. We however confirmed that these employees did not approve any purchases from or payments to these suppliers.

Lack of appropriate disclosure and effective management of actual, potential or perceived conflicts of interest may undermine a fair and impartial procurement process, resulting in value for money not being achieved. Even if not involved in procurement or payment authorisation, it is important that entities’ conflicts management policies are complied with.

At the City of Belmont, an employee approved 2 purchase orders totalling $29,193 for payment of program funding to a supplier, of which the employee was a board member. An employee should not be involved in a procurement and purchasing process with a supplier they are related to. We recognise however that the employee had disclosed this conflict of interest, and that the subsequent payments were not approved by that employee.

If an employee has a conflict of interest because they are associated with a supplier, in addition to declaring the conflict, they should also not be involved in the process of procuring from that supplier.

Recommendations

Entities should:

1. have policies and procedures that include comprehensive guidance for employees to effectively manage supplier master files
2. ensure that all additions or amendments to supplier master files are subject to a formal independent review to confirm validity and correctness
3. regularly review employees’ access to create or amend supplier master files to prevent any unauthorised access, and ensure adequate segregation of duties between those amending the master files and those approving payments
4. ensure all key information is input at the time of creating a new supplier record
5. apply consistent naming conventions for supplier records, to avoid suppliers being registered under multiple names
6. ensure that documentary evidence is retained for all additions and amendments to supplier master files and there is a record of the reason for amending the supplier record
7. include a requirement for a formal and periodic internal review to identify incomplete, incorrect, duplicate or redundant supplier records
8. ensure any actual, potential or perceived conflicts of interest are declared and effectively managed, and that relevant employees are not involved in the procurement from, or management of supplier records in respect of their related suppliers.

Response from entities Entities in our sample generally accepted the recommendations and confirmed that where relevant, they either have amended policies and practices or will improve management of their supplier master files. The City of Perth advised that the amendments made to 12 supplier records by employees who were not authorised to do so, were minor administration changes to the supplier file and did not impact the core supplier details. The City of Busselton advised that it has implemented independent review of supplier master file updates.