00:00:02 THE IIA
The Institute of Internal Auditors presents All Things Internal Audit. In this episode, Pam Stroebel Powers and Mark Maraccini discuss the IIA's recently updated Global Practice Guide on auditing procurement in the public sector. They walk through the three pillars that make public sector procurement unique, explain how to distinguish a vendor from a sub-recipient, and share why fraud risk in procurement deserves its own lane in your audit approach.
00:00:30 Pamela Stroebel Powers
Hi, Mark. I'd like to talk with our audience today about our recently updated Global Practice Guide, Auditing Procurement in the Public Sector, Second Edition, which we published back in December of 2025.
00:00:44 Pamela Stroebel Powers
As a member of the International Internal Audit Standards Board, you assisted in the release by performing a consistency review of the guide with comparing it to the IIA's global internal audit standards. What are some of the aspects of auditing procurement and contracts that you believe are unique to the public sector or that public sector auditors should specifically pay attention to?
00:01:07 Mark Maraccini
Thank you, Pam. That's a very interesting question. And it's one we hear all the time from non-public sector people. Since most every organization across the globe has some type of purchasing process for goods and services, many people outside the public sector don't truly understand some of the nuances that we have to deal with on a day-to-day basis. Breaking this down, I like to summarize them into 3 buckets. Transparency, fairness,
00:01:37 Mark Maraccini
and legal compliance. And for each of these, I wanted to go into a little bit more detail. Transparency is definitely a concept that is unique in the public sector. We want a public procurement from the start. We want the RFP to be issued publicly so that everyone has a fair opportunity to respond to it. We also want the process to be very transparent.
00:02:00 Mark Maraccini
Many times a public sector entity will issue or release the specific scoring that they're going to use for a procurement. And this would never happen in the private sector. So you understand exactly how they're going to score it. You know, also within the public sector, they have
00:02:18 Mark Maraccini
procurement committee. So there's multiple people making the decision, not just one person from the organization to help not only with that transparency, but also with that fairness. And then the last part of transparency that I wanted to hit on is just the overall record management and record keeping. All of this information for the public sector becomes
00:02:42 Mark Maraccini
potentially public or could potentially become public. So ensuring that you maintain that information is critical in form and fashion that could be produced if someone needs to review it. In addition to that, if you're utilizing state or federal funding, you would also have requirements related to that in which both
00:03:03 Mark Maraccini
record retention would come into play, but then also other regulations could come into play with that funding that might require someone to come in and look at that information. The next concept is fairness. And within the public sector, we hear a lot about equality and equity within procurement. These types of programs are usually unique to the public sector. Many times they're mandated by local or state regulations.
00:03:31 Mark Maraccini
And they really require the organization to understand how the procurement will occur to ensure that this procurement will have equity for all the vendors that may want to purchase those goods or services. The third item that I wanted to talk about was legal compliance.
00:03:50 Mark Maraccini
And with that, again, we touched on the requirements, state and federal requirements, local requirements with procurement, but there's also a lot more legality within public sector, right? There's a lot more steps, a lot more items that you must do within the public sector. So at a 10,000 foot level, I would say those are the three main areas, and I would be happy to break down any of those areas further for you.
00:04:16 Pamela Stroebel Powers
Fabulous. Thank you, Mark. I absolutely agree that those are three key areas, transparency, fairness, and equity, which is incredibly important, I think, in everything that the public sector does, but especially in its procurement and making sure that we're providing through our procurement practices equitable services out to the public and in legal compliance, of course. And I think that's the one we all think of automatically. So I appreciate that came in third on your list. And as you said at the very beginning,
00:04:46 Pamela Stroebel Powers
public sector contracts out for so much of its work, everything from construction to outsourcing, even basic administrative processes. So there's certainly plenty of room for audit services within all of that.
00:04:59 Pamela Stroebel Powers
So some of our listeners may be aware, and if they aren't, they will be after this podcast, that you and I partner on a public sector webinar series that we provide those every quarter. Last year, procurement was the focus of one of our webinars, and we covered differences between grant sub-recipients and contractors. Can you talk about and explain some of the similarities and differences between these two parties?
00:05:24 Mark Maraccini
Of course.
00:05:26 Mark Maraccini
So to start, I want to say that one of the critical aspects is it's function over form. A lot of times we see an entity trying to establish an agreement and they'll put in the agreement, try to specify them as a vendor. However, that's not really the key factor that comes into play when you're looking at that, right? Regardless of how they want to define them, you really have to look at the services that are being performed and what they entail to the overall program.
00:05:56 Mark Maraccini
So one of the key characteristics of a vendor would be they're providing routine, ongoing goods or services to an entity. For example, Motorola, you know, you have Motorola monthly phone bill. That would be an example of a vendor. They're providing a routine service. They're not performing one of your organization's functions or taking on a function of your organization. And that really goes into the next
00:06:24 Mark Maraccini
point I wanted to bring up, which is who is owning that portion. So if you're looking to outsource a service, who's owning that service? Is it the vendor or is it the entity? And that's a critical question that we would have to look at to really make that determination of whether you're a vendor.
00:06:46 Mark Maraccini
or a sub-recipient. Going back to the Motorola example, clearly they are not owning a service for you, right? They're just performing a service that you could benefit from. They're not actually performing one of your services or helping you with a program. So really looking at the nature of the services is a critical component.
00:07:09 Mark Maraccini
Moving on to the subcontractor, they would actually be performing part of a program. So for example, let's say we are developing a program to feed starving children and we want to outsource a component of it, right? So if we break down that program and we look at what we're outsourcing,
00:07:34 Mark Maraccini
who's going to end up owning that service, right? So for example, let's say it was a delivery company and they're driving to bring food to certain locations. On the surface, that could be considered a vendor, right? They're not owning any part of the program. They're just providing a service to you to deliver the food from point A to point B. On the flip side, if you're having that vendor take ownership of a piece of that program,
00:08:02 Mark Maraccini
So for example, if you said you're going to own the transportation, the coordination, and the execution of ensuring that these meals get to where they need to go, then it starts to become a question of more, is that a sub-recipient, right? Because now you're looking at, they're not just providing a service to you, they're owning part of that program. They're going to be responsible for that piece of the program. Now, of course,
00:08:27 Mark Maraccini
we still have third-party requirements. We still have to manage them. We still have to be responsible overall for the program, but they are owning that small piece to provide it. So those are some of the key characteristics that we look at between the two when we're trying to make that determination.
00:08:44 Pamela Stroebel Powers
Fantastic. I thought that was an excellent way to break that down. And I think ownership is definitely somebody can take as a key takeaway to that distinguishment there. Thank you.
00:08:54 Pamela Stroebel Powers
So last year, hopefully our listeners are also aware that the Institute of Internal Auditors also issued our second topical requirement, which topical requirements are a new component of the International Professional Practices Framework, and they are required, as the name states. This second topical requirement was on third parties.
00:09:14 Pamela Stroebel Powers
Topical requirements, as Mark, are intended to cover pervasive risks and give auditors a baseline of criteria for consideration when they're auditing these specific topics. How do you think public sector auditors can best use this practice guide to assist in their implementation of the topical requirement?
00:09:34 Mark Maraccini
Yeah, I think one of the things that really jumped out to me when I was reviewing these documents
00:09:39 Mark Maraccini
is the procurement life cycle. And I feel that both documents addressed the procurement life cycle and broke it down in a similar fashion. So the guide provides practical insight into the stages of procurement, covers planning, solicitation, vendor selection, contracting, and contract management, which really correspond and closely relate to the life cycle stages from the third-party risk management topical requirement.
00:10:08 Mark Maraccini
And I think having that connection and being able to start conducting audits, understanding the phases of procurement and understanding what phase you would want to look at, it could be one phase, it could be two phases, it could be all phases of the process.
00:10:24 Mark Maraccini
Many times we see audits being performed on one or two of the phases just because of how comprehensive in nature and how high risk procurement can be for public sector entities. But I feel that life cycle connection between the two really laid it out nicely and really tied them together. So you could tell whatever phase you're auditing as part of your procurement audit, how that related directly to the third party topical requirement and ensure you're pulling those pieces in for that phase.
00:10:54 Pamela Stroebel Powers
Fabulous. I'm glad that the two did align as nicely as they did. And we did try to do a good job of really, as you said, breaking out those phases and giving auditors ideas in each of those. So thank you, Mark. As an additional supplement to the Global Practice Guide, we also issued a risk and controls matrix. And we issued it both as a separate document that they can download separately, or it is also included in an appendix in the guide itself.
00:11:23 Pamela Stroebel Powers
The purpose of this was to...
00:11:25 Pamela Stroebel Powers
provide public sector auditors examples of common risks and controls that may relate to their organization. Not intended to be an all-inclusive list, of course. How, Mark, do you think that auditors can use tools like this to improve efficiency in their audit engagements?
00:11:41 Mark Maraccini
That's a really good question. You know, and I think it's twofold with technology continuing to advance.
00:11:48 Mark Maraccini
There's many tools that can now be utilized to help streamline the risk assessment process. But to your question and your point related to the risk control matrix, I really feel that this would help accelerate the risk identification process. Having that risk control matrix, having those sample risks or potential
00:12:09 Mark Maraccini
risks that you may have also helps organizations really get a breadth of what they may not be thinking about, hearing about. In the public sector, still many of the risk assessments, even with AI coming in and taking over the world, still many public sector risk assessments are performed very manually. And they involve a lot of interviews, a lot of documentation reviews,
00:12:33 Mark Maraccini
So it's a very painstaking manual process that many organizations still go through. So having that type of risk control matrix out there really gives them a great starting point, but also gives them something to look at and really see how others are perceiving those risks from similar type entities.
00:12:54 Pamela Stroebel Powers
Absolutely funny that you mentioned AI, and I was thinking of that as well. And I think that these tools are really intended to be supplemental, just like AI, and we can use all of the tools available to us to brainstorm and help. But it's always nice not to start with a blank sheet of paper. So that was my intent for the tool. So I do hope that people will find it as useful as you do. So not to put you on the spot, but anything else that you would like our audience to know or to think about regarding auditing procurement in the public sector?
00:13:24 Mark Maraccini
We touched a little bit on fairness, but we really didn't dive into ethics or fraud. And both of those are really critical concepts within public sector procurement. Unfortunately, public sector procurement is one of the largest areas for fraud and is directly tied to dollars.
00:13:43 Mark Maraccini
So it's very noticeable, right? You see the impact very easily a lot of times with a procurement fraud as opposed to other frauds that may occur. So I think ensuring that you understand what your fraud risk factors are within procurement is critical. So we just talked about the risk assessment process with the RCA, but really taking into account those fraud factors and not only taking them into account, thinking about how you want to address them
00:14:14 Mark Maraccini
because a regular risk may require a different response than a fraud risk. And that's an important concept we have to think about and what we might want to add to an audit, to an audit program to really ensure we're addressing fraud risks throughout the procurement process.
00:14:31 Pamela Stroebel Powers
Absolutely. As a, that brought me back to my practitioner days a little bit as you were talking about that. And I always tried to, I actually, I didn't necessarily have a separate risk assessment, but I did always, when I was assessing fraud risk, took that out of the factor with all of the other risks, because otherwise it can be so easy to say, oh, well, of course my fraud risks rank higher than anything else because I've used the F word, the fraud word right in it, right? And so that can bring the hairs on the back of your
00:15:01 Pamela Stroebel Powers
neck right up when you think about it.
00:15:03 Mark Maraccini
Well, yes. And also when you think about a procurement function that's operating as intended, they're not looking to hide anything more likely than not, right? So your audit approach to how you audit that may be different to a situation where you potentially could have a fraud because they want to conceal that, right? So you have to look at it differently and think about that component too, and ensure that you have that due diligence, that questioning mind coming in, understanding that's
00:15:31 Mark Maraccini
fraud risk and we can't take everything set on the surface, we need to dig deeper and think about how we want to address that risk. Absolutely.
00:15:39 Pamela Stroebel Powers
And that brought us full circle as that hit on two of the prior questions I asked you both about risks and about what the importance of the auditor, excuse me, what the importance of the auditor role is. And the auditor doesn't serve necessarily to prevent fraud or even audit for fraud, but we definitely need to be aware and
00:16:01 Pamela Stroebel Powers
procurement is, as you said, one of those high risk areas for fraud and the potential that an employee may think, or even a contractor may think they can get away with something. So really, really important. And I encourage people not only to look at the guide for ideas, but to also look at the third party topical requirement for ideas around baseline things they should find within their procurement processes to assure that are in place in their organizations to help prevent and monitor for some of these things.
00:16:31 Pamela Stroebel Powers
So thank you so much, Mark, for not only for helping with the guide in the first place, for giving your input to it, but also for being here with me today to talk about this and remind our public sector auditors that this new updated procurement global practice guide is out and available for them. And it's now in alignment with the new standards. And we gave it a little facial facelift, let's say, a little refresher. So I also want to thank the members of our public
00:17:01 Pamela Stroebel Powers
Sector Global Knowledge Group, which all contributed to updating the guide, as well as other members of the International Internal Audit Standards Board and the Global Guidance Council that all serve a role in the due diligence processes for our global practice guides. We have a lot of subject matter experts all around the world that help us get these global practice guides out and where it's especially important to us to get public sector specific guidance out for our public sector audience. So thank you again and thank you to all of those members.
00:17:31 Mark Maraccini
And thank you, Pam, and thank you to the IIA for this opportunity. I really enjoyed providing some education to our constituents.
00:17:37 Pamela Stroebel Powers
Sure, that would be great, Mark. We talked about fairness. You talked about fairness. Can we dig a little bit deeper on equity and how that applies specifically to procurement, why that's important?
00:17:49 Mark Maraccini
Yes. So equity is a key concept when we look at the concepts of equality and equity.
00:17:55 Mark Maraccini
public sector entities really want to ensure that their programs are achieving those, right? And looking at how they do that, many governments have different methods to do this. Many governments have a supplier diversity program, right? So they would make a determination of a set of qualifications of who meets that supplier diversity definition and who could get pre-qualified with
00:18:21 Mark Maraccini
what a city, state, federal government even, to be part of that program, right? And many times that is focused on women-owned business, minority-owned business, veteran-owned businesses throughout the country. So with those types of programs, you really want to look at how they're engaging both the supplier diversity firms or vendors
00:18:45 Mark Maraccini
and potentially other vendors that don't meet those qualifications, right? And there's a couple methods that they may go through to do that. But what the really critical point, I think, in this is trying to still look at the overall purpose of the procurement, what we're trying to achieve, and how the best way is to do that, right? So some procurements might just be we're going to just open up this procurement to a, well, I'll call them a supplier diversity firm.
00:19:16 Mark Maraccini
Others might be, we're going to open this up and we're going to have a percentage requirement saying we want 15, 20, 25 percent of this contract for you to subcontract out to a supplier diversity firm. So, you know, they have different ways of trying to help ensure that we have an equal and fair process through this. So we deal with this many times. It kind of depends on the geographic market at times, because every
00:19:44 Mark Maraccini
state is different. The beauty of America and the 50 states is every state is different. And of course, every state has different rules and requirements around this and how they're going to approach it. So it's very good to understand that and look at how your local or state is set up, local government or state is set up to ensure that you're following those types of requirements.
00:20:11 Pamela Stroebel Powers
Absolutely.
00:20:11 Pamela Stroebel Powers
That's excellent.
00:20:13 Pamela Stroebel Powers
I'm glad you brought those programs up.
00:20:14 Pamela Stroebel Powers
And I do want to also point out, at least the state that I live in, Oregon, our state also has programs even for small businesses.
00:20:22 Pamela Stroebel Powers
So not even one of those, you mentioned three great classifications, women-owned, minority-owned, veterans-owned, but even small businesses that can't, don't have the resources to compete with larger firms and larger contractors.
00:20:33 Pamela Stroebel Powers
So definitely be considering that as auditors when you're looking at the programs.
00:20:37 Pamela Stroebel Powers
What kind of programs do they have?
00:20:38 Pamela Stroebel Powers
Are they following those programs?
00:20:40 Pamela Stroebel Powers
Are they, do they have process
00:20:41 Pamela Stroebel Powers
for ensuring they're looking at those types of things and giving fair, equitable opportunity to all vendors.
00:20:47 Mark Maraccini
And to build on that, I think another key component for auditors is to really look at not only compliance, are they meeting the program?
00:20:58 Mark Maraccini
Is the program doing what it's intended to do?
00:21:00 Mark Maraccini
Is it truly achieving what it was set out to do and making procurements fair and equal, right?
00:21:07 Mark Maraccini
And many times as auditors, we kind of get into the mode of
00:21:11 Mark Maraccini
looking at information and testing it against a regulation or a policy, which is great.
00:21:17 Mark Maraccini
And we want to do that.
00:21:18 Mark Maraccini
We want to make sure everything is being done in accordance with the rules and requirements, but also taking a step back and saying, is this program doing what we intended it to do?
00:21:28 Mark Maraccini
And if not, what recommendations can we make to really help improve the program so it does achieve the outcomes we're looking for?
00:21:38 Pamela Stroebel Powers
Absolutely, definitely different audit objectives between auditing an actual agreement or project versus auditing the program itself.
00:21:47 Pamela Stroebel Powers
I think that's an excellent point.
00:21:48 Pamela Stroebel Powers
Thank you, Mark.
00:21:50 THE IIA
To celebrate Internal Audit Month, the IIA is offering members 20% off application and exam registration fees throughout the entire month of May.
00:21:59 THE IIA
So if you're thinking about getting your CIA, CRMA, or IAP, now might be the best time.
00:22:05 THE IIA
Becker, the official CIA exam review partner of the IIA, is offering up to 20% off CIA exam prep and $50 off IAP prep.
00:22:14 THE IIA
You can find the code and link to this offer in the show notes of this episode.
00:22:18 THE IIA
So don't wait too long because this offer ends May 31st.
00:22:25 THE IIA
If you like this podcast, please subscribe and rate us.
00:22:28 THE IIA
You can subscribe wherever you get your podcasts.
00:22:31 THE IIA
You can also catch other episodes on YouTube or at theiia.org.
00:22:35 THE IIA
That's T-H-E-I-I-A.org.