A solid audit program turns procurement from a collection of ad-hoc decisions into a governed system. Done well, it clarifies risk appetite, codifies decision rights, and proves with evidence how funds move from intent to payment. That clarity matters far beyond finance; public procurement alone represents a double-digit share of many economies, so control failures ripple into cost, reputation, and supply continuity.
Auditors look for three things: clear rules, consistent execution, and retrievable evidence. The checklist below follows that path: scope first, then governance, then end-to-end control tests, data integrity, and continuous improvement. The principles apply across sectors, but in capital-intensive settings such as manufacturing the stakes rise quickly, which is why many teams keep a short explainer on their recurring procurement risks so that staff understand why particular controls exist.
Audit Scope and Objectives
Purpose, risk appetite, and success criteria (financial, compliance, operational)
Define why the audit exists and what “good” means. Common objectives include:
- safeguarding funds;
- ensuring fair and documented competition;
- enforcing contractual discipline;
- protecting data and supplier banking details;
- verifying that reported metrics (cycle time, price realization) match source records.
Risk appetite should be explicit—for example, zero tolerance for bank-detail changes without dual control, and low tolerance for non-PO invoices above a threshold.
Coverage boundaries—entities, categories, thresholds, sampling frames, and period under review
Name the legal entities, time horizon (e.g., last two quarters), spend bands, and categories in scope. Sampling rules should reflect materiality and risk: higher sampling for services without physical receipt, engineered items with unit-of-measure complexity, and one-time vendors. Note the “known hot spots” (e.g., urgent buys, grant-funded projects) so auditors can oversample intelligently.
Governance, Roles, and Evidence Standards
Decision rights and three lines of defense; segregation of duties
Publish a decision-rights map: who selects the sourcing method, who can waive competition, who approves spend by tier, who can edit supplier master data, who releases payments. Keep segregation of duties (SoD) tight: requesters never approve their own POs; supplier-master edits require verification by a second team; payment release is separate from invoice posting. Test SoD from the system's actual role assignments, not from the policy document: a user who holds both the supplier-master-edit and payment-release roles is a finding whether or not they have used both. Annual conflict-of-interest attestations for buyers and approvers should be mandatory.
Evidence requirements—source documents, logs, retention, and traceability
Audits fail on missing documents more often than on exotic fraud. Standardize the "evidence pack" per control: budget extract, RFQ/RFP file, evaluation scorecard, contract plus price-file map to SKUs, PO, receipt/GRN or service acceptance, invoice image, match logs, payment file with bank acknowledgment, and immutable logs for sensitive changes (bank details, tolerance edits). "Immutable" means append-only, with the rights to purge or edit the log held outside the teams whose changes it records; otherwise the control owner is auditing their own evidence. Retention policies must match regulatory needs.
End-to-End Control Checks (Plan → Source → Procure → Pay)
Pre-commit controls—budget check, competitive method, supplier due diligence, and contract hygiene
No requisition should advance without budget validation and an approved sourcing route matched to thresholds. Supplier onboarding must include legal existence, tax and sanctions screening, and verified banking, ideally with call-back procedures and dual control for any change. The call-back must go to a contact number already on file from onboarding or obtained independently, never to a number supplied in the change request itself; a request that arrives with its own "please confirm on this number" is the classic pattern of payment-diversion fraud. Contract hygiene means price and units map to catalog SKUs, not just narrative descriptions.
Commit-and-pay controls—PO mandate, GRN/acceptance, 2-/3-way match, tolerance tables, and exception routing
Enforce a PO mandate above a modest threshold. Physical goods require three-way match (PO, receipt, invoice); services may use two-way with stricter price tolerances and explicit acceptance. Publish tolerance tables (price, quantity, tax) and version them; route exceptions upstream to the owner that can fix the cause (catalog, contract, master data) rather than letting AP absorb rework.
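The commit-and-pay controls above can be expressed as a small matching routine. The following is an added example written for this page, not code from any ERP or from the original author; the field names, the 2% price and 0.05 tax tolerances, the flat 20% tax rate, and the routing targets are illustrative assumptions. It shows the two points the text makes: a versioned tolerance table drives the decision, and each exception carries the owner who can fix the cause rather than landing on AP.

```python
"""Added example: minimal 2-/3-way invoice match with a versioned tolerance
table and exception routing. Field names, limits and routing are assumed."""

# Versioned tolerance table (assumed structure). Version it with the policy
# so an auditor can tell which limits applied to a given posting.
TOLERANCES = {
    "version": "2024-Q1",
    "price_pct": 0.02,   # invoice unit price may exceed PO price by up to 2%
    "qty_pct": 0.0,      # no over-billing of quantity against the receipt
    "tax_abs": 0.05,     # currency units of rounding slack on tax
}

# Exception type -> owner who can fix the root cause (assumed names).
ROUTING = {
    "NO_PO": "requester (PO mandate)",
    "NO_RECEIPT": "receiving",
    "PRICE": "contract/catalog owner",
    "QTY": "receiving/requester",
    "TAX": "tax master data owner",
}


def match_invoice(inv, po, grn, tol=TOLERANCES, three_way=True, tax_rate=0.20):
    """Return a list of (code, detail, route) exceptions.

    Empty list means the invoice may post. Physical goods use three_way=True
    (PO + GRN + invoice); services use three_way=False (PO + invoice) and are
    expected to run with a tighter price tolerance in tol.
    """
    if po is None:
        return [("NO_PO", "no PO on file", ROUTING["NO_PO"])]
    if three_way and grn is None:
        return [("NO_RECEIPT", "no GRN/acceptance record", ROUTING["NO_RECEIPT"])]

    issues = []
    if inv["unit_price"] > po["unit_price"] * (1 + tol["price_pct"]):
        issues.append(("PRICE", f'{inv["unit_price"]} vs PO {po["unit_price"]}',
                       ROUTING["PRICE"]))

    # Quantity is checked against what was received (3-way) or ordered (2-way).
    received = grn["qty"] if three_way else po["qty"]
    if inv["qty"] > received * (1 + tol["qty_pct"]):
        issues.append(("QTY", f'{inv["qty"]} vs received {received}', ROUTING["QTY"]))

    expected_tax = round(inv["qty"] * inv["unit_price"] * tax_rate, 2)
    if abs(inv["tax"] - expected_tax) > tol["tax_abs"]:
        issues.append(("TAX", f'{inv["tax"]} vs expected {expected_tax}', ROUTING["TAX"]))
    return issues


if __name__ == "__main__":
    # Constructed sample: 100 units billed, only 90 received.
    po = {"unit_price": 10.0, "qty": 100}
    grn = {"qty": 90}
    inv = {"unit_price": 10.10, "qty": 100, "tax": 202.0}
    for code, detail, route in match_invoice(inv, po, grn):
        print(f"{code}: {detail} -> route to {route}")
```

A real implementation would also record `TOLERANCES["version"]` on the match log entry so a later re-test can reproduce the decision.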
Control Tests, Evidence, and Ownership
| Control area | Control test | Required evidence | Frequency | Control owner |
|---|---|---|---|---|
| Budgeting | PR approved within budget & cost center | Approved PR, budget ledger extract | 100% (automated) | Finance Controller |
| Competitive sourcing | Method aligns to thresholds; award rationale documented | RFQ/RFP pack, quote matrix, scorecard | Sampled monthly | Category Manager |
| Supplier onboarding | KYC, sanctions, tax IDs, bank-detail verification (dual control) | KYC file, screening logs, bank-change audit trail | 100% of new vendors | Compliance + AP |
| Contract compliance | Price/terms map to SKUs and UoM; expiry tracked | Contract file, price file, SKU map | Quarterly | Procurement Ops |
| PO mandate | Valid PO before invoice above threshold | PO vs. invoice cross-check | 100% (automated) | AP Lead |
| Goods/services receipt | GRN or acceptance before post | GRN/Service acceptance record | 100% (automated) | Receiving/Requester |
| Invoice matching | 2/3-way match within tolerance; tax validated | Match log, tolerance table, tax calc proof | 100% (automated) | AP Systems |
| Payments | Segregated approvals; bank file integrity | Payment file, approver logs, bank ack | Per payment run | Treasury |
Data Integrity and Analytic Procedures
Master data hygiene—supplier IDs, catalogs, UoM, tax, and contract-to-SKU mapping
One supplier must equal one identity. Suppress aliases and merge duplicates quarterly. Catalogs should enforce standard packs and units to avoid quantity mismatches. Contract price files must map to the exact SKUs and UoM used on POs; otherwise “price variance” becomes guesswork. Record effective dates and currency for every file.

Exception and anomaly tests—duplicate payments, split POs, price drift, off-contract spend
Embed automated tests that flag patterns, not just single records:
- Duplicate invoice logic: same supplier with the same normalized invoice number (case, punctuation and leading zeros stripped, so "INV-0042" and "inv 42" match), or the same amount within a short date window; escalate when recurrence exceeds a monthly threshold.
- Split-PO detection: multiple POs just under approval thresholds to the same vendor/cost center in a short window.
- Price realization: invoiced vs. contracted price by SKU; investigate if realization falls below a defined band (e.g., 98%).
- Off-contract spend: category dollars to vendors without active contracts.
- Bank-detail change risk: payments within 10 days of a bank-master edit require documented call-back verification.
- Tax variance: mismatches between calculated and expected tax based on ship-to and item attributes.
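Four of the tests above, run over constructed sample records, as an added example for this page (not code from the original author or any specific tool). The field names, thresholds (30-day duplicate window, 5,000 approval threshold, 7-day split window, 98% realization floor, 10-day bank-change window) and the sample data are assumptions; "realization" is taken here as contracted price divided by invoiced price, so a value below 1.0 means paying more than agreed.

```python
"""Added example: procurement exception tests over constructed sample data.
Schema, thresholds and records are illustrative assumptions."""
import re
from collections import defaultdict
from datetime import date

# Constructed sample records (not real transactions).
INVOICES = [
    {"id": 1, "vendor": "V100", "number": "INV-0042", "amount": 1250.00, "date": date(2024, 3, 4)},
    {"id": 2, "vendor": "V100", "number": "inv 0042", "amount": 1250.00, "date": date(2024, 3, 6)},
    {"id": 3, "vendor": "V100", "number": "INV-0051", "amount": 1250.00, "date": date(2024, 3, 9)},
    {"id": 4, "vendor": "V200", "number": "A-1", "amount": 80.00, "date": date(2024, 3, 1)},
]
POS = [
    {"po": "PO1", "vendor": "V300", "cost_center": "CC7", "amount": 4900, "date": date(2024, 2, 1)},
    {"po": "PO2", "vendor": "V300", "cost_center": "CC7", "amount": 4800, "date": date(2024, 2, 3)},
    {"po": "PO3", "vendor": "V300", "cost_center": "CC7", "amount": 4950, "date": date(2024, 2, 5)},
    {"po": "PO4", "vendor": "V300", "cost_center": "CC9", "amount": 4900, "date": date(2024, 2, 5)},
    {"po": "PO5", "vendor": "V400", "cost_center": "CC7", "amount": 12000, "date": date(2024, 2, 5)},
]
CONTRACT_PRICES = {("V300", "SKU-A"): 10.00, ("V300", "SKU-B"): 5.00}
INVOICE_LINES = [
    {"vendor": "V300", "sku": "SKU-A", "unit_price": 10.60},
    {"vendor": "V300", "sku": "SKU-B", "unit_price": 5.05},
    {"vendor": "V300", "sku": "SKU-Z", "unit_price": 7.00},  # no contract price
]
BANK_CHANGES = [
    {"vendor": "V100", "changed": date(2024, 3, 1), "callback_verified": False},
    {"vendor": "V200", "changed": date(2024, 1, 1), "callback_verified": True},
]
PAYMENTS = [
    {"id": "P1", "vendor": "V100", "date": date(2024, 3, 8)},
    {"id": "P2", "vendor": "V200", "date": date(2024, 3, 8)},
]


def norm_invoice_number(n):
    """Lower-case and drop everything but letters/digits, then strip leading
    zeros from digit runs, so 'INV-0042' and 'inv 42' compare equal."""
    return re.sub(r"0+(\d)", r"\1", re.sub(r"[^0-9a-z]", "", n.lower()))


def duplicate_invoices(invoices, window_days=30):
    """Pairs from one vendor with equal normalized number, or equal amount
    within window_days. Returns (id_a, id_b, reason)."""
    flags = []
    for i, a in enumerate(invoices):
        for b in invoices[i + 1:]:
            if a["vendor"] != b["vendor"]:
                continue
            same_num = norm_invoice_number(a["number"]) == norm_invoice_number(b["number"])
            same_amt = (a["amount"] == b["amount"]
                        and abs((a["date"] - b["date"]).days) <= window_days)
            if same_num or same_amt:
                flags.append((a["id"], b["id"], "number" if same_num else "amount"))
    return flags


def split_pos(pos, threshold=5000, window_days=7):
    """Groups of >=2 POs to one vendor+cost center, each under the approval
    threshold, all within window_days, whose total crosses the threshold."""
    groups = defaultdict(list)
    for p in pos:
        if p["amount"] < threshold:
            groups[(p["vendor"], p["cost_center"])].append(p)
    flags = []
    for key, items in groups.items():
        items.sort(key=lambda p: p["date"])
        span = (items[-1]["date"] - items[0]["date"]).days
        total = sum(p["amount"] for p in items)
        if len(items) >= 2 and span <= window_days and total >= threshold:
            flags.append((key, [p["po"] for p in items], total))
    return flags


def price_realization(lines, contract, floor=0.98):
    """Realization = contracted / invoiced unit price per SKU. Flags lines
    below the floor and lines with no contract price (off-contract spend)."""
    out = []
    for ln in lines:
        agreed = contract.get((ln["vendor"], ln["sku"]))
        if agreed is None:
            out.append((ln["sku"], None, "no contract price"))
        elif (r := round(agreed / ln["unit_price"], 3)) < floor:
            out.append((ln["sku"], r, "below floor"))
    return out


def bank_change_risk(payments, changes, window_days=10):
    """Payments within window_days after a bank-master edit that has no
    documented call-back. Returns (payment_id, vendor, days_since_change)."""
    flags = []
    for pay in payments:
        for ch in changes:
            age = (pay["date"] - ch["changed"]).days
            if (ch["vendor"] == pay["vendor"] and 0 <= age <= window_days
                    and not ch["callback_verified"]):
                flags.append((pay["id"], ch["vendor"], age))
    return flags


if __name__ == "__main__":
    print("duplicates:", duplicate_invoices(INVOICES))
    print("split POs:", split_pos(POS))
    print("price:", price_realization(INVOICE_LINES, CONTRACT_PRICES))
    print("bank-change:", bank_change_risk(PAYMENTS, BANK_CHANGES))
```

The bank-change test is deliberately a hard stop rather than a score: an unverified edit followed by a payment inside the window is the exact sequence a diverted-payment fraud produces, so the payment should be held until the call-back record exists.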
Fraud-aware controls save real money. The Association of Certified Fraud Examiners (ACFE) reports that tips account for roughly 43% of initial fraud detections, which is why hotlines and clear escalation paths belong in procurement and AP policies—not just finance manuals.
At a system level, digitized tendering and standard data deliver measurable benefits; a World Bank results brief for e-procurement reforms reported ~7% savings and cycle-time reductions from roughly 100 to 57 days post-implementation—proof that transparency and structure move dollars and days, not just dashboards. Source: World Bank e-procurement case evidence.
Reporting, Findings, and Continuous Improvement
Rating criteria, materiality thresholds, and root-cause taxonomy
Keep ratings simple (effective, partially effective, ineffective) and tie them to materiality bands. Classify root causes with a short taxonomy—policy, master data, process, system, supplier—so remediation lands with the right owner. A recurring “ineffective” on bank-detail verification is a control-design issue; recurring price variances with one vendor are a contract-to-SKU mapping issue.
Remediation playbooks—owners, SLAs, verification of fix, and re-test cadence
Every finding should name an owner, a due date, and a verification method (e.g., re-test a 30-invoice sample after the fix). Track exception recurrence within 30/60/90 days to confirm the fix holds. Publish a quarterly “what changed” note—new tolerance tables, refreshed price files, supplier enablement milestones—so definitions don’t drift and stakeholders stay aligned.