Procurement is the function that spends the organisation’s money — and because of that, it sits at the intersection of financial risk, fraud risk, supplier risk, and an increasingly complex regulatory environment. Procurement policy violations are the most common finding in internal audits of commercial organisations: purchases approved by someone without sufficient authority, preferred suppliers used without a qualifying process, invoices paid without three-way matching, contracts renewed without review, and suppliers operating for months without a signed agreement. Beyond the internal policy dimension, the regulatory environment is expanding rapidly — the EU Corporate Sustainability Due Diligence Directive (CSDDD), Germany’s Supply Chain Act (LkSG), and the CSRD are requiring large companies to conduct and document supply chain due diligence for human rights, labour standards, and environmental impact. A procurement compliance review addresses all of this systematically: auditing spending authority, contract adherence, supplier qualification, payment accuracy, conflict of interest management, and supply chain ESG obligations in a single structured process. This free checklist gives procurement directors, CFOs, and internal auditors a structured framework for the full procurement compliance review.
Policy adherence, spending authority validation, regulatory compliance, contract adherence, and approval documentation. The foundational question: is every purchase authorised by someone with the correct authority, within a valid contract, and consistent with policy?
Spend analysis by supplier, category, and department; invoice and payment accuracy; three-way matching compliance; duplicate payment detection; and cost optimisation opportunities (consolidated spend, renegotiated rates, volume commitments).
Conflict of interest identification, supplier concentration risk, supplier financial health monitoring, fraud indicators, and supply chain continuity assessment.
Procurement cycle times, supplier on-time delivery against contract, purchase order compliance rate (orders raised before rather than after goods receipt), and procurement team KPIs against objectives.
Eight phases covering the complete procurement compliance review — from scope setting and data collection through spending authority, contract compliance, supplier qualification, payment accuracy, fraud risk, spend analysis, and corrective action reporting.
Spending authority violations are the most common procurement compliance finding. The purpose of authority limits is not bureaucratic — it is to ensure that every purchase is reviewed by someone with appropriate seniority and financial accountability for the decision.
Maverick spend (also called rogue spending) occurs when purchases are made outside the defined procurement process — bypassing the approved supplier list, the purchase order requirement, the competitive quotation threshold, or the approval authority. Research consistently shows that organisations with weak procurement controls have maverick spend rates of 30–60% of total addressable spend — meaning a significant proportion of all purchases bypass the controls designed to manage cost and risk.
The cost of maverick spend is not just the overpayment on the individual purchase — it is the erosion of negotiated rates (suppliers who know they will receive orders regardless of compliance have less incentive to maintain contracted pricing), the fraud risk (unapproved supplier relationships are the most common vector for procurement fraud), and the data gap (spend that bypasses the procurement system does not appear in spend analytics, making it impossible to manage strategically).
A procurement review that focuses only on invoice processing misses conflict of interest. One that focuses only on supplier qualification misses maverick spend. CheckFlow’s procurement compliance review runs all four dimensions — governance, financial, risk, and process — in a single structured process.
The procurement compliance finding that generates a corrective action that is never implemented is a finding that recurs in the next review. CheckFlow assigns each finding to a named owner with a deadline, tracks completion, and escalates overdue items to the review lead.
Internal audit, board oversight, external audit, and regulatory compliance all depend on evidence that procurement controls are systematically operated and reviewed. Every procurement compliance review conducted through CheckFlow is documented, dated, and archived — providing the governance record that accountability requires.
Procurement compliance reviews often find purchase order approval failures. CheckFlow’s Purchase Order Approval Checklist covers the structured PO approval process that procurement compliance requires. See the Purchase Order Approval Checklist →
Supplier qualification compliance is one of the key areas of the procurement review. CheckFlow’s Supplier Onboarding Checklist covers the structured qualification process. See the Supplier Onboarding Checklist →
A procurement compliance review covers eight areas: review preparation and scope setting (period, categories, spend threshold, team assembly), spending authority compliance (authority matrix currency, PO approval sampling, split PO detection), contract compliance (no-contract spending, expired contracts, commercial terms adherence), supplier qualification (approved supplier list currency, unapproved supplier identification, insurance and compliance documents, ESG due diligence), invoice and payment compliance (three-way matching, maverick spend, duplicate payment screening, payment terms), conflict of interest and fraud risk (COI declarations, related-party screening, spend concentration analysis, tender compliance), spend analysis (category analysis, tail spend, spend under management, consolidation opportunities), and findings report with corrective actions.
Three-way matching is the process of comparing three documents before approving a supplier invoice for payment: the purchase order (what was authorised to be ordered), the goods receipt or service confirmation (what was actually delivered or completed), and the supplier invoice (what the supplier is claiming payment for). All three must match within defined tolerances before payment is approved. Three-way matching is the primary control against overbilling, duplicate invoices, payment for goods not received, and invoice fraud. Invoices paid without a valid matching PO represent a procurement policy violation and a significant financial control weakness.
The EU Corporate Sustainability Due Diligence Directive (CSDDD) requires large companies to identify, prevent, and address actual and potential adverse impacts on human rights and the environment across their supply chains and business operations. Germany’s Supply Chain Act (LkSG) requires companies of a certain size operating in Germany to implement human rights due diligence processes covering their direct suppliers. Both require documented due diligence processes, regular risk assessments, and reporting. For procurement teams, this means supplier qualification processes must include assessment of human rights and environmental practices — not just commercial and financial criteria.
Maverick spend is procurement that occurs outside the defined procurement process — bypassing preferred suppliers, purchase order requirements, approval authorities, or quotation thresholds. It is typically caused by: urgent business needs where the procurement process is perceived as too slow, business units that are unaware of procurement policies or approved supplier arrangements, procurement systems that are difficult to use (encouraging workarounds), and weak enforcement with no consequences for policy bypass. Research consistently shows maverick spend rates of 30–60% in organisations with weak procurement controls — representing significant cost, risk, and compliance exposure.
14-day free trial, no card required. The Business plan is $10 per user per month after the trial. Full details at checkflow.io/pricing.
