Various controls can be applied to manage these risks:
- The entity might establish an authorised list of suppliers, and goods and services can be purchased only from suppliers on the list.
There may be exceptions to the policy guidelines. For example, a company policy may be that a supplier must be on the authorised list if more than one purchase order is ever placed with the supplier, but for one-off purchases, a supplier does not need to be on the list.
- There should be procedures for the requisition of goods and services, and procedures for the authorization and approval of purchase orders. For example, requisitions to purchase store items may be generated by the store department’s inventory control system, and the authorisation for the purchase and the placing of the purchase order should be made by individuals at a suitable level of seniority, depending on the size and value of the order.
- There should be established policies and procedures in the buying department for negotiating favorable prices with suppliers.
- For very large purchase contracts, it may be a policy requirement that a system of tendering should be used, and more than one supplier should be asked to tender for the contract.
- Supplier performance should be monitored. Have they delivered goods on time and to the specified quality?
- The payments system should be subject to suitable controls.
- There should be a control reporting system that reports to management on supplier performance and any breach of purchasing policy guidelines and procedures.