Internal Audit Checklist: Purchasing Organization

Corporate Purchasing

In general, the objective of an internal audit is to assess the risk of material misstatement in financial reporting. Material misstatements can arise from inadequacies in internal controls and from inaccurate management assertions. As such, testing the validity of various implicit managerial assertions is a key objective of an internal auditor.

While this applies to all financial cycles, this article is the first in a series focusing on the General Control Activities for the Purchasing cycle. The most important general control areas for Purchasing include:

  • Organization
  • Performance Management
  • Supplier Selection
  • Ordering
  • Purchase Commissions
  • Goods and Services Received
  • Invoice Verification
  • Master Data Purchasing

In this post, we’ll focus on the General Control Activities for the Purchasing Organization.

Personnel Responsibilities and Accountability

The business should ensure that all responsibilities and authority limits are properly defined and communicated. In addition, there should be adequate descriptions for each key individual role.

When conducting the audit, evaluate the following controls/best practices:

  • Verify that an organizational chart is available to all staff and is periodically updated
  • Validate that an authority schedule is available to all staff and is periodically updated
  • Make sure there are clear job descriptions and that they are regularly updated
  • Test to make sure there is a regular review to determine if the business structure reflects the business activities and responsibilities

Segregation of Duties/System Access Rights

Businesses should have policies and procedures surrounding segregation of duties (“SoD”)/system access rights. The goal is to ensure that critical functions are adequately segregated, SoD is properly supported by logical user access authorizations, and access to critical vendor master data is restricted to appropriate personnel.

When conducting the audit, evaluate the following controls/best practices:

  • Make sure there is a periodic review of roles and responsibilities of purchasing staff
  • Verify that the organizational chart and authority schedule are available to all staff to make them aware of the competences
  • Validate that the following critical functions are segregated with the operating system:
    • Periodic review of conflicting tasks in the ERP system (SoD conflict matrix)
    • Implementation and documentation of compensating controls for SoD conflicts
    • Access to critical master data properly restricted and tailored within the system
    • Ex post controls to monitor master data changes are in place (e.g. log files to catch changes of vendors; review of aged creditor reports generated from ERP system)
    • Multiple eyes principle is adhered to with respect to changes of critical master data
    • User access rights are periodically reviewed for adequacy (are functions properly reflected in the user access rights matrix)


The business should ensure that key processes are defined and detailed procedures for carrying out the main purchasing processes are in place.

When conducting the audit, evaluate the following controls/best practices:

  • Make sure there is a clear definition of the ownership of procedures
  • Verify that procedures are documented and accessible to all relevant parties
  • Verify that there is a regular formal review and update of key procedures
  • Validate that conformance audits are regularly conducted to validate compliance with procedures
  • Make sure there is regular training for relevant employees and that there is a training plan in place
  • Verify that policies and procedures are stored in a shared document management system and that reminders are automatically sent to owners for review
  • Validate that there is a clear policy in place relating to the acceptance of gifts from suppliers and test to make sure the policy is being followed

Adequacy of Staffing

It is important to ensure that there is adequate staffing in the purchasing activity; otherwise, there will be an increased risk of Segregation of Duties issues, overworked/overwhelmed employees, productivity issues during absences, insufficient opportunity for training, and the potential for increased employee departures.

When conducting the audit, evaluate the following controls/best practices:

  • Validate that there is a budget for replacement of vacant job positions
  • Make sure a succession plan is in place
  • Verify that procedures are in place for staff promotions
  • Validate that there is a management development program
  • Make sure there is a training program in place and it is monitored
  • Verify that employee satisfaction surveys are in place
  • Validate that there is a personal development process
  • Make sure there is an adequate incentive structure

Code of Conduct

It is critical that the business have a Code of Conduct that is embedded within the culture of the organization and adhered to at all levels.

When conducting the audit, evaluate the following controls/best practices:

  • Make sure that all employees receive CoC training within 6 months of start date
  • Verify that sales staff periodically acknowledge that they are abiding by CoC and competition laws
  • Validate that there is face-to-face training for all customer facing staff
  • Make sure that there is CoC training at least once every 3 years (or at a schedule that is compliant with legal standards)
  • Verify that human resources has an effective method of tracking which employees have completed CoC training courses
  • Validate that there are procedures and/or monitoring controls in place to detect CoC violations
  • Make sure that there are appropriate repercussions to adequately address CoC violations and that actions are communicated to staff

In conclusion, auditing standards require that auditors test basic underlying management assertions implicit in the financial statements. The key objectives of these assertions are: Existence and Completeness, Rights and Obligations, Valuation or Allocation, and Presentation and Disclosure.