Auditing procurement and contract management


The importance of effective procurement and contract management was emphasised by the COVID-19 pandemic, as procurement teams in particular rushed to bring in products and services that were essential to fight against the virus. In Autumn 2021, the challenges of supply chain management were also brought into the spotlight due to the shortage of HGV drivers, challenges loading and offloading ships and the general issues around moving goods from point A to point B and then on to customers. These challenges have been felt by organisations across all sectors, although naturally some sectors have been more significantly impacted than others.

In the following piece, we take a look at auditing procurement and contract management.


What is procurement?

The Chartered Institute of Procurement and Supply (CIPS) says that procurement and supply management “involves buying the goods and services that enable an organisation to operate in a profitable and ethical manner”.

What is the procurement cycle?

The CIPS Procurement and Supply Cycle sets out the key steps for procuring goods or services. It is a good practice tool that provides guidance to organisations, enabling them to follow an effective procurement cycle process. It is also a useful source of reference for all lines of assurance providers in the procurement space.

Contract management

What is contract management?

The CIPS definition of contract management is “a continuous procurement process that ensures suppliers adhere to their agreed contractual obligations along with negotiating any future changes that need to take place”.

The aim of contract management is to ensure that an organisation receives the goods or services procured, in compliance with the terms and conditions of the contract. Contract management could be formalised through the development of a contract management plan at the start of the contract term. The plan is monitored regularly to ensure compliance with contract terms and conditions, manage risk, and assess vendor performance. Ultimately, the goods or services purchased and the complexity of the contract should determine the type of contract performance measures that should be used.

What is the contract management cycle?

The CIPS Contract Management Cycle is a good practice model for maximising value and minimising risk across the four phases:

  1. Strategy
  2. Structures and resources
  3. Implementation
  4. Development and lifecycle management

It provides direction and guidance for assurance providers regarding testing best practice.

Public sector-specific perspective

In 2010, central government moved to a system which buys common goods and services once on behalf of government. To support this, the Crown Commercial Service was established to provide end-to-end purchasing services and departments were to transition spend on common goods and services to these arrangements.

All commercial activity must be compliant with the regulatory framework as set out in the ‘Public Procurement Policy and Legal Framework’. The National Audit Office (NAO) has reported that the annual public expenditure on goods and services routinely exceeds £206 billion per year. As in all things, there are risks and opportunities to deliver value for money for the taxpayer. Public sector organisations are required to follow guidance such as the NAO: Good practice contract management framework and the Government Functional Standard GovS 008: Commercial. These pieces of guidance set the expectations and direct consistency in the planning, management and execution of commercial activities, to ensure value for money is achieved in contracts and in the delivery of good quality public services.

Public sector organisations have to comply with the government’s transparency agenda. It is a requirement to make public sector opportunities available in one place, Contracts Finder, and contract award information relating to the winning contractor should also be published on Contracts Finder. This applies to procurement opportunities that are subject to the Public Contracts Regulations 2015 and above the threshold of £10,000 for central government bodies or £25,000 for other public sector bodies.

A useful framework for procurement and contract management in the Public Sector is the National Audit Office (NAO) guidance on managing the commercial lifecycle.

Legal and regulatory framework

From 6 April 2021, all public authorities and medium and large-sized clients outside the public sector are responsible for deciding if the IR35 rules relating to the tax and NI contributions of contractors offering services to them through an intermediary apply. It is important for internal audit to consider what controls an organisation has in place within procurement and contract management to mitigate the risks of fines associated with non-compliance. See our detailed guidance on IR35 for more information.

The Modern Slavery Act 2015 imposes a duty on all commercial organisations with global turnovers of £36 million and above, providing they carry on business in the UK, to publicly report steps they have taken to ensure their operations and supply chains are trafficking and slavery free.

The UK Bribery Act 2010 dictates that an organisation will commit an offence if an ‘associated person’ performing services on its behalf bribes another person in order to obtain or retain either business or a business advantage for the organisation. As this could happen at any stage of the procurement and contract management process, it is vital for organisations to ensure that anti-bribery policies and adequate procedures are embedded into normal, day-to-day business practices. A person and the organisation guilty of an offence relating to failure of commercial organisations to prevent bribery are liable on conviction on indictment to a fine. The Financial Service Authority issued a final notice (October 2021) to Credit Suisse International with a financial penalty of £147,190,200, which is associated with bribery and corruption.

Role and importance of internal audit

Procurement and contract management cycles are influenced by a variety of associated processes. Assurance that all of these elements are efficient and effective will be of importance to organisations and their internal auditors across all sectors.

This guidance focuses on the importance of following the key activities in the cycles as these should encourage consistencies in approach for procurement and contract management which should result in better value for money and high quality of services.

The exact role, timing and extent of internal audit's involvement will be determined by the type of procurement or contract, the risk that this presents to the organisation, cost and complexity of the contract and supply chain levels.

Internal audit should provide assurance in respect of:

  • Procurement and contract management strategy and strategic decision-making, including environmental sustainability and reputational considerations
  • Robustness of information management relating to procurement and contract management
  • Risk management approach including bribery risks
  • Compliance with legislative requirements
  • Supplier relationship management
  • Contract performance management
  • Compliance with other contractual obligations

Internal audit may also provide consulting/advisory services in real time on the design of each stage of the procurement process. It is important for internal audit to be involved early to support the decision making process and to ensure that good practice is followed.

Internal audit assurance or consulting/advisory services can support achievement of value and compliance through improved practice and strategic planning.

Internal audit strategy considerations

In some large organisations, the procurement of goods and services is managed by a centralised commercial function which is responsible for overseeing all stages of procurement until the contract is awarded. Typically, after this stage, contract management is often delegated to business areas for the day-to-day management of the contract but with oversight from the commercial function and provision of professional support. Depending on the scope agreed with management, the audits can be done as a combined assignment or separately.

Planning a procurement and contract management audit

The first question to ask is whether your organisation has a procurement framework which is in alignment with the commercial strategy and whether it is fit for purpose. Does the procurement framework align with good practice and is it being complied with?

Below is a high-level checklist to use in discussion with procurement and commercial teams.

  • Does the organisation have a strong commercial function in terms of skills, expertise and guidance?
  • Does the organisation have the capability needed to manage the procurement process and contract monitoring, and is it developing capability for the future?
  • Has the organisation deployed its capability in a balanced way across the procurement and contract management lifecycles and is commercial capability effectively integrated with business processes?
  • Is sufficient data and information being made available to make informed decisions about procurement and contracts? What gets reported and is there a standardised approach to using data?
  • Are potential suppliers well informed about the procurement framework/process ahead so suppliers know what they are committing to?
  • Has the organisation determined a minimum standard in advance, with tenders/bids below this standard not being considered?
  • Are EU procurement notice requirements being complied with?
  • Is there a code of conduct and a fit for purpose anti-bribery policy in place? What mechanism does management have in place for seeking assurance on conformance?
  • Has the anti-bribery policy been effectively communicated to staff and other stakeholders?

Risks and controls

An overview of some generic risks and controls is provided as a starting point for internal audit engagement planning of contract management and procurement reviews. These do not replace the need for local risk assessment work as risks should be aligned to the specifics of the organisation, sector and geographical location.

For each risk, the potential controls that management may have in place are listed first, followed by the potential responses (tests) internal audit could carry out.

Risk 1: A lack of commercial oversight and governance by appropriate board/committee structures results in a procurement strategy without a clear rationale or links to the organisational strategy, and which fails to target value for money

Potential controls:
  • Appropriate governance arrangements are in place with clearly defined structures, roles and responsibilities, which have been communicated
  • An approved procurement strategy plan is in place

Potential responses:
  • Confirm the existence of a defined governance structure with a clear hierarchy of boards and committees in place to maintain oversight and approval of the procurement strategy
  • Test the application of a defined risk management and escalation route to ensure it is fully understood and effectively deployed
  • Confirm that a documented procurement strategy plan exists
  • Review the plan to assess ownership of the procurement strategy document; clarity of the planned activities and timescales for completion of procurement; resources needed to fully execute the plan successfully; and management of key risks

Risk 2: Research and information, acquired from customers (internal to the business) and the external environment, are poorly developed and/or utilised, leading to business and procurement requirements that are not properly articulated, understood or aligned with the organisation’s strategic objectives

Potential controls:
  • A comprehensive stakeholder engagement plan is in place to identify and manage input from key stakeholders
  • A comprehensive internal and external environmental and strategic assessment has been undertaken, which has followed a recognised approach and links with the procurement strategy
  • Procurement requirements are clearly conveyed and align with business and organisational objectives

Potential responses:
  • Confirm that all key stakeholders are identified, both internally and externally, and that a defined stakeholder engagement plan is in place
  • Establish whether an accepted and approved approach has been taken to completing a strategic assessment of the procurement environment
  • Evaluate how market research has been structured, properly conducted and signed off by someone with appropriate authority
  • Test whether business requirements have been fully defined, articulated and documented

Risk 3: Insufficient market engagement and research is undertaken to gain a full understanding of market capacity and capability, appetite, and option feasibility in order to develop a realistic and achievable procurement strategy that meets business/organisational requirements and effectively manages the associated risks

Potential controls:
  • Effective engagement is held with market suppliers to shape procurement requirements, confirm feasibility and market appetite, and identify key risks
  • The market has been adequately analysed and evaluated, including capability and capacity, to gain an understanding of risks

Potential responses:
  • Confirm the existence of a supplier engagement plan and its adequacy
  • Assess how supplier capability and capacity have been evaluated to deliver the required procurement outcomes

Risk 4: Legislative and regulatory risks have not been identified and/or not effectively managed or complied with

Potential controls:
  • Legislative and regulatory risks are managed/mitigated within the service or activity and monitoring arrangements are in place

Potential responses:
  • Check whether legislative and regulatory risks are clear to the market/potential bidders, and whether these are in line with the organisation’s assessment of the risks
  • Establish whether the terms and conditions of the contract have been set out and whether these meet the organisational needs to address legislative and regulatory risks
  • Assess the adequacy of the evidence that bidders are required to provide to demonstrate that they have addressed any specification requirements in relation to managing legislative and regulatory risks
  • Are there proposed KRIs in place to monitor legal and regulatory risks against risk appetite?
  • Has the organisation established a clear and explicit process for reporting and responding to suspected incidents of non-compliance with legislation or regulation?

Contract management

Risk 5: The respective roles and responsibilities of the contract manager and supplier are unclear or ill defined, resulting in a failure to effectively manage the contract or hold the supplier to account

Potential controls:
  • Roles and responsibilities of the contract manager and supplier are clearly defined in the contract and/or supporting documentation
  • Roles and responsibilities in the procurement process have been defined, communicated and, where appropriate, included in the contract

Potential responses:
  • Ascertain whether clear ownership and accountability of the contract management process exists
  • Establish whether there is a procurement process map setting out the key processes, including contract management
  • Ascertain whether there is a clear process for handling disputes and complaints
  • Ascertain how disputes lead to lessons being learned

Risk 6: Fraud, financial loss and reputational damage to the organisation as a result of the controls in place for the management of contracts being inadequately aligned to good practice

Potential controls:
  • There are well defined processes and a clear contract management plan in place, with a focus on outputs and a ‘whole life’ approach to performance
  • The contract manager and those with procurement responsibilities have appropriate experience and skills (both specific contract management skills and more general procurement awareness and expertise), with access to relevant training and development
  • Contract management processes, policies and guidance are aligned with the organisation’s objectives and best practice
  • Contractual/supplier risk management is in place with clear responsibilities and processes, including identification of who is best placed to manage risk and supplier involvement, where appropriate

Potential responses:
  • Obtain and review the contract management plans to determine whether they are up to date and focused on outputs and a ‘whole life’ approach to performance, ensuring that ownership is clearly articulated
  • Discuss contract manager skills/qualifications and contract management background
  • Determine whether appropriate training has been provided to those with contract management and procurement responsibilities. If so, who attended, when, and what was covered?
  • Review the policy, procedures and guidance documentation relating to contract management and assess their alignment with good practice
  • Review and evaluate the arrangements in place for the identification and management of risk. Are these in line with HM Treasury guidance (The Orange Book)? Check whether the contract management plan is structured around the risk allocation

Risk 7: Ineffective process in place for handling changes to contracts

Potential controls:
  • The contract is regularly reviewed to ensure it meets evolving business needs
  • Processes are in place that clearly lay out the governance of contractual change, including approval processes
  • Approved processes exist for the management of major/minor changes and contract variations, with emphasis on the cost/effort being proportionate to the importance and value of the change

Potential responses:
  • Assess the effectiveness of the change control process. Are the forms completed accurately and duly authorised?

Risk 8: The performance management process is ineffective and/or not operating as intended

Potential controls:
  • A performance management framework is in place when the contract is signed
  • Supplier performance is assessed using clear, objective and meaningful metrics
  • Reporting arrangements are in place, with supplier self-measurement and reporting where appropriate but with independent checking mechanisms to alert the purchaser to performance issues

Potential responses:
  • Review the performance management framework
  • Check the accuracy and adequacy of performance management reports and the management trail of actions taken
  • Test a sample of KPIs, if they are in place, for compliance, and follow up actions taken where these have not been achieved

Risk 9: Payments made to the supplier are not in line with the contract, and appropriate incentive mechanisms are not in place and well managed

Potential controls:
  • Payment mechanisms are clearly documented and communicated to all parties
  • Payment processes are well defined, with appropriate management checks and authorisation processes for paying invoices
  • Incentive structures (financial or non-financial) relate clearly to required outcomes, and are well managed and governed, with suitable checks and approval mechanisms
  • Service credits (pre-specified financial amounts which the customer becomes entitled to whenever a service level is not achieved) or equivalent mechanisms are well managed and governed, and proportionate to supplier profitability

Potential responses:
  • Test a sample of invoices for compliance with processes. For example, is the appropriate documentation attached to the invoice (eg purchase order, goods received note) and is there evidence of segregation of duties?
  • Confirm through testing whether service credits are being applied as per the contract
  • Assess the adequacy of financial and non-financial incentives

Third party suppliers

It should be noted that the existence of third-party service suppliers may make internal audit planning and delivery more complex if the ‘right to audit’ is not included in the contract and the supplier is not prepared to provide support and information to progress audit engagements. However, if there are relatively mature performance measures in place it may make data gathering and validation much simpler. Two-way audit arrangements and the requirement for suppliers to cooperate with assurance providers should be built into contracts.

The use of data analytics in an internal audit of procurement and contract management

The pace of procurement is rapidly changing, with new technology developments taking place in the way procurement teams interact with stakeholders and deliver results for their organisations.

Data analytics could be considered in audits of procurement and contract management to enable continuous auditing or monitoring, as this could be used to identify outliers/areas where management needs to focus attention/investigate further. Results from use of data analytics should provide the internal auditor with potential areas to focus on during testing.

Some other testing techniques could be performed by the internal auditor using data analytics, for example:

  • Split purchase orders
  • Orders over financial delegations
  • Contracts spend over £10,000
  • Duplicate vendors
  • Duplicate payments
  • Vendors versus staff
  • General ledger reconciliations
  • Non approved suppliers versus approved suppliers
  • Expenditure versus budget
  • Invoice price and quantity variance
  • Types of procurement and financial values
  • Number of bidders versus category of suppliers
  • Contracts due to expire within less than 12 months
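The following is an added example, not part of the original guidance, showing how four of the analytics tests listed above (split purchase orders, orders over financial delegations, duplicate payments, and vendors versus staff) can be expressed as simple checks over purchase-order, payment, vendor-master and payroll extracts. All records are constructed sample data; the field names, the £10,000 single-approval limit and the 7-day split-order window are assumptions chosen for the illustration, and each organisation would substitute its own delegations and data layout.

```python
"""Added example (not from the original guidance): data-analytics checks an
internal auditor might run over procurement extracts to surface outliers.
All records are constructed; thresholds and field names are assumptions."""
from collections import defaultdict
from datetime import date

DELEGATION_LIMIT = 10_000   # assumed single-approval limit (pounds)
SPLIT_WINDOW_DAYS = 7       # assumed window for the split-order test

# Constructed purchase orders
PURCHASE_ORDERS = [
    {"po": "PO-1001", "vendor": "V001", "requester": "u.ahmed", "date": date(2021, 11, 1), "amount": 6_500.00},
    {"po": "PO-1002", "vendor": "V001", "requester": "u.ahmed", "date": date(2021, 11, 3), "amount": 6_200.00},
    {"po": "PO-1003", "vendor": "V002", "requester": "j.smith", "date": date(2021, 11, 4), "amount": 14_900.00},
    {"po": "PO-1004", "vendor": "V003", "requester": "k.lee", "date": date(2021, 11, 20), "amount": 900.00},
]

# Constructed payment ledger (invoice reference as keyed by accounts payable)
PAYMENTS = [
    {"ref": "INV-77", "vendor": "V001", "amount": 12_700.00, "paid": date(2021, 11, 15)},
    {"ref": "inv 77", "vendor": "V001", "amount": 12_700.00, "paid": date(2021, 11, 29)},
    {"ref": "INV-80", "vendor": "V002", "amount": 14_900.00, "paid": date(2021, 11, 30)},
]

# Constructed vendor master and payroll records; bank details are dummy values
VENDORS = [
    {"vendor": "V001", "name": "Acme Supplies Ltd", "sort_code": "11-22-33", "account": "00000001"},
    {"vendor": "V002", "name": "Beta Services", "sort_code": "44-55-66", "account": "00000002"},
    {"vendor": "V003", "name": "K Lee Consulting", "sort_code": "77-88-99", "account": "00000003"},
]
STAFF = [
    {"user": "j.smith", "sort_code": "12-34-56", "account": "99999999"},
    {"user": "k.lee", "sort_code": "77-88-99", "account": "00000003"},
]


def normalise_ref(ref):
    """Collapse case, spaces and punctuation so 'INV-77' and 'inv 77' compare equal."""
    return "".join(ch for ch in ref.lower() if ch.isalnum())


def split_purchase_orders(orders, limit=DELEGATION_LIMIT, window=SPLIT_WINDOW_DAYS):
    """Flag orders to the same vendor by the same requester that are each under the
    approval limit, raised within the window, but whose total reaches the limit."""
    groups = defaultdict(list)
    for o in orders:
        if o["amount"] < limit:
            groups[(o["vendor"], o["requester"])].append(o)
    flagged = []
    for key, group in groups.items():
        group.sort(key=lambda o: o["date"])
        for i, first in enumerate(group):
            run = [o for o in group[i:] if (o["date"] - first["date"]).days <= window]
            if len(run) > 1 and sum(o["amount"] for o in run) >= limit:
                flagged.append((key, tuple(o["po"] for o in run)))
                break  # one finding per vendor/requester pair is enough for follow-up
    return flagged


def orders_over_delegation(orders, limit=DELEGATION_LIMIT):
    """Orders at or above the limit, which should carry a second-level approval."""
    return [o["po"] for o in orders if o["amount"] >= limit]


def duplicate_payments(payments):
    """Same vendor, same amount and same normalised invoice reference paid more than once."""
    seen = defaultdict(list)
    for p in payments:
        seen[(p["vendor"], p["amount"], normalise_ref(p["ref"]))].append(p["ref"])
    return [refs for refs in seen.values() if len(refs) > 1]


def vendors_matching_staff(vendors, staff):
    """Vendors whose bank details match a staff member's payroll details."""
    staff_by_bank = {(s["sort_code"], s["account"]): s["user"] for s in staff}
    return [(v["vendor"], staff_by_bank[(v["sort_code"], v["account"])])
            for v in vendors if (v["sort_code"], v["account"]) in staff_by_bank]


if __name__ == "__main__":
    print("Possible split orders:", split_purchase_orders(PURCHASE_ORDERS))
    print("Orders over delegation:", orders_over_delegation(PURCHASE_ORDERS))
    print("Possible duplicate payments:", duplicate_payments(PAYMENTS))
    print("Vendors matching staff bank details:", vendors_matching_staff(VENDORS, STAFF))
```

Each function returns the exceptions rather than a verdict: a flagged split order or a vendor sharing bank details with an employee is a prompt for the auditor to pull the purchase-order file and the vendor set-up approval, not a finding in itself. Running the same checks on a schedule against the live extracts is the continuous-monitoring use the guidance describes.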

Other assurance providers

It is important to identify and understand assurance provided by other assurance providers that may be internal (eg 1st or 2nd line assurance providers) or external to the organisation (eg external audit). These could include risk managers, commercial managers, and the Infrastructure Project Authority in the public sector. The coordination of assurance resources can avoid duplication and gaps, with overall benefit for the organisation. In such circumstances, internal audit within the customer organisation may have a role in evaluating the reliability of other assurance providers, and this is something to be discussed and agreed with management.


Each organisation will have its own approach to procurement and contract management: some may choose to have separate teams dealing with each activity or a central commercial function with the responsibility for both. Internal audit needs to ensure appropriate analysis is in place to support an organisation’s procurement strategy and that risks associated with procurement and contract management are identified and addressed, with clear communication and oversight.

Strong procurement and contract management contribute to the achievement of organisational objectives, achievement of value for money and good financial viability. Internal audit will be required to provide ongoing assurance in both areas as new strategies evolve.

Further reading

External reading

CIPS: Guide to Contract Management
CIPS: Contract Management Cycle
CIPS: Procurement and Supply Cycle
Modern Slavery Act 2015


Coordination of assurance services

Content reviewed: 10 January 2022