Procurement Audit and Compliance
Procurement audit programme — transaction sampling, non-conformance reports, and the annual compliance dashboard.
Group Policy & Procedure | Document No. | P-POL-027 |
Group Supply Chain | Ver. No. | Rev Date | 0.4 | 08 APR 2026 |
Title: Procurement Audit & Compliance | Effective Date | 08 April 2026 |
BUKHATIR GROUP
Strength through Diversity
Group Policy and Procedure
Group Supply Chain (GSC)
Procurement Audit & Compliance
Audit Program, Red Flags & Compliance Monitoring
Document No: P-POL-027
Copyright © 2026 Bukhatir Group
Revision Control
This document is issued under the authority of Bukhatir Group and applies when carrying out the activities described. Revisions may be issued as necessary under the authority of the Group Head of Procurement. Revision history is recorded below with every revised policy.
Revision History
Ver. No. | Effective Date | Description |
|---|---|---|
02 | September 2016 | Original Procurement Policy |
0.3 | March 2026 | Procurement Policy – Procurement Audit & Compliance |
0.4 | 08 April 2026 | Redesign, content modernization & flowcharts – Procurement Audit & Compliance |
Revision Sign-Off
Approving Committee | Name | Signature |
|---|---|---|
Endorsed by — Group Head of Supply Chain | Mohamad Koussa | |
Reviewed by — BIIL CEO | Mr. Ayman Ismail | |
Reviewed by — Group Chief Financial Officer | Mohamad Adnaan Sait | |
Approved by — Group Vice Chairman & Group CEO | Mr. Salah Bukhatir |
Distribution List
# | Departments |
|---|---|
1 | Business Unit Procurement Departments |
2 | Group Supply Chain (GSC) |
3 | Finance, Legal, Compliance, Internal Audit |
4 | Business Unit Management |
1. Purpose & Objective
This policy establishes a structured audit program to ensure adherence to procurement policies, controls and best practices. Regular audits identify control gaps, fraud risks and process improvement opportunities.
2. Scope
Applies to all procurement activity across Bukhatir Group Business Units and Group Supply Chain. Audits cover process compliance, transaction controls and supplier management.
3. Audit Types
Type 1: Process Audit (Annual)
- Scope: Review of procurement policies, delegation of authority (DOA), approval workflows and Oracle configuration.
- Frequency: Conducted once per year by Internal Audit.
- Fieldwork: GSC and BU Procurement interviews, policy documentation review, workflow testing in Oracle.
- Output: Process Audit Report with findings, root causes and remediation timelines.
Type 2: Transaction Audit (Quarterly Sample)
- Scope: Detailed examination of selected PO/invoice transactions to verify compliance with policy requirements.
- Sampling: Minimum 10% of total POs issued in the quarter; 100% of transactions exceeding AED 1 million.
- Testing: Each sampled transaction is examined against the audit checklist (see section 5).
- Output: Quarterly Transaction Audit Report with exception summary and root-cause analysis.
Type 3: Supplier Audit (As-Needed)
- Scope: On-site assessment of supplier operations, quality systems, HSE, compliance and financial stability.
- Trigger: Required for Tier-1 (strategic) suppliers annually; Tier-2 suppliers every 2 years; Tier-3 as-needed.
- Fieldwork: 2–3 day site visit; interviews with supplier management, facility tour, document review.
- Output: Supplier Audit Report with risk rating, non-conformances and corrective action requests (CARs).
Type 4: Special Investigation
- Scope: Targeted investigation of suspected fraud, policy breach, conflicts of interest or operational anomalies.
- Trigger: Based on whistleblower reports, exception patterns flagged by Internal Audit analytics, or management request.
- Fieldwork: Forensic review of transactions, emails, approvals; interviews with implicated parties.
- Output: Investigation Report with findings, evidence and recommendations for remedial action.
4. Transaction Sampling & Materiality
Transaction audits use risk-based sampling:
Transaction Threshold | Sampling Rate | Scope of Testing |
|---|---|---|
AED 0 – AED 100K | 10% of transactions | DOA compliance, competitive bidding, three-way match |
AED 100K – AED 1M | 25% of transactions | All items above plus contract coverage, HSE compliance |
Above AED 1M | 100% of transactions | Full comprehensive audit: all policy requirements, vendor suitability, insurance/bonds |
5. Audit Checklist & Policy Compliance Points
Each sampled transaction is tested against the following checklist:
Compliance Point | Testing Method | Pass Criterion |
|---|---|---|
DOA Compliance | Verify transaction value vs. approved authority; check approval chain in Oracle | Approval authority commensurate with value; all required signatures present |
Competitive Bidding | Confirm RFQ/tender process followed; verify minimum quotations received | Minimum 3 bids for non-framework; framework call-offs accepted without re-quote |
Contract Coverage | Check that transaction is covered by signed contract or framework | 100% of transactions must be under contract (PO + terms/conditions) |
Three-Way Match | Verify PO, GRN, Invoice matched in Oracle; check for tolerance exceptions | All three documents present; any variance within tolerance and approved |
Oracle Data Integrity | Verify all mandatory PR fields populated; check GL coding, cost centre, project | All fields complete; coding consistent and reasonable |
Segregation of Duties | Verify that PO issuer is not approver, receiver or payment processor | Four distinct parties for large transactions; no dual roles |
Vendor Suitability | Check vendor is on approved supplier list (ASL) or exception approved | Non-ASL vendors require formal exception approval documented in PO |
Insurance/Bonds | For contracts >AED 500K or works, verify bonds/insurance attached to contract file | Original bond/certificate present and valid; extends 90 days beyond completion |
6. Red Flag Indicators
The following patterns or exceptions trigger heightened scrutiny:
- Single-Source Procurement without justification (not emergency, not sole-source category).
- Split Orders: Multiple POs to same supplier for similar items, totaling above DOA threshold (attempting to circumvent approval).
- PO After Delivery: Invoice received and GRN recorded before PO created (circumventing approval controls).
- Retrospective Approvals: PO approved after goods received or invoice processed (failure of preventive control).
- Missing Documentation: PR lacks supporting quotations, business case or HSE clearance.
- Duplicate Invoices: Same invoice number or amount submitted multiple times.
- Vendor Blacklist: Transactions with vendors on the blacklist or sanctioned entity list.
RED FLAG ESCALATION Any red flag triggers immediate escalation to the Head of Procurement and, for material matters (above AED 100K), to Internal Audit for investigation. |
7. Non-Conformance Classification & Corrective Action
Audit findings are classified by severity:
Class | Definition | Response Timeline | Authority |
|---|---|---|---|
Critical | Control failure enabling fraud, significant financial loss or HSE risk | Immediate corrective action; escalate to CFO/CEO | CEO / CFO |
Major | Policy breach, control failure not yet resulting in loss, repeated violations | Corrective action plan within 30 days | BU Head + GSC Head |
Minor | Single policy deviation, low financial impact, training opportunity | Observation noted; corrective action within 90 days | BU Procurement Lead |
Corrective Action Requests (CARs) are issued and tracked in a register; follow-up audits verify closure.
8. Audit Reporting & Escalation
Audit findings are reported to:
- BU Head of Procurement and BU Head (responsible for operational response).
- Group Head of Supply Chain (oversees remediation across the Group).
- Group Internal Audit (tracks findings and follow-up across all audits).
- CFO and CEO (for Critical findings or repeat major violations).
Quarterly summary reports are presented to the Audit Committee (Board-level governance).
9. Follow-Up Audits & Escalation for Repeat Offenses
Open audit findings are tracked and followed up:
- 30-Day Follow-Up: CARs due within 30 days; evidence of closure is reviewed.
- 90-Day Follow-Up: If not closed, BU Head is asked to provide remediation update and revised target closure date.
- Repeat Violations: If the same finding recurs in subsequent audits, the matter is escalated to the CEO with recommendation for disciplinary action.
- Persistent Non-Compliance: BU or individual buyer with 3+ repeat violations may be escalated to Human Resources for formal performance management.
10. Annual Compliance Dashboard
GSC and Internal Audit prepare an Annual Procurement Compliance Dashboard for the CFO and Board:
- Summary of audit coverage: # of process audits, transaction audits, supplier audits, investigations.
- Key metrics: Compliance rate (% of transactions fully compliant), defect rate (% of transactions with findings), red flag volume.
- Trend analysis: Year-over-year comparison of finding frequency and severity.
- Root cause summary: Common violations (e.g., DOA breaches, split orders, documentation gaps).
- Remediation status: % of CARs closed on time, outstanding findings.
11. Reference Forms
- Form F-AUD-01 — Process Audit Program & Scope
- Form F-AUD-02 — Transaction Audit Checklist
- Form F-AUD-03 — Corrective Action Request (CAR) Form
- Form F-AUD-04 — Supplier Audit Report Template
12. Definitions & Acronyms
Acronym / Term | Definition |
|---|---|
ASL | Approved Supplier List |
BU | Business Unit |
CAR | Corrective Action Request |
CEO | Chief Executive Officer |
CFO | Chief Financial Officer |
DOA | Delegation of Authority |
GSC | Group Supply Chain |
HSE | Health, Safety & Environment |
KPI | Key Performance Indicator |
Oracle | Enterprise Resource Planning System |
PO | Purchase Order |
PR | Purchase Requisition |
RFQ | Request for Quotation |