Audit-Ready Procurement — What Your Auditor Actually Samples
Published: April 18, 2026
An Indian statutory audit is not a review of your books. It is a sampling exercise. The auditor picks transactions, traces each one end to end, tests whether your controls caught exceptions before they reached the ledger, and writes up what they found. The findings land in the management letter — read by the CFO, the audit committee, and eventually by any bank or investor who asks for it.
This page walks through the findings that appear most often in procurement-cycle management letters, and shows where the evidence sits when the system is governed instead of reconstructed every March.
1. Management-Letter Findings This Closes
Each row below is a finding that shows up in real management letters for Indian companies. Each one maps to a control or record that a governed procurement system maintains as part of normal work.
| Typical finding in the management letter | What closes it |
|---|---|
| "Supporting documents could not be made readily available for sampled transactions" | Quotations, invoices, and supporting documents attached to the requisition, purchase order, goods receipt, or invoice entity — inherited down the chain, so sampling a goods receipt also surfaces the purchase order quotation and supplier invoice in one view. |
| "Approval matrix history not maintained; cannot verify approver authority at transaction date" | Two layers. Every change to the approval matrix is logged with user and timestamp. Every document freezes the approval chain as a snapshot at submission, preserved even if the matrix changes later. |
| "Instances of goods receipt quantity exceeding purchase order quantity noted" | System-enforced guard — the goods receipt cannot accept more than the remaining receivable quantity against the purchase order line. |
| "Self-approval instances observed in sampled transactions" | The submitter of a requisition cannot appear as an approver on the same document. Blocked at the system level, not by policy alone. |
| "Purchase register does not reconcile with general ledger" | Every posting generates a system-generated voucher for the accounting software — purchase, tax, TDS, debit note. The purchase register and the ledger are fed from the same source, so reconciliation is a query. |
| "Manual journal vouchers for procurement not routed through approval workflow" | Procurement-originated journal entries (goods receipt, invoice booking, TDS, GST, debit notes) are system-generated vouchers derived from approved source documents — there are no ad-hoc journal entries on the procurement side, and SA 240 journal-entry testing can shift from volume sampling to control testing. |
None of these findings are about software features on their own. They are about whether the organisation has a governed process. A system that enforces the process makes each finding harder to raise.
2. ICFR-Grade Controls Built Into the Workflow
Section 143(3)(i) of the Companies Act requires the statutory auditor to opine on whether internal financial controls are operating effectively. In the procurement cycle, auditors test a defined set of controls — authorisation, segregation of duties, three-way matching, and completeness of records. The following controls are built into the workflow rather than relying on manual discipline.
2.1 Quantity integrity
- A purchase order line cannot claim more quantity than the originating requisition line offers.
- A goods receipt line cannot accept more quantity than the purchase order line's remaining receivable quantity.
- Within a goods receipt, received quantity must equal accepted plus rejected — no silent shortfalls.
- No two active purchase orders can claim the same requisition line — the second attempt returns an error.
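The four quantity guards above, as an added sketch that is not the vendor's code. The `Ledger` class, its field names, the document ids, and the choice that accepted quantity reduces the remaining receivable are assumptions; blocked attempts are logged before the error is raised, in line with the audit-log control in 2.3.

```python
from dataclasses import dataclass, field

class ControlViolation(Exception):
    """A posting was refused by a quantity-integrity control."""

@dataclass
class Ledger:
    req_qty: dict                                    # requisition line -> quantity offered
    po_for_req: dict = field(default_factory=dict)   # requisition line -> active PO line
    po_qty: dict = field(default_factory=dict)       # PO line -> ordered quantity
    accepted: dict = field(default_factory=dict)     # PO line -> quantity accepted so far
    audit: list = field(default_factory=list)        # append-only list in this sketch

    def _refuse(self, user, action, reason):
        # A blocked attempt is evidence too: record it, then raise.
        self.audit.append((user, action, "BLOCKED", reason))
        raise ControlViolation(reason)

    def create_po_line(self, user, po_line, req_line, qty):
        if req_line in self.po_for_req:
            self._refuse(user, "create_po", f"{req_line} already claimed by {self.po_for_req[req_line]}")
        if not 0 < qty <= self.req_qty[req_line]:
            self._refuse(user, "create_po", f"{qty} is outside the requisition quantity")
        self.po_for_req[req_line], self.po_qty[po_line] = po_line, qty
        self.audit.append((user, "create_po", "OK", po_line))

    def remaining(self, po_line):
        return self.po_qty[po_line] - self.accepted.get(po_line, 0)

    def post_receipt(self, user, po_line, received, accepted, rejected):
        if min(received, accepted, rejected) < 0:
            self._refuse(user, "post_grn", "negative quantity")
        if received != accepted + rejected:
            self._refuse(user, "post_grn", "received != accepted + rejected")
        if accepted > self.remaining(po_line):
            self._refuse(user, "post_grn", f"accepted {accepted} > remaining {self.remaining(po_line)}")
        self.accepted[po_line] = self.accepted.get(po_line, 0) + accepted
        self.audit.append((user, "post_grn", "OK", po_line))
        return self.remaining(po_line)

def sample_ledger():
    # Constructed sample: one requisition line offering 100 units.
    return Ledger(req_qty={"REQ-1/1": 100})
```

An over-receipt test on this sketch should find both the `ControlViolation` and a matching `BLOCKED` row in `audit`; a guard that rejects without logging leaves the auditor no evidence that the control operated.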
2.2 Authority controls
- Self-approval is blocked — the submitter cannot appear in the approval chain on the same document.
- Approval levels are sequential — all approvers at level N must complete before level N+1 can act.
- The approval chain is frozen at submission. Subsequent changes to the approval matrix do not alter an in-flight document.
- Posted documents are immutable — no retroactive edits to requisitions, purchase orders, or goods receipts that have been posted.
2.3 Document integrity
- Quotations and supplier invoices are attached to the relevant entity — requisition, purchase order, goods receipt, or invoice — and inherited down the chain so a goods receipt shows the full document trail.
- Every upload generates a document-upload audit log entry with user, timestamp, and filename.
- Every approval action, rejection, edit, posting, reversal — and every blocked attempt — is recorded in an immutable audit log.
2.4 Approval matrix governance
- Every create, upload, patch, toggle, delete, and restore action on the approval matrix is audit-logged with actor and timestamp.
- Matrix rows carry validity windows, so an auditor can reconstruct who the authorised approvers were at any given date.
- Each document carries its own frozen approval snapshot — even if the matrix is later replaced, the historical chain for that document is preserved.
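An added sketch, not the vendor's code, of how the authority controls in 2.2 and the matrix governance in 2.4 fit together: validity windows answer "who was authorised on this date", and each document freezes its chain at submission. `MatrixRow`, `Document`, the approver names and the dates are all constructed for illustration; refusing submission when a level has no approver other than the submitter is one assumed way to enforce the self-approval block.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class MatrixRow:
    level: int
    approver: str
    valid_from: date
    valid_to: date = date.max          # open-ended row

def approvers_on(matrix, on):
    """Authorised approvers per level on a given date (the auditor's question)."""
    levels = {}
    for row in matrix:
        if row.valid_from <= on <= row.valid_to:
            levels.setdefault(row.level, set()).add(row.approver)
    return levels

class Document:
    def __init__(self, submitter, matrix, submitted_on):
        snapshot = []
        for level, names in sorted(approvers_on(matrix, submitted_on).items()):
            eligible = frozenset(names - {submitter})   # self-approval block
            if not eligible:
                raise PermissionError(f"level {level}: no approver other than the submitter")
            snapshot.append((level, eligible))
        self.snapshot = tuple(snapshot)   # frozen copy; later matrix edits cannot reach it
        self.done = {level: set() for level, _ in self.snapshot}
        self.audit = []

    def approve(self, user):
        for level, eligible in self.snapshot:
            pending = eligible - self.done[level]
            if not pending:
                continue                  # level complete, move to the next
            if user not in pending:       # wrong level, not in chain, or repeat approval
                self.audit.append((user, "approve", "BLOCKED", level))
                raise PermissionError(f"{user} cannot act while level {level} is pending")
            self.done[level].add(user)
            self.audit.append((user, "approve", "OK", level))
            return level
        raise PermissionError("document is already fully approved")

# Constructed sample matrix: the level-1 approver changes on 1 October 2025.
MATRIX = [
    MatrixRow(1, "asha", date(2025, 4, 1), date(2025, 9, 30)),
    MatrixRow(1, "ravi", date(2025, 10, 1)),
    MatrixRow(2, "meera", date(2025, 4, 1)),
]
```

A document submitted on 15 August 2025 keeps `asha` at level 1 in its snapshot even though `approvers_on` returns `ravi` for any date after the changeover, which is the distinction an auditor tests when verifying authority at the transaction date.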
2.5 System-generated accounting entries
- Every procurement-side journal entry — goods receipt posting, invoice booking, TDS, GST, debit notes, asset movement, depreciation — is generated from an approved source document, not typed manually.
- Each voucher carries a reference to its source — the purchase order, the goods receipt, the approval chain, the posting user — embedded in the narration.
- Under SA 240, journal-entry testing remains mandatory, but when entries are system-generated, the auditor can shift from sampling individual entries to testing the system that produces them. See the deeper treatment in the manual accounting entries and audit risk guide.
These are not discretionary practices. They are constraints enforced by the code path that creates, approves, or posts the document. Auditors call these "in-built application controls" — the kind they move sampling away from, because the system prevents the error from occurring in the first place.
3. The Six Statutory Surfaces
The controls above feed into six distinct statutory obligations. Each has its own evidence requirement; the system produces each from the same underlying records.
| Statutory surface | What the system produces |
|---|---|
| MCA audit trail — Rule 3(1) of the Companies (Accounts) Rules | Immutable audit log on every action. Approval chain versioned as snapshots — superseded versions preserved, not overwritten. Auditor can report the feature was operational throughout the year. |
| Internal financial controls — Section 143(3)(i) | Approval matrix with amount and dimension thresholds. Three-way match between purchase order, goods receipt, and supplier invoice. Segregation of duties and self-approval prevention enforced at the system level. |
| CARO 2020, Clauses 3(i) and 3(ii) | Fixed asset register assembled automatically from every goods receipt — identity, classification, location, custodian, cost, depreciation. QR tagging and mobile scanning produce dated verification evidence. |
| Form 3CD — Clauses 21, 34, 44 | Per-line TDS section code, rate, amount from purchase order to invoice. HSN and SAC captured at line level. Vendor GSTIN frozen on purchase order. Clean per-line dataset for your chartered accountant. |
| GSTR-2B reconciliation | Purchase register with locked vendor GSTIN, invoice number and date, and CGST/SGST/IGST split at line level — the clean side of the reconciliation against the auto-drafted 2B. |
| Year-end cut-off testing | Goods receipt timestamps, reversal trail, gate entry log — independent records of when goods physically arrived. |
For the deep treatment of CARO, internal financial controls, and the audit trail rule — applicability thresholds, penalty sections, auditor consequences — see the CARO 2020 and Internal Financial Controls guide.
4. What Your Auditor Sees, Practically
| What the auditor asks during fieldwork | Without a governed system | With a governed system |
|---|---|---|
| Show me the approval for this purchase | Email thread, verbal recollection | Snapshot of the approval chain at submission — every level, every approver, every timestamp |
| Show me the supplier invoice for this goods receipt | Search three inboxes and a shared drive | Attached to the goods receipt, inherited from the purchase order, one click |
| Show me the TDS deducted on this expense | VLOOKUP across three spreadsheets | Section code, rate, and amount on the purchase order line itself |
| Show me the fixed asset register | Excel, reconstructed for the audit | Register built from every goods receipt — live |
| Show me physical verification evidence | "We walked through last year" | Scan log with date, scanner, condition — campaign-level reports |
| Show me that approver was authorised at the transaction date | Current matrix, back-dated reconstruction | Frozen snapshot on the document plus matrix audit log |
| Show me the audit trail | "We don't delete anything" | System-generated log with user, timestamp, before and after — cannot be disabled |
5. Who This Applies To
- Every company using accounting software — Rule 3(1) of the Companies (Accounts) Rules applies with no exemption.
- Private companies above Rs 50 crore turnover or Rs 25 crore borrowings — auditor reporting on internal financial controls under Section 143(3)(i) applies.
- Every company where CARO 2020 applies — Clauses 3(i) and 3(ii) require proper asset records and physical verification.
- Every company subject to tax audit under Section 44AB — Form 3CD Clauses 21, 34, and 44 need per-line expense data with TDS and GST details.
- Every GST-registered taxpayer — monthly reconciliation of purchase register with GSTR-2B.
Directors of all companies remain responsible under Section 134(5)(e) for stating that internal financial controls are adequate and operating effectively, regardless of turnover. The evidence this system generates supports that directors' statement in every case.
6. What This System Does, And Does Not, Replace
Does replace
- Scattered purchase files across email, shared drives, and individual inboxes
- Manual maintenance of the fixed asset register in spreadsheets
- Reconstructed approval evidence at audit time
- Side-spreadsheets tracking TDS per vendor, per invoice
- Ad-hoc journal vouchers for procurement-originated entries
Does not replace
- Your accounting software — Tally (or whatever holds the general ledger) must still have its own audit trail under Rule 3(1)
- Your statutory auditor — this is the system your auditor audits, not an alternative to one
- Your chartered accountant for Form 3CD — we produce clean per-line data; the form is filed by your CA
- GSTR-2B reconciliation in your GST practice — we produce the clean purchase register; matching against the 2B happens in the GST tool
- Standalone accounting journal vouchers — provisions, depreciation, and finalisation entries happen in the accounting software and rely on that software's own audit trail
This honesty is deliberate. Audit readiness is about governed controls and retrievable records — not about promising specific numbers or replacing the professionals who sign off on them.
A qualified auditor reading this page should find nothing to disagree with. Every claim maps to a specific control or record. Nothing claims a compliance outcome that the auditor must still verify.