Purchases Made Without Proper Approval — Responding to Audit Findings
Published: April 14, 2026
The audit report is on the table. Among the observations: purchases totalling several lakh rupees were made without documented approval. Some purchase orders were issued without a preceding purchase requisition. Others had approval obtained after the goods were already received and paid for. In one case, the same person raised the requisition, approved it, and issued the purchase order. The auditor has flagged this as an internal control weakness over procurement.
If this is an internal audit, the finding goes to the audit committee. If it is a statutory audit under the Companies Act, and the organisation falls under CARO 2020, the auditor must report on internal controls over purchase of inventory and fixed assets. Either way, the finding is now on record, and the organisation needs both an immediate response and a structural fix.
1. What Happened
The audit finding covers one or more of these scenarios:
- No purchase requisition: A purchase order was issued directly — the requester contacted the vendor, agreed on terms, and asked someone in procurement to create the PO. No formal request was raised. No one outside the requester's circle evaluated whether the purchase was necessary or budgeted.
- PO without PR approval: A purchase requisition was created but the PO was issued before the requisition was fully approved. The approval came later — after the goods were ordered, sometimes after they were delivered. This is retroactive approval, and auditors treat it as equivalent to no approval.
- Self-approval: The person who raised the purchase requisition also approved it. There was no independent review. This violates the principle of segregation of duties — a foundational internal control requirement.
- Approval outside authority: A manager approved a purchase that exceeded their authority limit. A purchase of eight lakh rupees was approved by someone authorised only up to five lakh. No escalation to the appropriate authority occurred.
The auditor does not need to find evidence of fraud to flag these as control weaknesses. The absence of proper controls is itself the finding — it means fraud, waste, or error could occur without detection.
2. Why It Happened
In most cases, purchases without approval are not the result of deliberate circumvention. They result from process gaps that make it easier to skip the approval than to follow it.
No structured approval matrix. The organisation may have an informal understanding of who approves what, but it is not documented, not enforced, and not consistently applied. New employees do not know the rules. Departments interpret them differently.
Email-based approvals. Approvals are obtained via email — a forwarded chain, a reply saying "go ahead", or sometimes just a CC that is interpreted as tacit consent. These cannot be reliably audited. The auditor cannot determine whether the approval was obtained before or after the purchase. Email approvals are not enforceable — nothing prevents someone from proceeding without waiting for the reply.
No system enforcement. Even where an approval process exists on paper, it is advisory. The procurement system (if one exists) allows POs to be created regardless of whether the PR is approved. Approvals are a checkbox, not a gate. When deadlines are tight, the gate is skipped.
No segregation of duties. The same person can create a requisition, approve it, and issue the PO. In smaller organisations, this happens because "everyone wears multiple hats." In larger ones, it happens because the system does not enforce role-based restrictions.
3. What to Do Now
The audit committee or management expects a structured response — not a vague commitment to improve. The response should cover:
- Quantify the scope. How many transactions lacked proper approval? What is the total value? Which departments? What time period? This tells the committee whether the issue is isolated or systemic.
- Classify the transactions. For each unapproved purchase, determine: Was it a legitimate business need that bypassed the process due to urgency? Was it a routine purchase where the process was simply not followed? Or does it show indicators that warrant further investigation — unusual vendor, unusual amount, unusual timing?
- Retrospectively document rationale. For legitimate purchases that bypassed the process, document the business justification, the urgency, and the authorising person (even if authorisation was verbal). This does not fix the control weakness, but it provides the audit committee with context for their risk assessment.
- Present a corrective action plan. This is where the structural fix is described — with specific actions, responsible persons, and timelines. The plan should address the root causes identified in section 2, using the controls described in the next section.
4. How to Prevent Recurrence
Preventing unauthorised purchases requires controls that are enforced by the system, not by policy documents that rely on people choosing to follow them.
Configurable approval matrix
A structured approval matrix defines who must approve a purchase based on routing dimensions: the amount, the department, the purchase type, and the asset classification. The matrix can have multiple levels — for instance, department manager at level 1 for amounts up to five lakh, and senior manager at level 2 for amounts above that. The matrix is configured once and applied automatically to every purchase requisition.
System-enforced PR to PO chain
In a governed procurement workflow, a purchase order cannot be created unless it references an approved purchase requisition. The system enforces this — it is not a guideline. If the PR is not approved, the PO creation is blocked. If the PR is partially approved (some lines approved, others pending), only the approved lines can be included in the PO. This eliminates the scenario where someone issues a PO and obtains approval after the fact.
Self-approval prevention
The system should prevent the person who created a requisition from appearing in its approval chain. This is a basic segregation of duties control. Even if the approval matrix would normally route the requisition to that person based on their role, the system excludes them for requisitions they created.
Frozen approval snapshots
When a requisition is submitted for approval, the system captures the complete approval chain — who is assigned, at what level, in what sequence — as an immutable snapshot. This snapshot cannot be modified after submission. During audit, it provides definitive evidence: the correct approvers were assigned based on the matrix, each approver explicitly acted, and the sequence was respected.
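The four controls described so far (matrix routing, the PR-to-PO gate, self-approval exclusion and the frozen snapshot) are combined in the added example below; it is not code from the original article or from any procurement product. The user names, role holders and function names are constructed, the reading that level 2 applies in addition to level 1 above five lakh is an assumption, and the SHA-256 digest makes the snapshot tamper-evident rather than immutable in storage.

```python
import hashlib
import json

# Constructed data; thresholds follow the article's illustration (five lakh = 500,000).
MATRIX = [(1, 0, "dept_manager"), (2, 500_000, "senior_manager")]  # (level, applies above, role)
ROLE_HOLDERS = {"dept_manager": ["asha", "ravi"], "senior_manager": ["meera", "asha"]}


def build_chain(creator, amount):
    """Resolve the approval chain, excluding the creator at every level."""
    chain = []
    for level, above, role in MATRIX:
        if amount > above:
            eligible = [u for u in ROLE_HOLDERS[role] if u != creator]
            if not eligible:
                raise PermissionError(f"level {level}: no independent approver")
            chain.append({"level": level, "role": role, "approvers": eligible})
    return chain


def digest(pr):
    """Hash the fields that must never change after submission."""
    body = json.dumps([pr["id"], pr["creator"], pr["amount"], pr["chain"]], sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


def submit(pr_id, creator, amount):
    pr = {"id": pr_id, "creator": creator, "amount": amount,
          "chain": build_chain(creator, amount), "decisions": {}}
    pr["digest"] = digest(pr)  # snapshot of the chain taken at submission time
    return pr


def approve(pr, level, user):
    """Record a decision only from an assigned approver, in sequence."""
    assigned = {s["level"]: s["approvers"] for s in pr["chain"]}
    if user == pr["creator"] or user not in assigned.get(level, []):
        raise PermissionError(f"{user} is not an assigned approver at level {level}")
    if any(lv < level and lv not in pr["decisions"] for lv in assigned):
        raise PermissionError("earlier level still pending")
    pr["decisions"][level] = user


def create_po(pr):
    """Gate: refuse a PO unless the snapshot is intact and every level has approved."""
    if digest(pr) != pr["digest"]:
        raise PermissionError("approval snapshot was modified after submission")
    pending = [s["level"] for s in pr["chain"] if s["level"] not in pr["decisions"]]
    if pending:
        raise PermissionError(f"PR {pr['id']} not approved, pending levels {pending}")
    return {"po_for": pr["id"], "amount": pr["amount"]}
```
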
Approval aging and SLA tracking
Approval bottleneck tracking monitors how long each approval has been pending and which approvers are causing delays. This addresses the root cause of retroactive approvals — people skip the process because approvals take too long. When delays are visible and tracked, they get addressed. When they are invisible, people find workarounds.
Per-line approval topology
For requisitions with multiple items, per-line approval allows each line to be approved or rejected independently. An approver can approve three items and reject two, rather than being forced to approve or reject the entire requisition. This granularity reduces the incentive to bypass the process — requisitions are less likely to be held up by a single problematic line item.
An audit finding about unauthorised purchases is a signal that the organisation's procurement controls are advisory rather than enforced. Policy documents do not prevent unauthorised purchases — system gates do. The difference between "we have a process" and "the system enforces the process" is the difference between an audit observation and audit comfort.
5. Frequently Asked Questions
What does an audit finding of "purchases without proper approval" actually mean?
It means the auditor found purchase transactions where authorisation was missing, incomplete, or retroactive. This includes POs without prior PR approval, purchases without any PO, approval obtained after goods were received, or the same person initiating and approving. Under CARO 2020, auditors must specifically report on internal controls over purchase of inventory and fixed assets.
How should I respond to an audit observation about unauthorised purchases?
Structure the response in three parts: quantify the scope (transactions, value, departments, time period), assess each transaction individually (legitimate urgency vs. process gap vs. potential misuse), and present a corrective action plan with specific steps and timelines. The audit committee expects specificity, not reassurance.
Why do email-based purchase approvals fail as an internal control?
Email approvals are not enforceable (nothing prevents proceeding without them), not reliably auditable (emails can be deleted, chains broken), do not enforce segregation of duties, do not enforce sequence, and have no verifiable time dimension. An auditor cannot confirm whether email approval was obtained before or after the purchase.
What is an approval matrix and how does it prevent unauthorised purchases?
An approval matrix defines who must approve based on dimensions like amount, department, and purchase type. When enforced by a system, a PO cannot be created without the PR being approved through the correct chain. The system routes requisitions to correct approvers automatically and blocks progression until all required approvals are obtained.
How does a frozen approval snapshot help during audit?
A frozen snapshot captures the complete approval chain at submission time — who was assigned, at which level, what decision they made. It is immutable and cannot be modified after the fact. During audit, it provides definitive evidence that correct approvers were assigned, each explicitly acted, the sequence was followed, and no retroactive changes were made.