
Internal Audit of Procurement Process in Construction Companies
Overview
In a construction or EPC(Engineering, Procurement and Construction) organisation, procurement is rarely a single linear activity confined to a purchase department. A large share of project cost flows through subcontracting - engaging specialised subcontractors for civil, structural, piping, electrical and instrumentation works, procuring construction materials locally at site, and managing the bank guarantees and retention money tied to each contract. For an internal auditor, this makes procurement one of the highest-risk, highest-value areas to examine, because weaknesses here directly translate into cost overruns, duplicate or unauthorised payments, and disputes with subcontractors.
This article discusses a practical and experience-based approach to auditing procurement in a construction business. Rather than viewing procurement as only a purchasing activity, it follows the entire subcontracting lifecycle—from inviting quotations and evaluating bids to processing payments and releasing bank guarantees. The focus is on the key controls that internal auditors should examine at each stage.
What Does 'Procurement' Cover in a Construction Business?
Procurement in construction is broader than the purchase of goods. For most internal audit purposes, it covers four distinct streams that need to be looked at together:
- Subcontracting of construction works - engaging subcontractors for civil, mechanical, piping, electrical, insulation and painting works through a defined enquiry, bid evaluation and work order process.
- Local procurement of construction materials at site- ordering consumables and minor construction materials directly from site, typically within a defined value threshold, where Goods Receipt Notes (GRNs)are prepared on receipt.
- Management of bank guarantees - tracking Mobilisation Advance Bank Guarantees and Performance Bank Guarantees taken from subcontractors, and releasing them only on satisfaction of defined conditions.
- Subcontractor payment processing - monthly progress payments, advance recoveries, retention money and final payment on work completion, routed through the accounting department.
Background
Construction companies operate under a documented Business Process framework that defines who does what, in what sequence, with what authorisation, for every stage of subcontracting. Such frameworks typically map each process step to a named control - identifying the control owner, the control activity, its frequency.
The Procurement /Subcontracting Workflow - Stage by Stage
A typical construction subcontracting workflow runs through the following stages, each of which carries its own control points that internal audit should test.
- Stage 1 - Subcontracting Plan and Shortlisting: an Engineer drafts a Basic Subcontracting Plan defining scope of work discipline-wise, which is reviewed and approved. A list of subcontractors is then prepared and investigated before being shortlisted for the enquiry.
- Stage 2 - Preparation and Floating of Enquiry: the Bill of Quantities (BOQ) is compiled from inputs given by respective divisions as per a Responsibility Matrix, and combined with construction specifications and a commercial section (general and special conditions of contract, price form, split of responsibilities) into a complete enquiry document. The enquiry document is reviewed and approved before being floated to the shortlisted bidders.
- Stage 3 - Bid Evaluation and Negotiation: offers received from bidders are evaluated through a Techno-Commercial Bid Evaluation Sheet, with technical clarification routed through the relevant discipline. Negotiations are carried out by authorised personnel as per the organisation's Authorisation Matrix, and a Final Price Comparison Sheet is prepared based on the final offer received.
- Stage 4 - Approval and Issue of Work Order: a Form for Clearance of Work Order is prepared, reviewed and approved at successive levels as per the Authorisation Matrix, before the Letter of Intent/ Work Order is issued to the successful bidder, who is then termed the subcontractor for that scope of work.
- Stage 5 - Subcontractor Information Registration: the subcontractor's master information (name, address, registration details, MSME status, bank account details) is registered in the accounting/ERP system by a designated accountant, with the request and supporting documents (PAN, GST certificate) retained as evidence.
- Stage 6 - Monitoring and Management of Additional Work: ongoing monitoring tracks subcontractor claims for extra work, and any amendment to the work order value or scope is approved through the same authorisation hierarchy as the original work order, using a Form for Clearance of Amendment to Work Order.
- Stage 7 - Work Progress Confirmation and Payment: the Manager at site reviews and approves the Progress Sheet, on the basis of which the subcontractor's monthly invoice / Proforma Invoice is authorised for payment by personnel designated under the Authorisation Matrix, and forwarded to accounting for processing.
- Stage 8 - Completion, Final Acceptance and Bank Guarantee Release: on completion, a Completion Letter is issued and final progress payment processed, with Performance Bank Guarantees and retention money released only after the all conditions for release are satisfied.
Best Practices for Auditing the Procurement Process
- Map every process step to its control number and control owner before starting fieldwork, so that sample testing can be tied back to a specific documented control rather than tested in the abstract.
- Always test the Authorisation Matrix itself first -confirm that the matrix in use is the current approved version, since procurement controls built on an outdated authorisation matrix will not hold upto scrutiny.
- Treat work order amendments as a distinct, higher-risk population from original work orders - cumulative amendments are a common route through which the originally competitive nature of a contract is eroded.
- Cross-check subcontractor master registration against vendor due diligence records (PAN, GST, MSME status, bank details) to identify duplicate or unauthorised vendor creation.
- Reconcile bank guarantees held against work orders outstanding, rather than relying on a standalone bank guarantee register, since gaps between the two are an early indicator of control breakdown.
Features of a Sound Procurement Control Framework
Across the stages above, four features distinguish a procurement process that will stand up to audit scrutiny:
- Segregation of duties: the engineer preparing the enquiry, the function evaluating bids, and the authority approving the workorder are distinct, with no single individual able to take a subcontract from enquiry to award unchecked.
- Documented authorisation levels: every approval point -enquiry, work order, amendment, payment release, bank guarantee release - is tied to a named Authorisation Matrix rather than informal sign-off.
- Evidence retention at each stage: enquiry documents, bid evaluation sheets, price comparison sheets, work order clearance forms are retained as auditable evidence, not just emails or verbal approvals.
Common Findings Observed in Practice
- Enquiries floated to subcontractors not on the approved shortlist.
- Work order amendments processed without a documented Form for Clearance of Amendment, particularly for minor value changes treated informally.
- Subcontractor master data created in the accounting system without complete supporting documents, with PAN or GST verification completed only after the first payment had already been processed.
- Performance Bank Guarantees not released, or released late, due to the absence of a reconciliation between bank guarantees held and work orders closed - leading to either unnecessary banking costs for the subcontractor or premature release exposing the company.
- Local site procurement processed above the defined value threshold without the higher-level approval that ought to apply beyond that threshold.
Conclusion
In reality, procurement in a construction company extends well beyond issuing purchase orders and making vendor payments. It includes subcontractor selection, bid evaluation, workorder administration, progress-based payments, and management of bank guarantees. Each stage presents different operational and financial risks, making a structured, risk-based audit approach essential. When auditors align their testing with the actual procurement workflow, they are better positioned to provide practical, evidence-based recommendations that strengthen governance and improve project performance.


