This article is part of our complete procurement guide series. For a policy that also governs your vendor relationships post-contract, see our vendor management policy guide — the two documents should be aligned and cross-referenced.
Why a Procurement Policy Exists
A procurement policy serves three distinct purposes — each of which justifies its existence independently:
Financial Control
Defines who has authority to commit the organization's money at what levels. Without a purchasing authority matrix, the organization has no reliable control over who is authorized to spend — and fraud risk increases exponentially.
Risk Management
Vendor vetting, compliance documentation, and competitive bids are risk controls, not red tape. A vendor who isn't screened before contracting is a liability that hasn't been quantified yet. The policy makes screening mandatory, not optional.
Legal Defensibility
When a procurement decision is challenged, a documented process that was followed is the answer. The NCMA Contract Management Standard (ANSI-approved) provides the professional benchmark for contract provision requirements at each spend level.
The Eight Provisions That Matter Most
A procurement policy that covers all eight of these provisions covers everything that matters. A policy that misses any of them has a material gap that will eventually be exploited — either through fraud, compliance failure, or litigation.
1. Purchasing Authority Matrix
Typical US structure: Line manager — up to $5,000; Director — $5,000–$25,000 with 3 quotes; VP/CPO — $25,000–$100,000 with RFQ/RFP; C-suite — $100,000–$500,000; Board — over $500,000. Include explicit prohibition on order splitting.
2. Vendor Approval Requirements
No PO to a vendor not approved through the vendor management process. Define approval: legal entity verification, OFAC screening via SAM.gov, required compliance documents, tier-appropriate due diligence.
3. Competitive Bidding Requirements
Under $5K: preferred vendor; $5K–$25K: three written quotes; over $25K: formal RFQ or RFP. Use our
4. Conflict of Interest
Disclosure of any personal, financial, or relationship interest in a vendor under consideration. Recusal from the selection process for disclosed conflicts. Annual COI certification for all procurement and AP staff.
5. Contract Requirements
PO terms under $10K; signed SOW from $10K–$50K; fully executed MSA from $50K+; legal review above $250K. The NCMA Contract Management Body of Knowledge provides the authoritative framework. The GSA Acquisition.gov framework serves as a useful benchmark for thorough commercial contract governance.
6. Anti-Fraud Controls
Explicitly prohibit: order splitting; verbal vendor authorization without written PO; bank account changes via email without verification; payments to vendors not in the approved vendor master. These are the four most common fraud vectors in AP and procurement.
7. Compliance Documentation
Define the documents required for active vendors by tier. Payments can be held for vendors with expired critical documents. Automate this enforcement using
8. Policy Exceptions
Written request, CPO or CFO approval, documented rationale, time-limited. Undocumented exceptions are indistinguishable from non-compliance — and in a litigation or audit context, they become evidence of a broken process rather than a managed one.
Standard US Purchasing Authority Matrix
Adapt thresholds to your organization's size and risk profile. The key is that thresholds are defined, documented, and enforced — not that they match any specific number.
Anti-Fraud Controls: The Four You Must Name Explicitly
These four controls must be stated explicitly in the policy — not implied by the authority matrix. Fraud most commonly occurs in the gaps between what the policy says and what it explicitly prohibits.
Order Splitting Prohibition
Breaking one purchase into smaller transactions to avoid approval thresholds is explicitly prohibited. Define order splitting clearly — same vendor, same project, same period. Require managers to attest to this at sign-off for POs above a defined threshold.
No Verbal Authorization
No vendor may commence work, deliver goods, or provide services without an issued, written PO or executed contract. Verbal authorizations are not binding on the organization and create personal liability for the employee who gave them.
Bank Account Change Protocol
Any request to change a vendor's bank account information must be verified via a phone call to a known number — not via email, not via the same channel the request arrived. BEC (Business Email Compromise) targeting vendor payment redirects is one of the fastest-growing fraud categories.
Approved Vendor Master Only
No payment may be processed to a vendor not in the approved vendor master. AP should be configured to reject invoices from vendors not in the approved list. This single control eliminates a large class of payment fraud and unapproved spend.
Making the Policy Enforceable
Configure your ERP and vendor management platform to enforce the policy, and use the free procurement policy template as your drafting starting point. The CIPS procurement governance framework provides the professional standard for policy structure and enforcement mechanisms.
The Enforcement Principle
A policy that relies entirely on human compliance will be inconsistently applied. Configure your systems to enforce the policy automatically — approval thresholds in your ERP, vendor master requirements in your VMP, PO hold rules in AP. Human enforcement is a backup, not the primary control. When the system enforces the policy, compliance is the default, not the exception.
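The system-side checks described in the anti-fraud and enforcement sections above, written out as an added example (not code from the original article or from any ERP or VMP product): the purchasing authority matrix as a lookup, an order-splitting detector that applies the "same vendor, same project, same period" definition over a set of POs, and the AP hold rule for vendors outside the approved master or with an expired critical document. Vendor IDs, PO records, the 30-day window and the inclusive tier boundaries are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Authority matrix from the article (USD). Treating each upper bound as inclusive
# is an assumption; the article does not say which tier owns an exact $5,000.
AUTHORITY_MATRIX = [(5_000, "line_manager"), (25_000, "director"),
                    (100_000, "vp_cpo"), (500_000, "c_suite")]

def required_approver(amount):
    """Lowest approval level permitted to commit `amount` under the matrix."""
    for limit, level in AUTHORITY_MATRIX:
        if amount <= limit:
            return level
    return "board"

def find_order_splitting(pos, threshold, window_days=30):
    """Return {(vendor, project): [PO ids]} for POs that each sit under `threshold`
    but together exceed it within `window_days`: same vendor, same project,
    same period. The window length is an assumption, not the article's number."""
    groups = defaultdict(list)
    for p in pos:
        groups[(p["vendor"], p["project"])].append(p)
    flagged = {}
    for key, items in groups.items():
        items.sort(key=lambda p: p["date"])
        for i, start in enumerate(items):
            window = [p for p in items[i:] if (p["date"] - start["date"]).days <= window_days]
            if (len(window) > 1 and all(p["amount"] <= threshold for p in window)
                    and sum(p["amount"] for p in window) > threshold):
                flagged[key] = [p["po"] for p in window]
                break  # one finding per vendor/project group is enough
    return flagged

def ap_hold_reasons(invoice, vendor_master, today):
    """AP hold rule: no payment to a vendor outside the approved master or whose
    critical compliance document has expired. Returns [] when the invoice may pay."""
    vendor = vendor_master.get(invoice["vendor"])
    if vendor is None:
        return ["vendor not in approved vendor master"]
    if vendor["insurance_expires"] < today:
        return ["critical compliance document expired"]
    return []

# Constructed sample data (not real vendors or transactions).
TODAY = date(2024, 3, 15)
VENDOR_MASTER = {"V100": {"insurance_expires": date(2024, 12, 31)},
                 "V200": {"insurance_expires": date(2024, 1, 31)}}
PURCHASE_ORDERS = [  # three $4,900 POs to one vendor/project in one week: a split
    {"po": "PO-1", "vendor": "V100", "project": "P-7", "date": date(2024, 3, 1), "amount": 4_900},
    {"po": "PO-2", "vendor": "V100", "project": "P-7", "date": date(2024, 3, 4), "amount": 4_900},
    {"po": "PO-3", "vendor": "V100", "project": "P-7", "date": date(2024, 3, 8), "amount": 4_900},
    {"po": "PO-4", "vendor": "V200", "project": "P-8", "date": date(2024, 3, 2), "amount": 20_000},
]
```

Running `find_order_splitting(PURCHASE_ORDERS, 5_000)` flags only the V100/P-7 group, and `ap_hold_reasons` holds V200 (expired insurance) and any vendor ID absent from `VENDOR_MASTER` while clearing V100.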
Frequently Asked Questions
What is a procurement policy?
A procurement policy defines who has authority to commit the organization's money at what levels, what vendor vetting and compliance documentation is required, what competitive bidding thresholds apply, and what constitutes a violation and how exceptions are handled. It is the governance framework that turns procurement strategy into daily operating rules.
What provisions must a procurement policy include?
The eight provisions that matter most are: Purchasing Authority Matrix, Vendor Approval Requirements, Competitive Bidding Requirements, Conflict of Interest, Contract Requirements, Anti-Fraud Controls, Compliance Documentation, and Policy Exceptions. A policy that covers all eight covers everything material.
How do you make a procurement policy enforceable?
Configure your ERP and vendor management platform to enforce approval thresholds and vendor master requirements. AP holds — no payment to unapproved vendors or vendors with expired critical documents — are the most effective enforcement mechanism. A policy that relies entirely on manual compliance will be inconsistently applied.
How does a procurement policy differ from a vendor management policy?
A procurement policy governs how the organization buys — spending authorities, competitive bidding requirements, approved vendor process, and anti-fraud controls. A vendor management policy governs how the organization manages vendor relationships post-contract — tiering, compliance monitoring, performance management, and offboarding. The two documents should be aligned and cross-referenced.
What is order splitting?
Order splitting is the practice of breaking one purchase into smaller transactions to avoid the approval threshold that would otherwise apply. For example: a $30,000 purchase split into three $9,999 transactions to avoid the $10,000 director approval requirement. It circumvents the financial controls the policy is designed to enforce, and in a regulated industry or government context, can constitute a legal violation. It must be explicitly prohibited — not just implied by the authority matrix.