# Purchase Risk Control Matrix

| No.  | R                           | Category                    | Risk Event                                                   | L    | C    | O                | Mitigation Type              | Mitigation Strategy                                          | L*   | C*   | Changes | Comments | ES   | EY   |
| ---- | --------------------------- | --------------------------- | ------------------------------------------------------------ | ---- | ---- | ---------------- | ---------------------------- | ------------------------------------------------------------ | ---- | ---- | ------- | -------- | ---- | ---- |
| 1    | Employee                    | Operational Risk (Purchase) | Purchasing not the optimal product due to no market research. *"Optimal" includes product/service quality, vendor reliability, price, ...* | 1    | 1    | Many times a day | Preventing (Manual)          | Compare products and vendors                                 | 1    | 1    |         |          | yes  | yes  |
| 2    | See purchase approval table | Operational Risk (Purchase) | Unauthorized purchase (budget risks, fraud, compliance, ...) | 1    | 1    | Many times a day | Preventing (Manual)          | Authorize purchases according to the purchase approval table. This functions as control and separation of responsibilities. | 1    | 1    |         |          | yes  | yes  |
| 3    | Purchase + Employee         | Operational Risk (Purchase) | Invalid invoice contents (formal or other mistakes)          | 1    | 1    | Many times a day | Preventing (Manual & System) | Automatic system checks and manual checks.                   | 1    | 1    |         |          | yes  | yes  |



2022-01-01 - Version 1.0