# Purchase Risk Control Matrix

| No. | R | Category | Risk Event | L | C | O | Cause | Mitigation Type | Mitigation Strategy | L* | C* | Changes | Comments | ES | EY |
| ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- |
| 1 | Employee | Operational Risk (Purchase) | Purchasing not the optimal investment product due to no market research. *"Optimal" includes product/service quality, vendor reliability, price, ...* | 1 | 1 | Many times a day | | Preventing (Manual) | Compare products and vendors. | 1 | 1 | | | yes | yes |
| 2 | See purchase approval table | Operational Risk (Purchase) | Unauthorized purchase (budget risks, fraud, compliance, ...) | 1 | 1 | Many times a day | | Preventing (Manual) | Authorize purchases according to the purchase approval table. This functions as a control and as separation of responsibilities. | 1 | 1 | | | yes | yes |
| 3 | Employee | Operational Risk (Purchase) | Critical information related to a purchase is not stored or is difficult to find. | 1 | 1 | Many times a day | | Preventing (Manual & System) | Documents and important information related to a purchase are stored in the IT system, referring to the purchase. | 1 | 1 | | | yes | yes |
| 4 | Purchase | Operational Risk (Purchase) | Invalid invoice contents (formal and other mistakes/deviations) | 1 | 1 | Many times a day | | Preventing (System) | Automatic IT system checks. | 1 | 1 | | | yes | yes |
| 5 | Purchase | Operational Risk (Purchase) | Invalid invoice contents (formal and other mistakes/deviations) | 1 | 1 | Many times a day | | Preventing (Manual) | Additional manual invoice approval by the purchase clerk. | 1 | 1 | | | yes | yes |
| 6 | Head of department + Head of purchase | Operational Risk (Purchase) | Deviations between order and invoice | 1 | 1 | Many times a day | | Preventing (Manual) | Approval by responsible staff. | 1 | 1 | | | yes | yes |
| 7 | Finance | Operational Risk (Finance) | Invalid posting. | 1 | 1 | Many times a day | | Preventing (System) | The IT system generates an automatic posting suggestion. | 1 | 1 | | | yes | yes |
| 8 | Finance | Operational Risk (Purchase) | Invalid posting suggestion. | 1 | 1 | Many times a day | | Preventing (Manual) | The accountant can adjust the posting suggestion from the IT system. | 1 | 1 | | | yes | yes |
| 9 | Head of finance | Operational Risk (Purchase) | Invalid posting. | 1 | 1 | Many times a day | | Preventing (System & Manual) | The head of finance checks a random selection of invoice postings. | 1 | 1 | | | yes | yes |
| 10 | Finance | Operational Risk (Purchase) | Missing invoice payments. | 1 | 1 | Weekly | | Preventing (System) | The IT system generates a list of invoices for payment. | 1 | 1 | | | yes | yes |
| 11 | Finance | Operational Risk (Purchase) | Invalid cash back or forex calculations. | 1 | 1 | Weekly | | Preventing (System) | The IT system automatically calculates the cash back or forex differences. | 1 | 1 | | | yes | yes |
| 12 | Finance | Operational Risk (Purchase) | Invalid payment suggestion. | 1 | 1 | Weekly | | Preventing (Manual) | The accountant can add or remove payments. | 1 | 1 | | | yes | yes |
| 13 | Finance + Head of finance | Operational Risk (Purchase) | Invalid payments | 1 | 1 | Weekly | | Preventing (System & Manual) | Both the accountant and the head of finance approve the payments. The payment list shows which invoices were manually added, excluded or adjusted. | 1 | 1 | | | yes | yes |
| 14 | Purchase | Operational Risk (Purchase) | Missing supplier information (e.g. important tax information) | 1 | 1 | Many times a day | | Preventing (System) | The IT system requires mandatory information before invoices can be created for a supplier. | 1 | 1 | | | yes | yes |
| 15 | Purchase | Operational Risk (Purchase) | Invalid supplier information | 1 | 1 | Many times a day | | Preventing (System) | The IT system performs automatic checks. | 1 | 1 | | | yes | yes |
| 16 | Head of purchase | Operational Risk (Purchase) | False positive supplier errors. | 1 | 1 | Many times a day | | Preventing (Manual) | Manual supplier approval by the head of purchase. | 1 | 1 | | | yes | yes |
| 17 | Purchase | Operational Risk (Purchase) | Critical changes to suppliers (e.g. sanctions) | 1 | 1 | Daily | | Preventing (System) | The IT system automatically checks suppliers against sanction lists every day. | 1 | 1 | | | yes | yes |

## Abbreviations

* R: Responsible
* L: Likelihood (1-5)
* C: Consequence (1-5)
* L\*/C\*: Likelihood and Consequence after mitigation
* O: Occurrence (many times a day, daily, weekly, monthly, annually)
* ES: Effective
* EY: Efficient

2022-01-01 - Version 1.0