Procurement governance is the unglamorous answer to a simple question: who is allowed to buy what, from whom, at what price — and who checks? It is the approval thresholds, the segregation of duties, the supplier vetting, the audit trail. When it works, nobody notices. When it fails, the loss almost never arrives as one dramatic act of fraud. It arrives as a slow leak — a thousand small purchases made outside the rules, each defensible on its own.
That is the part most leaders underestimate. The headline risk is fraud; the everyday risk is erosion — value bleeding out through purchases that skipped the process. And in Malaysia, 2026 changed the stakes on both: a new statutory procurement framework and a corporate-liability regime that no longer stops at the company. It reaches the individual who signed.
01 — THE QUIET LEAK
Maverick spend, not master criminals
Most governance failure isn't theft. It's people buying things the convenient way. Maverick spend — purchases made outside approved suppliers, channels or contract terms — rarely comes from bad intent. It comes from a slow approval workflow, an unclear policy, or a deadline. But the cost is real: the Hackett Group estimates organisations forfeit 5–16% of their targeted savings to off-contract buying. On RM 500 million of spend, that is RM 25–80 million leaking out every year — not stolen, just unmanaged.
Note what tops the list: unapproved suppliers and bypassed channels — buying from a vendor procurement never vetted, or from an approved one but skipping the e-procurement system. Off-contract pricing sits lower, because most leakage isn't paying the wrong price; it's never going through the process that would have got the right one. Consolidating that spend back onto contracted suppliers is among the highest-return moves in procurement — KPMG finds it can drive 30–40% savings on indirect categories, which is why 38% of organisations tackle maverick spend before anything else.
02 — THE FRAUD TAX
The rarer, costlier failure
The dramatic failure is rarer but far more expensive per event. Across all sectors, the Association of Certified Fraud Examiners estimates organisations lose roughly 5% of annual revenue to occupational fraud, with a median loss measured in the hundreds of thousands and an average case running well over a million ringgit. Procurement is one of its favourite habitats — it sits at the intersection of money leaving the building and a supplier relationship that can be quietly steered.
The classic procurement schemes are familiar: shell vendors invoicing for nothing, kickbacks for steering a contract, split purchase orders engineered to slip under an approval threshold, collusion between a buyer and a supplier on price. What they share is a single structural weakness — one person controlling too much of the transaction. Governance's oldest and best defence against this is also its simplest: make sure no one person can request, approve, and receive the same purchase.
Governance isn't one rule — it's a ladder. As the value of a purchase rises, the controls switch on in sequence: more approvers, more quotes, segregation of duties, then a committee, then the board.
The exact thresholds are illustrative — every organisation sets its own — but the shape is universal. It's also exactly where one classic fraud lives: split purchase orders, where a RM 90,000 buy is broken into two RM 45,000 orders to stay under the RM 50,000 review line. A governance system that only checks single transactions will never see it. One that monitors patterns — same vendor, same week, same requester — will.
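The ladder and the pattern check described above, as an added example that is not part of the original article: a small Python script that applies an assumed delegation-of-authority ladder to each order, flags any purchase where one person holds two of the request/approve/receive roles, and then groups orders by vendor and requester to catch sub-threshold orders that add up past the RM 50,000 review line within the same week. The tier values other than the RM 50,000 line, the field names and the sample purchase orders are all constructed for illustration.

```python
"""Illustrative procurement-control checks over constructed purchase-order records.

Added example: the ladder values (except the RM 50,000 review line from the text),
the record layout and the sample orders are assumptions, not any real organisation's
delegation-of-authority matrix or data.
"""
from collections import defaultdict
from datetime import date, timedelta

REVIEW_LINE = 50_000  # the single-order value at which fuller review kicks in (RM)

# Assumed, illustrative ladder: (ceiling in RM, controls required below that ceiling).
LADDER = [
    (10_000, "line-manager approval"),
    (REVIEW_LINE, "two quotes, second approver, segregated receiver"),
    (250_000, "three quotes and procurement committee"),
]
BOARD_TIER = "board approval"  # anything at or above the top ceiling

# Constructed sample purchase orders (not real data).
SAMPLE_POS = [
    {"po": "PO-1001", "vendor": "V-ALPHA", "requester": "r.lim", "approver": "t.wong",
     "receiver": "s.nair", "amount": 45_000, "date": date(2026, 3, 2)},
    {"po": "PO-1002", "vendor": "V-ALPHA", "requester": "r.lim", "approver": "t.wong",
     "receiver": "s.nair", "amount": 45_000, "date": date(2026, 3, 4)},
    {"po": "PO-1003", "vendor": "V-BETA", "requester": "a.tan", "approver": "a.tan",
     "receiver": "k.raj", "amount": 8_000, "date": date(2026, 3, 3)},
    {"po": "PO-1004", "vendor": "V-GAMMA", "requester": "m.ali", "approver": "t.wong",
     "receiver": "m.ali", "amount": 20_000, "date": date(2026, 3, 1)},
    {"po": "PO-1005", "vendor": "V-GAMMA", "requester": "m.ali", "approver": "t.wong",
     "receiver": "s.nair", "amount": 15_000, "date": date(2026, 3, 5)},
    {"po": "PO-1006", "vendor": "V-DELTA", "requester": "r.lim", "approver": "c.ong",
     "receiver": "s.nair", "amount": 90_000, "date": date(2026, 3, 6)},
]


def controls_for(amount):
    """Return the controls a single purchase of this value must pass."""
    for ceiling, controls in LADDER:
        if amount < ceiling:
            return controls
    return BOARD_TIER


def sod_violations(pos):
    """Flag any PO where one person holds two of request / approve / receive."""
    flagged = []
    for po in pos:
        roles = (po["requester"], po["approver"], po["receiver"])
        if len(set(roles)) < 3:
            flagged.append(po["po"])
    return flagged


def split_po_candidates(pos, review_line=REVIEW_LINE, window_days=7):
    """Find runs of sub-threshold orders that together cross the review line.

    A single-transaction check never sees a split PO. This groups orders that
    individually escape review by (vendor, requester), walks them in date order
    and sums a sliding window of `window_days`. Returns a sorted list of
    (vendor, requester, [po ids]) tuples, one finding per group.
    """
    groups = defaultdict(list)
    for po in pos:
        if po["amount"] < review_line:
            groups[(po["vendor"], po["requester"])].append(po)
    findings = []
    for (vendor, requester), orders in groups.items():
        orders.sort(key=lambda p: p["date"])
        for i, first in enumerate(orders):
            window = [p for p in orders[i:]
                      if p["date"] - first["date"] <= timedelta(days=window_days)]
            if len(window) > 1 and sum(p["amount"] for p in window) >= review_line:
                findings.append((vendor, requester, [p["po"] for p in window]))
                break  # one finding is enough to route the group for review
    return sorted(findings)


if __name__ == "__main__":
    for po in SAMPLE_POS:
        print(f'{po["po"]}: RM {po["amount"]:,} -> {controls_for(po["amount"])}')
    print("Segregation-of-duties violations:", sod_violations(SAMPLE_POS))
    print("Split-PO candidates:", split_po_candidates(SAMPLE_POS))
```

Run against the sample, the ladder alone lets PO-1001 and PO-1002 through at the two-quote tier; only the grouped window check pairs them as a RM 90,000 purchase that should have hit the review line. The segregation check separately flags PO-1003 (requester approved it) and PO-1004 (requester received it). In a real system the same checks would run inside the e-procurement workflow before an order is released, not on an export afterwards.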
03 — THE THREE LINES
Who watches, and who watches them
Mature governance separates the people doing the buying from the people checking the buying from the people assuring the whole thing works. The widely used "three lines" model makes that separation explicit — and it's the backbone of any credible procurement control environment.
The model fails in a predictable way: when the second and third lines exist on an org chart but the first line never actually has to pass through them. A compliance team that reviews a sample once a quarter is not a control — it is a report. Which brings us to the real gap.
04 — POLICY VS. ENFORCEMENT
The control that lives in a PDF
Here is the quiet truth of procurement governance: the policy is almost never the problem. Most organisations have a perfectly good procurement manual. The problem is the distance between the rule and the moment of purchase. A control written in a document depends on a human remembering it, choosing to follow it, and not being in a hurry. A control encoded into the buying workflow simply happens — the system won't route the order forward until the quote, the approval and the budget check are all present.
A detective control finds the problem after the money's gone — the quarterly audit, the exception report. A preventive control stops it at the point of purchase — the system that won't let the order through. Governance that relies mostly on detection is governance that has already paid for the lesson.
This is why so much governance investment underperforms. The spend on policy, training and audit is real, but the leak is at the keyboard, in the half-second where someone decides whether to raise a proper purchase order or just email the supplier. The organisations that close the gap don't write better policies. They move the policy into the system that everyone already has to use to buy anything — so compliance is the path of least resistance, not the path of most friction.
05 — THE MALAYSIA LAYER
Why the approver now has skin in it
For Malaysian enterprises, procurement governance stopped being optional hygiene and became statutory exposure — on two fronts that landed close together: the new Government Procurement Act and the Section 17A corporate-liability regime.
The phrase that should anchor every Malaysian procurement policy is "adequate procedures." It is the statutory defence to Section 17A, and the guidance built around it is summarised by the acronym TRUST: Top-level commitment, Risk assessment, Undertake control measures, Systematic review, and Training. It is, in effect, a governance checklist with legal weight — the difference between a company that can defend itself and one that cannot.
The shape of the gap is consistent across organisations. Top-level commitment and training are easy to demonstrate — a signed policy, an annual e-learning module. The two principles that actually decide a Section 17A defence — undertaking real control measures and systematic review, monitoring and enforcement — are exactly where most programmes are thinnest, because those are the ones that have to live inside the buying process rather than in a binder.
A weak control was once a finding in an audit report. Under Section 17A, it can be the thing standing between a director and a criminal charge — with the burden of proof on the director to show the procedures were adequate.
06 — THE GOVERNANCE PLAYBOOK
What actually moves the needle
Governance maturity isn't a thicker manual. It's a small number of controls that are enforced rather than encouraged.
- Move the policy into the workflow. If a purchase can't proceed without the approval, the quote and the budget check, you don't need to police compliance — the system does. Preventive beats detective every time.
- Enforce segregation of duties. No single person should request, approve and receive the same purchase. It's the cheapest, oldest defence against the most common procurement fraud.
- Set and automate authority thresholds. A clear delegation-of-authority matrix, wired into the system, means the right people sign at the right value — and split-PO tricks get flagged automatically.
- Vet suppliers before they're buyable. The strongest control against unapproved-vendor spend is making unvetted vendors impossible to pay through the system in the first place.
- Make the audit trail automatic. Every approval, quote and exception logged by default. Under the Government Procurement Act and Section 17A, the documentation is the defence.
- Build for the TRUST defence on purpose. Map your controls explicitly to the five adequate-procedures principles — and put your real effort into the two everyone skimps on: control measures and systematic review.
The through-line, as with most of procurement, is that governance only works when it lives where the buying happens. A policy in a document and a control in a system are not the same thing — one depends on everyone choosing to comply, the other makes compliance the default. In 2026, with the approver's own name now attached to the outcome, that distinction stopped being a matter of efficiency. It became a matter of who is liable when something goes wrong.