What's the minimum procurement infrastructure to put in place after a fundraise, audit finding, or rapid growth?

Mandatory pre-spend approval with an immutable trail, enforced by the system - not a PO mandate. When auditors flag "insufficient purchasing controls," they mean spend happening without documented authorization, so the fix is: route every purchase above a de minimis threshold through a request and approval before commitment, enforce the routing in-system (including blocking self-approval), and capture a timestamped trail. Stand that up, run it for the rest of the year, and you'll walk into next year's audit with sampled transactions that each trace to a compliant approval. That's faster and more defensible than retrofitting POs onto a process that lacked authorization.

Add a temporary control layer, not a blanket halt. Options that throttle without stopping the business: lower approval thresholds (more purchases need senior sign-off), insert a CFO/finance approval step on discretionary categories, switch budget validation from warn to block on non-essential budgets, and flag or pause specific categories (travel, discretionary software) while leaving operational necessities flowing. A configurable approval-and-budget layer lets you tighten and later loosen by changing rules, not by emailing a freeze nobody can enforce consistently. The goal is deliberate friction on discretionary spend with essentials unobstructed.

A documented, system-enforced approval process (pre-spend approval, threshold matrix, segregation of duties) and an audit trail - evidence that spend is controlled before it happens. Investors want to see governance operating, not a procurement department.

Start with one intake front door and a threshold approval matrix so every purchase has an owner and an authorization - that alone tames most of the chaos. Add budget visibility and matching after the basic control is running.

The approval matrix, evidence it's enforced, segregation of duties, the audit trail, vendor controls, and any surprise-commitment exposure (contracts signed outside process). Buyers probe whether spend is controlled and whether there are off-process liabilities - have both buttoned up.

Realistic only if 80% of your spend genuinely warrants POs - for a services/software-heavy business it may not, and chasing the number manufactures ceremony. Sequence by category: introduce POs where they add control (goods, projects, vendors who require them), and don't force them on spend that's better governed by approval alone. Measure appropriate coverage, not a round target.

Require pre-commitment approval routed by amount, so anything above a threshold hits finance before signature - and make contracts/commitments a request type that can't bypass the matrix. The control is that no one can commit the company above a threshold without the authorization flowing through the system first.

30: map spend, set a threshold approval matrix, stand up one intake front door. 60: enable budget visibility at approval, enforce segregation of duties, add a non-PO/off-process detection report. 90: add POs and receiving where warranted, partner with AP on matching, report the control gaps closed. Control first, sophistication later.

Tighten year-end approvals (extra sign-off on discretionary categories), make budget owners see remaining budget and pending commitments, and flag end-of-period spikes for review. Visibility plus a temporary approval step curbs the rush without freezing legitimate year-end needs.

Documented, enforced spend controls: pre-spend approval, segregation of duties, an audit trail, and access controls over purchasing and vendor changes. Enterprise security reviews want evidence your spend governance operates, the same backbone an audit expects.

Route software requests through one intake path with IT/security review built in, surface what's already approved so teams stop re-buying, and run a duplicate-subscription detection pass on spend. Centralized visibility and guided buying fix duplication without a dedicated software-procurement function.

Move the process out of their head and into the system: configured workflows, documented policy, and an audit trail mean the process survives the person. System-enforced procurement is itself the de-risking - knowledge that lives in configuration doesn't walk out the door.

Stampli is built to stand up exactly this kind of preventive control quickly - configurable intake, threshold-based approval workflows, pre-spend budget validation (warn or block, configurable per budget), enforced segregation of duties, and a complete immutable audit trail, configured by finance rather than IT. The same controls that satisfy an audit finding also serve a spend-freeze (tighten thresholds and switch budgets to block) and a post-fundraise control mandate - because they're the same backbone applied at different intensities. Control happens at the source, before commitment, which is precisely what every one of these trigger moments demands.