CT Ultramax · Compliance Note

Missing Supplier Approval: The Documentation Gap for Industrial Emergency Purchases

When maintenance buys an urgent PLC outside approved supplier channels, finance later asks a question most teams cannot answer cleanly: what evidence proves the purchase was reviewed before money left the company?

Published 19 May 2026 · CT Ultramax · Reading time: 7 min

Most procurement organizations handle authorized-supplier purchases well. A vendor is on the approved list, a PO is raised, the parts arrive, and the audit trail is intact. The category that consistently breaks down — and the one that surfaces in audit findings — is the small but unavoidable share of industrial exception purchases: parts bought from eBay, brokers, surplus dealers, Amazon Business or an unfamiliar reseller because the authorized distributor cannot deliver in time.

These purchases are not anomalies; they are routine in any plant with continuous operations. The line is down at 02:00, the maintenance engineer finds a Siemens, Allen-Bradley or Mitsubishi part on a secondary-market listing, the corporate card pays for it, and the line restarts before sunrise. Three weeks later, finance circulates expense reports for review and the question lands on the quality manager's desk: what supplier approval document supports this transaction?

What the standards actually require

ISO 9001:2015, Clause 8.4 — "Control of externally provided processes, products and services" — requires organizations to determine controls applied to external providers and retain documented evidence of those controls. The standard does not specify a tool; it specifies that evidence must exist and be retrievable.

NIS2 Directive (EU) 2022/2555, Article 21(2)(d) — supply-chain security measures — applies to essential and important entities and supports controls around the acquisition, development and maintenance of network and information systems. Industrial control hardware procured outside approved supplier channels falls within the spirit of that requirement when those systems are part of operational technology in scope.

Neither framework prohibits exception purchases. Both expect documented control evidence. The gap most teams discover during an internal or external audit is not that exceptions happen — it is that the record of how the exception was reviewed before approval does not exist.

The analogy from corporate expense control

Finance teams have already built a parallel concept for similar situations. When an employee cannot produce a receipt for a corporate-card transaction, most accountable expense systems (SAP Concur, Ramp, BILL and others) accept a Missing Receipt Affidavit — a structured declaration attached to the transaction record, approved by a manager, retained for audit.

The procurement equivalent for industrial exception purchases is missing. Most teams handle these informally: an email thread, a Slack message, a verbal "OK" from the plant director. None of these stands up cleanly during an ISO 9001 audit, a NIS2 supervisory review, or a post-incident investigation.

The practical gap

A typical industrial site processes 2–10 exception purchases per month for unplanned maintenance. If each one lacks a structured pre-approval control record, the cumulative audit exposure grows quietly until it surfaces in a corrective-action finding.

What a defensible control record looks like

Whatever tool, template, or system is used, an exception purchase control record should contain — at minimum — the following elements before money leaves the company:

Built in-house, this is a spreadsheet, a form, and a manual log. Maintainable, but easy to skip when the line is down. When skipped, the audit gap re-opens.

An aftermarket parallel worth noting

The aftermarket repair industry encountered a similar question decades ago and built a documentation convention. When a customer brings a part to a workshop, the workshop typically requires a customer-supplied parts declaration — a record that documents what was provided, by whom, and what review was performed before installation. The purpose is not to authenticate the part; it is to document that a control process was applied.

The aftermarket analogy shows why a documented review matters when a critical component comes from a source the buyer cannot fully verify. The record is the control, not the verdict.

Industrial OT procurement is not aftermarket repair, and the legal framework is different. But the structural insight transfers: when a part enters a critical system from a source the organization has not pre-qualified, the documented review at the point of decision is the artifact that finance, the manager and the auditor will later ask for.

How CT Ultramax fits

CT Ultramax exists to produce this record in a structured, retrievable form, in roughly three minutes per case, for OT parts sourced from eBay, brokers, surplus dealers and other unauthorized secondary-market channels.

A CT Supplier Exception Record contains: the listing review, the documented risk signals, the buyer-stated reason for the channel choice, the asset criticality classification, the named manager approval with timestamp, and a public verification URL that can be attached to a PO, a reimbursement form, or an audit file. The record is retrievable indefinitely; an API endpoint validates the Case ID for finance and audit systems.

CT reviews listing-level risk signals only. CT does not physically inspect, authenticate, certify, insure or guarantee the part. The Record documents the pre-purchase review process, not the physical condition of the item.

Create a Supplier Exception Record

Audit-ready documentation in 3 minutes — before PO approval, card payment or reimbursement.

€29 per record · Stripe invoice with VAT included · No subscription

Three timing scenarios

In practice, the documentation gap shows up at three distinct moments — and the right record depends on when in the cycle the question is asked:

Before purchase: Supplier Exception Record (€29)

The cleanest case. The buyer identifies the part, runs CT before payment, the manager approves with a documented rationale, and the Case ID attaches to the PO.

After purchase, before reimbursement: Reimbursement Justification Record (€49)

The card transaction has already cleared, but finance is now asking for documentation before processing the expense report. A retroactive record reconstructs the review using the listing snapshot available at the time of purchase.

After delivery, during dispute or audit: Evidence Pack (from €199)

The part has been installed and a question has emerged — a failure, a counterfeit allegation, an audit inquiry, a warranty dispute. The Evidence Pack consolidates the listing record, decision history, manager actions and post-delivery observations into a single retrievable file.

What this is not

CT is not authentication. It does not certify that a part is genuine. It does not guarantee that a part will perform in a given application. It does not replace the judgment of the engineer, the quality manager, or the auditor.

What CT produces is the documented control record that the standards expect to exist and that most organizations currently maintain only informally for this category of purchase.