
CD Widgets - Procurement Guidelines

Version: 1.0

Effective Date: TBD
Owner: Procurement & Finance (AP)
Approved By: CFO & General Counsel
Applies To: All employees, contractors (where contract permits), and business units purchasing goods/services on behalf of CD Widgets


1) Purpose & Scope

Purpose:
Ensure compliant, ethical, cost-effective purchasing that manages risk, supports supplier diversity and sustainability, and aligns with business goals.

Scope:

  • All purchases of goods, services, software, and subscriptions funded by CD Widgets.
  • Covers vendor selection, competitive sourcing, risk management, contracts, POs, invoice processing, payments, renewals, and record retention.
  • Where local law or client requirements are stricter, the stricter rule prevails.

2) Guiding Principles

  1. Value & Total Cost of Ownership (TCO): Optimize quality, price, risk, lifecycle costs, and support.
  2. Compliance & Ethics: Follow anti-bribery, conflicts of interest, data protection, export control, and local laws.
  3. Fair Competition: Use competitive sourcing and objective evaluation criteria.
  4. Risk-Based Controls: Scale due diligence and approvals to supplier risk and spend.
  5. Sustainability & Diversity: Favor environmentally responsible options and qualified diverse suppliers where feasible.
  6. Transparency & Auditability: Keep clear records, approvals, and decision rationales.

3) Definitions

  • Requestor: Employee initiating a purchase (creates PR).
  • PR: Purchase Requisition submitted for approval before a PO is issued.
  • PO: Purchase Order—formal authorization to buy; required before the supplier delivers.
  • Supplier/Vendor: External entity providing goods/services.
  • SOW/MSA: Statement of Work / Master Services Agreement—contractual documents governing services.
  • SaaS/Software: Cloud or on-premise software, including subscriptions.
  • Risk Tier: Supplier classification (Low/Medium/High/Critical) based on data access, spend, and operational impact.
  • 3-Way Match: PO, receipt of goods/services, and invoice must align before payment.

4) Roles & Responsibilities

  • Requestor: Define requirements, submit PRs with scope/specs, attach quotes, select suggested suppliers, receive goods/services in system.
  • Approver (Manager/Budget Owner): Validate business need, budget, and policy compliance; approve timely.
  • Procurement: Lead sourcing, negotiate, manage vendor onboarding, risk assessments, and POs.
  • Legal: Review/approve contracts, DPAs, and high-risk terms.
  • Security/IT: Review software/SaaS, security controls, and integrations.
  • Privacy/Compliance: Data protection, regulatory checks (e.g., personal data processing).
  • Finance/AP: Vendor setup, 3-way match, invoice processing, and payments.
  • ESG/Supplier Diversity (if applicable): Track sustainability and diverse supplier metrics.

5) When Procurement Is Required

  • Always when spend exceeds the micro-purchase threshold (see Section 6) or when contracts/terms are involved (including free trials that involve data access).
  • Always for software/SaaS, data services, telephony, payment processing, or services with customer/employee data.
  • Always for multi-year commitments, auto-renewing subscriptions, or when IP, SLAs, or security terms matter.
  • Emergency Buys: Permitted only with notification to Procurement, Legal, and the CFO, and a retroactive PR/PO within 1 business day (see Section 13, Emergency Exceptions).

6) Spend Thresholds & Sourcing Requirements (Default Template)

Tailor numbers to CD Widgets; thresholds apply to total commitment (including options/renewals).

  • ≤ $2,500 (Micro-Purchase): One quote; corporate card or PO; no contract unless data access/IP.
  • $2,501–$10,000 (Low): Two quotes (written/email acceptable); simple PO terms.
  • $10,001–$50,000 (Medium): Three competitive quotes or documented sole-source justification; basic contract or PO with standard terms.
  • $50,001–$250,000 (High): Formal RFP/RFQ, evaluation matrix, negotiation led by Procurement; MSA/SOW required; risk assessment.
  • > $250,000 (Strategic): Formal RFP, executive sponsor, Legal review, Security/Privacy assessment (if data), CFO approval; performance KPIs.

Sole-Source Justification: Allowed if unique IP, compatibility constraints, urgent operational need, pilot continuity, or mandated by client; document rationale and alternatives considered.


7) Supplier Selection & Evaluation

  • Criteria: Capability fit, TCO, delivery timeline, security/privacy posture, compliance, ESG/delivery risk, references, and financial health.
  • Conflicts of Interest: Disclose any personal relationships; recuse from decision-making where conflict exists.
  • Supplier Diversity: Include qualified diverse suppliers in competitive bids where available.

8) Supplier Risk Management & Onboarding

  • Risk Tiering (examples):

    • Low: Commodity goods, no data access, low spend.
    • Medium: Professional services, limited data access, moderate spend.
    • High: Customer/employee data, core operations, integrations, payments.
    • Critical: Safety, regulated data (PHI/PCI), material business continuity impact.
  • Due Diligence by Tier:

    • Low: W-9/W-8 tax forms, sanctions/denied-party screening, basic contract terms.
    • Medium: Add a security questionnaire or SOC 2 report summary, insurance certificate (COI), and references.
    • High/Critical: Full security/privacy assessment, DPA, data flow diagram, pen test summary, BAA/PCI AoC (as applicable), business continuity plan, financial stability check.
  • Sanctions & Export Controls: No business with sanctioned parties/countries; escalate to Legal for screening.


9) Contracts & Terms

  • Templates: Prefer CD Widgets’ MSA, SOW, PO Terms, DPA, and Security Addendum.
  • Mandatory Clauses: Confidentiality, IP ownership/licensing, data protection, information security, audit rights (risk-based), SLAs/credits, termination (cause/convenience), assignment, compliance (anti-bribery and anti-corruption (ABAC), sanctions), insurance, and governing law.
  • Redlines: Legal negotiates; track issues list; document final compromise.
  • Auto-Renewals: Must be calendared in system with 90-day review reminder.
  • Click-Through Terms: Prohibited for high-risk purchases without Legal approval.
  • Open-Source/Third-Party Components: Ensure license compliance and security posture.

10) Software, SaaS, & Data Services

  • Pre-Approval: IT/Security & Privacy required before purchase or renewal.
  • Security Controls: Role-based access controls, SSO (SAML/OIDC), encryption in transit and at rest, data retention/deletion, audit logging, and contractual breach-notification timelines.
  • Data Protection: DPA if processing personal data; regional addenda (e.g., SCCs) as dictated by law.
  • Integrations: Architecture review for APIs, webhooks, and data flows.
  • Shadow IT: Prohibited; route all software through Procurement/IT.

11) Purchase Orders (PO) & Receiving

  • PO Required: Before ordering goods/services (except approved micro-purchases on corporate card).
  • Change Orders: Required for scope/price/time changes.
  • Partial Receipts/Milestones: Record receipt of goods or services milestones (e.g., 30/30/40 payments).
  • 3-Way Match: PO ↔ Receipt ↔ Invoice must align before payment.

12) Invoicing & Payment

  • Invoice Requirements: PO number, supplier legal name, remit info, itemization, date, tax details, currency.
  • Payment Terms (Default): Net 30; early pay discounts encouraged (e.g., 2/10 Net 30).
  • Disputes: Log within 10 business days of receipt; hold payment until resolved.
  • Duplicate Invoices: AP will reject duplicates (same supplier invoice number, or same PO, date, and amount).

13) Budgeting & Approvals

  • Budget Check: All PRs must include charge codes and pass budget validation.
  • Approval Matrix:
    • Manager approval at or below their delegated limit.
    • Department head for > $50k (example).
    • CFO for > $250k or non-budgeted spend.
    • Legal for contracts and any non-standard terms.
    • IT/Security/Privacy for software/data services.
  • Emergency Exceptions: CFO + Legal notification; retroactive PR/PO within 1 business day.

14) Ethics, Anti-Bribery & Anti-Corruption (ABAC), Gifts, & Hospitality

  • No bribery, kickbacks, or facilitation payments.
  • Gifts/Hospitality: Modest, infrequent, lawful, and reported; never during RFPs or active negotiations. Public sector rules are stricter—Legal pre-approval required.
  • Supplier Conduct: Suppliers must adhere to CD Widgets’ Supplier Code of Conduct (labor, safety, environmental, integrity).

15) Sustainability & ESG

  • Favor energy-efficient, recyclable, low-carbon options and suppliers with credible ESG practices.
  • Capture supplier ESG data when feasible (certifications, emissions reporting, conflict minerals).

16) Records & Retention

  • Retain PRs, POs, contracts, evaluations, approvals, and invoices for 7 years (or local statutory period).
  • Maintain an auditable trail of decisions, exceptions, and communications.

17) Renewals & Vendor Lifecycle

  • Renewal Clock: Track terms and auto-renew dates; initiate review 90 days before renewal.
  • Performance Reviews: For High/Critical suppliers—review SLAs, incidents, value, and market benchmarks annually.
  • Termination/Exit: Ensure data return/deletion, IP transfer, and transition assistance are enforced.

18) Non-Compliant Purchases (Always Prohibited)

  • Purchasing without required approvals or PO (except approved micro-purchases).
  • Splitting purchases to avoid thresholds.
  • Shadow IT/software without IT/Security review.
  • Engaging sanctioned parties or illegal activities.
  • Personal purchases with company funds.

19) Exceptions Process

  • Submit exception request before committing spend.
  • Include: business justification, alternatives considered, risk mitigations, duration (one-time/ongoing), and approvals required.
  • Store exception records with the purchase and vendor files.

20) Audits & Consequences

  • Audits: Random and targeted audits by Procurement/Finance/Compliance.
  • Consequences:
    • Level 1: Coaching, process correction.
    • Level 2: PO cancellation/denial, repayment, card suspension.
    • Level 3: HR action up to termination (fraud, willful policy breaches).

21) FAQs

Q1: Can I buy software with a corporate card?
A: Not without IT/Security/Privacy approval and a PO. Shadow IT is prohibited.

Q2: What if a supplier won’t sign our MSA?
A: Legal will negotiate; at minimum, the mandatory clauses and risk mitigations must be included on the supplier's paper.

Q3: Can I renew a subscription without review if we like the tool?
A: No—submit a renewal PR, ensure usage/seat right-sizing, and complete risk checks for changes in scope or data.

Q4: Are trials free from this policy?
A: No—any data access or terms acceptance requires review.