PO Governance Is Not Leakage Prevention — Your Controls Are Working. Your Money Is Still Disappearing.
Why PO Governance Is Not Enough — And What Australian CFOs Must Do About It
You have the controls. Three-way matching. PO approval hierarchies. Delegated authority matrices. Audit trails. Your governance framework is, by any reasonable measure, mature. And yet, money is leaving your organisation quietly, consistently, and compliantly. Not through fraud. Not through rogue spending. Through the simple, structural gap between what your organisation negotiated and what it actually pays. This is not a procurement problem. It is a financial integrity problem. And for most Australian CFOs, it remains invisible.
Organisations don't lack governance. They lack alignment between what is controlled and what actually matters.
The Illusion of Control
Most finance and procurement functions in Australia have made real progress. The 'no PO, no pay' mandate is now standard. Three-way matching — between purchase order, goods receipt, and invoice — is widely regarded as a key control. And regulatory frameworks like APRA's Prudential Standard CPS 230 (Operational Risk Management), now in full force from July 2025, have sharpened expectations around third-party risk management across the financial services sector.[1]
These are genuine achievements. But there is a critical distinction that most control frameworks simply do not make:
Matching an invoice to a PO is not the same as matching a payment to a contract.
Three-way matching confirms that what you ordered, received, and were billed for are internally consistent. It does not confirm that the rates on the PO were ever correct in the first place, or that they reflect the commercial terms your procurement team actually negotiated.
If a supplier quotes an outdated rate, or applies the wrong pricing tier, or adds a charge that sits outside scope, and those errors make it into the PO, your controls will approve it — every time.
This is not a control failure in the traditional sense. Your controls are working exactly as designed. The problem is that they are controlling the wrong thing.
The Numbers Are Not Small
In January 2026, World Commerce and Contracting (WorldCC) published Closing the Procurement Value Gap, a landmark study conducted in partnership with Ironclad. The findings are striking.[2]
Across organisations globally, an average of 11% of contract value is lost after agreements are signed — not through poor negotiation, but through inadequate post-signature governance.
For a large enterprise with $500 million in annual contracted spend, that figure represents $55 million in value that was negotiated, agreed and never realised.
WorldCC breaks the leakage down into identifiable categories:
- Unauthorised or unrecorded scope changes: approximately 2 to 3% of spend
- Missed or incorrectly applied price adjustments: 1 to 2%
- Untracked performance obligations and service level failures: 1 to 2%
- Auto-renewals on unfavourable terms and poor forward planning: 2 to 3%
These are not edge cases. They are the ordinary, predictable outcome of treating a signed contract as a finished product rather than an active commercial instrument. And critically, most organisations do not track leakage in any structured way, meaning these losses rarely appear on a financial or risk dashboard.
Separately, World Commerce and Contracting's broader research on contract management costs indicates that ineffective contract management costs organisations an average of 9.2% of annual revenue, with complex projects seeing losses as high as 15%.[3]
Even on the conservative end of these ranges, the financial exposure for any organisation with a material cost base is significant. On a $200 million spend base, 1 to 5% leakage represents $2 million to $10 million annually. Undetected. Year after year.
A GRC Blind Spot With Real Regulatory Teeth
For CFOs in APRA-regulated entities, this is not just a financial efficiency issue. It is a governance, risk, and compliance issue.
CPS 230, effective from 1 July 2025, requires APRA-regulated entities, including banks, insurers, and superannuation funds, to manage operational risks end-to-end, with explicit obligations around the oversight of material service providers.[1] APRA's expectation is clear: entities must be able to demonstrate that risks arising from third-party arrangements are identified, monitored, and controlled throughout the relationship — not just at the point of contract execution.[4]
Yet the typical control environment in most financial services organisations focuses on:
- Was the invoice approved by the right person?
- Did it match the purchase order?
- Is there a documented audit trail?
What it rarely asks is: Was the invoice contractually correct?
For public sector organisations, the exposure is different in character but no less real. The Commonwealth Procurement Rules (CPRs) and state-based frameworks including Victoria's Buying for Victoria policy mandate value for money and probity as core principles.[5] The Australian National Audit Office (ANAO) has consistently found that Australian Government entities face persistent challenges in contract management, with the Joint Committee on Public Accounts and Audit (JCPAA) recommending in March 2025 that Finance produce clearer guidance to address systemic weaknesses in contract management practices.[6]
The ANAO's own audit insights make the pattern plain: value is negotiated at procurement but not reliably enforced at payment.[7] The gap between procurement intent and financial outcome creates both reputational and audit risk, particularly when overpayments are identified retrospectively.
Value is negotiated upfront. It is not always enforced at payment. That gap is where leakage lives.
The Handover Gap: Where Value Goes to Die
WorldCC's research identifies a concept that should resonate with every CFO who has ever asked their team whether a supplier is actually performing to contract: the 'handover gap'.
This is the moment when procurement and legal teams exit the process once the contract is signed, and operational teams assume responsibility without full commercial context, clear accountability, or the tools to manage what they have inherited.[2]
The knowledge built during sourcing — around pricing mechanisms, rate escalation clauses, performance incentives, and scope boundaries — rarely transfers cleanly. Contracts sit in systems disconnected from the PO and invoice workflows. Obligations live in static documents. And the teams actually managing supplier relationships are often unaware of the specific terms they are supposed to be enforcing.
The result is not misconduct. It is drift. Scope expands without authorisation. Rates update without verification. Performance shortfalls go untracked. And finance, which might be best placed to identify the discrepancy, sees the results — if at all — long after the opportunity to intervene has passed.
As Tim Cummins, President of WorldCC, has noted: the 11% gap is not caused by poor negotiation, but by how contracts are managed after signature. Most value is won or lost during delivery, governance and relationship management.
What Needs to Change
The good news is that this is a solvable problem. It does not require a wholesale transformation of your procurement or finance function. It requires a deliberate shift in how your organisation thinks about contract compliance — from a legal formality to a financial control objective.
In practice, that means:
- Treating contract compliance as a formal control objective, alongside PO compliance rather than instead of it. The control framework should ask not just 'was the invoice approved?' but 'was the invoice contractually correct?'
- Validating invoices against commercial terms, not just POs. This requires a linkage between the contract repository (rate cards, escalation clauses, scope definitions) and the invoice processing workflow, which in most organisations does not currently exist.
- Moving from sample-based audit to continuous monitoring, particularly for high-volume, high-value supplier relationships. A quarterly sample review will not catch systematic billing errors that accumulate invoice by invoice over months.
- Elevating leakage to a reportable metric at CFO and board level. If your organisation does not currently track the gap between contracted value and actual spend, you cannot manage a risk that your own numbers do not yet show.
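To make the distinction between 'matched to the PO' and 'contractually correct' concrete, the following is an added example, not code from the article or from any product it mentions. It models the three-way match control described above, then runs the contract-level check that the list asks for, over constructed data: a supplier quotes a pre-adjustment rate and adds an out-of-scope line, the PO is raised from that quote, goods are receipted, and the invoice mirrors both. The contract, SKUs, rates, dates and document references are all invented for illustration; the contract structure (a rate table with effective-from dates and a scope list) is an assumption about how such terms might be represented.

```python
"""Three-way match versus contract-rate validation on constructed invoice data."""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class ContractRate:
    sku: str
    unit_rate: Decimal
    effective_from: date  # date this rate comes into force (a price-adjustment clause)


@dataclass(frozen=True)
class Contract:
    contract_id: str
    supplier: str
    scope: frozenset  # SKUs the agreement actually covers
    rates: tuple      # ContractRate entries, possibly several per SKU over time

    def rate_on(self, sku: str, on: date):
        """Rate in force for `sku` on date `on`, or None if the SKU is outside scope."""
        if sku not in self.scope:
            return None
        in_force = [r for r in self.rates if r.sku == sku and r.effective_from <= on]
        return max(in_force, key=lambda r: r.effective_from).unit_rate if in_force else None


@dataclass(frozen=True)
class Line:
    sku: str
    qty: int
    unit_rate: Decimal


@dataclass(frozen=True)
class Document:
    """A purchase order, goods receipt or invoice: the three legs of the match."""
    ref: str
    supplier: str
    lines: tuple


def three_way_match(po, receipt, invoice):
    """The conventional control: PO, receipt and invoice agree line by line.
    It proves only that the three documents are internally consistent."""
    def by_sku(doc):
        return {line.sku: line for line in doc.lines}
    po_l, gr_l = by_sku(po), by_sku(receipt)
    findings = []
    for sku, inv in by_sku(invoice).items():
        if sku not in po_l:
            findings.append(f"{invoice.ref}/{sku}: billed but not on PO {po.ref}")
            continue
        if sku not in gr_l or gr_l[sku].qty < inv.qty:
            findings.append(f"{invoice.ref}/{sku}: billed qty {inv.qty} exceeds receipted qty")
        if po_l[sku].unit_rate != inv.unit_rate:
            findings.append(f"{invoice.ref}/{sku}: rate {inv.unit_rate} differs from PO rate {po_l[sku].unit_rate}")
    return findings


def contract_check(invoice, contract, service_date):
    """The missing control: each invoice line against the contract rate in force
    on the service date. Returns (findings, overbilled) where overbilled is the
    total amount invoiced above what the contract allows."""
    findings, overbilled = [], Decimal(0)
    if invoice.supplier != contract.supplier:
        return [f"{invoice.ref}: supplier does not match {contract.contract_id}"], overbilled
    for line in invoice.lines:
        rate = contract.rate_on(line.sku, service_date)
        if rate is None:
            findings.append(f"{invoice.ref}/{line.sku}: outside scope of {contract.contract_id}")
            overbilled += line.unit_rate * line.qty  # nothing in the contract supports this line
        elif line.unit_rate != rate:
            variance = (line.unit_rate - rate) * line.qty
            findings.append(f"{invoice.ref}/{line.sku}: billed {line.unit_rate}, contracted {rate}, variance {variance}")
            overbilled += variance
    return findings, overbilled


def monitor(invoices, contract):
    """Continuous monitoring: run the contract check over every invoice and
    accumulate the leakage, rather than sampling one invoice a quarter."""
    return sum((contract_check(inv, contract, on)[1] for inv, on in invoices), Decimal(0))


def monthly_invoices(invoice, year):
    """Constructed helper: the same invoice presented on the first of every month."""
    return [(invoice, date(year, month, 1)) for month in range(1, 13)]


# --- Constructed sample data (not from the article) -------------------------
# Contract: SVC-A at 100/unit from Jan 2024, adjusted down to 95/unit from Jan 2025.
CONTRACT = Contract(
    contract_id="C-2024-017", supplier="ACME Services", scope=frozenset({"SVC-A"}),
    rates=(ContractRate("SVC-A", Decimal("100"), date(2024, 1, 1)),
           ContractRate("SVC-A", Decimal("95"), date(2025, 1, 1))),
)
# The supplier quotes the old rate and adds out-of-scope SVC-X; PO, receipt and
# invoice all carry the same lines, so the three-way match is clean.
SAME_LINES = (Line("SVC-A", 10, Decimal("100")), Line("SVC-X", 5, Decimal("40")))
PO = Document("PO-5501", "ACME Services", SAME_LINES)
RECEIPT = Document("GR-5501", "ACME Services", SAME_LINES)
INVOICE = Document("INV-88120", "ACME Services", SAME_LINES)
SERVICE_DATE = date(2025, 3, 1)

if __name__ == "__main__":
    print("three-way match findings:", three_way_match(PO, RECEIPT, INVOICE))  # []
    findings, over = contract_check(INVOICE, CONTRACT, SERVICE_DATE)
    print("contract findings:", findings, "| overbilled:", over)  # 2 findings, 250
    print("leakage over 2025:", monitor(monthly_invoices(INVOICE, 2025), CONTRACT))  # 3000
```

The three-way match returns no findings because the PO inherited the supplier's quote, which is exactly the failure mode described above. The contract check flags both the missed price adjustment (5 per unit on 10 units) and the out-of-scope line (the full 200), and the monitor shows the same 250 recurring every month; a single sampled invoice would report one error, not a 3,000 annual pattern.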
For APRA-regulated entities, there is an additional imperative: demonstrating to regulators that your oversight of material service providers extends beyond contracting to actual payment compliance. That is the spirit — and increasingly the letter — of CPS 230.
The Uncomfortable Truth
Australian organisations have invested genuinely in procurement governance. The frameworks are real, the controls are functioning, and the audit trails are clean.
But governance that validates process compliance, while leaving financial accuracy unverified, is not governance of what matters most. It is governance of the form, not the substance.
Until contract compliance becomes a core financial control — measured, monitored, and reported — leakage will remain exactly what WorldCC's research describes: compliant, invisible, and systemic.[2]
The CFOs who move first on this will not just recover value. They will be the ones who can demonstrate, credibly and with evidence, that their organisations are actually receiving what they negotiated. In an environment of heightened regulatory scrutiny, compressed margins, and increasing board focus on financial integrity, that capability will matter more, not less, in the years ahead.
Get in touch with the RedOwl team
Whether you have a question or need support, reach out and we’ll connect you with the right person.
Sources
1. Australian Prudential Regulation Authority (APRA). (2023). Prudential Standard CPS 230: Operational Risk Management. Effective 1 July 2025. Retrieved from https://handbook.apra.gov.au/standard/cps-230
2. World Commerce & Contracting (WorldCC) & Ironclad. (2026). Closing the Procurement Value Gap: How Smarter Contracting Can Prevent 11% Value Leakage. Retrieved from https://info.worldcc.com/closing-the-procurement-value-gap
3. World Commerce & Contracting. (2024). Contracts and Commercial Management Benchmark Report. As cited in Concord (2024), The Hidden Costs of Ineffective Contract Management. Retrieved from https://www.concord.app/blog/contract-management-software-ineffective-hidden-costs
4. KPMG Australia. (2024). APRA CPS 230: Operational Risk Management — Highlights and Third-Party Requirements. Retrieved from https://kpmg.com/au/en/insights/industry/apra-prudential-standard-cps-230-operational-risk-updates.html
5. Department of Finance, Australian Government. (2024). Commonwealth Procurement Rules (CPRs). Retrieved from https://www.finance.gov.au/government/procurement/commonwealth-procurement-rules
6. Australian National Audit Office (ANAO). (2025). 2024-25 Performance Audit Outcomes. Retrieved from https://www.anao.gov.au/work/information/2024-25-performance-audit-outcomes
7. Australian National Audit Office (ANAO). (2023). Audit Insights: Procurement and Contract Management. Retrieved from https://www.anao.gov.au/work/insights/procurement-and-contract-management
8. Procurement and Supply Australasia (PASA). (2026, January). Procurement Contracts Leaking 11 Percent of Value Due to Enterprise-Wide Failures. Retrieved from https://procurementandsupply.com/procurement-contracts-leaking-11-percent-of-value-due-to-enterprise-wide-failures
This article is intended as a thought leadership piece for finance, procurement, and risk professionals. Statistics and figures cited are sourced from publicly available third-party research and regulatory publications.

