
Procurement Audit & Control in Supply Chain Processes
Supply chain risks in mining are not detected with one-time audits
The complexity of supply chains in large-scale mining has grown faster than human oversight capacity. Collusion, nepotism and fraud schemes among suppliers operate silently and persistently over time, hiding in patterns that periodic reviews fail to capture.
"New" suppliers with atypical growth
Companies that in a few months concentrate a disproportionate volume of orders without a track record to justify it.
Purchase splitting below approval thresholds
Orders deliberately divided to circumvent higher authorization levels.
Rotating representatives or shared addresses
Individuals who rotate between different suppliers or share addresses, contacts and email addresses.
"Competitive" tenders with predictable results
Processes where the same suppliers alternate as winners with suspiciously close bids.
Silent concentration in few players
A small group of suppliers that, directly or indirectly, captures a significant percentage of spending.
When risk is detected late, it is no longer an audit finding: it is financial and reputational damage that has already occurred.
Continuous and intelligent surveillance over contracts, purchase orders and tenders
Our service operates as a permanent algorithmic audit system that monitors your procurement processes, connects corporate relationships between suppliers and prioritizes alerts with explainable and actionable evidence.
Unlike a traditional audit that reviews the past, this service monitors the present and anticipates future risks, delivering to compliance teams, internal audit and the board the information they need to act on time.
Structured protocols for each type of finding
Detecting an anomaly is only the first step. What differentiates an effective control system is the ability to investigate, document and resolve each case with rigor and traceability. Our protocols cover the three main types of findings in procurement processes:
Aligned with the Economic Crimes Act and Data Protection regulations
This service does not operate in a legal vacuum. Every component — from data collection to alert generation — is designed considering the current regulatory framework in Chile, with special attention to two legal bodies that directly impact risk management in mining procurement.
Law No. 21,595 — Economic Crimes Act
Published in August 2023 and fully effective for legal entities since September 2024, this law significantly expanded the catalog of crimes for which a company can be criminally liable — over 200 criminal types classified into four categories.
Direct relevance for mining procurement:
- Collusion between suppliers and internal employees can constitute second or third category crimes, with criminal liability for both individuals and legal entities.
- Incompatible negotiation, private bribery and disloyal administration are criminal offenses directly applicable to nepotism and favoritism schemes in procurement.
- The purchasing company can also be liable if it fails to demonstrate having implemented effective controls to prevent these crimes in its supply chain.
- The Crime Prevention Model (CPM) is the main tool for exemption from criminal liability. An effective CPM must include: risk activity identification, prevention and detection protocols, reporting channels, designated officers and periodic evaluations by independent third parties.
This service functions as a technological and procedural component of the Crime Prevention Model, specifically covering risk identification and detection of anomalous conduct in procurement processes — one of the areas of greatest exposure for mining companies.
Law No. 21,719 — Personal Data Protection
Published on December 13, 2024, this law replaces the former Law 19,628 and will be fully effective on December 1, 2026. It creates the Personal Data Protection Agency and establishes principles, rights and obligations aligned with international standards such as the European GDPR.
Relevance for this service:
- Corporate graph analysis involves personal data (names, tax IDs, addresses, positions, corporate holdings). All processing must have a lawful basis, specific purpose and proportionality.
- Sensitive data: Information about internal investigations, fraud findings and links to individuals requires enhanced protection levels.
- Security and confidentiality duty: Data controllers must adopt technical and organizational measures by design (privacy by design) to protect data.
- Infringement prevention model: Similar to the CPM of the Economic Crimes Act, the new law provides for compliance models whose implementation can be considered a mitigating factor in case of infractions.
Our service incorporates privacy by design and by default principles throughout the entire processing flow: from data ingestion to alert generation. Access is segmented by roles, every query is logged, and personal data is processed exclusively for supply chain risk control purposes, with defined retention periods and anonymization mechanisms when direct identification is not necessary.
Continuous surveillance methodology
Secure data ingestion
Connection with ERP, procurement systems, tender platforms and public sources (corporate registries, SII, CMF, Land Registry). Data is processed in controlled environments with encryption and restricted access.
Relationship graph construction
Automatic mapping of links between supplier companies, individuals, legal representatives, partners, physical addresses, email domains, phone numbers and other indicators. The graph is continuously updated with each new data point processed.
Anomalous pattern detection
Artificial intelligence models trained to identify: purchase splitting, concentration by buyer or area, price deviations, atypical recurrence, accelerated supplier growth, and artificial competitiveness in tenders.
Explainable alert generation
Each alert includes: what was detected, why it is anomalous, the supporting evidence, the estimated risk level, and a recommended action. Alerts are designed to be defensible before audit, compliance and the board.
Investigation protocol activation
Depending on the type of finding (contract, purchase order or tender), the corresponding protocol is activated with responsible party assignment, deadlines and documentation flow.
Reports and traceability
Complete action log: who generated the alert, who reviewed it, what decision was made, when it was closed. Executive reports for the board with trends, risk metrics and case status.
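The relationship graph and explainable alert steps above can be illustrated with a small added example. It is not the service's own code: the supplier records are constructed, and the field names, the alert structure and the recommended action text are assumptions. Suppliers are grouped whenever they share an address, email domain or legal representative, and each group carries the evidence that linked it.

```python
from collections import defaultdict

# Constructed sample supplier master data; names and field layout are assumptions.
SUPPLIERS = [
    {"id": "S1", "address": "Av. Norte 100", "email": "ventas@andesparts.example", "rep": "R-001"},
    {"id": "S2", "address": "Av. Norte 100", "email": "info@cobresupply.example", "rep": "R-002"},
    {"id": "S3", "address": "Calle Sur 55", "email": "contacto@cobresupply.example", "rep": "R-003"},
    {"id": "S4", "address": "Ruta 5 Km 12", "email": "sales@pacificvalves.example", "rep": "R-004"},
]

def shared_indicators(suppliers):
    """Map each (indicator type, value) to the supplier ids that share it."""
    index = defaultdict(set)
    for s in suppliers:
        index[("address", s["address"].strip().lower())].add(s["id"])
        index[("email_domain", s["email"].rsplit("@", 1)[-1].lower())].add(s["id"])
        index[("representative", s["rep"])].add(s["id"])
    return {key: ids for key, ids in index.items() if len(ids) > 1}

def linked_groups(suppliers):
    """Union-find over shared indicators; returns one alert per linked group."""
    parent = {s["id"]: s["id"] for s in suppliers}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    shared = shared_indicators(suppliers)
    for ids in shared.values():
        first, *rest = sorted(ids)
        for other in rest:
            parent[find(other)] = find(first)
    groups = defaultdict(set)
    for sid in parent:
        groups[find(sid)].add(sid)
    alerts = []
    for members in groups.values():
        if len(members) < 2:
            continue  # unlinked supplier, nothing to report
        evidence = sorted(f"{kind}={value} shared by {', '.join(sorted(ids))}"
                          for (kind, value), ids in shared.items() if ids <= members)
        alerts.append({"what": "suppliers linked by shared indicators",
                       "suppliers": sorted(members), "evidence": evidence,
                       "recommended_action": "review ownership before next award"})
    return alerts
```

S1 and S3 share no indicator directly; they land in the same group only through S2, which is the kind of indirect link a pairwise comparison misses.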
Service components
Gradual implementation based on maturity and data availability
Estimated timelines based on environment complexity and data availability.
Designed for high-demand environments
Role-based access control — Each user accesses only the information their role requires.
Complete audit trail — Who saw what, when and from where.
Environment separation — Production, testing and development data completely isolated.
Encryption in transit and at rest — All information protected with industry standards.
Traceable evidence in every alert — Each finding includes the complete data chain that originated it.
Privacy by design — Anticipatory compliance with Law 21,719 on Data Protection.
CPM compatible — Service aligned with Law 21,595 requirements for Crime Prevention Models.
This service is designed to help compliance, not to compete with compliance. It was built in partnership with procurement, internal audit, risk and legal-tax advisory specialists.
Frequently Asked Questions
Make the invisible visible in your procurement processes
First conversation: feasibility assessment with your data. No commitment.
contacto@escribanoycia.cl | +56 9 3112 2323