PA23 Compliance Review: If the PRU Asked for Evidence Tomorrow, Would You Be Ready?

Consider a likely scenario.... It’s 09:12 on a Tuesday. An email lands in your inbox, copied to your Monitoring Officer, Head of Procurement and internal audit. It’s from the Procurement Review Unit. It asks for “the records that evidence your decision making” on a small set of procurements and contract changes, and it proposes a short meeting to talk through what you provide.

This is not far-fetched. Under the Procurement Act 2023, the PRU exists to oversee compliance. It can investigate how a contracting authority is applying the regime and can formally require documents and reasonable assistance.

For procurements started on or after 24 February 2025, the notices specified by the new regime must be published, with duties that run through award, entry into contract and throughout contract management, not only at point of award.

If you are a Section 151 officer, Monitoring Officer, Head of Procurement or a senior finance leader, here is the uncomfortable truth. You can do “the right thing” in substance and still struggle under scrutiny if your evidence trail is fragmented, late, or stored in places you cannot quickly surface. That is the real PA23 compliance test.

Why PA23 compliance is now an evidence test

Most authorities have done the obvious work: updated standing orders and contract procedure rules, refreshed templates, delivered training, and configured systems for the new notices.

‘investigations do not require a prior finding of non-compliance’

Scrutiny, whether from internal audit, external audit, the market, or the PRU, usually does not start with “tell me your process”. It will likely start with “show me what happened”. Under the PRU’s procurement compliance service, formal information requests are built into the oversight design, including the ability to require documents and assistance and to proceed even if cooperation is poor.

The practical problem is that evidence in procurement is rarely held in one place. It is often split across procurement files, finance systems, legal advice, service led project documentation and contract management records. When those sources do not line up, your compliance position feels shaky even if the underlying decision was reasonable.

Recent internal audit reporting in local government has highlighted the same patterns repeatedly: reliance on officers to retain approval evidence themselves, incomplete or inaccurate contract registers, and weak or inconsistent documentation around non-competitive decisions and contract management.

The common evidence failures are not dramatic. They are mundane. And they are exactly the sort of thing that causes panic when you have to assemble a coherent file quickly:

• the only “approval” is an email chain with no explicit delegated authority referenced

• the direct award justification exists, but it was written after the decision, not before it

• the contract register exists, but it is out of date, missing extensions, shows the wrong value, or too often missing contracts entirely

• the legal advice was verbal, or there is an email but it is not linked to the final decision record

• the finance approval exists, but procurement were not sighted and no one recorded route to market rationale

• the supplier started delivering while the paperwork caught up

Internal audit has also found examples of extensions being authorised after the extension had already commenced. That is not unusual in organisations under pressure, but it is exactly the kind of timing mismatch that creates a compliance headache, especially where publication duties or modification controls are engaged.

The point is not to criticise colleagues. These are system design issues. And under the Procurement Act 2023, system design matters because transparency and enforceability mean there is more chance that gaps will be noticed earlier and tested harder.

Direct Awards Under the Procurement Act 2023

Direct awards sit at the sharp end of PA23 compliance because they are, by definition, a decision not to compete.

The law is clear about the direction of travel. Before awarding a contract under the main direct award routes, a transparency notice must be published. The purpose is to put the intention to award directly into the daylight and give interested parties an opportunity to consider the justification.

It means direct award rationale is no longer just an internal file note. It becomes something the market can read, challenge and remember.

Where things usually go wrong is not that the organisation lacks a reason. It is that the organisation cannot evidence the reason in a way that withstands an unfriendly reading.

Be honest about the moments that create pressure: service continuity risks, supplier constraints, a failed competition, or a last-minute request to “just bridge” with a short extension. Those moments happen in every authority. The question is whether your evidence trail is built at the time, or reconstructed afterwards.

Switching from a competed process to direct award

‘Direct awards have already been successfully challenged’

Section 43 allows an authority to switch to direct award only after running a competitive tendering procedure and being unable to award because no suitable tenders or requests to participate were received, and where award through a competitive procedure is not possible in the circumstances.

This is a narrow route. Practitioner commentary has also highlighted that “unsuitable” in law is not the same as “too expensive” or “not what we expected”, and that the real challenge is evidencing why a section 19 award was not possible and who can be awarded to with integrity.

In other words, the compliance risk is not only the switch. It is the story you can evidence about why the switch was necessary.

What does good evidence look like in a direct award file?

Not a perfect document. A coherent narrative that links:

• the ground relied on, in plain English

• what you did to test the market, even if time was short

• what options you considered and why they were not viable

• who approved the decision and under what delegation

• what you published and when

Time limits sharpen this further. For most claims, a supplier must commence proceedings within 30 days from the day it first knew, or ought to have known, of the relevant circumstances.

That means your transparency notice and associated publication documents are not “forms”. They are the trigger point for scrutiny.

A common trap is to treat transparency publication as the last admin step. In PA23 compliance, it is part of the decision itself.

Contract Modifications Under PA23

Contract modifications are a risk to compliance.

The Procurement Act 2023 governs when and how public contracts can be modified and brings much greater transparency, including requirements around contract change notices for many modifications.

The operational reality is simple: spend drifts.

It drifts because projects evolve, because delivery conditions change, because budgets are real, and because teams prioritise continuity. None of that is wrong. But if you do not have a disciplined approach to tracking cumulative change, you can drift into a modification that is substantial in legal terms and looks like you have materially changed the deal after the fact.

Why cumulative change is where surprises happen:

PA23 compliance issues arise far more often from the third or fourth small change than from one big renegotiation.

Construction and highways projects are a classic example. Anyone who has lived through delivery knows how quickly scope shifts, whether through design development, ground conditions, programme pressures, or interface issues. In construction, changes to scope often appear as variations or changes, including additions, omissions, substitutions and design change, with direct impacts on cost and time.

External reviews of major roads schemes have shown how scope changes can drive significant cost variance, underlining that drift is not theoretical in complex delivery environments.

IT drifts differently, but it drifts just as easily and often undetected for too long a period.

The modern pattern is not one large licence purchase every few years. It is ongoing annual licence costs and incremental additions as teams scale usage. The National Audit Office has noted how technology cost structures have shifted from periodic capital investments to annual licence costs for cloud-based services.

Add a few licences here, a new module there, an additional environment for a project, and suddenly the total value and risk profile of the contract has changed, but nobody has paused to recalibrate the contract value, term and modification route.

Auto renewals make this harder, not easier.

Automatic renewal clauses are operationally convenient but governance risky. Recent internal audit work has explicitly highlighted automatic renewals as posing a risk of failing to secure best value and noted that extensions can occur outside the established governance framework where renewal controls are weak.

If the renewal happens quietly or undetected and the contract register is not updated, your organisation can end up in a position where:

• spend continues under a contract few people can locate

• the “current term” is not clear

• the published notices do not reflect reality

• procurement are asked to rationalise it after the service has already committed

This is where email-based decisions become toxic. Not because email is inherently bad, but because it is rarely a disciplined record.

When internal audit has found that approvals or dispensation records are not centrally retained and reliance is placed on local officers, the outcome is reduced assurance precisely where the risk is highest.

Spend Visibility and Procurement Engagement

'In PA23 compliance, visibility is everything'

If you cannot see spend building up, you cannot intervene before thresholds and publication duties bite. If procurement are brought in only when a contract is ready to sign, you have already lost most of your control points.

One of the oldest findings in contract management reviews is that organisations struggle when they do not have enough reliable information on the costs, performance and risks of contracts, and do not use that information effectively.

In practice, weak visibility shows up in familiar ways.

Contracts commencing before procurement knows:

This is often due to under resource or late identification of need, and is just how organisations behave when there is pressure to start delivery.

Internal audits are often finding instances of contract extensions being authorised after the extension commenced, which illustrates the same pattern: delivery first, paperwork later.

Once delivery has started, your options narrow. Competitive routes feel “impossible” because stopping the service feels unacceptable, and the organisation drifts towards direct award logic even when it could have planned better.

Spend increasing before anyone notices:

The slow build is the problem. A supplier is engaged for small pieces of work, the purchase orders are separate, the cost centres are different, and nobody sees the aggregated value early enough.

This is why quality contract registers matter. Internal audit reports across the sector have found contract registers to be incomplete, out of date or not accurate and complete, which directly undermines organisational control and the ability to spot drift.

Additionally, spend needs to be registered against specific contracts early, in requisitions and POs. This allows finance to be able to track and report on contract spend as opposed to spend against suppliers.

Finance approvals without procurement context:

A risk that senior leaders recognise is when a project is approved financially before anyone has set out, clearly, the intended route to market and the evidence expectations.

Finance approval is not procurement sign off. But if governance does not force the two to meet early, you create “internal urgency”, and urgency is what produces weak evidence.

The Procurement Act’s transparency direction increases the benefit of aligning financial and procurement data, not only for external scrutiny but for internal control. Contract payment information, when fully in force, is explicitly intended to link payments to specific public contracts to improve transparency and make inconsistencies and reconciliation issues easier to spot.

Even before that, the regime expects procurement and finance to operate from the same version of the truth.

Transparency Notices Under the Procurement Act 2023

‘If procurement does not know, notices cannot be published on time’

Under the old regime, many transparency failures were late and embarrassing, but often survivable.

Under the Procurement Act 2023, transparency is closer to the decision point. Notice types and sequences are built into the regime.

This is where many authorities feel exposed, not because they disagree with transparency, but because publication relies on timely knowledge. If procurement does not know, notices cannot be published on time.

There is also a wider reality here: public sector data quality is not consistently good. The National Audit Office has reported that buyers have not always met legal requirements to provide complete, accurate and timely procurement data, and earlier NAO work found only a small minority of departments met a standard for publishing the majority of contract award notices within 30 days.

PA23 compliance does not tolerate “we were busy” as an explanation. It expects you to design workflows that make publication normal. This is an increased challenge for teams that are often under-resourced.

The hard bits of transparency are not the notices you planned for. They are the ones that are triggered by unplanned events:

• a contract change agreed operationally, but not flagged as a contract change notice trigger

• a direct award decision made in a service area, with procurement told late or not at all

• an abandonment of a procurement, requiring a termination notice

• an extension agreed to avoid service failure, which turns into a modification issue

Contract details notices are a good example of how tight the regime is. For most public contracts, a contract details notice must be published within 30 days of entering into the contract (with longer periods for light touch).

If procurement only learns of the signature after the fact, you have just burned most of your compliance window.

The other practical reality is that errors are visible. If the value, term or description in a notice is wrong, it is not only an internal embarrassment. It can become a prompt for external challenge or for oversight queries.

So transparency is not administration. It is governance.

Procurement Governance and Delegation Controls

'This is what most senior people care about'

When things go wrong under PA23 compliance, it is rarely because the organisation had no policy. It is because delegation, record keeping and assurance did not work the way leadership assumed.

The PRU oversight model includes investigation powers, the ability to issue recommendations, and the possibility that investigation findings and progress reporting could be made public.

That is why governance needs to be more than a line in contract procedure rules. It needs to be operational.

The governance weaknesses that show up most often are painfully familiar…..

Email approvals rather than controlled approvals:

Email is where decisions happen because it is fast. The risk is that email is rarely where decisions are properly recorded.

If the only evidence of approval is an email that says “fine”, you may be unable to show:

• who had authority to say “fine”

• what they reviewed

• whether the latest version of the justification was seen

• whether legal or finance were consulted, and what advice was given

Internal audit findings have shown how quickly assurance erodes when central teams do not keep records of dispensations or approvals and rely on local officers to retain them.

No central decision log:

A decision log is not bureaucracy. It is the difference between being able to respond calmly and having to reconstruct decisions under pressure.

If direct awards, waivers, variations and extensions are not logged centrally with basic metadata (date, approver, value, ground, link to documents), you end up with organisational memory that sits in individuals’ inboxes.

Unclear sign off protocols:

Sometimes the protocol exists. It is just not followed consistently.

The most common version of this problem is a mismatch between what governance says and what delivery does. If meetings are not held and minuted, if registers are not updated, and if contract management routines are inconsistent, then the governance does not work. Internal audits continue to identify these exact gaps, including failures to hold or minute key meetings and incomplete registers.

No board level reporting that is decision useful:

Boards and audit committees do not need pages of metrics. They need decision useful information.

That means being able to answer, simply:

• where are we using direct awards, and why

• where are contracts drifting through modifications and extensions

• where is our contract register not reconciled to spend

• where are notice publication duties at risk because procurement are not sighted early

If you cannot answer those questions, you do not have assurance. You have hope.

Investment, Capacity and Governance Maturity

The final truth is the one most organisations avoid: PA23 compliance has increased the operational load.

The regime brings more publication points and more linkage between procurement data, delivery and payments over time. Contract payment information under section 70, for example, is explicitly intended to link payments to specific public contracts and support better reconciliation and transparency, with commencement for procurements from 1 April 2026 in the published government material.

Contract governance duties also expand into performance. There are publication expectations around key performance indicators for certain higher value contracts and the assessment and publication of performance information.

None of this is impossible. But it is not free.

If you expect operational departments to be procurement experts, you will get one of two outcomes:

• good people freeze and avoid making decisions

• good people make fast decisions and record them badly

Neither is safe.

The more robust approach is to treat governance as a corporate capability. That usually means investing in:

• procurement capacity where it reduces corporate risk, not only where it delivers savings

• contract management skills and routines, not just contract award processes

• systems and workflows that make notice publication and contract register updates automatic where possible

• assurance activity that tests whether these controls work in practice, not only on paper

This is where independent assurance and governance reviews can be helpful, not as a compliance theatre exercise, but as a stress test of whether your operating model produces evidence that stands up.

When the Scrutiny Comes…

PA23 compliance is not a test of whether your team has read the Act. It is a test of whether your organisation can evidence its decisions, end to end, at the point scrutiny arrives.

If the PRU email landed tomorrow morning, would you respond calmly, or would you start searching inboxes?