Compliance isn't just about whether the right purchases were approved. It's about being able to prove that they were, months or years later.
Federal grant audits can happen years after a grant closes. When an auditor asks for documentation of a purchase — why it was approved, who approved it, what grant it was charged to, whether it was received — that information needs to exist and needs to be retrievable. "We checked at the time" is not a defense against a finding.
What an Audit Trail Has to Contain
The audit trail for a purchase should include:
- Who requested it — the person who placed the request, not just the person who placed the order
- What justification was provided — the stated reason for the purchase at request time
- Who approved it and when — with timestamps, not just "PI approved"
- What account it was charged to — at request time and at payment time (these sometimes differ)
- When it was received — receipt confirmation, not just "ordered and paid"
- The invoice — the actual invoice, matched to the specific orders it covers
Most labs have some of this information scattered across emails, financial systems, and filing cabinets. Very few have all of it in a form that's easy to retrieve on demand. The lab manager who could put their hands on the full paper trail for a specific order from 2022 is the exception, not the rule.
The labs that fare best in audits are the ones where every purchasing decision was recorded in a single system, with all the relevant documentation attached, from the moment of request through payment. Not because they were preparing for an audit — but because that's just how their workflow runs.
A Realistic Path to Get There
If your lab's compliance posture today is "we have a policy document and people roughly follow it," here's a realistic path to something better:
Start with your most restricted accounts. Federal grants with specific restrictions are higher risk than discretionary accounts. Document the rules for each active federal grant explicitly: what's allowable, what requires prior approval, when the period ends. Keep this somewhere accessible — not just in your head.
Define your approval thresholds. For each account, decide what requires your explicit approval vs. what the lab manager or administrator can approve. Write this down. Communicate it to everyone who places orders.
Require justification at request time. "Why is this needed and which project does it support?" is a question that's much easier to answer when placing an order than six months later. Make it a required field, not an optional one.
Create a receiving step. Receipt confirmation is the step between "ordered" and "paid" that many labs skip. It's also a grant compliance control: you can't certify that a charge is allowable if you don't know that the item was received and used for the work being funded.
Keep invoices with orders. Every invoice should be attached to the orders it covers. Not filed separately. Not in a vendor email folder. Attached to the purchasing record so they can be retrieved together.
None of this requires new software. It requires discipline and a system — any system — for recording the information that compliance requires. If that system is a well-maintained spreadsheet, that's better than nothing. If it's a purpose-built lab purchasing platform like Ixion that enforces the rules automatically and maintains the audit trail as a byproduct of normal operations, better still.
The goal in either case is the same: when an auditor asks about a purchase from 18 months ago, you want the answer to take five minutes, not five days.