A Due Diligence Workflow for China Sourcing

Assign supplier checks to procurement, quality, legal, finance, and business owners across sourcing stage gates, with clear handoffs and event-driven refresh rules.

A sourcing due diligence workflow should show who can stop an order, what evidence must cross each handoff, and which change reopens a decision. A long checklist cannot do that by itself. When every department assumes that “the supplier was already checked,” a correct company record can coexist with an unapproved bank account, an untested product change, or a contract signed by the wrong entity.

Procurement, quality, legal, and finance specialists reviewing one supplier across a physical sourcing lifecycle board
One supplier file moves through several decisions. Each function adds evidence and either clears, conditions, or returns its own gate.

This article is about the operating rhythm behind the checks. For the underlying risk categories and source-by-source investigation, use the full China supplier due diligence guide. The workflow below gives those checks owners, deadlines, handoffs, and reopening rules.

Treat due diligence as stage gates, not one approval date

The OECD's introductory due diligence material for upstream actors describes risk management as an ongoing process whose form depends on context. A sourcing team can use that process discipline without pretending that one universal checklist covers every product, market, or order value.

Start by separating approval objects. The team may approve a company identity for contact, a sample for testing, a factory for one process, a contract for one product family, and a payment to one beneficiary. Those approvals can have different owners and expiry conditions. None should silently approve all the others.

Give five functions a defined decision

Sourcing or procurement owns the exact candidate identity, commercial rationale, contact history, quotation, proposed transaction structure, and completeness of the handoff. It should not certify manufacturing capability merely because a salesperson arranged a factory visit.

Quality or engineering owns the specification, sample result, process capability, factory or subcontractor evidence, inspection plan, and product-change control. It does not decide whether an unexplained third-party beneficiary may be paid.

Legal or compliance owns transaction-specific legal and compliance issues, contract allocation, restricted or high-risk structures, escalation, and any requirement for specialist advice. It should distinguish a verified fact from a legal conclusion.

Finance owns beneficiary authentication, invoice and contract reconciliation, payment milestone, amount and currency controls, bank-detail changes, and release evidence. A green supplier profile is an input, not a release instruction.

The business owner decides whether the documented residual risk is commercially acceptable. That role can accept a properly described risk within authority, but it should not override an unresolved identity, safety, sanctions, fraud, or payment hold by changing the colour in a spreadsheet.

Use a lifecycle responsibility matrix

Gate Accountable owner Required handoff Decision
Lead and candidate Sourcing Exact legal identity, source, commercial rationale, initial risk screen Reject, shortlist, or request identity evidence
Sample and feasibility Quality/engineering Sample passport, drawing or specification, test result, factory/process hypothesis Fail, rework, conditional technical pass, or pass
Onboarding and contract Legal/compliance with business owner Entity map, risk findings, agreed seller/manufacturer roles, contract deviations Decline, escalate, approve conditions, or approve scope
PO and deposit Finance Approved contract/PO, invoice, beneficiary evidence, milestone and callback result Hold, return, or release this payment
Production and shipment Quality/operations Approved revision, inspection status, nonconformities, shipping release conditions Rework, waive with authority, hold, or ship
Repeat order or change Sourcing coordinates; changed-risk owner decides Change log, refreshed evidence, performance history, open claims Reuse approval, reopen selected gates, or full reassessment
Exit Business owner with legal/operations Open orders, tooling, confidential data, warranty, claims, access and records Transition, recover, retain, settle, or close

`Accountable` means the function that must close the gate, not the only contributor. For example, sourcing may collect the bank letter, but finance should authenticate and approve the beneficiary. Quality may raise a product-compliance concern, while legal or a qualified specialist determines the applicable rule. The pre-shipment inspection guide owns the detailed production-release procedure.

Make each handoff small enough to inspect

A useful handoff is a short decision packet, not an email saying “documents attached.” Its cover note should identify the supplier and order, the decision requested, evidence checked and dates, unresolved questions, conditions, next owner, and deadline. Link to the source files rather than pasting conclusions without provenance.

Keep a single evidence manifest in the supplier approval file. Each item needs a source, collection date, owner, related entity, applicable product or transaction, and replacement history. The separate internal approval memo can summarise the decision, but it should not become an orphaned snapshot.

For Chinese company identity, the Ministry of Justice's Enterprise Information Publicity Regulation provides the public-information framework. SAMR describes the National Enterprise Credit Information Publicity System as the statutory platform for annual and immediate enterprise disclosures and a public enterprise-information query platform. Record what was observed and when; do not label the profile permanent approval.

Reopen only the gates affected by a change

Annual review can be a backstop, but material events should drive the workflow. Reopen the relevant gate when the legal name, status, address, ownership or representative changes; when a new factory or subcontractor appears; when bank details, payee, country or currency changes; when the product, material, design, destination market or order value changes; or when quality, delivery, legal, safety or integrity events alter the risk.

A minor phone-number update does not require a factory audit. A new beneficiary does require a payment-path review even if the company record is unchanged. A substituted motor requires technical approval even if the bank account is stable. The repeat-order review explains how to perform a targeted refresh rather than restarting blindly.

Case: the supplier is green, but the deposit is not

Fictional buyer `Northfield Controls` shortlists `Suzhou Meridian Motion Co., Ltd.` for a geared-motor project. Sourcing confirms the exact Chinese entity, current registration details, commercial rationale, sales contact, and sample quotation. Quality tests two samples and records an acceptable torque curve. The legal team agrees the seller and manufacturer roles in the contract. Those three gates are green for the defined product.

Hours before the 30% deposit is due, the salesperson sends a revised invoice naming a Hong Kong beneficiary. The email says the group uses that account for exports and asks for urgent payment. Finance opens a new beneficiary event. It does not ask sourcing to change its earlier identity result, and sourcing cannot approve the payment because it knows the salesperson.

The payment remains on hold while finance and legal reconcile the Hong Kong entity, authority to collect, contract, invoice, bank-country rationale, refund obligations, and an independent callback. The team follows the beneficiary workflow and the wider pre-payment gate. If the chain is supported, the file records a scoped approval for that beneficiary and transaction. If not, the deposit does not move.

Two months later the supplier proposes a lower-cost motor. That event returns to quality and engineering, not finance. The legal entity and approved beneficiary remain valid unless another fact changes, but the old sample result cannot approve a new component.

Use conditions and expiry, not only red or green

Three states are usually too crude. A practical record can use: `open`, `waiting for evidence`, `cleared`, `cleared with conditions`, `expired`, `superseded`, and `declined`. A condition needs an owner, due date, verification method, and consequence if unmet. “Monitor supplier” is not a control; “quality manager reviews first-production inspection before shipment release” is.

Define escalation thresholds in advance. Examples include an unexplained legal-entity mismatch, personal beneficiary, sudden bank change, refusal to identify the factory, undisclosed subcontracting, safety-critical specification change, adverse legal event, or deposit outside the approved milestone. Route each to the function capable of resolving it, not automatically to the most senior person.

Measure whether the workflow works in practice

The U.S. Department of Justice's 2024 compliance-program evaluation asks whether third-party controls cover business rationale, appropriate contract and payment terms, timely vendor review, actual performance, data used during the relationship, and ongoing monitoring. The DOJ's broader corporate compliance principles also distinguish a programme that is implemented, reviewed, and revised from one that exists only on paper. These are evaluation questions, not a legal template for every buyer.

Useful sourcing measures include the share of files arriving complete at each gate, time spent resolving material exceptions, late bank or entity changes, payments correctly held and resolved, shipments released with overdue conditions, suppliers with stale risk reviews, and repeat failures traced to an earlier weak handoff. Raw counts of checks, documents, or green cells can reward activity while hiding whether anyone stopped a bad decision.

Start with one order and preserve the decision trail

Map a recent order from first contact to shipment. Mark every decision, owner, input, output, hold, override, and change. Where the chain depends on memory or forwarded email, define the missing handoff. Then test the workflow on one new supplier before changing every form.

Keep the result proportionate. Low-risk catalogue purchases need fewer gates and lighter evidence than regulated products, custom tooling, large deposits, or opaque multi-entity structures. The standard is not maximum paperwork. It is a decision trail in which each specialist knows what was already established, what remains outside that evidence, and what event sends the file back.