13 Aug Vendor Maintenance
For Improved Vendor Management, Be Sure To Regularly Review Your Vendor Maintenance Process For Appropriate Controls
Vendor Maintenance Requests: Can your team communicate the status of each new Vendor Maintenance request, how many have been received by day, their age, the status of due diligence, and when the requestor can receive confirmation of the change or addition? These questions are critical control points for Vendor Maintenance changes. So often companies receive requests for new vendors or vendor master changes via Email. As the volume of these emails increase, it becomes impossible to quickly answer status or metric type questions. To help with this issue, some companies consider installing a standard vendor request template that perhaps feeds a system to automatically assign a control number and capture the data on the request. We see our clients design and install systems to do just that and easily provide metrics, status of requests, incorporate related due diligence documents, and even track and automatically send applicable related communications.
Vendor Maintenance Due Diligence: Is your due diligence for adds or changes to your Vendor Masterfile extensive enough to help mitigate risk of fraud? Would your team recognize if they received an email request appearing to be from an existing vendor for a change (that truly was not ‘from’ them)? This is such an important area in today’s environment as cybersecurity risk continues to increase. One of the most critical due diligence steps in evaluating a vendor maintenance request is to ensure your team is using the contact phone #’s & email addresses from your Vendor Masterfile and ‘initiating’ the contact to the vendor to validate the request received. Bank account numbers have the most serious risk and extra due diligence is needed for changes involving bank accounts. There is a defined process to evaluate due diligence processes that require applicable controls for consistency and mitigation of fraud risk.
Vendor Masterfile Clean-up: Have you had mergers or acquisitions in your history where Vendor Masterfiles have been combined? Do you confirm that a similar vendor is not already in existence when new vendor requests are received? When a vendor changes a name and is given a new vendor number, are controls in place to ensure the prior vendor number is deactivated? A Vendor Masterfile can easily get out of control and should regularly be reviewed for potential duplications, inactivity, and completeness. Some companies have a practice of deactivating vendors not used for a certain period of time and new requests to use a deactivated vendor require special approval and applicable due diligence. Companies also download their Masterfile & prepare various analyses to identify potential duplicate vendors. Our preference generally is to use auditing software to identify potential duplicate vendors and maintain a clean Vendor Masterfile.
Duplicate and Improper Disbursements: Do your vendors return checks indicating this invoice has already been paid; or they do not show a receivable from your company; or this payment belongs to a related organization? When expense type invoices are processed that do not include an invoice number (i.e. a monthly service for March), are invoice numbers consistently created (i.e. Mar-2020 vs March 2020)? Does your system allow for partial payments & how are these controlled? Duplicate or improper payments result when appropriate processing and disbursement controls are not in place. Performing root cause analysis of voids, or other errors, is one method to help assess whether appropriate controls are in place. This process also permits adding prevention steps to improve controls. Often the Vendor Masterfile causes the issues, and disbursement analysis / auditing tools can be used to aid with the identification of improper disbursements.
Ilene Kappel, Director – Sirius Solutions, L.L.L.P.
If you would like further information about Improving Vendor Management, please complete the form below.