Whether you have one or ten Vendor Maintenance employees, whether vendor maintenance sits in Procurement, in Accounts Payable (AP) or under the same Global Process team, and whether you have a manual process or a global vendor portal, restricting access to sensitive vendor data should be on your radar. There are two processes that the Vendor Maintenance team can implement today to protect sensitive vendor data without intervention from the IT or Systems group. Still printing 1099s? Very timely.
What is Considered Sensitive Vendor Data in the Vendor Master File?
Tax ID – Can either be the Employer Identification Number (EIN), the Social Security Number (SSN) or a Foreign Tax Identification Number (TIN). Both the Social Security Number and Foreign Tax Identification Number can be assigned to an individual, and as such they are considered sensitive personal information. Since some accounting systems have one field for either tax identification number, the Tax ID should still be considered sensitive personal information.
Banking Details – Many companies include banking details on their invoices (especially international vendors) because the account that AP sends payments to is a “deposit only” account. That is not always the case. Many individuals and single-member LLCs do not have “deposit only” accounts, so banking details should still be considered sensitive personal information.
Birth Date – In specific scenarios, the IRS requires the collection of a birthdate for Foreign Individuals. Birthdates are considered sensitive personal data that should only be collected for regulatory requirements. Go to www.irs.gov for more information.
Two Ways to Protect Sensitive Vendor Data
Secure Print – Depending on the purchasing, invoicing, and vendor setup and maintenance processes, collecting vendor supporting documentation comes with the added risk that the documentation includes sensitive data. If your current process requires that supporting documentation be printed, and secure print is available on your printer, enable that functionality. Sensitive data will then be printed only when the user arrives at the printer and keys in the code, which prevents the document from sitting in the print tray where other employees innocently retrieving their own print jobs could see it.
Desk Audit – Now that the document is printed, it goes back with the user to their desk, or does it? If it does, it needs to be protected from the view of those who do not need to see it. The purpose of the desk audit is to randomly check desks, printers and any common areas to ensure that employees are always in the mindset of security and protect sensitive data by discarding (locked shredder) or securing those documents after use. No documents with sensitive data should remain on an employee's desk once they have been processed or after the employee leaves for the day. In addition to vendor sensitive data, also include employee sensitive data, passwords, and any data that can threaten security.
Schedule the desk audits randomly after business hours, and at recurring intervals such as monthly. Write up a formal process and guidelines, then work with your team to walk through expectations, including a review process for infractions. You can make it more palatable by tying team member recognition or rewards to low or no incidents. Soon, protecting sensitive data will be second nature for your employees.
These are two process changes that do not involve IT to help protect vendor sensitive data. Remember to reach out to your leadership and/or your audit group prior to making any process changes.
Episode 14 of the “Putting the AP in hAPpy” Podcast includes two extra ways to protect your vendor sensitive data that involve the IT team. Also, you want to listen if you have Non-Vendor Maintenance employees collecting vendor supporting documentation to submit to Vendor Maintenance. What do you think those employees are doing with the documents after they submit to Vendor Maintenance? Hint, they are not safely disposing of that data.
Debra R. Richardson,
MBA, APM, APPM, CPRS
Debra is an accounts payable speaker, consultant, and trainer with over 20 years of experience in AP, AR, general ledger, and financial reporting for Fortune 500 companies including Verizon, General Motors and Aramark.
For the past eight years, Debra has focused on Global Vendor Maintenance, and implemented a vendor self-registration portal for 140k+ global vendors across five Accounting Systems/ERPs. In her consultancy, she focuses on internal controls and authentication to prevent fraud in the vendor master file.