Why did the fraudster cross the road to Accounts Payable? Because that’s where the money is.
I remember the days when requiring an IRS Form W-9 and comparing the Legal Name and Tax ID using IRS TIN Match was considered the gold standard for setting up a vendor in the Accounting System or ERP in Accounts Payable (AP). With the AP Help Desk and Vendor Maintenance team receiving phishing emails regularly, steps have to be put in place not only to make sure the vendor is compliant with regulatory agencies; AP Vendor Maintenance teams now also have to make sure that the source of the vendor documents is real and the vendor data submitted is real. That takes additional time.
When the Vendor Maintenance team receives a request to add a new vendor or update an existing vendor, the first step is to authenticate that the request did not come from a fraudster. How do you do that?
By reviewing the email carefully to determine if there is an additional letter in the email domain, and by hovering over the attached documents to confirm they are true documents and not links to a fraudulent site.
By requiring authentication data such as a combination of the last four digits of the Tax ID or bank account, plus the last three deposit dates and amounts or the purchase order number. These can be added to the required forms if change requests are submitted.
By adding internal controls. No one will be 100% thorough 2,080 hours a year at catching fraudulent emails. Adding internal controls such as requiring a second approval for wire transfer requests via email, as noted in Kip Boyle’s book “Fire Doesn’t Innovate: The Executive’s Practical Guide to Thriving in the Face of Evolving Cyber Risks”, will reduce the many incidents of business email compromise scams. Here is one published this week where a City Treasurer wired $128K to a fraudster.
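The "additional letter in the email domain" review can be backed by an automated comparison against the vendor's domain already on file. The following is an added example, not the author's own tooling; the function names, the distance threshold of 2, and the vendor and sender values are assumptions constructed for illustration.

```python
# Added illustration; vendor domains and sender addresses are constructed.

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute) using two rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # drop a character
                           cur[j - 1] + 1,             # add a character
                           prev[j - 1] + (ca != cb)))  # swap a character
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Lower-cased domain part of an address such as 'Name <ap@vendor.example>'."""
    return address.rsplit("@", 1)[-1].strip(" >.").lower()


def classify_sender(address: str, domain_on_file: str, max_distance: int = 2) -> str:
    """Compare a request's sender domain with the vendor's domain on file.

    'match'     : same domain or a subdomain of it (still not proof of identity)
    'lookalike' : differs by at most max_distance edits, e.g. one extra letter
    'unknown'   : unrelated domain; treat as unverified
    """
    domain = sender_domain(address)
    on_file = domain_on_file.strip().lower()
    if domain == on_file or domain.endswith("." + on_file):
        return "match"
    if edit_distance(domain, on_file) <= max_distance:
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    on_file = "acme-supply.example"  # constructed vendor record
    for sender in ["ap@acme-supply.example",
                   "AP Team <ap@acme-suppply.example>",   # extra letter
                   "ap@acme-supp1y.example",              # l swapped for 1
                   "ap@unrelated-vendor.example"]:
        print(f"{classify_sender(sender, on_file):10} {sender}")
```

A "match" only clears this one check, because sender addresses can be forged; the authentication data and second approval described above still apply.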
Once the source is authenticated, now the team needs to ensure the vendor is real and the vendor data submitted is real, which also serves as a double check if a phishing email made it this far (again, employees can’t be 100% 2,080 hours a year). Checking against IRS records, OFAC, USPS and/or Google Earth for address validation, and System for Award Management (for governments) are some of the validations that can be used. Red flags to look for:
Legal Name and Tax ID do not match
Address is PO Box or does not exist
Your Vendor Master File is vulnerable because fraudsters try to update existing real vendors with fraudulent remit data (banking, remit address) to redirect payments. An internal control is to reduce the volume of active vendors at least monthly by inactivating vendors that have not been active for a predetermined time period, such as 15 or 18 months. How does it extend the time it takes to change an existing vendor?
The vendor may be inactive and will have to resubmit required documentation, triggering the authentication and validation process.
A confirmation process should be required to confirm that the change was initiated by the vendor. This is an internal control that is a final attempt to ensure that the request is real. A telephone call or an email communication using the contact information already on file should be used.
Once the update to the existing vendor is made, a notification should be sent to the vendor as the final step in the process. We all get emails when we make changes to our Amazon, Netflix or Utility company profiles. Same thing. See my blog post: “Send a Notification to Vendors After Updates in the Vendor Master File”
Changing Mindsets of Internal and External Stakeholders
Yes, the Vendor Master Team will take longer to process new vendor adds and existing vendor change requests. Communicate this to all Stakeholder groups and Internal Employees to reset expectations for the Vendor Setup and Maintenance process timelines. Gone are the days when IRS TIN Match was the gold standard, and gone too are the days when internal and external pressure to quickly process requests for a “simple bank change”, etc. should be tolerated.
Haven’t performed a vendor inactivation or Vendor Master File clean-up lately? See my 5 Day Vendor Master File Clean-Up.
Want a handy Cheat Sheet that includes the links to vendor validation resources? Sign up for my mailing list to download the Vendor Validation Reference List and share with your entire team!
Protect the Vendor Master File from Fraud. Keep it Clean.
Debra is an accounts payable speaker, consultant, and trainer with over 20 years of experience in AP, AR, general ledger, and financial reporting for Fortune 500 companies including Verizon, General Motors and Aramark.
For the past eight years, Debra has focused on Global Vendor Maintenance, and implemented a vendor self-registration portal for 140k+ global vendors across five Accounting Systems/ERPs. In her consultancy, she focuses on internal controls and authentication to prevent fraud in the vendor master file.