Are Your Internal Team Members Collecting Your Required Vendor Documents? It’s Risky

November 24, 2025

Share

Adding or changing a vendor requires the collection of sensitive information, which can introduce risks if handled by internal team members. These risks include outdated data and exposure of personally identifiable information which can lead to internal and external fraud. If your required vendor documents to add or change an existing vendor are collected from the internal team member, that step in the vendor process can have risks that need to be mitigated. 

Documents Required for a Vendor Add or Change to the Vendor Record in the Vendor Master File

As part of the vendor add or change process, documents need to be collected as support for that add or change.  Included on those collected documents is vendor information that is needed not only for doing business with the vendor such as issuing a purchase order and paying the vendor, but also for compliance such as when reporting payments made. 

Three of the most common forms collected and the vendor information included are listed in this table:

Forms

Data Collected

IRS W-9 / W-8x

Name

DBA Name

Tax Address

Tax ID

Country of Birth

Birthdate

Banking Form/Letter / Voided Check

Bank Account Holder Name (Vendor Legal Name)

Bank Account Number

Bank Routing Number

Bank Address

Vendor Setup Form

Name

DBA Name

Address

Tax ID

Other Registration #’s (DUNS, etc)

Remit Address

Misc

 

Once these documents are received, the vendor team will use the vendor data to add a new vendor or change an existing vendor.  The documents are typically stored securely by attaching to the vendor record or on a secure drive.

What Are The Risks When Internal Team Members Collect Vendor Documents?

Many may not believe that there is less risk associated with the internal team members collecting vendor documents.  Why?  Because they have the relationship with the vendors and the expectation is that since they have that relationship with the vendor, they are more likely to know they are dealing with the real vendor. 

  • They have exposure to vendor sensitive data.  As noted on the above table the vendor documents collected contact taxpayer identification numbers which may include social security numbers.  If making electronic payments the banking information is also collected.  Having exposure to this sensitive information means they can be social engineered into revealing it to fraudsters that can lead to external fraud, or worse, replace it with their information leading to internal fraud. 
  • They retain the forms and sensitive information.  When the vendor submits the required forms to the internal team member, sometimes after multiple requests for corrections, the internal team member may retain that form (and any included sensitive information) for any future requests to avoid friction in the future.  This practice can result in not collecting updated information when a change is required since the old form is retrieved and submitted that can contain old vendor information.  

Spilt/Cracked Glass Of Milk with solid fillThis really happened.  As a practitioner, our internal team members from a department that submitted a large volume of vendor requests and collected the required vendor documents, not only retained those documents but created a database and entered vendor information including taxpayer identification numbers. Most of these vendors were individuals and submitted their social security numbers. The master data governance team was brought in to document and check with other departments to ensure that there were no other databases or files that housed vendor sensitive information outside of the system of record. 

  • They can get social engineered too.  Having access to vendor sensitive data means that internal team members are at risk of revealing this information resulting in fraud.  Fraudster may target these team members to reveal vendor social security numbers or banking information that can be used in identity theft or for subsequent fraud attempts.  Further, finance related red flags that vendor team members routinely look for to spot fraudulent emails, or detect fraudsters on telephone calls, may not be familiar or routine to internal team members, making them more susceptible to being social engineered. 

What Should You Do Instead?

Create and implement a process to have the internal team member submit the vendor contact information to the vendor team, then have the vendor team reach out directly to the vendor.  This can be a separate form, such as an internal request form,  or it can be fields added to an existing form such as a payment request form.  At a minimum collect contact information and the reason for the request (add or change).   Once submitted, the vendor team will reach out to the vendor and provide the forms that the vendor needs to submit to complete the request, and most importantly, instructions to submit the completed forms directly to the vendor team – not the internal requester.

The internal requester is no longer exposed to vendor sensitive information.

In addition to mitigating the risks noted above, another benefit of using this form means that the vendor team will receive not only contact information, but the contact information that will be used for vendor-related tasks such as that confirmation call, versus the sales or marketing contact that the internal team member may deal with.  This eliminates issues that many vendor teams face today when trying to confirm submitted changes to vendor remittance data without appropriate contact information on file.

This does not mean internal team members can’t still be an asset to the vendor team.  If you are having trouble getting the vendor to respond or need updated contact information, contact the internal team member who may be actively dealing with the vendor and can assist in getting a response or that updated contact information.

Conclusion

Managing the collection of vendor information is critical to preventing fraud and protecting access to sensitive data. By limiting internal exposure to vendor documents and implementing a controlled process where the vendor team collects required vendor documents, organizations can reduce the risk of external and internal fraud.

Subscribe to our Monthly Insider

You may unsubscribe from our mailing list at any time. Diversified Communications | 121 Free Street, Portland, ME 04101 | +1 207-842-5500