
- Membership
- Certification
- Resources
- Events
- Community
- About
- Help
Adding or changing a vendor requires the collection of sensitive information, which can introduce risks if handled by internal team members. These risks include outdated data and exposure of personally identifiable information which can lead to internal and external fraud. If your required vendor documents to add or change an existing vendor are collected from the internal team member, that step in the vendor process can have risks that need to be mitigated.
Documents Required for a Vendor Add or Change to the Vendor Record in the Vendor Master File
As part of the vendor add or change process, documents need to be collected as support for that add or change. Included on those collected documents is vendor information that is needed not only for doing business with the vendor such as issuing a purchase order and paying the vendor, but also for compliance such as when reporting payments made.
Three of the most common forms collected and the vendor information included are listed in this table:
Forms | Data Collected |
IRS W-9 / W-8x | Name DBA Name Tax Address Tax ID Country of Birth Birthdate |
Banking Form/Letter / Voided Check | Bank Account Holder Name (Vendor Legal Name) Bank Account Number Bank Routing Number Bank Address |
Vendor Setup Form | Name DBA Name Address Tax ID Other Registration #’s (DUNS, etc) Remit Address Misc |
Once these documents are received, the vendor team will use the vendor data to add a new vendor or change an existing vendor. The documents are typically stored securely by attaching to the vendor record or on a secure drive.
What Are The Risks When Internal Team Members Collect Vendor Documents?
Many may not believe that there is less risk associated with the internal team members collecting vendor documents. Why? Because they have the relationship with the vendors and the expectation is that since they have that relationship with the vendor, they are more likely to know they are dealing with the real vendor.
This really happened. As a practitioner, our internal team members from a department that submitted a large volume of vendor requests and collected the required vendor documents, not only retained those documents but created a database and entered vendor information including taxpayer identification numbers. Most of these vendors were individuals and submitted their social security numbers. The master data governance team was brought in to document and check with other departments to ensure that there were no other databases or files that housed vendor sensitive information outside of the system of record.
What Should You Do Instead?
Create and implement a process to have the internal team member submit the vendor contact information to the vendor team, then have the vendor team reach out directly to the vendor. This can be a separate form, such as an internal request form, or it can be fields added to an existing form such as a payment request form. At a minimum collect contact information and the reason for the request (add or change). Once submitted, the vendor team will reach out to the vendor and provide the forms that the vendor needs to submit to complete the request, and most importantly, instructions to submit the completed forms directly to the vendor team – not the internal requester.
The internal requester is no longer exposed to vendor sensitive information.
In addition to mitigating the risks noted above, another benefit of using this form means that the vendor team will receive not only contact information, but the contact information that will be used for vendor-related tasks such as that confirmation call, versus the sales or marketing contact that the internal team member may deal with. This eliminates issues that many vendor teams face today when trying to confirm submitted changes to vendor remittance data without appropriate contact information on file.
This does not mean internal team members can’t still be an asset to the vendor team. If you are having trouble getting the vendor to respond or need updated contact information, contact the internal team member who may be actively dealing with the vendor and can assist in getting a response or that updated contact information.
Conclusion
Managing the collection of vendor information is critical to preventing fraud and protecting access to sensitive data. By limiting internal exposure to vendor documents and implementing a controlled process where the vendor team collects required vendor documents, organizations can reduce the risk of external and internal fraud.
What are you waiting for?