Three Vendor Audits Every AP Team Should Be Running

July 8, 2026

Share

63
31 min
AP expert Debra Richardson joins host Grace Berube to walk through three audits every vendor team should have in place to reduce fraud exposure.
Debra Richardson
Debra Richardson, Accounts Payable Consultant | Speaker | Trainer – Debra R. Richardson, LLC
Grace Berube
Grace Berube, Senior Content Manager, IOFM

In this episode, AP expert Debra Richardson joins host Grace Berube to walk through three audits every vendor team should have in place to reduce fraud exposure. Using the real-world case of a Facebook diversity manager who stole nearly $5 million by exploiting gaps in vendor creation and invoice approval, Debra explains how segregation of duties, security access, and vendor process compliance each address a distinct vulnerability — and why doing only one or two of the three still leaves the door open. She also covers new NACHA fraud monitoring requirements taking effect in 2026 that make documented, auditable vendor processes not just good practice, but a compliance obligation.

WHAT YOU’LL LEARN IN THIS EPISODE

  • How a single employee at Facebook created and approved fraudulent vendors and invoices for years — and what segregation of duties controls would have prevented it.
  • What a segregation of duties audit covers in the vendor process, and why no one team member should be able to create a vendor, approve an invoice, and release a payment.
  • Why a security audit goes hand in hand with segregation of duties, including how access granted years ago (or during the pandemic) may still be sitting in your system unnoticed.
  • What a vendor process audit is, why controls tend to erode over time, and how a regular audit keeps teams following the right steps even during busy periods like month-end or year-end.
  • How new NACHA fraud monitoring rules — and potential insurance requirements — are making it necessary to not only have vendor fraud controls in place, but to document and verify that they’re actually being followed.

Debra Richardson
Accounts Payable Consultant | Speaker | Trainer – Debra R. Richardson, LLC

Debra is an Accounts Payable speaker, consultant, and trainer with over 20 years of experience in AP, AR, general ledger, and financial reporting for Fortune 500 companies including Verizon, General Motors, and Aramark.

For over a decade, Debra has focused on Global Vendor Maintenance.  As an Senior AP Manager at a Global 15 company she lead a team of 17 that over 2,000 vendor requests per month and maintained 140k+ global vendors across seven ERPs. In her consultancy, she focuses on working with vendor teams to add authentication techniques, internal controls best practices and vendor validations to reduce the potential for fraud, compliance fines and bad vendor data in the vendor master file.  She is the President of the Central Atlantic Region IOFM Chapter and the IOFM Ask the Expert for the Vendor Master File Category.  

A Certified Fraud Examiner (CFE), Debra works with vendor management teams to clean their vendor data and update their vendor processes so they pay the right vendor.

She has a YouTube channel where she posts vendor master file tips every Tuesday and hosts a weekly podcast: “Putting the AP in hAPpy”. 


Grace Berube
Senior Content Manager, IOFM

Grace is the Senior Content Manager at the Institute of Finance & Management (IOFM), where she has led content strategy and development since 2022. In this role, she oversees all aspects of IOFM’s digital and event-based content, ensuring it remains timely, relevant, and actionable for all financial operations professionals.

Grace manages IOFM’s robust library of site content, leads the organization’s editorial and member webinar programming, and hosts IOFM’s podcast series. She also oversees a team of subject matter experts who contribute thought leadership and educational articles. In additional, Grace curates and manages all speaker content for IOFM’s in-person and virtual events, ensuring consistency and quality across every touchpoint. With nearly three years in the role, Grace brings a deep understanding of the financial operations landscape and a passion for delivering content that empowers professionals to excel in their roles.

Subscribe Today

Listen below and subscribe on Apple Podcasts today.

b65d517b-5d22-47a4-b892-eac317be49e6.png.small.300x300.png


Transcription

Grace Berube: Welcome to the IOFM podcast. This is a podcast for accounts payable and accounts receivable professionals who want to stay in the know with current AP and AR trends and ideas. We’ll be interviewing professionals in this space on a wide variety of subjects, including automation, artificial intelligence, career growth, compliance, leadership, and much more.

Hey, Debra. How's it going? 

Debra Richardson: Oh, just fine, Grace. How's it going with you?

Grace Berube: Going well. Going good. I'm excited to have you back on the podcast today for another episode, and today we're talking about audits. Is that right?

00:00:44

Debra Richardson: Yes. We're talking about audits that can really close the biggest gaps in the vendor process that can lead to fraud. Some of these you might not think about, right, but I think they are excellent to put into place, and/or excellent to expand if you already have some audits in place or the audit in place, but really just not touching the vendor process. I think this is going to be a good episode.

Grace Berube: Yeah, I completely agree. And we'll talk about it a little bit as we get more into the details, but we have some great content resources for you, for beyond today's episode, that'll all be in the show notes and on the IOFM landing page for the podcast. If you want more information after we're done with the conversation today, be sure to check in on those links that we have there.

00:01:37

To get us started out, talk to me about the DEI executive who stole from Facebook. I feel like that's going to be a good way, you had mentioned, to start it all off. 

Debra Richardson: Yeah, and I know we have all heard about her, because it was splattered everywhere. She's a former diversity program manager, or was a former diversity program manager at Facebook. She stole, in total, $4.9 million.

What's even stranger is that when she got fired for doing that, she actually went over to Nike in the same position and stole yet another amount. It was a smaller amount. I think it was a little over $120,000. But how do you have the guts to do it at a company like Facebook, but then get caught, get fired, and then go to the next place. And instead of learning your lesson, you do it all over again. 

00:02:47

Grace Berube: Also, how do you get hired at Nike?

Debra Richardson: Well, I'm sure—well, I don't know. I was going to say, I don't know who gave that reference from Facebook. So that happened.

And this should be a lesson to all that are listening. I know you wouldn't do this anyway, but do you know what ended up happening to her? 

Grace Berube: What happened? No, I don't.

Debra Richardson: Yes, and we'll put a link to it in the show notes, but the United States Attorney's office, the Department of Justice, they always post these types of stories and what happens to them, eventually.

00:03:30

They have one here, and she was sentenced to five years and three months in federal prison, and she has to pay back that $5 million total in restitution. And so my question is, when she gets out, she is definitely Google-able. But it's all going to come up. I don't know who's going to hire her. Even if she does get hired, what kind of job can you get that will allow you to pay back over $5 million in restitution? I hope she kept some of that money. I doubt it, but…

00:04:13

Grace Berube: That is crazy.

Debra Richardson: That is very crazy. But what she did, or part of what she did when she was at Facebook—not so much at Nike, because at Nike I think she just linked her credit card to like Venmo/PayPal. But at Facebook she got really involved. She created fraudulent vendors. She submitted fake invoices. And you know she was approving all of those. She was approving the invoices. She was creating the vendor. She shouldn't have been able to do either. She was probably posting the invoices, too, but they didn't necessarily say that.

The fact that she was able to create that loss as one person, just by having the access to create a vendor and post or approve an invoice as one of the reasons why she was able to get away with some of the fraud that she was able to get away with. 

00:05:21

I didn't realize that it went as deep as it went. I knew that she had used like the addresses of her family, of her friends, when she was creating these fake vendors, but it didn't stop there. Or maybe the definition of friends just expanded more than I thought that it would expand. 

These folks included former interns from a prior job, nannies, babysitters, her hair stylist. 

Grace Berube: Oh, my gosh.

00:06:00

Debra Richardson: I just can't believe she was able to convince babysitters and nannies. Okay.

Grace Berube: Oh, my God.

Debra Richardson: So I am sure Facebook thought that—as with many companies, you think that you have processes in place, that your employees won't do these types of things. And so that definitely, or this is definitely a case study where we know that is not the case. Employees will do things and companies
(even like Facebook) don't have the proper controls in place in order to prevent this type of fraud.

00:06:46

Grace Berube: Right. And it's really scary to think how just one person can have all of that loss. I mean, almost $5 million just from one person. So I want to get into the specific gaps that you could be missing in order to make sure that this doesn't happen to your company.

Something we talk about sometimes, I feel like, in some of your sessions, is segregation of duties. So I think that that's something we're going to chat about right now, right? 

00:07:11

Debra Richardson: Yes. We just talked about the gap that that prevents. The gap is the fact that one team member can create a loss. And so the audit that is designed to catch that or prevent that is segregation of duties. Segregation of duties and preventing that one team member from creating the loss really means that no one team member should be able to handle a high-risk transaction from end-to-end, especially in the vendor space. So that means no team member should be able to create a vendor—and I would also say here edit a vendor, too, right, because you can edit a vendor with different payment details. But create/edit a vendor, post/approve an invoice, and then generate a release of payment.

00:08:08

Again, the way that you avoid that is to implement a segregation of duties audit. Now, Grace, already on IOFM.com is an article called "Why is Segregation of Duties (SoD) Important?" The article states that segregation of duties provides two benefits. One is a deliberate fraud, like what she did, is more difficult because it requires collusion of two or more person. And then number two, which you might not even think about, but it does help, is it's much more likely that innocent errors would be found, else they won't be found. So it can also find those types of things as well.

00:08:58

But what I look at or what I think it means in the vendor process is, again, [that] no one team member should be able to, in this order, create a fraudulent vendor, or (if we just think about the bank change fraud) enter unauthorized bank changes for existing vendors, and then turn around and submit a fake invoice (or manipulate a real vendor's invoice), and then, lastly, release payment without proper review. In other words, kind of everything that Barbara Furlow-Smiles, the former DEI exec from Facebook, did.

00:09:49

Grace Berube: Yeah, that's crazy. So, if they had just implemented, in order, like you said, those three things, they would've saved themselves a lot. So we'll definitely have that article there, linked in the show notes, like you mentioned. If you want to follow up on those things, you can do so.

Debra Richardson: Yeah. And one thing, too, I didn't mention is that she worked at Facebook from January 2017 to September 2021, which is a long time for that type of thing not to be caught. And then even for Nike, she worked there from November 2021 to February 2023, so that's over a year. And just think about this: She left Facebook in September 2021, and by November she had another new job at a great place.

00:10:46

Grace Berube: Right. That is really crazy to think about. Like I said, I don't know how she got hired there. And like you said, I don't know what she's going to do when she gets out to pay off that $5 million. That's crazy.

And so another gap that we can chat about is team members having more access than they need. And what can we do about that? 

Debra Richardson: Yes. And so the audit that helps with that is a security audit. You may not think about it, but it really does go hand-in-hand with the segregation of duties audit. Even if your team members have the applicable security roles for their function, like the vendor add/edit role, the payment disbursement role, the purchasing role, accounts payable role—and you have assigned these specific roles to these specific positions so that they do follow the segregation of duties processes or controls that you have in place. But the problem is: Do you really know what those roles actually do?

00:11:54

So I always tell this story, that when I was in my last practitioner position, as a senior AP manager over global vendor setup and maintenance, I was two years into that role until I realized, or when I realized that the purchasing team had access to edit our contact information. 

Grace Berube: Ooh, okay.

Debra Richardson: And I was like, wait, what? And I know why—I figured out why they did it. I think someone that had been there a while remembered why they had it. And it was because the contact information is where the fax number was and that fax number needed to be updated whenever it needed to be updated so that they could fax over the automated purchases orders, or whatever that process was called.

00:12:58

Purchasing thought it took the vendor team too long once they submitted the request to go in and updated it. They needed it done immediately. So somebody somewhere asked IT to add that access to the purchasing role. The problem is that, number one, even though security or IT may have control over the security roles, they may not be looking at it like that. They may take whatever request that whatever manager or director, or whomever at the time thought was appropriate, and just added it. 

In the meantime, positions rotate, people leave, other people come in and have no idea that that was done. So you don't always know what roles or what functions or what—in SAP, I think they call them objects that you could just take away and add to each of these roles. 

00:14:11

And so you do need to make sure that you're looking at what those roles have access to. And I will tell you, too, another big thing was during the pandemic. Remember when everybody just went home abruptly? What was it, end of March/mid-April, somewhere around there? 

Grace Berube: Yeah, that was probably early March.

Debra Richardson: Yeah, and a lot of folks in the AP space, in the vendor setup and maintenance space, they abruptly went home, but it took 'em a while to get set up and to be able to work. During that time, maybe some additional access was given to either people and/or roles. After the pandemic, or after we all came back to work, or it went back to kind of normal, did that get taken away? Are the folks who did that still there? Or maybe they're not still there and the folks who came in afterward had no idea that this stuff was being done.

00:15:23

So you do need to make sure that you're always doing a recurring security audit to, number one, look at what is included in the roles that are assigned to these specific positions. And then, two, look at the personnel, the team members that these roles are given to. Even before all the pandemic, fraud and everything kind of trended upward, you still had folks that left the company or went to a different department, and you just forget to remove roles. 

Grace Berube: You do.

Debra Richardson: It's a great thing to do. I don't know if I mentioned it, but I recommend that it be done on a quarterly basis. The part where you're looking at the security roles themselves, that is actually really good to do—you don't necessarily have to do that one on a quarterly basis, but it's really great to know that if you have a specific position, these are the specific roles that they need and that they don't have—those roles don't have more access than is needed for the position that's being done.

Grace Berube: Got it. That's great advice. And you have an article here, too, from 2025, right?

00:16:47

Debra Richardson: Yeah, I just did it last year. It was "Implement a Security Audit to Prevent Fraud." It's all there. I do have a question, though, for you.

Grace Berube: Yeah?

Debra Richardson: I noticed something on this one that I actually really like. There's a six-minute listen, like a recording audit. I noticed that those have been added. I kind of like that. It's not like a podcast; it's just like listening to the article.

00:17:15

Grace Berube: Exactly. That's a new initiative that we had. So you're able to listen to the article, if that's how you prefer to take in content. Obviously, it's just going to be read to you, which is great. It's not going to be as off-the-cuff or as [much of] easy listen [that] I feel like a podcast would [be]. But people like to digest content in different ways, too.

Debra Richardson: Well, I love that because I know when I was in the office, I would want to get up and just take a walk around, get some steps in, take a quick break. So you can listen to that; get your steps in while you're listening to the article. I actually really like that.

Grace Berube: Yeah, exactly. In between meetings, if you're just looking to quickly listen to something, I think it's easy. Just checking your email just to quickly listen. Yeah, we really like that feature.

00:18:08

Debra Richardson: I just saw it on that one, but I'm sure there's some other ones out there. Yeah, I love that new feature.

Grace Berube: Yeah, absolutely.

Debra Richardson: And another gap here—and this is kind of interesting—what if you have internal controls in place, vendor validations, best practices—you're already doing everything that we've talked about today. But I feel like something to think about is if your team members are actually following all of those steps, and how do you make sure that they're doing that?

00:18:37

Debra Richardson: Yes, and that's the thing. You may have all of these processes or these internal controls, best practices, right authentication techniques, vendor validations in place, but do you know for sure that your team members are following it? I will tell you, I've had a couple of clients, and I've also seen some other press releases about payment fraud that has happened, and it has happened because the processes that were put in place to prevent them just weren't being done.

And sometimes it's like human nature, right? If you have a fraud event, right after the fraud event, you put these things in place. It's still fresh in everybody's mind and so they're still doing it. But as it fades and other priorities come, other priorities are there, other events—non-fraud, hopefully—happen, so the priority of it starts to fade, especially when you get into things like year-end that we just went through, month end, tax reporting. 

00:19:49

It kind of starts to fail. So how do you know that it's actually still being—that everything that you put into place, or that's in place, is really still being done every time, 100% the correct way? And the answer is that you don't. But what you can do is you can put a vendor process audit process in place. That's what I call it, but what I really mean is doing an audit at the level of checking to verify that when a vendor is added to the vendor master file, when existing vendor data is updated, that you're verifying that all the steps in that process were followed. 

00:20:44

Unfortunately, sometimes it takes the—I won't say threat of an audit, but it takes the existence of an audit process in place in order to make sure that the team members are following it, because they don't want to have an audit where they fail because they didn't follow the correct process. 

And so it's kind of a—I won't say deterrent, but—

Grace Berube: I know what you mean.

Debra Richardson: Yeah, it's something to make sure that the team members will follow it when all the hoopla has died down—and when no one's looking, and when it's year-end, and when it's month-end, and when it's any other busy time—that it won't just get thrown out.

00:21:40

The example I like to use is they'll still do that process on a Tuesday at 4:30, when someone comes rushing in and they need a vendor setup because an invoice has to be paid. The process will still be done. 

Grace Berube: Yeah, absolutely. I think that's really great advice. You also mentioned when we were chatting, right before we started recording, that there's another reason that we may need to be doing that sort of audit, correct?

Debra Richardson: Yes. So, NACHA, who is the governing body over the U.S. ACH network, where all of our ACH activity goes through, all of our payroll, all of our vendor payments—they have been implementing rules around those ACH payments and generating those ACH payments, and even storing the information that's needed for those ACH payments, because they are trying to reduce the amount of fraud.

00:22:53

They have rules for folks that are generating those payments from the banks, from third-party payment providers, and now even for corporations or organizations that are generating payments. The whole idea is to reduce fraud, and so they are putting a rule into place, the risk-management fraud monitoring rule. There are two phases. One is March 20th and the second phase is June 19th.

00:23:34

[For] March 20th, any non-consumers originators (which is corporations or organizations that are paying their vendors via ACH), it says that they have to have a risk-based approval to implementing fraud-monitoring processes and procedures. What that really means is that they have to have processes and procedures in place to attempt to detect fraud. You can't just generate an ACH without having some controls in place that you have identified that will try to prevent, or that will mitigate the risk of fraud. It doesn't mean that you have to check it when you generate the ACH, but a great example is you have to have a control in place when a vendor wants to update their banking information. So you have to have some type of a process in place, and it's risk-based, so you can determine what that process is based on what level of risk you think that that particular vendor has.

00:24:56

That whole piece has to be documented, and you have to verify that it is being done. How do you do that? With an audit. 

Grace Berube: Right, exactly.

Debra Richardson: Yes, with an audit. Not only NACHA, but maybe also your insurance company or a future insurance company. Maybe, like other companies have done, there are listeners out there whose organizations either have a policy to protect them in the event that they make a fraudulent payment or they're searching for one. A lot of these insurance companies now won't just take, "Well, we have controls in place." You have to have a process in place. That process has to be documented, and you have to make sure that you have a way to show that the process is actually being done.

00:26:02

So, for those two reasons, if you have an insurance policy, that's one great reason. Then if you're generating ACH payment, which most of our listeners are doing it in-house, right? So now they have to have a process. It has to be documented for that. And it could be things in the future, right, because there are always—just like the fraudsters are always evolving, these organizations or agencies that are governing the payment processes, the ACHs and other things as well—maybe even, too, your check payments. I saw something out there about the Fed and the Federal Reserve Board looking at mitigations for check fraud. 

00:27:06

And so all of these things will contribute to you having to document your processes. Well, first of all, putting the controls in place, documenting them, and then verifying that your folks or your team members are following those processes. So it's not just good for them, too, but it's also good for your company because now you'll have less potential for payment fraud, if you can put those in place and then verify that your folks will continue to do that, even when nobody's looking, even when the threat is long forgotten. Those things are still being done. 

00:27:50

Unfortunately, it's not until things are measured and looked at [that that] will happen, or will the processes continue to be done. So I think a vendor process audit is something that everyone should be doing. We used to do it when I was a practitioner, and so it was not only good for that, but it was also good for training, too. If everybody—if it was found that when this one thing was done, everyone kind of did it in the wrong way, or didn't do it at all, that could expose—you may have thought that you put a control in place that was needed. Maybe it wasn't. You may have thought you put a vendor validation in that could be done. Maybe it can't be done, right? 

00:28:43

So it's a good thing for you, too, to find out what's wrong in the process if your team members don't speak up that there's a problem with doing it. So it's a great way to find that, too. So, it's great for the organization, and it's also great because now you can be compliant with other agencies, your insurance company, that type of thing. 

00:29:04

Grace Berube: Yeah, that really just sounds like a win-win for everything. Really great advice here. So our three audits that we're looking for: The-segregation-of-duties audit, the security audit, and then the vendor process audit. And then you're saying, really, final notes here, you really have to do all three.

Debra Richardson: Yes, you do. You have to do all three because let's say if you only do a segregation-of-duties audit, then you might miss that process you put in place. It's just being bypassed. If you only do the security audit, you might miss the roles that are designed in a way that still allows end-to-end activities. And then if you only do a vendor process audit, you might miss that users have access to just ignore the process.

00:29:59

And so you really do need to do all three. And again, we do have links for how you could implement a segregation-of-duties audit, how you can implement a security audit, and then, I didn't mention it, but we also have a link with key steps to implement a vendor process audit. 

Grace Berube: Yeah, so lots of additional reading (or listening) if you'd like to further your knowledge on this subject. This was really, really amazing, Debra. Thank you so much. Lots to learn here and lots for people to think about. Thank you so much for being on.

Debra Richardson: All right, thanks, Grace. I always love being on, and I'm sure we'll talk later.

Grace Berube: Oh, absolutely. Thank you.

Thank you so much for listening to the IOFM podcast. Remember to head on over to the Member Forum to discuss today's episode and provide ideas for our next one. And to stay up-to-date on IOFM's current events, both in-person and virtually, head on over to IOFM.com

Continuing Education Credits available:

Receive 1 CEU per hour of listening time towards IOFM programs:

AP CertificationPP-OC_seal_APP_outline.FNLReceive 1 CEU per hour of listening time towards maintaining any AP and P2P related program through IOFM! These programs are designed to establish standards for the profession and recognize accounts payable and procure-to-pay professionals who, by possessing related work experience and passing a comprehensive exam, have met stringent requirements for mastering the financial operations body of knowledge.

Continuing Education Credits available:

Receive 1 CEU per hour of listening time towards IOFM programs:

AP CertificationPP-OC_seal_APP_outline.FNLReceive 1 CEU per hour of listening time towards maintaining any AP and P2P related program through IOFM! These programs are designed to establish standards for the profession and recognize accounts payable and procure-to-pay professionals who, by possessing related work experience and passing a comprehensive exam, have met stringent requirements for mastering the financial operations body of knowledge.

Subscribe to our Monthly Insider

You may unsubscribe from our mailing list at any time. Diversified Communications | 121 Free Street, Portland, ME 04101 | +1 207-842-5500