Find out what biometric verification is and why it’s important – especially in a new AI-powered era.
Payment Security 101
Learn about payment fraud and how to prevent it
It could be said that the Vendor Master File is the bible of any Accounts Payable (AP) department. It, more than any other file, is relied upon by all members of the AP team as the ultimate source of truth. However, we know that on average 20% – 25% of all data stored in Vendor Master Files is anomalous.
With so much incorrect data residing in many Vendor Master Files, how can your AP team act with confidence? How can your organisation reliably process supplier payments if you cannot be certain that the information contained in your Vendor Master File is accurate and up-to-date?
eftsure will explore what it takes to achieve and maintain your Vendor Master File to stop fraud in this 3-part series.
In this section, we will explore what it takes to assess the current state of your Vendor Master File, as well as the considerations necessary to establish clear rules around how your Vendor Master File should be structured.
In this section, we will explore how you should go about cleaning the existing data in your Vendor Master File in accordance with the rules established in Part 1.
In this section, we will explore what it takes to maintain your Vendor Master File, with a particular focus on adding new suppliers to the database and updating existing suppliers as necessary.
Once you have decided that you need to undertake a comprehensive clean-up of the data contained in your Vendor Master File, you firstly need to assess what information needs cleaning and the rules that will govern how you maintain your data moving forward.
In many organisations, once a supplier is onboarded into a Vendor Master File, they typically stay there forever. This often results in a large number of “inactive” suppliers. This need not necessarily be a problem, however for any organisation struggling to maintain data hygiene standards, having large volumes of redundant data can be an avoidable burden.
It is important to bear in mind that some suppliers may be “inactive” for a protracted period of time, only to become “active” again at a later date. When this occurs, often a new entry for the supplier will be created in the Vendor Master File. This can potentially raise a number of problems, particularly if your organisation does not enforce strict supplier naming conventions. With two or more entries in a Vendor Master File for the same supplier, you run the risk of duplicate payments.
Apart from avoiding duplicate payments, having suppliers listed multiple times in your Vendor Master File can put you at greater risk of internal threats. Should a maliciously inclined employee become aware of an inactive supplier account, they may use this as a cover for fraudulent activities.
Ideally, any supplier accounts that have been inactive for over 12 months should be deactivated in your Vendor Master File. You should, of course, retain vendor record of all prior transactions. However, by deactivating the account so no new records can be added to it, you mitigate the risk of both duplicate payments and internal fraud.
This is a question we often get asked at eftsure.
Ideally, data hygiene should be something that takes place continuously. It is an integral part of the Procure-to-Pay process. However, the reality is that AP staff are busy, and all too often data hygiene standards slip.
Maintaining the integrity of the data in your Vendor Master File really needs to be an ongoing process. Set-and-forget is not a viable option. That’s because you are always going to be adding and removing suppliers, not to mention updating existing supplier records. Furthermore, whilst you verify supplier details, including banking information, when onboarding them, there may be a long period of time before you need to process payments to them. In the interim, hackers or malicious insiders may manipulate the data in the Vendor Master File – causing you to send payments to the wrong recipient. That’s why continuous controls around data integrity are absolutely essential.
Even though organisations should have systems in place to allow ongoing data hygiene, there are events that necessarily trigger a thorough clean-up of Vendor Master File data. These events may include:
Such events should be seen as an opportunity to undertake a deep-clean of your data, enabling you to adopt best practice moving forward.
When it comes to data integrity in your Vendor Master File, having clearly established rules for your entire AP team is absolutely critical.
The procedures for Vendor Master File data should be integrated into your broader Accounts Payable policy. These procedures should be formally written, along with associated implementation guidelines, with training provided to all staff members.
This is the only way to ensure that your entire team handles data in a consistent manner, which is essential for maintaining data integrity and limiting the risks of losses through either fraud or error.
Best practices requires establishing clear conventions for entering supplier addresses in your Master Vendor File, even in an era when communications are overwhelming conducted electronically.
For suppliers with multiple locations, it is important to ensure you register the Australian headquarters, rather than a branch or department address. This practice should be followed even if your contact is based at a location other than the headquarters.
One of the easiest ways to set standards for addresses is to use the standards set by Australia Post. They have given a lot of thought to establishing address naming conventions, so it makes sense to follow their guide.
|The full name used to identify the physical building or property. Usually this information is not abbreviated. Should include any reference to a wing or other components of a building complex, if applicable.
Ideally this information is printed in upper case, however, upper case for the first character and lower case for subsequently characters in the Property Name, is acceptable.
One or two spaces should be left between components, with a preference for two spaces, i.e. North Wing (two spaces) Treasury Building.
|Building / Complex Sub-Unit
|The specification of the type of a separately identifiable portion within a building complex or marina with its associated number or identifier to clearly distinguish it from another. Can either be depicted by numerals or alpha characters, or a mixture of both.
Ideally, in upper case, however, upper case for the first character of a particular word and lower case for subsequent characters of each word, is acceptable.
One or two spaces should be left between components with a preference for two spaces, i.e. Flat 2 (two spaces) 17 Jones St. A “forward slash” (/) may only be used to separate an apartment, flat or unit number from a thoroughfare number.
|Floor / Level
|Descriptors used to identify the floor or level of a multi-storey building or complex.
The Floor/Level is positioned as the first item, located on the same line as the House/Property Number and Street Name. However, it can be placed on a separate address line, above the line containing the House/Property Number and Street Name, if necessary.
Ideally, in upper case, however, upper case for the first character and lower case for subsequent characters of each word, is acceptable.
One or two spaces should be left between components, with a preference for two, i.e. Level 7 (two spaces) 17 Jones St. A “forward slash” (/) should not be used to separate a floor or level number from a thoroughfare number.
|House / property number
|The numeric/alpha reference number of a house or property, also referred to as a street number, must be positioned before the Street Name and Type.
If the house/property number includes a number range, the range of applicable numbers should be included, separated by a hyphen (-), with no spaces between numerals, i.e. 17-19.
Ideally, any alpha characters should be in upper case, with no spaces between numerals, for example 11B.
|Lot / section number
|The Lot/Section Number is positioned before the Street Name and Type, located in the same line containing the Street Name.
Ideally to be in upper case, however upper case for the first character and lower case for subsequent characters, is acceptable.
|Street name and type
|The full street name used to identify the street location of the property, together with the thoroughfare type. Only one street name should be used.
Ideally this information should be in upper case, however, upper case for the first character of a particular word and lower case for subsequent characters, is acceptable.
The street name should be spelt out in full, with the exception of some prefixes which are usually based on common acceptance, for example; St Kilda Rd and McKillop St.
In certain circumstances some street names maybe suffixed, in which case they should be depicted as Browns Rd West or Browns Rd W.
|Postal delivery type
|Where applicable, this is to identify a specific postal address, and the service number.
Ideally the alpha characters should be in upper case, however upper case for the first character of a particular word and lower case for subsequent characters of each word, is acceptable. No punctuation should be used in this line.
|Place name / suburb / locality
|The full name of the placename or Post Office of delivery containing the specific address, which may include a Delivery Centre (DC) or a Business Centre (BC).
This information must be printed in upper case, with no punctuation. Generally, the placename is not abbreviated, however certain elements of the placename may be abbreviated based on common acceptance, i.e. MT for Mount and ST for Saint.
|State / territory
|The defined State or Territory in Australia (in abbreviated format) that the specific placename/address is located.
Must be printed in upper case, with no punctuation.
|A four digit numeric descriptor for a postal delivery area, aligned with placename, suburb or locality and in some circumstances a unique Postal Delivery Type. All numeric, with leading zeros displayed.
Perhaps the most important data point within your Master Vendor File is the organisation name.
It is critical that every member of the Accounts Payable function enters organisation names consistently to avoid duplicate payments and to reduce the risk of fraud.
The Australian Government has developed a comprehensive style guide that covers how organisations should be named. It can provide a useful template for how your organisation enters organisation names into your Master Vendor File.
As an overriding principle, you should seek to follow the way your supplier writes their own organisation’s name. The names of organisations can change. The most efficient way to confirm an organisation’s name is to check its website, annual report or letterhead. If this is unsuccessful, there are other reliable services, including:
Australian Government entities: Government online directory
Directory entries contain links to departmental pages listing annual reports. Annual reports are a good way to find the former names of departments. The government online directory includes the Australian Government Organisations Register and the directories of state and territory governments. There are also website directories for some local governments.
For all entities:
Some additional guidelines for naming conventions include:
|Names all in lower case
|When the organisation name is in all lower case, use an initial capital for these names in your Vendor Master File. This helps people identify the name as a proper noun. Eftsure, rather than eftsure.
|Medial capital letters
|Some names start with a lower case letter but have a medial capital (for example, ‘eBay’). Write the name the same way, including to begin a sentence. A medial capital is enough to identify the name as a proper noun.
|Punctuation and logograms
|Pay attention to the use of capital letters, punctuation (such as apostrophes) and logograms (such as ‘&’). Make sure to include all words in the name. Don’t add additional words.
|Names all in upper case
|Some organisation names appearing on the Australian Business Register have all capitals. Write the name all in capitals as the organisation does.
|Use the organisation’s shortened form only if the organisation regularly uses it in its own content.
For example, the Department of Home Affairs uses ‘Home Affairs’ as the shortened form. It would be inappropriate to use ‘DHA’ to refer to Home Affairs. However, Defence Housing Australia does use the initialism ‘DHA’, so using it to refer to that organisation would be appropriate.
Don’t use full stops between individual letters in an abbreviated name. IBM should be used rather than I.B.M.
Spell out the shortened form the first time unless the organisation’s name is known only by the shortened form, such as “IKEA.”
|Some organisations use shortened forms such as ‘Ltd’, ‘Pty Ltd’, ‘Co’ and ‘Inc’ as part of their legal name. Others use the spelt-out forms.
Don’t add a full stop at the end of ‘Co’ and ‘Inc’ unless they finish a sentence. Don’t insert a comma between the name of the organisation and the company designation. Eftsure Pty Ltd, rather than Eftsure, Pty Ltd.
|Use an apostrophe only when it forms part of the official name of an organisation, as in Laing O’Rourke.
|Handle “The” consistently. As a rule, only use when the supplier uses “The” in their official name.
The legal name of the primary contact at a supplier should also be included in your Vendor Master File.
Whilst naming conventions around the primary contact are not as critical as the organisation name, it is nonetheless important to establish common standards.
Once again, Australia Post has given consideration to this and offers a useful template.
|Primary Contact Convention
|The Person Title is the first item, positioned before the Given Name.
Ideally in upper case, however upper case for the first character and lower case for subsequent characters, is acceptable.
|A legal name given, also referred to as Christian name or first name.
If initial/s are used they should be printed in upper case. Full stops can be used to separate initials, if required. If the full name is used it should ideally be printed in upper case, however upper case for the first character, and lower case for subsequent characters in the name is acceptable. It is also acceptable to mix a given name in full with initials, i.e. Robert J.
|The family name of the addressee also referred to as last name and surname. This information should not be abbreviated unless the abbreviation is based on common acceptance.
Ideally in upper case, however upper case for the first character and lower case for subsequent characters in each name, is acceptable. Dual family names should be separated by a hyphen (-).
Depending on the system you use for your Vendor Master File, it may be possible to set specific rules that restrict how data is entered.
These can be particularly useful for ensuring consistency.
For example, you can limit the number of characters that can be entered into a field, or the type of characters. You may also be able to stipulate whether all letters in a particular field appear in capital or lower case.
Wherever possible, if you can set up fields as drop down menus (for examples have States and Territories of Australia as a drop down menu), this can also aid in establishing consistency.
These types of rules can be particularly useful when it comes to fields for phone numbers, BSBs, Account Numbers or government registration numbers, such as the ABN, CAN, TFN, etc. By preventing staff from entering hyphens, spaces or other alphanumeric symbols, it is possible to ensure greater consistency.
Ensuring the accuracy of supplier banking records in your Vendor Master File is critical to preventing incorrect payments and fraud.
More than any other data points in your Vendor Master File, these are the records that are most vulnerable to malicious actors who will seek to manipulate them for financial gain. When preparing to clean-up your Vendor Master File, you need to carefully consider strategies for ongoing veracity of supplier banking records.
That’s why it’s best practice to demand the implementation of continuous controls monitoring. You cannot assume that because you verified a supplier’s banking records at the onboarding stage, that these records have not subsequently changed or been tampered with.
Segregation of duties and restricting access to these records on a Need-to-Know basis will limit the risk. However, in addition, you should also have a system in place than can efficiently verify these records in real-time, immediately prior to processing a payment.
By integrating eftsure into your accounting processes, you will gain visibility into whether other organisations have used the same banking records to pay the same supplier. If so, you can be confident that the banking records are accurate, even if there has been a significant time lapse since the supplier was onboarded. When processing large volumes of invoices, eftsure saves your Accounts Payable team countless hours of manual verifications, giving you significantly greater assurance than the alternative of manual spot-checks.
One of the key objectives when undertaking a clean-up of your Vendor Master File is to identify the inactive suppliers.
Whether you opt to delete these suppliers from your files, or simply mark them as inactive, is a decision each organisation needs to make. Making them inactive retains all their records in your systems but ensures no new invoices will be assigned to them.
Determining which suppliers should be considered inactive will vary for each organisation. Typically organisations exclude suppliers with no activity in last 12 or 18 months, except those added in last 90-180 days.
In addition, you should also exclude supplier records that can be identified as:
Once you have clear definitions for which suppliers should be defined as “inactive,” you will be able to proceed to the clean-up stage.
The Vendor Master File is a business-critical system that cannot be neglected. The risks associated with incorrect data are that you will make incorrect payments and be vulnerable to fraud.
Ongoing data hygiene is a must. However, this can be a time consuming activity. As a result, many Accounts Payable departments delay dealing with the issue. This only exacerbates the risks.
eftsure’s Vendor Master File Health Check service is initial step for all organisations that integrate our platform into their accounting processes. We undertake a thorough cleansing of your Vendor Master File data, with particular emphasis on verifying supplier banking records.
This process not only saves your team a significant amount of time, it gives you confidence that your data is accurate and up-to-date.
For a full demonstration of eftsure’s Vendor Master File Health Check and how it can help protect your organisation, contact us today.
You may have heard of the term “FinOps” being thrown around. But what exactly is it? Why is it important for finance …
Financial leaders face an escalating risk of cyber-crime, with tactics becoming more and more sophisticated. As threats grow, it’s increasingly critical for …
Eftsure provides continuous control monitoring to protect your eft payments. Our multi-factor verification approach protects your organisation from financial loss due to cybercrime, fraud and error.