5 best internal controls over vendor master file
Internal controls over vendor master file keep your data secure with clear rules, audit trails, and consistent oversight for long-term data integrity
It could be said that the Vendor Master File is the bible of any Accounts Payable (AP) department. It, more than any other file, is relied upon by all members of the AP team as the ultimate source of truth. However, we know that on average 20% – 25% of all data stored in Vendor Master Files is anomalous.
With so much incorrect data residing in many Vendor Master Files, how can your AP team act with confidence? How can your organisation reliably process supplier payments if you cannot be certain that the information contained in your Vendor Master File is accurate and up-to-date?
In this 3-part series, eftsure will explore what it takes to achieve and maintain a Vendor Master File that helps you stop fraud.
Part 1: In this section, we will explore what it takes to assess the current state of your Vendor Master File, as well as the considerations necessary to establish Vendor Master File best practices around how your data should be structured.
Part 2: In this section, we will explore how you should go about cleaning the existing data in your Vendor Master File in accordance with the rules established in Part 1.
Part 3: In this section, we will explore what it takes to maintain your Vendor Master File, with a particular focus on adding new suppliers to the database and updating existing suppliers as necessary.
Once you have decided that you need to undertake a comprehensive clean-up of the data contained in your Vendor Master File, you first need to assess what information needs cleaning and the rules that will govern how you maintain your data moving forward.
In many organisations, once a supplier is onboarded into a Vendor Master File, they typically stay there forever. This often results in a large number of “inactive” suppliers. This need not necessarily be a problem; however, for any organisation struggling to maintain data hygiene standards, having large volumes of redundant data can be an avoidable burden.
It is important to bear in mind that some suppliers may be “inactive” for a protracted period of time, only to become “active” again at a later date. When this occurs, often a new entry for the supplier will be created in the Vendor Master File. This can potentially raise a number of problems, particularly if your organisation does not enforce strict supplier naming conventions. With two or more entries in a Vendor Master File for the same supplier, you run the risk of duplicate payments.
Apart from avoiding duplicate payments, having suppliers listed multiple times in your Vendor Master File can put you at greater risk of internal threats. Should a maliciously inclined employee become aware of an inactive supplier account, they may use this as a cover for fraudulent activities.
Ideally, any supplier accounts that have been inactive for over 12 months should be deactivated in your Vendor Master File. You should, of course, retain a record of all prior transactions. However, by deactivating the account so no new records can be added to it, you mitigate the risk of both duplicate payments and internal fraud.
This is a question we often get asked at eftsure.
Ideally, data hygiene should be something that takes place continuously. It is an integral part of the Procure-to-Pay process. However, the reality is that AP staff are busy, and all too often data hygiene standards slip.
Maintaining the integrity of the data in your Vendor Master File really needs to be an ongoing process. Set-and-forget is not a viable option. That’s because you are always going to be adding and removing suppliers, not to mention updating existing supplier records. Furthermore, whilst you verify supplier details, including banking information, when onboarding them, there may be a long period of time before you need to process payments to them. In the interim, hackers or malicious insiders may manipulate the data in the Vendor Master File – causing you to send payments to the wrong recipient. That’s why continuous controls around data integrity are absolutely essential.
Even though organisations should have systems in place to allow ongoing data hygiene, there are events that necessarily trigger a thorough clean-up of Vendor Master File data. These events may include:
Such events should be seen as an opportunity to undertake a deep-clean of your data, enabling you to adopt best practice moving forward.
When it comes to data integrity in your Vendor Master File, having clearly established rules for your entire AP team is absolutely critical.
The procedures for Vendor Master File data should be integrated into your broader Accounts Payable policy. These procedures should be formally written, along with associated implementation guidelines, with training provided to all staff members.
This is the only way to ensure that your entire team handles data in a consistent manner, which is essential for maintaining data integrity and limiting the risks of losses through either fraud or error.
Best practice requires establishing clear conventions for entering supplier addresses in your Master Vendor File, even in an era when communications are overwhelmingly conducted electronically.
For suppliers with multiple locations, it is important to ensure you register the Australian headquarters, rather than a branch or department address. This practice should be followed even if your contact is based at a location other than the headquarters.
Perhaps the most important data point within your Master Vendor File is the organisation name.
It is critical that every member of the Accounts Payable function enters organisation names consistently to avoid duplicate payments and to reduce the risk of fraud.
The Australian Government has developed a comprehensive style guide that covers how organisations should be named. It can provide a useful template for how your organisation enters organisation names into your Master Vendor File.
As an overriding principle, you should seek to follow the way your supplier writes their own organisation’s name. The names of organisations can change. The most efficient way to confirm an organisation’s name is to check its website, annual report or letterhead. If this is unsuccessful, there are other reliable services, including:
Australian Government entities: Government online directory
Directory entries contain links to departmental pages listing annual reports. Annual reports are a good way to find the former names of departments. The government online directory includes the Australian Government Organisations Register and the directories of state and territory governments. There are also website directories for some local governments.
Non-government entities:
For all entities:
The legal name of the primary contact at a supplier should also be included in your Vendor Master File.
Whilst naming conventions around the primary contact are not as critical as the organisation name, it is nonetheless important to establish common standards.
Depending on the system you use for your Vendor Master File, it may be possible to set specific rules that restrict how data is entered.
These can be particularly useful for ensuring consistency.
For example, you can limit the number of characters that can be entered into a field, or the type of characters. You may also be able to stipulate whether all letters in a particular field appear in capital or lower case.
Wherever possible, set up fields as drop-down menus (for example, the States and Territories of Australia), as this can also aid in establishing consistency.
These types of rules can be particularly useful when it comes to fields for phone numbers, BSBs, Account Numbers or government registration numbers, such as the ABN, ACN, TFN, etc. By preventing staff from entering hyphens, spaces or other symbols, it is possible to ensure greater consistency.
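The field rules described above can be enforced in code at the point of entry. The following is an added example, not eftsure's code or part of the original article: it stores only a canonical digit string for each identifier and, going one step beyond the character and length rules in the text, applies the published ABN and ACN check-digit tests so that mistyped numbers are rejected. The field names and the account-number length bounds are assumptions.

```python
import re

ABN_WEIGHTS = (10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19)
ACN_WEIGHTS = (8, 7, 6, 5, 4, 3, 2, 1)
# field -> (min digits, max digits); the account-number bounds are an assumption
LENGTHS = {"bsb": (6, 6), "account_number": (1, 9), "abn": (11, 11), "acn": (9, 9)}


def canonical_digits(raw, lo, hi):
    """Drop spaces and hyphens, then require ASCII digits within the length bounds."""
    value = re.sub(r"[ \-]", "", raw.strip())
    if not re.fullmatch(r"[0-9]+", value):
        raise ValueError("only digits, spaces and hyphens are accepted")
    if not lo <= len(value) <= hi:
        raise ValueError(f"expected {lo}-{hi} digits, got {len(value)}")
    return value


def abn_checksum_ok(abn):
    """ABN test: subtract 1 from the first digit; the weighted sum must divide by 89."""
    digits = [int(c) for c in abn]
    digits[0] -= 1
    return sum(d * w for d, w in zip(digits, ABN_WEIGHTS)) % 89 == 0


def acn_checksum_ok(acn):
    """ACN test: the ninth digit is the complement of the weighted sum modulo 10."""
    total = sum(int(c) * w for c, w in zip(acn, ACN_WEIGHTS))
    return (10 - total % 10) % 10 == int(acn[8])


CHECKSUMS = {"abn": abn_checksum_ok, "acn": acn_checksum_ok}


def clean_vendor_fields(record):
    """Return (canonical values, errors by field) for the identifier fields present."""
    clean, errors = {}, {}
    for field, (lo, hi) in LENGTHS.items():
        if field not in record:
            continue
        try:
            value = canonical_digits(record[field], lo, hi)
            if field in CHECKSUMS and not CHECKSUMS[field](value):
                raise ValueError("checksum failed (likely mistyped)")
            clean[field] = value
        except ValueError as exc:
            errors[field] = str(exc)
    return clean, errors


if __name__ == "__main__":
    # Constructed sample entry; the ABN and ACN are sample values that pass the checksum.
    entry = {"bsb": "123-456", "account_number": "1234 5678",
             "abn": "51 824 753 556", "acn": "004 085 616"}
    print(clean_vendor_fields(entry))
```

Rejected entries come back with a per-field reason, which can be shown to the person keying the record instead of silently storing a malformed value.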
Ensuring the accuracy of supplier banking records in your Vendor Master File is critical to preventing incorrect payments and fraud.
More than any other data points in your Vendor Master File, these are the records that are most vulnerable to malicious actors who will seek to manipulate them for financial gain. When preparing to clean up your Vendor Master File, you need to carefully consider strategies for ensuring the ongoing veracity of supplier banking records.
That’s why it’s best practice to demand the implementation of continuous controls monitoring. You cannot assume that, because you verified a supplier’s banking records at the onboarding stage, these records have not subsequently changed or been tampered with.
Segregation of duties and restricting access to these records on a Need-to-Know basis will limit the risk. However, in addition, you should also have a system in place that can efficiently verify these records in real-time, immediately prior to processing a payment.
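One way to implement the pre-payment check described above, as an added example that is not eftsure's product or code from the original article: a keyed fingerprint of each supplier's bank details is recorded when they are verified, and every payment run is screened against it so that any later edit holds the payment. The record layout, function names and the key are assumptions; in practice the key and the fingerprint store would sit outside the reach of anyone who can edit the Vendor Master File.

```python
import hashlib
import hmac


def fingerprint(key, vendor_id, bsb, account_number):
    """Keyed digest of the bank details that were confirmed with the supplier."""
    message = "\x1f".join((vendor_id, bsb, account_number)).encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def screen_payment_run(key, verified, master_file, payments):
    """Split a payment run into invoices to release and invoices to hold, with a reason."""
    released, held = [], []
    for payment in payments:
        vendor_id = payment["vendor_id"]
        vendor = master_file.get(vendor_id)
        expected = verified.get(vendor_id)
        if vendor is None:
            held.append((payment["invoice"], "vendor not in master file"))
        elif expected is None:
            held.append((payment["invoice"], "bank details never verified"))
        else:
            current = fingerprint(key, vendor_id, vendor["bsb"], vendor["account_number"])
            if hmac.compare_digest(expected, current):
                released.append(payment["invoice"])
            else:
                held.append((payment["invoice"], "bank details changed since verification"))
    return released, held


# Constructed sample data: three suppliers, two of them verified at onboarding.
KEY = b"demo-key-held-outside-the-AP-system"
MASTER = {
    "V100": {"bsb": "123456", "account_number": "11112222"},
    "V200": {"bsb": "123456", "account_number": "33334444"},
    "V300": {"bsb": "654321", "account_number": "55556666"},
}
VERIFIED = {vid: fingerprint(KEY, vid, MASTER[vid]["bsb"], MASTER[vid]["account_number"])
            for vid in ("V100", "V200")}
# An edit made to the master file after verification, outside the verification process.
MASTER["V200"]["account_number"] = "99990000"
PAYMENTS = [
    {"invoice": "INV-1", "vendor_id": "V100"},
    {"invoice": "INV-2", "vendor_id": "V200"},
    {"invoice": "INV-3", "vendor_id": "V300"},
    {"invoice": "INV-4", "vendor_id": "V999"},
]

if __name__ == "__main__":
    print(screen_payment_run(KEY, VERIFIED, MASTER, PAYMENTS))
```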
By integrating eftsure into your accounting processes, you will gain visibility into whether other organisations have used the same banking records to pay the same supplier. If so, you can be confident that the banking records are accurate, even if there has been a significant time lapse since the supplier was onboarded. When processing large volumes of invoices, eftsure saves your Accounts Payable team countless hours of manual verifications, giving you significantly greater assurance than the alternative of manual spot-checks.
One of the key objectives when undertaking a clean-up of your Vendor Master File is to identify the inactive suppliers.
Whether you opt to delete these suppliers from your files, or simply mark them as inactive, is a decision each organisation needs to make. Making them inactive retains all their records in your systems but ensures no new invoices will be assigned to them.
Determining which suppliers should be considered inactive will vary for each organisation. Typically, organisations exclude suppliers with no activity in the last 12 or 18 months, except those added in the last 90-180 days.
In addition, you should also exclude supplier records that can be identified as:
Once you have clear definitions for which suppliers should be defined as “inactive,” you will be able to proceed to the clean-up stage.
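The inactivity rule above and the duplicate-entry risk described earlier in the article can be checked in one pass over an export of the file. This is an added example, not eftsure's code or part of the original article: it uses the 12-month and 90-day thresholds from the text, and the record layout, the comparison key for names and the list of ignored company designations are assumptions.

```python
import re
from collections import defaultdict
from datetime import date

IGNORED_WORDS = {"the", "pty", "ltd", "limited", "co", "inc"}  # assumed list


def name_key(name):
    """Comparison key only; the stored name keeps the supplier's own spelling."""
    text = re.sub(r"[^a-z0-9 ]", "", name.lower().replace("&", " and "))
    return " ".join(w for w in text.split() if w not in IGNORED_WORDS)


def review_vendor_file(vendors, today, inactive_days=365, grace_days=90):
    """Return (ids to deactivate, groups of ids that look like the same supplier)."""
    inactive = []
    for v in vendors:
        newly_added = (today - v["created"]).days <= grace_days
        last = v["last_activity"]
        stale = last is None or (today - last).days > inactive_days
        if v["status"] == "active" and stale and not newly_added:
            inactive.append(v["id"])

    # Entries collide if they share a normalised name or the same bank details.
    groups = defaultdict(list)
    for v in vendors:
        groups[("name", name_key(v["name"]))].append(v["id"])
        groups[("bank", v["bsb"], v["account_number"])].append(v["id"])
    duplicates = sorted({tuple(sorted(ids)) for ids in groups.values() if len(ids) > 1})
    return inactive, duplicates


# Constructed sample export. V2 is a dormant supplier re-added under a variant name.
VENDORS = [
    {"id": "V1", "name": "Acme Supplies Pty Ltd", "status": "active",
     "created": date(2019, 3, 1), "last_activity": date(2022, 1, 10),
     "bsb": "123456", "account_number": "11112222"},
    {"id": "V2", "name": "ACME Supplies Pty. Ltd.", "status": "active",
     "created": date(2024, 5, 20), "last_activity": None,
     "bsb": "123456", "account_number": "11112222"},
    {"id": "V3", "name": "Brown & Co", "status": "active",
     "created": date(2020, 7, 1), "last_activity": date(2024, 5, 1),
     "bsb": "654321", "account_number": "33334444"},
    {"id": "V4", "name": "Northside Freight", "status": "active",
     "created": date(2021, 2, 1), "last_activity": date(2024, 4, 1),
     "bsb": "654321", "account_number": "33334444"},
]

if __name__ == "__main__":
    print(review_vendor_file(VENDORS, today=date(2024, 6, 30)))
```

Two unrelated names sharing one bank account (V3 and V4 in the sample) is reported for review rather than treated as proof of a duplicate.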
One of the easiest ways to set standards for addresses is to use the standards set by Australia Post. They have given a lot of thought to establishing address naming conventions, so it makes sense to follow their template guide.
Address Convention | Standards |
---|---|
Building Name | The full name used to identify the physical building or property. This information is usually not abbreviated and should include any reference to a wing or other components of a building complex, if applicable. Ideally, this information is printed in uppercase, though using uppercase for the first character and lowercase for subsequent characters is acceptable. One or two spaces should be left between components, with a preference for two spaces, e.g., North Wing Treasury Building. |
Building / Complex Sub-Unit | The specification of a separately identifiable portion within a building complex or marina, with its associated number or identifier to clearly distinguish it. It can be depicted by numerals, alpha characters, or a combination. Ideally, use uppercase, though using uppercase for the first character of each word and lowercase for subsequent characters is acceptable. One or two spaces should be left between components, with a preference for two spaces, e.g., Flat 2 17 Jones St. A forward slash (/) may only be used to separate an apartment, flat, or unit number from a thoroughfare number. |
Floor / Level | Descriptors used to identify the floor or level of a multi-storey building or complex. The Floor/Level is positioned as the first item, located on the same line as the House/Property Number and Street Name. It can also be placed on a separate line above the House/Property Number and Street Name if necessary. Ideally, use uppercase, though using uppercase for the first character and lowercase for subsequent characters of each word is acceptable. One or two spaces should be left between components, with a preference for two spaces, e.g., Level 7 17 Jones St. A forward slash (/) should not be used to separate a floor or level number from a thoroughfare number. |
House / Property Number | The numeric/alpha reference number of a house or property, also referred to as a street number, must be positioned before the Street Name and Type. If the house/property number includes a range, the applicable numbers should be included, separated by a hyphen (-) with no spaces between numerals, e.g., 17-19. Ideally, any alpha characters should be in uppercase, with no spaces between numerals, e.g., 11B. |
Lot / Section Number | The Lot/Section Number is positioned before the Street Name and Type, located on the same line. Ideally, it should be in uppercase, though using uppercase for the first character and lowercase for subsequent characters is acceptable. |
Street Name and Type | The full street name used to identify the street location of the property, together with the thoroughfare type. Only one street name should be used. Ideally, this information should be in uppercase, though using uppercase for the first character of each word and lowercase for subsequent characters is acceptable. The street name should be spelled out in full, with the exception of some prefixes based on common acceptance, e.g., St Kilda Rd and McKillop St. In certain circumstances, street names may be suffixed, e.g., Browns Rd West or Browns Rd W. |
Postal Delivery Type | Where applicable, this identifies a specific postal address and the service number. Ideally, the alpha characters should be in uppercase, though using uppercase for the first character of each word and lowercase for subsequent characters is acceptable. No punctuation should be used in this line. |
Place Name / Suburb / Locality | The full name of the place or Post Office of delivery containing the specific address, which may include a Delivery Centre (DC) or a Business Centre (BC). This information must be printed in uppercase with no punctuation. Generally, the place name is not abbreviated, though certain elements may be abbreviated based on common acceptance, e.g., MT for Mount and ST for Saint. |
State / Territory | The defined State or Territory in Australia (in abbreviated format) where the specific place/address is located. Must be printed in uppercase with no punctuation. |
Postcode | A four-digit numeric descriptor for a postal delivery area, aligned with place name, suburb, or locality, and in some cases, a unique Postal Delivery Type. All numeric, with leading zeros displayed. |
Organisation Convention | Standards |
---|---|
Names all in lower case | When the organisation name is in all lower case, use an initial capital for these names in your Vendor Master File. This helps people identify the name as a proper noun. For example, use “Eftsure” rather than “eftsure”. |
Medial capital letters | Some names start with a lower case letter but have a medial capital (for example, “eBay”). Write the name the same way, even at the beginning of a sentence. A medial capital is enough to identify the name as a proper noun. |
Punctuation and logograms | Pay attention to the use of capital letters, punctuation (such as apostrophes), and logograms (such as “&”). Ensure all words in the name are included and don’t add any additional words. |
Names all in upper case | Some organisation names appearing on the Australian Business Register are in all capitals. Write the name in all capitals as the organisation does. |
Shortened names | Use the organisation’s shortened form only if the organisation regularly uses it in its own content. For example, the Department of Home Affairs uses “Home Affairs” as the shortened form, but not “DHA”. However, Defence Housing Australia does use the initialism “DHA”, so using it to refer to that organisation would be appropriate. Don’t use full stops between individual letters in an abbreviated name (e.g., “IBM” rather than “I.B.M.”). Spell out the shortened form the first time unless the organisation’s name is known only by the shortened form, such as “IKEA”. |
Company designations | Some organisations use shortened forms such as “Ltd”, “Pty Ltd”, “Co”, and “Inc” as part of their legal name. Others use the spelled-out forms. Don’t add a full stop at the end of “Co” and “Inc” unless they finish a sentence. Don’t insert a comma between the name of the organisation and the company designation (e.g., “Eftsure Pty Ltd”, not “Eftsure, Pty Ltd”). |
Apostrophe | Use an apostrophe only when it forms part of the official name of an organisation, as in “Laing O’Rourke”. |
The | Handle “The” consistently. As a rule, only use “The” when the supplier uses it in their official name. |
Primary Contact Convention | Standards |
---|---|
Person Title | The Person Title is the first item, positioned before the Given Name. Ideally, it should be in uppercase, though using uppercase for the first character and lowercase for subsequent characters is acceptable. Accepted abbreviations: |
Given Name | A legal name given, also referred to as a Christian name or first name. If initials are used, they should be printed in uppercase. Full stops can be used to separate initials, if required. If the full name is used, it should ideally be printed in uppercase, though using uppercase for the first character and lowercase for subsequent characters is acceptable. It is also acceptable to mix a given name in full with initials, e.g., Robert J. |
Family Name | The family name of the addressee, also referred to as the last name or surname. This information should not be abbreviated unless the abbreviation is based on common acceptance. Ideally, it should be in uppercase, though using uppercase for the first character and lowercase for subsequent characters is acceptable. Dual family names should be separated by a hyphen (-). |
The Vendor Master File is a business-critical system that cannot be neglected. The risks associated with incorrect data are that you will make incorrect payments and be vulnerable to fraud.
Ongoing data hygiene is a must. However, this can be a time-consuming activity. As a result, many Accounts Payable departments delay dealing with the issue. This only exacerbates the risks.
eftsure’s Vendor Master File Health Check service is the initial step for all organisations that integrate our platform into their accounting processes. We undertake a thorough cleansing of your Vendor Master File data, with particular emphasis on verifying supplier banking records.
This process not only saves your team a significant amount of time, it gives you confidence that your data is accurate and up-to-date.
In the next two parts of this series, we will explore the process of Vendor Master File clean-up, and post-clean-up strategies to maintain data integrity.