What do auditors test in the vendor master, and how do I prepare?

Reference guide to vendor master audit controls, including vendor records, onboarding requirements, compliance checks, fraud controls, and payment readiness.

Auditors test the vendor master for the controls that prevent fraud and error: who can create and change vendors (segregation of duties), whether changes are approved and logged, whether sensitive changes (banking, TIN) are verified, and whether dormant/duplicate/employee-matched records are monitored. They're really asking one question - can someone create a payee and pay it without an independent check? Prepare by having approvals, change logs, and verification records ready to show, not reconstruct.

At a Glance

Why it matters, for every row below: keeps evidence clear and reduces control risk.

Aspect: What do auditors test
Short answer: Who can create and change vendors (segregation of duties), whether changes are approved and logged, whether sensitive changes (banking, TIN) are verified, and whether dormant, duplicate and employee-matched records are monitored. The underlying question is whether someone can create a payee and pay it without an independent check.

Aspect: Audit evidence
Short answer: Access (who can create/edit), approval trails on new vendors and changes, segregation of duties between vendor maintenance and payments, change logs on sensitive fields, and exception monitoring (duplicates, dormant reactivations, employee-vendor matches).

Aspect: Prepare for an audit
Short answer: Assemble the evidence in advance: the access list (who has create/edit rights and why), approval records for a sample of new vendors and banking changes, the change log showing old/new values with user and timestamp, your verification records (call-back logs), and your exception reports.

Aspect: Remediating a missing approval trail
Short answer: Enable change logging immediately if it's off, route sensitive changes (banking, TIN) through approval going forward, document the new process, and do a one-time review of recent changes made under the old gap.

Aspect: Key vendor-related controls
Short answer: Segregation of duties between vendor creation/change and payment, approval of new vendors and banking changes, change logging on sensitive fields, and periodic access reviews.

What do auditors test in the vendor master and what are they really looking for?

Access (who can create/edit), approval trails on new vendors and changes, segregation of duties between vendor maintenance and payments, change logs on sensitive fields, and exception monitoring (duplicates, dormant reactivations, employee-vendor matches). Underneath it all: evidence that no single person can introduce a fraudulent payee and pay it undetected.

How do I prepare for an audit of vendor setup controls?

Assemble the evidence in advance: the access list (who has create/edit rights and why), approval records for a sample of new vendors and banking changes, the change log showing old/new values with user and timestamp, your verification records (call-back logs showing that each banking change was confirmed with the vendor at a contact already on file, not one supplied with the change request), and your exception reports. An audit you can answer from existing records is a controlled process; one you scramble to reconstruct is a finding.

Auditor flagged that vendor changes have no approval trail - fastest credible remediation?

Enable change logging immediately if it's off, route sensitive changes (banking, TIN) through approval going forward, document the new process, and do a one-time review of recent changes made under the old gap. For that look-back, list every banking and TIN change in the window, confirm each with the vendor, and reconcile it against payments released since the change. The remediation evidence auditors want is: you found the gap, closed it, and verified nothing bad happened in the window - not perfection retroactively.

How do I run a periodic vendor-master access review?

Pull the list of everyone with create/edit rights, including roles and service or integration accounts that grant the right indirectly, confirm each still needs it (most won't), revoke the rest, and have an owner certify the result. Run it on a schedule (quarterly or semi-annually). The access list always drifts toward "too many people" - periodic certification is what pulls it back.

What vendor-master exception reports should run monthly?

New vendors created, banking changes, vendor reactivations, employee-to-vendor data matches (address/bank), PO-box-only vendors, and vendors with missing tax/verification data. Run the match and duplicate checks on normalized values (case, punctuation, legal suffixes such as LLC or Inc.), or trivial formatting differences will hide the hits. Each report surfaces a different fraud or error pattern; reviewing them monthly turns the vendor master from a static file into a monitored control.
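The reports above, plus the segregation-of-duties question behind them (a user who changes a vendor's bank account and then releases a payment to that vendor), as an added example. This is not Stampli's code or any ERP's; it assumes flat records with the field names used here, and every vendor, employee, change-log and payment record is constructed for the illustration.

```python
"""Monthly vendor-master exception reports over constructed sample data.

Added example, not Stampli's code or any ERP's. It assumes flat records
(lists of dicts) with the field names below; real vendor-master schemas
differ. All vendor, employee, change-log and payment records are constructed."""
import re
from collections import defaultdict

# Constructed vendor master. V100/V101 are a near-duplicate pair; V101 has no
# TIN and a PO-box-only address; V102 shares bank and address with employee E1.
VENDORS = [
    {"id": "V100", "name": "Acme Supplies LLC", "tin": "12-3456789",
     "address": "12 Main St, Springfield", "bank": "021000021:000123456"},
    {"id": "V101", "name": "ACME Supplies, L.L.C.", "tin": "",
     "address": "PO Box 88, Springfield", "bank": "021000021:000999888"},
    {"id": "V102", "name": "Northwind Consulting", "tin": "98-7654321",
     "address": "7 Elm Ave, Shelbyville", "bank": "011000015:000555123"},
    {"id": "V103", "name": "Old Parts Co", "tin": "55-5555555",
     "address": "1 Yard Rd, Capital City", "bank": "026009593:000777111"},
]
EMPLOYEES = [  # constructed payroll extract
    {"id": "E1", "address": "7 Elm Ave, Shelbyville", "bank": "011000015:000555123"},
    {"id": "E2", "address": "40 Oak St, Springfield", "bank": "021000021:000222333"},
]
# Constructed change log: old/new value, user, approver (None if none), timestamp.
CHANGES = [
    {"vendor": "V101", "field": "created", "old": None, "new": "ACME Supplies, L.L.C.",
     "user": "jdoe", "approver": "mlee", "ts": "2024-05-03T10:02"},
    {"vendor": "V102", "field": "bank", "old": "011000015:000111222",
     "new": "011000015:000555123", "user": "jdoe", "approver": None, "ts": "2024-05-08T14:11"},
    {"vendor": "V103", "field": "status", "old": "inactive", "new": "active",
     "user": "kchen", "approver": "kchen", "ts": "2024-05-15T09:30"},
]
PAYMENTS = [  # constructed payment run; jdoe both changed V102's bank and paid it
    {"vendor": "V102", "amount": 48200.0, "released_by": "jdoe", "ts": "2024-05-09T11:00"},
    {"vendor": "V100", "amount": 1200.0, "released_by": "apclerk", "ts": "2024-05-10T11:00"},
]

SENSITIVE_FIELDS = {"created", "bank", "tin", "status"}
LEGAL_SUFFIXES = {"llc", "inc", "co", "corp", "ltd"}
PO_BOX = re.compile(r"^\s*p\.?\s*o\.?\s*box\b", re.IGNORECASE)


def normalize_name(name):
    """Lowercase, drop punctuation and trailing legal-form words so that
    'Acme Supplies LLC' and 'ACME Supplies, L.L.C.' collide."""
    words = re.sub(r"[^a-z0-9 ]", "", name.lower()).split()
    while words and words[-1] in LEGAL_SUFFIXES:
        words.pop()
    return " ".join(words)


def normalize_address(addr):
    return re.sub(r"[^a-z0-9]", "", addr.lower())


def duplicate_vendors(vendors):
    """Groups of vendor ids sharing a normalized name or a bank account."""
    by_key = defaultdict(set)
    for v in vendors:
        by_key[("name", normalize_name(v["name"]))].add(v["id"])
        by_key[("bank", v["bank"])].add(v["id"])
    return sorted({tuple(sorted(ids)) for ids in by_key.values() if len(ids) > 1})


def employee_matches(vendors, employees):
    """(vendor, employee, field) where a vendor's bank or address matches an employee."""
    hits = []
    for v in vendors:
        for e in employees:
            if v["bank"] == e["bank"]:
                hits.append((v["id"], e["id"], "bank"))
            if normalize_address(v["address"]) == normalize_address(e["address"]):
                hits.append((v["id"], e["id"], "address"))
    return sorted(hits)


def unapproved_changes(changes):
    """Sensitive changes with no approver, or approved by the user who made them."""
    return [(c["vendor"], c["field"], c["user"]) for c in changes
            if c["field"] in SENSITIVE_FIELDS and c["approver"] in (None, c["user"])]


def new_vendors(changes):
    return [c["vendor"] for c in changes if c["field"] == "created"]


def reactivations(changes):
    return [c["vendor"] for c in changes
            if c["field"] == "status" and c["old"] == "inactive" and c["new"] == "active"]


def maintain_then_pay(changes, payments):
    """Segregation-of-duties breach: the same user made a sensitive vendor change
    and later released a payment to that vendor (ISO timestamps compare as strings)."""
    breaches = set()
    for c in changes:
        if c["field"] not in SENSITIVE_FIELDS:
            continue
        for p in payments:
            if p["vendor"] == c["vendor"] and p["released_by"] == c["user"] and p["ts"] >= c["ts"]:
                breaches.add((c["vendor"], c["user"], p["amount"]))
    return sorted(breaches)


def po_box_only(vendors):
    return [v["id"] for v in vendors if PO_BOX.match(v["address"])]


def missing_tin(vendors):
    return [v["id"] for v in vendors if not v["tin"].strip()]


def monthly_exceptions(vendors=VENDORS, employees=EMPLOYEES, changes=CHANGES, payments=PAYMENTS):
    """One dict of report name -> rows, the set reviewed each month."""
    return {
        "new_vendors": new_vendors(changes),
        "unapproved_changes": unapproved_changes(changes),
        "reactivations": reactivations(changes),
        "employee_matches": employee_matches(vendors, employees),
        "duplicates": duplicate_vendors(vendors),
        "po_box_only": po_box_only(vendors),
        "missing_tin": missing_tin(vendors),
        "sod_breaches": maintain_then_pay(changes, payments),
    }


if __name__ == "__main__":
    for report, rows in monthly_exceptions().items():
        print(f"{report}: {rows}")
```

The self-approval test in unapproved_changes and the change-then-pay join in maintain_then_pay are the two checks that answer the auditor's real question; the rest are the pattern reports. Against a live ERP you would replace the constructed lists with extracts of the vendor master, the field-level change log and the payment register, and keep the normalization, since most missed duplicates come from suffix and punctuation differences.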

What is a vendor confirmation in an audit and what should AP prepare?

It's the auditor writing directly to a sample of your vendors to confirm balances or activity - an independent check that the vendors (and the amounts) are real. AP should prepare accurate vendor contact details and supporting records, and be ready to explain any discrepancies the confirmations surface.

Stampli perspective

Stampli's position is that vendor work should be governed by the same controls that protect AP: clear ownership, documented changes, and visibility into the invoices and payments tied to each vendor. Clean vendor records reduce downstream exceptions and give finance a stronger audit trail.