Opportunity Knocks: Vendor Master File


Based on the Fraud Triangle, developed by criminologist Dr. Donald Cressey, three factors must be present for an ordinary person to commit occupational fraud:

Opportunity, Rationalization and Pressure.

  • Opportunity – The ability of the individual to commit the fraud against a company (i.e. lack of controls at the company make it possible for fraud to go unnoticed).
  • Rationalization – The ability of the individual to come to terms with why it is acceptable for him/her to commit the crime (i.e. underpaid/overworked, deserve the extra money).
  • Pressure – The motivation of the individual to commit the crime (i.e. cannot pay bills, has an addiction that requires additional cash, living beyond means, etc.).

Without going into too much more detail regarding the Fraud Triangle, let’s assume that Rationalization and Pressure are for the most part outside of a company’s control and concentrate on a company’s ability to eliminate the Opportunity.

Today I’d like to concentrate on one specific area of a company’s business operations where fraud (and money loss) can rear its ugly head, the Vendor Master File.  Have you looked at the makeup of your Vendor Master File lately?  I asked this question recently of the Controller of a large division of a manufacturing company.  Specifically, I asked him how many active vendors he thought he had (or should have) at the present time.  His answer: about 1,000.  After an analysis of the Vendor Master File the real answer: about 20,000.  It is amazing how quickly the numbers can add up.  And this was for a company who has the proper vendor change/add controls in place.  The lesson: take a quick snapshot of your Vendor Master File and determine if it is exactly where it needs to be for your company to run efficiently and avoid potentially fraudulent situations.  Having this knowledge can go a long way to preventing potential financial loss and fraud.

If not properly controlled, the Vendor Master File is ripe for financial loss and/or fraud.  A couple examples include:

  • Duplicate Payments – Payment of invoices to the same or similar vendor names can often go unnoticed.
  • Phantom Vendor Schemes – Employees may have the ability to set up fictitious vendors to funnel payments to others or their own addresses or bank accounts.

5 Simple Steps to Understanding and Controlling Your Vendor Master File

  1. Take a picture, it lasts longer. Work with your IT department to get a file that lists every vendor in your Vendor Master File (both active and inactive).  Depending on how long your company has been in business, this could be an incredibly long file.  Be sure to include fields showing name, address, whether the vendor is active or inactive (usually a yes/no or 1/0), date of last transaction, who set up the vendor and date of entry (or last change).  Including more fields is better than not enough (so you don’t have to go back to IT).
  2. In short, export and sort. Getting the file in a format where you can export it to Excel, ACL or IDEA is imperative.  Once the data is in the software, sort it by Active Vendors, Name, Address and then by Date of Last Transaction.  Take note of the number of active vendors.  Is it more than you thought you’d see?  Most likely it is, if this is the first time you are doing this type of analysis.
  3. Inactivate, name and date. Several trends will begin to emerge.  You will most likely see several vendor names that appear similar and/or have similar addresses.  Make duplicate or unused vendors Inactive.  Sort the active list again by last transaction date.  Pick a date in time (I like 365 days in the past) and make any vendor whose last transaction date is prior to that date Inactive.  Finally, take a moment to scan through the list of active vendors for any unusual or fictitious sounding vendors and investigate.  It is important to note that each vendor should be made Inactive as opposed to deleting so that history will be saved for each vendor used by your company.
  4. The list of users or abusers. If proper controls are in place only a one or a few users should be able to change or add vendors.  Sort by list of users inputting or changing data and summarize by user.  Do you see any names you didn’t think had access or shouldn’t have made any additions/changes?  Reconfirm your list of users who have proper access to add or change vendors.  You may also want to check into any users who added only a few vendors as this may have been for fraudulent purposes (if suspicious vendor names, dates or details exist).
  5. Keep your eyes on the monitor. You should now have an established and updated active vendor list.  Create a report showing new or changed vendors to periodically (monthly) monitor all additions/changes or deletions.  It may take time to establish a clean list of vendors, but once you have that the monitoring of it should not take long at all and will be well worth the effort.

In summary, preventing fraud is the most efficient and cost effective approach to dealing with the potential loss attributed to fraud.  By the time a fraud is committed, the ability to discover it and recoup the money lost is incredibly time consuming and costly.

Has your company analyzed its list of active vendors recently?  Are you satisfied with which vendors are on it, who has the ability to change that information and it is being monitored periodically?  Did I miss anything?  I would love to hear your comments…