Risk Assessments

  • 1.  Locating vendors

    This message was posted by a user wishing to remain anonymous
    Posted 08-10-2021 08:56 AM

    I'm helping a client with vendor tiering and they are struggling with identifying all the vendors in their ecosystem. Outside of using output from an AP system, any other best practices for locating vendors in an ecosystem?

    Thanks!


  • 2.  RE: Locating vendors

    Posted 08-10-2021 09:20 AM

    Using the AP list is the best way, truthfully.

    It's the method recommended by auditors, in my experience, and it's the best way to find them.

     

    Of course, that doesn't catch any freeware out there, which technically might not be a vendor per se.

    Those would be caught by a software inventory, but that is generally more for an IT Risk Assessment program or InfoSec rather than Vendor Due Diligence.

    Technically, if there's no money exchanged, it's not a vendor...

     

    Thanks,
    Dave

    David Howe
    Chief Information Officer

     

     






  • 3.  RE: Locating vendors

    Posted 08-10-2021 09:32 AM
    I conduct a review of our vendor spend reports a couple times a year to look for vendors I am not familiar with and then track back to the business area to get a copy of the contract, conduct risk reviews and of course provide instruction on the corporate purchasing policy. Education and leadership support is key and has proven to be helpful in reducing this type of activity. 

    Keep an eye out for corporate credit card spend as it may not appear on your vendor reports. More frequently, I have noticed business areas entering into agreements online and paying with a credit card. Hard to track and worrisome if the service auto-renews. If your company requires a purchase order for any type of spend, this might be an alternate way to track your vendors.


  • 4.  RE: Locating vendors

    Posted 08-10-2021 09:37 AM
    The AP system is a great first start and should allow you to identify the majority of your vendors.  Someone else mentioned reviewing vendors on company credit cards can identify others that do not show up in the AP system.  Also be aware of vendors that your company does not have to directly pay because their fees are netted from something else (i.e. custodial bank fees, investment fees, banking service fees can be netted from an account instead of paid directly out of an AP system).


  • 5.  RE: Locating vendors

    Posted 08-10-2021 09:53 AM

    I would also ensure that the AP reports include vendors being paid by ACH.

     

     






  • 6.  RE: Locating vendors

    Posted 08-10-2021 09:51 AM
    I agree AP is a great way to find them. Also, if you use Single Sign On for applications, your IT team may be able to track down some other rogue systems in use but not necessarily being paid for.

    Hannah
    _________________________
    monzo - the bank of the future



     





  • 7.  RE: Locating vendors

    This message was posted by a user wishing to remain anonymous
    Posted 08-10-2021 10:37 AM

    For a belt & braces approach, I'd also do a periodic review of expenses spend to identify any spend with a third party that should have been onboarded and paid via PO.


  • 8.  RE: Locating vendors

    This message was posted by a user wishing to remain anonymous
    Posted 08-10-2021 10:52 AM

    Once you discover all vendors, it's a good idea to make it policy that only certain/limited persons are authorized to sign contracts/agreements, and AP should not pay any invoice for a vendor that does not exist in the vendor database (with some appropriate exceptions).


  • 9.  RE: Locating vendors

    Posted 08-11-2021 09:38 AM

     

    Depending on your industry the definition may be "Third Party" relationships not "Vendor" relationships. 

     

    AP listing as a place to start and then add a periodic review of AP's New Vendors. AP typically has a setup process that can be reported on a regular basis (monthly, quarterly, etc.).

    Be on the lookout for Net Revenue generating relationships (referral agent, Joint marketing, activity happens in a "settlement" account, etc.).

     

    Best practice suggests to reconcile these periodically:

    • BCP/DR vendors
    • Vendors with Network or facility access
    • Vendors with SSO or API connectors (someone in Technology or cyber configures this or allows it in the firewall)

     

     

     

    Thanks

     

     

    Greg Schmeisser

    Corporate Contract & Procurement Director

     

     
