Vendor master Maintenance - operational or financial?

  • Hi All
    Question for gurus out there -
    Is vendor master maintenance an operational or financial risk?

  • Hi,
    I’ve never seen Vendor Master File Maintenance treated as anything other than a Financial Risk. It is typically addressed when assessing controls in the Procurement-to-Payables Cycle. You will also see it in a typical Risk Register for this cycle. It may be considered an application control for testing purposes and tested accordingly.
    If you need specifics why it is generally considered to be a Financial Risk, kindly reply to this post. Otherwise, I am confident that I have accurately answered your question.
    Hope this helps,

  • I agree with Milan that it’s definitely a Financial risk.
    As working with 3rd party contractors and vendors is very complex, I’m wondering if in certain cases there might also be an operational risk as well. I saw this good article on Operational Risk Management as it relates to SOX compliance:
    Article: Operational Risk Management
    What many companies are missing is the inclusion of this long-term thinking in how they are attacking Sarbanes-Oxley. For most, it is another regulation to be attacked one-off. Yet SOX presents an opportunity to create a disciplined approach to organizing around a problem. That problem can be driven by regulation or for any good business reason. More importantly, it forces an operational risk approach that includes the ongoing assessment and testing of relevant control frameworks.
    This is not an ideal or theory. Leading companies are doing this now - albeit in measured incremental steps, but with an eye to the long term. Companies see that they can attack key process groups, whether manufacturing, R&D, marketing and sales, G&A and certainly IT. Ultimately, companies that can truly move to an operational risk approach most effectively will perform best and will have the greatest value.

  • Milan and HarryWaldron - Thanks.
    My argument is that it is an operational risk because the process of setting up the vendor master file does not carry a financial risk of impacting the financials until a disbursement or payment is made to the vendor. And this operational risk is mitigated through separation of duties: selecting vendors (procurement team) is separate from the team performing the vendor maintenance function, and there’s a separate accounts payable team as well.
    Am I right?
    Please advise.

  • If you follow COSO and break up your risks into the three categories of Financial, Operational, or Compliance, how does vendor master maintenance fall into the operational bucket? The only reason that you would set up a vendor is so that you can pay him (financial), not because your business will run more efficiently (operational) or be more profitable (operational). I agree with HarryWaldron and Milan that this is a financial control. As long as you are testing segregation of duties and are comfortable that the control is effective, you might be able to argue that vendor master maintenance is a secondary control and does not need to be tested. The steps you need to follow to support this basically require you to make certain that you have controls to mitigate risks for the applicable financial statement assertions. If you have overlapping controls for the assertions related to specific risks, then you do not have to test every control, only the most significant controls.

  • I wonder if the vendor master file maintenance activity might encompass BOTH areas of risk. The financial risks are present as discussed, as these are monetary values that must be accurately reported to the SEC and other controlling entities.
    In thinking about the operational aspects, some companies rely very heavily on 3rd party contractors. These companies would be more at risk on an operational basis than others. If improper setup or recordkeeping were to occur, it could lead to dissatisfaction by the vendor and potential impacts to contractual agreements in place.
    For example, if a vendor in the area became dissatisfied and the company had to go outside the area for supplies, this could present production risks to the operations, as a scarce resource is no longer available. In the past, I’ve seen sloppy recordkeeping actually impact vendor-company relationships. It’s a real risk and hopefully it’s a rare one in most companies.
    I may be thinking too far out-of-the-box on this one 😉 For SOX purposes, if you only had one category to choose from, I’d choose the financial categorization, as the chief purpose of SOX-based controls is assurance that no one is ‘cooking the books’.
    However, this may be important enough to classify as BOTH a financial and operational risk. It might be applicable for some companies that have a high degree of reliance on the services of 3rd party vendors. I don’t see how it’d hurt to evaluate this from both perspectives if warranted.

  • Hi Erika,
    Not to further belabor the issue, but was your question answered? It appears that we have consensus from those who provided feedback: all persons posting a reply agree that vendor master file maintenance is appropriately classified as MOST directly impacting the

    1. Reliability of Financial Reporting

      The other two categories of internal control as defined in the COSO ‘Cube’ are:

    2. effectiveness and efficiency of operations, and
    3. compliance with applicable laws and regulations.

      Although operating activities surrounding maintenance of the Vendor Master File may have some bearing on the effectiveness and efficiency of operations, the relationship is not as direct, nor is the degree of causality as strong, as the impact on the reliability of financial reporting.
      However, this does not mean that there is no relationship whatsoever. A Venn Diagram containing the following entity objectives - financial reporting, regulatory compliance, and operations - would appropriately show some OVERLAP among the three objectives. This demonstrates that some control processes address multiple objectives.
      Thus, you were not entirely incorrect in your logic, just not as definitive as the current consensus among practicing SOX professionals.
      Kind Regards,

  • Objective: Restricted Access
      Accounts payable processing duties are NOT segregated from vendor master file maintenance duties.
        Failure to establish proper controls over purchasing records through established procedures and segregation of duties may result in ERRORS, OMISSIONS, and/or UNAUTHORIZED PURCHASES caused by unfamiliarity with job responsibilities, reporting relationships, required approvals, and processing requirements.
      Additions, changes or deletions to the vendor master file are NOT properly approved by the authorized individual.
        Records may be misused or altered by unauthorized personnel.
        Procedures may be implemented that circumvent existing internal control techniques.
        Payment may be made to unauthorized or nonexistent suppliers.
        The potential for theft, errors and irregularities, related party transactions and/or conflict of interest is increased substantially.
    Objective: Completeness, Validity
      All vendors in the vendor master file are NOT properly approved or are NOT supported with appropriate documentation (i.e. reasons for selection, financial investigations, etc.).
        May result in errors, omissions and/or unauthorized purchases caused by unfamiliarity with job responsibilities, reporting relationships, required approvals, and processing requirements.
    Objective: Completeness, Accuracy
      Vendor master files are NOT periodically updated to reflect only current authorized vendors.
        May result in errors, omissions and/or unauthorized purchases caused by unfamiliarity with job responsibilities, reporting relationships, required approvals, and processing requirements.
    Hope this concludes your concern,

  • Milan, HarryWaldron and Kymike (sorry I forgot to include your name earlier)
    Thanks for the advice. You’ve all been of great help. It’s really good to have this forum for knowledge transfer and sharing.