Vendor Selection & Due Diligence: Authenticating the Vendor

Before a single invoice is approved, accounts payable must have established that the vendor is who it claims to be, that it is authorized to receive payment, and that its risk profile is commensurate with what is being purchased.

The disbursement of funds through accounts payable is not a clerical act. It is the terminal point of a control system whose integrity depends, above all, on one foundational question: is this vendor legitimate? Vendor selection and due diligence are not procurement functions that happen upstream of AP—they are control functions in which AP must be a participant and, in many respects, a gatekeeper. Authentication of the vendor is the prerequisite to all else.

This requires drawing a sharp distinction between two categories of vendor relationship that carry fundamentally different risk profiles and therefore demand different selection processes and levels of due diligence: direct spend vendors, whose goods or services enter the organization's core operations or value chain, and indirect spend vendors, who supply the general support environment in which the organization functions.

The Foundational Distinction: Direct vs. Indirect Spend

The terms are often used loosely in procurement literature, but for purposes of AP control, the distinction carries precise meaning. Direct spend vendors supply what the organization produces, delivers, or depends on operationally. A manufacturer's raw material suppliers, a hospital's pharmaceutical and equipment vendors, a technology firm's critical software licensors—these are direct spend relationships. Disruption, fraud, or substitution in this category affects not merely cost but the organization's capacity to function.

Indirect spend vendors supply the operating environment: office supplies, facilities maintenance, temporary staffing, professional services, travel and expense providers. These are necessary but not operationally singular. Most indirect spend vendors are, in principle, substitutable; the organization can survive their loss or replacement without mission-critical disruption.

Direct Spend

• Operationally critical: Inputs that flow directly into the product, service, or core delivery function. Substitution carries operational risk.

• High concentration risk: often a small number of strategic suppliers. Single-source or sole-source situations are common and intensify control requirements.

• Long-cycle, contract-based: Relationships are formalized through negotiated agreements. Onboarding is intensive and recurring review is structured.

• Regulatory & compliance overlay: Often subject to quality certification, supply chain traceability, sanctions screening, and sector-specific compliance requirements.

Indirect Spend

• Operationally supportive: Inputs that support the working environment. Substitution may be inconvenient but is rarely mission-critical.

• Distributed risk: Typically a large number of vendors, many transactional. Risk is diffuse but volume creates exposure to fraud at scale.

• High-turnover, often transactional: Relationships may be initiated quickly, sometimes without formal contract. Onboarding is a primary fraud vulnerability.

• Internal policy overlay: Governed primarily by internal policy rather than regulatory mandate, though OFAC/sanctions screening remains universally required.

The ghost vendor, the fictitious payee, and the redirected payment all share a common origin: a failure of vendor authentication at the point of onboarding.

Authenticating the Vendor: The Core Control Obligation

Vendor authentication is the process of establishing, before any payment obligation is created, that a prospective vendor is a real, legally constituted entity; that the individuals representing it are authorized to do so; that its banking and remittance information belongs to it; and that it presents no disqualifying legal, financial, or reputational risk. This is the work of due diligence, and it must be calibrated to the spend category.

Authentication Elements Common to All Vendors

Regardless of spend category, certain authentication steps are non-negotiable for any vendor admitted to the approved vendor master. These represent the minimum control floor.

1. Legal entity verification

Confirm the vendor's legal name, jurisdiction of incorporation or registration, and current good standing through authoritative public records—state secretary of state databases, Companies House, or equivalent. Trade names and DBAs must be traced to their registered legal entities.

2. Tax identity confirmation

Obtain and verify the vendor's taxpayer identification number (EIN/TIN for U.S. entities; equivalent for foreign) through IRS TIN matching or equivalent. W-9 or W-8 series forms must be current, complete, and retained. This is not merely a tax compliance step—it is an identity control.

3. Sanctions and watchlist screening

Screen the vendor name, beneficial owners, and key principals against OFAC SDN and consolidated sanctions lists, FinCEN advisories, and any sector-specific debarment lists. This is a legal obligation under U.S. law and applicable to all vendors without exception.

4. Banking information authentication

Verify remittance details—bank name, routing number, account number—through a callback to a number independently obtained from the vendor's verified records, not from the onboarding documentation itself. Changes to banking information after onboarding must trigger re-verification. This step prevents the most common form of business email compromise fraud in AP.

5. Authorized representative confirmation

Confirm that the individuals signing agreements, submitting onboarding documentation, or providing banking instructions have authority to bind the vendor entity. This may involve reviewing corporate authorization documents or obtaining a letter of authorization on the vendor's letterhead.

Each of these is defined and explained in greater detail elsewhere in this resource.

Due Diligence for Direct Spend Vendors

Because direct spend vendors are operationally critical, their due diligence must go substantially further than identity verification. The selection process for a direct spend vendor is, in effect, a risk underwriting exercise—one in which AP's role is to confirm that financial, legal, and operational realities are consistent with what the procurement or business unit has represented.

Financial Viability and Stability

A direct spend vendor whose financial condition is deteriorating presents operational risk that may materialize without warning. AP should require and review recent financial statements—audited where available, or at minimum reviewed statements from a CPA firm—for any direct spend vendor above a materiality threshold. Key indicators include liquidity ratios, leverage, accounts receivable aging (which may signal customer concentration risk), and any going-concern qualifications in auditor reports. For privately held vendors, this review may require negotiation, but the organization's operational dependence justifies the ask.

A structured review of litigation history, regulatory actions, and any pending enforcement proceedings is appropriate for direct spend vendors. Court records searches, state licensing board records, and industry-specific regulatory filings (FDA warning letters, EPA violations, OSHA citations) can surface material risks. The presence of litigation is not automatically disqualifying, but undisclosed litigation that materializes post-onboarding raises both financial and reputational exposure.

Supply Chain and Subcontractor Transparency

For direct spend vendors who themselves rely on subcontractors or second-tier suppliers, AP and procurement should require disclosure of that dependency structure. A sole-source vendor whose own supply chain is undisclosed and fragile is a concentrated risk at two removes. Where regulatory requirements apply—conflict minerals reporting, forced labor due diligence under the Uyghur Forced Labor Prevention Act, or supply chain traceability requirements in regulated industries—written representations and supporting certifications are required.

Quality, Certification and Qualification Review

Industry certifications (ISO standards, FDA establishment registration, AS9100 for aerospace, SOC 2 for technology vendors handling sensitive data) should be verified directly with issuing bodies where possible, not merely accepted on the vendor's representation. Certificates can be altered, expired, or fabricated. The validation must be independent.

Control Note

Sole-source direct spend vendors demand the most intensive due diligence and the most rigorous ongoing monitoring. When there is no alternative supplier, the consequences of vendor failure or fraud are undiversifiable. The concentration of operational dependence requires a commensurate concentration of control attention.

Periodic Re-Qualification

For direct spend vendors, initial due diligence does not remain valid indefinitely. Financial conditions change, ownership changes, regulatory status changes. A re-qualification cycle—annually for high-criticality vendors, biennially at minimum for others—should be built into the vendor management program as a standing AP control responsibility.

Due Diligence for Indirect Spend Vendors

The risk profile of indirect spend is different in kind, not merely in degree. Where direct spend presents concentrated operational risk, indirect spend presents distributed fraud risk. The large number of indirect vendors, the frequency of new vendor onboarding, and the often-transactional nature of the relationships create precisely the conditions that ghost vendor schemes, fraudulent invoicing, and payment diversion attacks exploit.

The due diligence framework for indirect spend vendors is therefore calibrated primarily around authentication and fraud prevention, rather than the operational and financial depth required for direct spend.

Tiered Due Diligence by Spend Threshold

A blanket approach to indirect vendor due diligence is neither practical nor risk-proportionate. A tiered framework, indexed to anticipated spend volume, is the standard approach. A vendor engaged for a one-time, low-value service requires less investigation than a recurring indirect vendor with an annualized spend in the six figures. A reasonable framework might tier vendors as follows: under a defined low-spend threshold, basic identity and sanctions screening with W-9 are sufficient; above that threshold, independent entity verification, reference checks, and a business purpose attestation are added; above a higher threshold, elements drawn from the direct spend framework apply.

Conflict of Interest Screening

Indirect spend is a frequent vehicle for related-party transactions that are not disclosed as such. Employees who establish or control vendors through which they then process purchases represent a classic internal fraud pattern. Requiring vendor onboarding documentation to include disclosure of any beneficial ownership interest held by employees or their immediate family members—and cross-referencing this against HR records—is a baseline control. Annual conflict of interest certifications for employees with procurement authority reinforce this.

Business Purpose Documentation

Every indirect vendor admitted to the vendor master should have a documented business purpose—a clear statement of what is being purchased and from whom and why this vendor was selected. This may seem administrative, but it serves a critical control function: it makes fictitious vendors difficult to sustain. A vendor master entry without a documented business purpose is an unexplained liability.

Vendor Master Hygiene as an Ongoing Control

The indirect spend vendor master is typically larger, more volatile, and more vulnerable to stale or unauthorized entries than the direct spend list. Active vendor master hygiene—periodic purging of inactive vendors, review of vendors with no recent payment activity, systematic de-duplication, and flagging of entries with common addresses, bank accounts, or taxpayer IDs—is an AP control function that must be performed on a defined schedule, not on an ad hoc basis.
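As an added illustration of the hygiene checks just described and of the employee cross-reference from the conflict of interest section above, the following Python is not from the original article: it runs de-duplication (shared TIN, bank account or address), inactivity review, and an HR overlap check over a constructed vendor master. The vendor and employee records, the normalization rule and the 365-day idle threshold are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import date

def normalize(value):
    """Case-fold, drop punctuation and collapse whitespace so near-duplicates collide."""
    return " ".join(value.lower().replace(".", "").replace(",", "").split())

# Constructed sample vendor master and HR extract: no real entities, TINs or accounts.
FIELDS = ("id", "name", "tin", "bank", "address", "last_paid")
VENDORS = [dict(zip(FIELDS, row)) for row in [
    ("V001", "Acme Supply LLC", "12-3456789", "021000021:1001", "10 Main St", date(2024, 3, 1)),
    ("V002", "ACME SUPPLY L.L.C.", "12-3456789", "021000021:1001", "10 Main St.", date(2022, 1, 15)),
    ("V003", "Bright Cleaning Co", "98-7654321", "011000015:2002", "55 Elm Ave", date(2024, 5, 20)),
    ("V004", "Ridge Consulting", "45-6789012", "026009593:3003", "7 Oak Ln", date(2024, 6, 2)),
    ("V005", "Delta Temps Inc", "33-2211009", "011000015:2002", "90 Pine Rd", date(2024, 4, 11)),
]]
EMPLOYEES = [{"id": "E007", "bank": "026009593:3003", "address": "7 Oak Ln"},
             {"id": "E012", "bank": "121000248:4004", "address": "3 Birch Ct"}]

def duplicate_key_groups(vendors, key):
    """Vendor ids that share one value of `key` (tin, bank or address). Two different
    vendor names paying into one bank account is the classic ghost-vendor signal."""
    groups = defaultdict(list)
    for v in vendors:
        groups[normalize(v[key])].append(v["id"])
    return {k: ids for k, ids in groups.items() if len(ids) > 1}

def stale_vendors(vendors, as_of, max_idle_days=365):
    """Vendors with no payment within max_idle_days: candidates for inactivation."""
    return sorted(v["id"] for v in vendors if (as_of - v["last_paid"]).days > max_idle_days)

def employee_overlaps(vendors, employees):
    """Conflict-of-interest cross-reference: vendor bank or address matching an HR record."""
    by_bank = {normalize(e["bank"]): e["id"] for e in employees}
    by_addr = {normalize(e["address"]): e["id"] for e in employees}
    hits = []
    for v in vendors:
        if normalize(v["bank"]) in by_bank:
            hits.append((v["id"], by_bank[normalize(v["bank"])], "bank"))
        if normalize(v["address"]) in by_addr:
            hits.append((v["id"], by_addr[normalize(v["address"])], "address"))
    return hits

def hygiene_report(vendors=VENDORS, employees=EMPLOYEES, as_of=date(2024, 7, 1)):
    """Run every check once and return the findings for AP review."""
    report = {key: duplicate_key_groups(vendors, key) for key in ("tin", "bank", "address")}
    report["stale"] = stale_vendors(vendors, as_of)
    report["conflicts"] = employee_overlaps(vendors, employees)
    return report
```

Each finding is a review queue item, not a verdict: a shared address may be a legitimate shared office, but a shared bank account under two names, or a vendor account matching an employee's, warrants independent re-verification before the next payment.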

Fraud Pattern

The most common ghost vendor scheme exploits the gap between procurement's vendor request and AP's onboarding review. When onboarding is treated as an administrative formality rather than a control checkpoint, the authentication step that should detect fabricated vendors is effectively removed. AP must own the authentication step independently of procurement's vendor request.

The Approved Vendor Master as the Control Boundary

The approved vendor master is not a directory. It is a control list. Admission to the vendor master is the event at which authentication is certified and the organization's financial exposure to that counterparty is authorized. Every vendor on the master has, in effect, passed a control checkpoint. Every payment is validated against that master.

This means that the integrity of the vendor master is the integrity of the disbursement control. An unauthorized entry in the vendor master is an authorized fraud. Controls over who can add, modify, or inactivate vendor master records are therefore of the same order of importance as controls over payment authorization itself. Addition of new vendors and modification of existing vendor records—especially banking and remittance information—must require dual authorization and leave an auditable trail.

The segregation of duties principle applies with full force: the employee who requests a vendor, the employee who performs due diligence and authenticates the vendor, and the employee who authorizes admission to the vendor master should not be the same individual or the same function. In smaller organizations where complete segregation is not feasible, compensating controls—supervisory review of all new vendor additions, independent notification to a senior officer of banking information changes, and periodic external audit of the vendor master—must substitute.

"The vendor master is a control list, not a directory. Admission to it is an act of authorization with the same financial consequence as signing a check."

Conclusion: Authentication Is Not a Procurement Function

Procurement selects vendors on the basis of price, quality, capability, and relationship. Accounts payable authenticates them on the basis of legal identity, financial integrity, and disbursement safety. These are related but distinct functions, and confusing them creates a control gap through which fraud reliably flows.

The discipline of vendor due diligence, properly understood as a control function rather than a procurement formality, requires that AP maintain independent authentication capability—its own verification processes, its own access to authoritative data sources, its own records of what was verified and when—rather than relying solely on the representations of the requesting business unit or the vendor itself.

The distinction between direct and indirect spend does not alter this principle; it calibrates its application. Direct spend demands depth. Indirect spend demands breadth and vigilance at scale. Both demand that the question "Is this vendor who it says it is?" be answered with evidence, not assumption, before any payment obligation is incurred.
