Case in point: Conde Nast's $8 million email scam, as reported in this Forbes Magazine blog posting from William Barrett and Janet Novack.
What seems to have happened in the Conde Nast case is that a fraudster sent in a change of address / change of banking information request on behalf of a legitimate vendor. But the bank information provided was not the actual vendor's; rather, it was for an account set up by the fraudster with a name and address similar to those of the real vendor. So properly authorized payments totaling nearly $8 million were misdirected. The fraud was detected when the real vendor called to ask "where's our money?"
A variety of preventive and detective controls began to visualize in my head when I read this story. How are changes to address and/or bank information communicated from your suppliers? How are these changes corroborated?
How might data analysis be used to identify mismatches between supplier names and addresses? Seems like a good time to ask at your organization, even if an AP audit is not on the current quarter's schedule.
Joe Oringel
Visual Risk IQ
Charlotte, NC USA
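One way to run the name and address comparison asked about above, as an added example that is not part of the original post. The vendor records, change requests, field names (including `callback_verified`) and the 0.85 address threshold are all constructed assumptions, not data from the Conde Nast case.

```python
import re
from difflib import SequenceMatcher

# Constructed sample data: vendor master file as it stood before any change request.
VENDOR_MASTER = {
    "V1001": {"name": "Acme Printing Co.", "address": "100 Main St, Dayton, OH 45402"},
    "V1002": {"name": "Northside Paper LLC", "address": "22 Mill Rd, Albany, NY 12207"},
}

# Constructed change requests: payee name and address supplied with the new bank details.
CHANGE_REQUESTS = [
    {"id": "C1", "vendor": "V1001", "payee": "Acme Printing Company",
     "address": "100 Main Street, Dayton, OH 45402", "callback_verified": True},
    {"id": "C2", "vendor": "V1001", "payee": "Acme Printers Inc",
     "address": "PO Box 77, Austin, TX 78701", "callback_verified": False},
    {"id": "C3", "vendor": "V1002", "payee": "Northside Paper LLC",
     "address": "22 Mill Rd, Albany, NY 12207", "callback_verified": False},
]

SUFFIXES = {"co", "company", "inc", "llc", "ltd", "corp", "corporation"}
ABBREV = {"street": "st", "road": "rd", "avenue": "ave", "suite": "ste"}

def normalize(text, drop=frozenset()):
    """Lowercase, strip punctuation, unify abbreviations, drop words in `drop`."""
    words = re.sub(r"[^a-z0-9 ]", " ", text.lower()).split()
    return " ".join(ABBREV.get(w, w) for w in words if w not in drop)

def similarity(a, b):
    return SequenceMatcher(None, a, b).ratio()

def flag_changes(master, requests, addr_min=0.85):
    """Return {request id: [reasons]} for requests that need manual review."""
    flagged = {}
    for req in requests:
        vendor = master[req["vendor"]]
        reasons = []
        name_m = normalize(vendor["name"], SUFFIXES)
        name_r = normalize(req["payee"], SUFFIXES)
        if name_m != name_r:  # a near match is the lookalike case, so any difference is flagged
            reasons.append(f"payee name differs from master (similarity {similarity(name_m, name_r):.2f})")
        if similarity(normalize(vendor["address"]), normalize(req["address"])) < addr_min:
            reasons.append("address does not match master")
        if not req["callback_verified"]:  # hypothetical field: callback to a contact already on file
            reasons.append("no callback to contact already on file")
        if reasons:
            flagged[req["id"]] = reasons
    return flagged
```

A high similarity score on a name that still differs after normalization is the pattern to review first, since a lookalike payee is designed to pass a casual visual check.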