Vendor Information Management Risk Survey

1. Do you have a policies and procedures manual that provides comprehensive guidance on vendor onboarding, including registration, verification, approvals and set up?
   - Yes
   - No

2. Rate the degree to which your personnel follow the policies and procedures in vendor onboarding – where 1 is “Yes - Consistently” and 5 is “No, not at all.”
   - 1 - Yes consistently
   - 2
   - 3
   - 4
   - 5 - No, not at all

3. How frequently do you review and update your written policies & procedures?
   - We review the written policies & procedures against actual practices and update annually.
   - We review the written policies & procedures against actual practices and update every two years.
   - We review the written policies & procedures against actual practices and update every three years.
   - We review the written policies & procedures against actual practices and update every four years.
   - We review the written policies & procedures against actual practices and update every five years.
   - We update written policies & procedures whenever needed to reflect changed needs or better controls.
   - We seldom make changes to our written policies & procedures.
   - We have not revised our written policies & procedures in the last five years.
   - Other (please specify)

4. Do you set up new vendors from a completed New Vendor Set-Up Form that is not a standard IRS-issued W-9?
   - Yes
   - No

5. Do you have a required approval process or processes for new vendors?
   - Yes
   - No

6. Does your approval process have an audit trail?
   - Yes
   - No

7. Is access to the vendor master file restricted to assigned, authorized staff only?
   - Yes
   - No

8. Do you compare new vendor addresses to employee addresses and resolve any matches?
   - Yes
   - No

9. Do you segregate duties, preventing those who approve or process invoices from entering or updating vendors in the vendor master file?
   - Yes
   - No

10. When entering new vendors, do you follow a specified vendor naming convention?
   - Yes
   - No

11. Do you apply USPS and UPU address standardization to vendor addresses?
   - Yes
   - No

12. Do you perform a search of the vendor master file for a duplicate vendor entry before adding a new vendor?
   - Yes
   - No

13. Do you have a conflict-of-interest policy whereby an employee must disclose any conflict of interest with any of your company’s vendors?
   - Yes
   - No
   - I don’t know

14. Are employees with a conflict of interest prevented from selecting vendors?
   - Yes
   - No
   - I don’t know

15. Are employees with a conflict of interest prevented from access to the vendor master file?
   - Yes
   - No
   - I don’t know

16. When information change requests are received, do you contact the vendor independently to confirm the change?
   - Yes
   - No
   - Not always (please explain):

17. When you receive a vendor information change request, does it require approval prior to the change being made in the vendor master?
   - Yes
   - No

18. Do you retain documentary evidence of change requests?
   - Yes
   - No

19. Do you retain documentary evidence of verifications?
   - Yes
   - No

20. Do you retain documentary evidence of approvals?
   - Yes
   - No

21. Do you verify the vendor's bank account information with a trusted vendor contact?
   - Yes
   - No

22. Do you verify a vendor’s bank account information for electronic payments with the vendor's bank?
   - Yes
   - No

23. Does management receive and review periodic reports of changes to the vendor master file?
   - Yes
   - No

24. Do you deactivate/change status of vendors in the vendor master file that have not had any activity after some specified period?
   - Yes
   - No

25. After how long a period of inactivity do you change a vendor’s status to inactive?
   - 13 months
   - 19 months
   - We do not inactivate vendor records.
   - Other (please specify)

26. Does management periodically review the vendor master file for incomplete, incorrect, duplicate and superfluous records?
   - Yes
   - No

27. Do you perform background checks on employees who handle sensitive vendor data such as tax identification numbers or bank information?
   - Yes
   - No