1 April 2026 · Gumshoe Team

A Risk-Based Supplier Onboarding Framework for Australian Accountants

Not every new supplier presents the same risk. A risk-tiered onboarding framework lets your team apply the right level of scrutiny to each relationship without creating unnecessary friction for legitimate vendors.

Why a Uniform Approach to Supplier Onboarding Fails

Many organisations respond to supplier fraud risk by implementing uniform verification requirements for all new vendors: the same checklist, the same approval steps, the same documentation requirements, regardless of the supplier's profile. This approach has two failure modes. It applies insufficient scrutiny to high-risk suppliers — because the checklist is calibrated to what is achievable at volume — and it creates unnecessary friction for low-risk suppliers, damaging the supplier relationship before it has begun.

A risk-based framework solves both problems. It calibrates the verification effort to the risk profile of the specific supplier relationship, ensuring that high-risk onboardings receive the scrutiny they warrant while routine onboardings can be processed efficiently.

The Four Risk Dimensions

Supplier onboarding risk can be assessed across four dimensions. Each dimension contributes to an overall risk tier that determines the appropriate verification response.

1. Payment Exposure

The higher the potential payment amounts, the higher the risk associated with a fraudulent or non-performing supplier. A cleaning contractor billing $800 per month presents different exposure than an IT services provider billing $80,000 per quarter. Payment exposure thresholds should be calibrated to your organisation's specific context, but a common starting point is:

  • Low: < $10,000 per annum expected
  • Medium: $10,000 – $100,000 per annum expected
  • High: > $100,000 per annum expected

2. Relationship Novelty

How was the supplier introduced? A supplier referred by a long-standing client or business associate presents lower risk than a supplier who approached your business speculatively or through an unusual channel. A supplier you have dealt with for years in a different capacity (for example, a contractor becoming a vendor) presents lower risk than a completely unknown entity.

3. Entity Characteristics

Several characteristics of the supplier entity itself contribute to risk:

  • ABN age — new registrations require additional scrutiny
  • Entity type — companies have ASIC oversight; sole traders do not
  • GST registration status — inconsistency with entity type or claimed turnover is a red flag
  • Web and email infrastructure maturity — young domains and missing authentication records increase risk
  • Reputation signals — threat intelligence database listings are disqualifying

4. Service Type

Suppliers providing professional services (legal, accounting, IT, consulting) present different risks than suppliers of physical goods. Service invoices are harder to verify against delivery, making fictitious invoice fraud easier. Suppliers with access to your systems or facilities present data security risks beyond financial fraud. Suppliers operating internationally present additional jurisdictional risk in recovery scenarios.

A Practical Three-Tier Framework

Tier 1: Standard Onboarding

Applies to: Low payment exposure, known referral source, established entity with mature web and email infrastructure

A Gumshoe automated verification covering all eight free checks, reviewed by the responsible AP staff member. The assurance score and report are saved to the vendor record. Banking details are confirmed by a brief phone call or email to a previously confirmed contact.

Target processing time: 15 minutes.

Tier 2: Enhanced Onboarding

Applies to: Medium payment exposure, or any risk dimension that cannot be assessed as low

Automated verification (all eight free checks), plus a manual review of the supplier's web presence and any publicly available information. A phone call to the supplier using a number independently sourced (not from the invoice or email) to confirm business details, banking information, and the identity of the key contact. Consider requesting trade references for relationships expected to exceed $50,000 per annum.

Target processing time: 30–45 minutes.

Tier 3: Full Due Diligence

Applies to: High payment exposure, unusual referral channel, any significant anomaly in the automated verification, or any combination of risk factors

Automated verification, manual research, trade references, a face-to-face or video meeting with the supplier's principal, and potentially engagement of a specialist due diligence provider for corporate structure verification. Documentation of every step, with approval required from a senior manager or director before the vendor is created in the accounting system.

Target processing time: 1–3 business days.

Banking Detail Changes Require Special Treatment

Banking detail changes should be treated as a Tier 2 or Tier 3 event regardless of the payment exposure. This is the single highest-risk event in the AP cycle — the moment when a fraudster is most likely to intervene. Requirements for banking detail changes should include:

  • Written request from a known contact at the supplier
  • Phone confirmation to a number already held (not provided in the request)
  • Re-verification of the supplier's domain and email infrastructure (a change request from a recently registered domain is a disqualifying red flag)
  • Approval from at least two authorised signatories
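The tier assignment described in the three-tier framework above, with the banking-detail-change rule layered on top, as an added example in Python (not Gumshoe's code). The payment exposure thresholds are the article's; the 365-day cut-off for a "new" ABN or domain, the referral labels, and the rule that two or more raised dimensions trigger Tier 3 are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Exposure thresholds are the article's; the 365-day cut-off and the "two or more raised dimensions" rule are assumptions.
LOW_EXPOSURE_MAX = 10_000
HIGH_EXPOSURE_MIN = 100_000
NEW_REGISTRATION_DAYS = 365

@dataclass
class Supplier:
    expected_annual_spend: float
    referral: str                  # "known", "speculative" or "unusual" (assumed labels)
    abn_age_days: int
    domain_age_days: int
    email_auth_present: bool       # email authentication records found for the domain
    threat_listed: bool            # listed in a threat intelligence database
    professional_service: bool = False
    system_access: bool = False    # supplier will have access to systems or facilities
    international: bool = False
    verification_anomaly: bool = False  # significant anomaly in the automated checks
    banking_change: bool = False        # request changes existing banking details

def exposure_level(spend: float) -> str:
    return "low" if spend < LOW_EXPOSURE_MAX else "high" if spend > HIGH_EXPOSURE_MIN else "medium"

def assign_tier(s: Supplier) -> Tuple[Optional[int], List[str]]:
    """Return (tier, reasons); tier is None when the supplier is disqualified."""
    if s.threat_listed:
        return None, ["threat intelligence listing"]
    if s.banking_change and s.domain_age_days < NEW_REGISTRATION_DAYS:
        return None, ["banking change requested from a recently registered domain"]
    exposure = exposure_level(s.expected_annual_spend)
    # One flag per risk dimension that cannot be assessed as low
    flags = {
        "payment exposure": exposure != "low",
        "relationship novelty": s.referral != "known",
        "entity characteristics": (s.abn_age_days < NEW_REGISTRATION_DAYS
                                   or s.domain_age_days < NEW_REGISTRATION_DAYS
                                   or not s.email_auth_present),
        "service type": s.professional_service or s.system_access or s.international,
        "automated verification": s.verification_anomaly,
    }
    reasons = [name for name, hit in flags.items() if hit]
    if (exposure == "high" or s.referral == "unusual"
            or s.verification_anomaly or len(reasons) >= 2):
        return 3, reasons                    # Tier 3: full due diligence
    if reasons or s.banking_change:          # a banking change is at least a Tier 2 event
        return 2, reasons or ["banking detail change"]
    return 1, reasons                        # Tier 1: standard onboarding
```

The returned reasons list is what the AP reviewer records against the vendor record alongside the tier, so the basis for the assignment is auditable later.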

Making the Framework Work in Practice

The risk tier assignment should happen at the point of initial onboarding request — before the verification process begins — so that the appropriate level of scrutiny is clear. Automating the initial verification (Gumshoe's assurance score and detailed check results) gives the person making the tier assignment an objective data point to work with rather than relying on gut feel.

The framework should be documented in your AP policies and procedures manual, reviewed annually, and audited for compliance. If a fraud does occur, evidence that a risk-based framework was in place — and that the supplier in question was appropriately verified — is the strongest possible demonstration of reasonable due diligence.


Contains data sourced from the Australian Business Register and ASIC, © Commonwealth of Australia, licensed under CC BY 3.0 AU.