GST / Procurement

Vendor Onboarding: GST and Control Scorecard

CA Nikhil Gupta·June 2026·3 min readGST / Procurement

Vendor onboarding is the first line of defence against fake invoices, diverted payments and blocked tax credit.

Quick View

Owner

Procurement and finance

Cadence

Before first order, annual refresh

First control

Collect a standard onboarding pack.

Core evidence

PAN, GST and incorporation records.

Why It Matters

Finance should verify legal name, PAN, GSTIN, address, bank account and authorised contact using official records and independent confirmation. A bank-detail change deserves fresh verification.

GST registration alone does not prove that every invoice creates input-tax credit. Supply, receipt, invoice, tax payment, return reporting and legal restrictions all affect eligibility.

Vendor risk also includes MSME status, sanctions, related parties, confidentiality, data access, insurance and subcontracting. The scorecard should change the approval route, not merely assign a colour.

Control Framework

ControlWhat it coversOperating rule
IdentityLegal and tax registrations match the contract.Verify on official portals.
BankingAccount belongs to the contracted vendor.Use maker-checker confirmation.
TaxInvoice and GST reporting support the transaction.Reconcile with GSTR-2B.
RiskConflict, data and service dependence are assessed.Apply enhanced due diligence.

Action Checklist

  1. Collect a standard onboarding pack.
  2. Verify GSTIN and legal name.
  3. Confirm bank details independently.
  4. Capture MSME and related-party status.
  5. Execute contract before service begins.
  6. Review high-risk vendors annually.

Practical Example

A supplier emails a new bank account one day before payment. The name is similar but not identical to the contracted entity. The payment should stop until an authorised contact and independent bank evidence confirm the change.

Evidence to Keep

  • PAN, GST and incorporation records.
  • Cancelled cheque or bank proof.
  • MSME declaration.
  • Conflict and beneficial-owner declaration.
  • Contract and purchase order.
  • Onboarding approval and later review.

Warning Signs

  • Copying bank details from an invoice without verification.
  • Treating active GSTIN as proof of delivery.
  • Ignoring related-party relationships.
  • Onboarding after invoices arrive.
  • Using one score for all vendor risks.

Management Decision

Set enhanced checks for vendors with customer data, high advances, subcontracting, cross-border payments or critical operational dependence.

Block payment when master data changes outside the approved process. Fraud prevention is more valuable than recovering a diverted payment.

Document the decision, owner, due date and evidence expected. A verbal explanation should be converted into a board note, approved working, contract amendment, portal acknowledgement or reconciliation before the item is treated as closed.

Rules, forms, thresholds and interpretations can change. The operating team should use the latest official source and the actual company facts instead of copying a control from another entity or prior year.

Monthly Review Test

Ask four questions: Is the obligation or accounting treatment applicable? Has the underlying transaction been completely recorded? Does the evidence agree with the books and portal? Has an independent reviewer challenged the exception?

The review should distinguish a timing difference from an error, a judgement from a missing document, and a control failure from a one-time operational delay. Repeated small exceptions deserve root-cause action because they often become material during audit, fundraising, notice or distress.

Exception Review

The operating record should connect the control stages—identity, banking, tax, risk—to the same transaction population. If the source list, accounting ledger, tax return, board record and management dashboard use different populations, the review can appear complete while exceptions remain outside the test.

Management should define an exception threshold, but the threshold must not hide repeated failures. A small error occurring every month can signal weak master data, unclear ownership or a broken interface. The reviewer should record root cause, immediate correction and preventive action separately.

Closure requires evidence. At minimum, the file should show who prepared the work, who reviewed it, which source documents were used, what differences remained and when the next follow-up is due. Screenshots without context or spreadsheets without source references are not a durable control record.

Tag every working with the legal entity, tax period and governing law. The filing date alone does not decide which Act, rate, form or limitation period applies, especially during the 2026 income-tax transition or where a notice covers earlier GST periods.

Portal data should be downloaded and preserved with the filing version. Later supplier corrections, updated statements or portal changes can otherwise make it difficult to prove what information management used when the return or response was approved.

Frequently Asked Questions

Can an active GSTIN guarantee ITC? â–¼
No. The transaction must meet the legal conditions and reconcile with supplier reporting.
Why capture MSME status? â–¼
It affects payment and disclosure obligations under applicable law.
Should every bank change be reverified? â–¼
Yes. Vendor-email compromise commonly targets payment-master changes.
Who owns onboarding? â–¼
Procurement owns the commercial need, while finance, tax, legal and security review their risks.