Vendor onboarding is the first line of defence against fake invoices, diverted payments and blocked tax credit.
Procurement and finance
Before first order, annual refresh
Collect a standard onboarding pack.
PAN, GST and incorporation records.
Finance should verify legal name, PAN, GSTIN, address, bank account and authorised contact using official records and independent confirmation. A bank-detail change deserves fresh verification.
GST registration alone does not prove that every invoice creates input-tax credit. Supply, receipt, invoice, tax payment, return reporting and legal restrictions all affect eligibility.
Vendor risk also includes MSME status, sanctions, related parties, confidentiality, data access, insurance and subcontracting. The scorecard should change the approval route, not merely assign a colour.
| Control | What it covers | Operating rule |
|---|---|---|
| Identity | Legal and tax registrations match the contract. | Verify on official portals. |
| Banking | Account belongs to the contracted vendor. | Use maker-checker confirmation. |
| Tax | Invoice and GST reporting support the transaction. | Reconcile with GSTR-2B. |
| Risk | Conflict, data and service dependence are assessed. | Apply enhanced due diligence. |
Set enhanced checks for vendors with customer data, high advances, subcontracting, cross-border payments or critical operational dependence.
Block payment when master data changes outside the approved process. Fraud prevention is more valuable than recovering a diverted payment.
Document the decision, owner, due date and evidence expected. A verbal explanation should be converted into a board note, approved working, contract amendment, portal acknowledgement or reconciliation before the item is treated as closed.
Rules, forms, thresholds and interpretations can change. The operating team should use the latest official source and the actual company facts instead of copying a control from another entity or prior year.
Ask four questions: Is the obligation or accounting treatment applicable? Has the underlying transaction been completely recorded? Does the evidence agree with the books and portal? Has an independent reviewer challenged the exception?
The review should distinguish a timing difference from an error, a judgement from a missing document, and a control failure from a one-time operational delay. Repeated small exceptions deserve root-cause action because they often become material during audit, fundraising, notice or distress.
The operating record should connect the control stages—identity, banking, tax, risk—to the same transaction population. If the source list, accounting ledger, tax return, board record and management dashboard use different populations, the review can appear complete while exceptions remain outside the test.
Management should define an exception threshold, but the threshold must not hide repeated failures. A small error occurring every month can signal weak master data, unclear ownership or a broken interface. The reviewer should record root cause, immediate correction and preventive action separately.
Closure requires evidence. At minimum, the file should show who prepared the work, who reviewed it, which source documents were used, what differences remained and when the next follow-up is due. Screenshots without context or spreadsheets without source references are not a durable control record.
Tag every working with the legal entity, tax period and governing law. The filing date alone does not decide which Act, rate, form or limitation period applies, especially during the 2026 income-tax transition or where a notice covers earlier GST periods.
Portal data should be downloaded and preserved with the filing version. Later supplier corrections, updated statements or portal changes can otherwise make it difficult to prove what information management used when the return or response was approved.