How an Accounting Firm Scaled Supplier Risk Reviews Across 80 Clients
A mid-sized Australian accounting practice was spending 40+ hours per month manually checking suppliers for their advisory clients. Gumshoe reduced that to under 4 hours — while improving the depth of every review.
The Advisory Firm Problem
Consider a mid-sized accounting practice with offices in Brisbane and Cairns, serving about 400 business clients ranging from sole traders to companies with $50M in annual revenue. Their business advisory team offered a supplier risk review service to approximately 80 of those clients — SMEs that lacked an internal accounts payable compliance function.
The service had grown organically. What began as a value-add for a few key clients became a regular engagement after a client experienced a significant payment fraud event. Word spread. But the manual process hadn't scaled with demand.
The Manual Process Breaking Point
The advisory team's process for a typical client review involved:
- Export the active supplier list from the client's accounting software
- Check each ABN on the ABR website
- Note GST registration status
- Google the business name to look for a website
- Check ASIC Connect for company registration (for Pty Ltd entities)
- Document findings in a Word template
For a client with 80 suppliers, this took 3–4 hours. Across 80 clients, the team was spending over 40 hours per month on supplier review work — the equivalent of a full-time junior staff member. And they were only doing it quarterly for most clients. The more important a client was, the harder it was to schedule the review.
More troubling: the reviews were inconsistent. Different staff applied different levels of rigor. One analyst might spot a young ABN; another might miss it. There was no standardised threshold for escalation, and the manual Google search for web presence was highly subjective.
The Shift to Systematic Verification
The practice integrated Gumshoe into their advisory workflow, initially trialling it on their 20 highest-risk client engagements — those with larger supplier bases or in higher-risk industries (construction, labour hire, hospitality).
The first finding came within the first week. A construction client with 110 active suppliers had six entities flagged with WARN or FAIL status. Two were simply cancelled ABNs that had slipped through — the businesses had closed and the client had forgotten to deactivate them in their system. Neither represented fraud, but both created compliance exposure around the GST treatment of recent invoices.
The third flagged supplier was more significant: a labour hire entity with a 4-month-old ABN, no ASIC registration, no website, and a domain registered three weeks before the first invoice. The assurance score: 29%. The client had been paying this entity $22,000 per month for "project staffing."
The Email Infrastructure Signal
One finding that surprised the advisory team was how useful the email infrastructure checks turned out to be. A legitimate business that has been operating for several years almost invariably has MX records, and many have at least basic SPF configuration. The absence of both — particularly when combined with a young ABN — is a reliable compounding signal.
For the labour hire entity, the email domain had no MX records at all. Invoices were being sent from a Gmail address. When the client was asked about this, they noted that all communications had indeed been via Gmail and a mobile number. No formal business email, no physical address, no account manager name — just a first name and a mobile.
The investigation confirmed this was a phoenix entity — a former subcontractor who had lost their legitimate ABN, registered a new one, and continued trading under a different name while pursuing the same client relationships.
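The compounding signal described in this section, as an added example that is not Gumshoe's code or scoring: a Python triage that combines MX/SPF absence with ABN age over constructed supplier rows and constructed DNS answers. The thresholds, field names, `.example` domains and the rule mapping flags to PASS/WARN/FAIL are assumptions for illustration.

```python
from datetime import date

FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
YOUNG_ABN_DAYS = 365   # assumed escalation threshold, not taken from the page
NEW_DOMAIN_DAYS = 90   # assumed: domain registered this close to the first invoice

# Constructed DNS answers keyed by domain (stand-in for live MX/TXT lookups).
DNS = {
    "established-plumbing.example": {"MX": ["10 mail.established-plumbing.example."],
                                     "TXT": ['"v=spf1 mx -all"']},
    "northside-hire.example": {"MX": ["10 mx.northside-hire.example."], "TXT": []},
    "project-staffing.example": {"MX": [], "TXT": []},
}

# Constructed supplier rows, shaped like an accounting-package export.
SUPPLIERS = [
    dict(name="Established Plumbing", domain="established-plumbing.example",
         sender="accounts@established-plumbing.example", abn_registered=date(2015, 3, 1),
         domain_registered=date(2015, 4, 1), first_invoice=date(2019, 7, 1)),
    dict(name="Northside Hire", domain="northside-hire.example",
         sender="billing@northside-hire.example", abn_registered=date(2018, 5, 1),
         domain_registered=date(2018, 6, 1), first_invoice=date(2020, 1, 15)),
    dict(name="Project Staffing", domain="project-staffing.example",
         sender="contact.name@gmail.com", abn_registered=date(2024, 2, 1),
         domain_registered=date(2024, 2, 20), first_invoice=date(2024, 3, 12)),
]

def has_spf(txt_records):
    """True if any TXT record is an SPF policy (begins with the v=spf1 tag)."""
    values = (t.strip('"').lower() for t in txt_records)
    return any(v == "v=spf1" or v.startswith("v=spf1 ") for v in values)

def review(s, as_of, dns=DNS):
    """Return (status, flags); FAIL only when the signals compound."""
    records = dns.get(s["domain"], {})
    no_mx = not records.get("MX")
    no_spf = not has_spf(records.get("TXT", []))
    young = (as_of - s["abn_registered"]).days < YOUNG_ABN_DAYS
    new_dom = (s["first_invoice"] - s["domain_registered"]).days < NEW_DOMAIN_DAYS
    checks = [(s["sender"].rsplit("@", 1)[-1].lower() in FREEMAIL, "invoices sent from freemail"),
              (no_mx, "no MX records"), (no_spf, "no SPF record"),
              (young, "young ABN"), (new_dom, "domain registered just before first invoice")]
    flags = [label for hit, label in checks if hit]
    status = "FAIL" if (no_mx and no_spf and young) else "WARN" if flags else "PASS"
    return status, flags

def review_all(as_of):
    return {s["name"]: review(s, as_of) for s in SUPPLIERS}
```

A single missing record only raises a WARN here; the FAIL requires MX and SPF both absent together with a young ABN, matching the compounding logic the section describes.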
Scaled Workflow and ROI
After the trial period, the practice rolled out systematic verification across all 80 advisory clients. Monthly re-verification of active suppliers above a $5,000 annual payment threshold was added as a standard engagement deliverable.
Time spent on supplier reviews dropped from 40+ hours per month to under 4 hours — a 90% reduction. The saved capacity was redeployed to higher-value advisory work. The practice also introduced a tiered verification service offering: standard (quarterly), enhanced (monthly with email alerts), and premium (real-time with phone verification for high-value suppliers). The enhanced and premium tiers attracted a price premium that more than offset the cost of the service.
One partner noted that the shift also changed client conversations: "Before, we'd hand over a spreadsheet. Now we hand over a structured report with PASS/WARN/FAIL for every supplier, data sources cited, and a clear assurance score. Clients understand it immediately. It looks like a proper audit deliverable — because it is."
Key Takeaways for Accounting Practices
- Consistency matters more than depth in high-volume reviews — applying the same eight checks to every supplier, every time, is more valuable than occasionally doing a deep review on a subset.
- Email infrastructure is an underrated signal — manual processes almost never check it. Automated verification catches it every time.
- The audit trail is a practice liability management tool — being able to show a client that you verified their supplier base on a specific date, with documented findings, changes the professional liability conversation.
- Cancelled ABN creep is universal — every practice that runs an initial bulk verification finds cancelled ABNs that have slipped through. It is not an edge case.
Uncommon Insights
One often-overlooked aspect of supplier risk reviews is the potential for cancelled ABNs to creep into a client's active supplier base, as seen in the initial bulk verification run. This highlights the importance of regularly checking ABN status, as required by the Australian Business Register (ABR), to avoid GST compliance issues. In fact, the ATO may impose penalties under section 288-25 of Schedule 1 to the Taxation Administration Act 1953 for failure to comply with GST obligations, including those related to cancelled ABNs.
ASIC's enforcement patterns around company deregistration and phoenixing activities underscore the need for accounting firms to scrutinize their clients' supplier bases for FAIL-level entities. The Corporations Act 2001 (Cth) section 601AD requires ASIC to deregister companies that fail to lodge documents or pay fees, and firms should be aware of the risks associated with dealing with deregistered entities. By identifying and addressing these risks, accounting firms can help their clients avoid potential losses and reputational damage.
The use of automated verification tools like Gumshoe can help accounting firms streamline their supplier risk review processes and improve consistency, as required by APES 110 (Code of Ethics for Professional Accountants). However, firms should also be aware of the potential for over-reliance on technology and ensure that their staff understand the underlying risks and thresholds for escalation. This is particularly important in light of ASIC's Regulatory Guide 252 (Hawking Prohibited), which emphasizes the need for firms to have adequate risk management systems in place.
Accounting firms should also consider the benefits of integrating supplier risk reviews with their clients' broader financial reporting and audit processes. By doing so, firms can help their clients identify and manage risks more effectively, in line with the requirements of the Corporations Act 2001 (Cth) section 295(4), which mandates that companies maintain a register of their financial records. This integrated approach can also help firms provide more valuable insights to their clients and differentiate their services in a competitive market.
Run a Free Entity Check in 60 Seconds
Gumshoe cross-references ABR, ASIC, PPSR, domain registrars, DNS, and threat intelligence for any Australian business — returning a weighted assurance score across eight checks. Free for most checks, no account required.