Make Your Next Audit Boring
The best compliment an audit can pay your supplier process is silence. No follow-up questions. No "can you show me how you verified this?" Just a tick and a move-on. That silence is bought in advance, at onboarding — not reconstructed under pressure at year-end.
Most finance teams discover this too late. A supplier gets paid, time passes, and months later someone needs to demonstrate that the supplier was checked before money moved. If the verification happened informally — a glance at a website, a "looks fine" in a Teams message — there's nothing to produce. So the team scrambles to recreate a paper trail that should have existed all along. Auditors notice the scramble. Insurers notice the gap. Directors notice the liability.
The Failure Mode No One Plans For
Here is the failure mode finance teams know too well, usually after experiencing it once. A supplier onboards. Invoices are approved. Time passes. Twelve months later, during the annual audit or following a fraud event, someone asks: how was this supplier verified? The honest answer is: informally, at the time, by someone who is no longer in the role, using a browser tab that no longer exists in anyone's history.
The downstream consequences of this gap are predictable. The auditor records a control deficiency. The insurer, if a fraud claim is in play, uses the absence of documentation to dispute or reduce coverage. The director responsible for the control is exposed. And the team spends significant time trying to reconstruct what happened — not because the verification wasn't done, but because it left no trace.
The fix is not more vigilance. It is structural. If verification produces an artefact — a dated, scored, exportable report — at the moment of onboarding, the audit answer is already written before the question is asked. You don't try to remember whether you checked. You open the file.
What "Reasonable Due Diligence" Looks Like in 2026
| Risk Type | Risk Level | Control Type |
|---|---|---|
| Compliance | High | Regulatory |
| Operational | Medium | Process |
| Financial | Low | Insurance |
| Reputation | High | Monitoring |
| Strategic | Medium | Alignment |
The standard for reasonable due diligence in supplier verification has moved. The Australian Payments Network, ASIC guidance, and ACCC best-practice recommendations all point to a standard that goes beyond an ABN check. Reasonable due diligence in 2026 includes domain verification, email infrastructure assessment, ASIC cross-referencing, and reputation checking — and it requires evidence that these checks were performed at a specific point in time.
"The businesses that recover fastest from fraud events are those that can hand the auditor a timestamped report on day one. The ones that can't spend months in the investigation phase instead."
In practical terms, this means your verification process needs to cover at minimum: ABN status, GST registration, ASIC company status, web presence, domain age, email infrastructure, domain reputation, and address consistency. And it needs to produce a record of having done so — not a mental note, not a browser history, but a structured document with a timestamp and a result on each dimension.
The Seven Elements of an Audit-Ready Verification Record
An audit trail that satisfies an auditor, an insurer, and a regulator contains seven things:
- Timestamp — the exact date and time the verification was performed
- Operator identification — who performed it
- Entity identification — ABN, registered name, and case reference
- Checks performed — not "supplier verified" but the specific checks and data sources
- Results — the outcome of each check, including the specific data retrieved
- Data sources — ABR, ASIC, RDAP, DNS, Spamhaus, crt.sh — cited explicitly
- Assurance score — an aggregated rating against defined thresholds
Manual verification produces almost none of these. An ABR lookup run today shows the record's current state, not its state on the day the supplier was onboarded, and a printout made at the time carries no authenticated timestamp. Browser history is not retained for six months. Notes in a shared spreadsheet are neither timestamped nor authenticated. A Teams message saying "checked the ABN, looks fine" is not evidence of what was checked, when, or what the result was.
How Systematic Verification Changes the Audit Conversation
When a Gumshoe verification runs, it produces a report that contains all seven elements above — timestamp included — for every check across ABR, ASIC, WHOIS, DNS, and threat intelligence databases. That report lives in the dashboard, accessible by case reference, for as long as you need it.
The audit conversation changes completely. Instead of "we checked the ABN at the time, I believe," it becomes "the verification was run on [date], the assurance score was 84%, and here is the report showing each check, the data retrieved, and the source." That is a demonstrable control. That is what "we verified the supplier" actually means.
The Re-Verification Habit
An audit trail is not a one-time event. Best practice — and the recommendation of most professional indemnity insurers — is to re-verify active suppliers annually, and immediately upon any change to banking or payment details. Each re-verification creates a new case record, timestamped, with its own results. Over time, this builds a history of the supplier relationship that is itself evidence of an ongoing, systematic control.
There is a practical benefit beyond the audit trail: a supplier whose assurance score declines over successive annual verifications is providing early warning of a deteriorating situation. A domain that was clean last year but is now appearing in threat databases, a DMARC policy that has been removed, a company that has changed ASIC status — these are signals worth catching before they become problems. Systematic re-verification catches them automatically.
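The seven-element record and the year-over-year comparison above are easy to state and easy to get wrong in practice, so here is a worked illustration. This is added example code written for this page; it is not Gumshoe's implementation, and the record layout, score thresholds, and the sample ABR/DNS/Spamhaus results are all constructed assumptions. It builds a timestamped, operator-attributed record with a SHA-256 digest (so later edits are detectable), parses a DMARC TXT record to decide whether the policy is enforcing, and diffs two successive records to surface exactly the regressions the paragraph describes: a removed DMARC policy, a new threat-list hit, and a falling score.

```python
"""Audit-ready verification record plus re-verification diff (illustrative only)."""
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical rating thresholds; real thresholds would be a documented policy.
SCORE_THRESHOLDS = {"pass": 80, "review": 60}


def parse_dmarc(txt):
    """Parse a DMARC TXT record into its tags; return {} if it is not DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else {}


def dmarc_enforcing(txt):
    """True only when the published policy actually rejects or quarantines."""
    return parse_dmarc(txt).get("p") in ("quarantine", "reject")


def _canonical(body):
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_record(operator, entity, case_ref, checks, when):
    """Assemble the seven elements: timestamp, operator, entity + case reference,
    checks performed, per-check results with retrieved data, cited sources, score."""
    passed = sum(1 for c in checks if c["result"])
    score = round(100 * passed / len(checks))
    if score >= SCORE_THRESHOLDS["pass"]:
        rating = "pass"
    elif score >= SCORE_THRESHOLDS["review"]:
        rating = "review"
    else:
        rating = "fail"
    record = {
        "timestamp": when.isoformat(),
        "operator": operator,
        "entity": dict(entity, case_reference=case_ref),
        "checks": [dict(c) for c in checks],
        "assurance": {"score": score, "rating": rating, "thresholds": SCORE_THRESHOLDS},
    }
    # Digest over the canonical JSON: a later edit to any field breaks verification.
    record["sha256"] = hashlib.sha256(_canonical(record)).hexdigest()
    return record


def verify_digest(record):
    """Recompute the digest over everything except the stored digest itself."""
    body = {k: v for k, v in record.items() if k != "sha256"}
    return hashlib.sha256(_canonical(body)).hexdigest() == record["sha256"]


def regressions(previous, current):
    """Checks that passed last time but fail now, plus any drop in score."""
    prev = {c["name"]: c for c in previous["checks"]}
    findings = []
    for c in current["checks"]:
        p = prev.get(c["name"])
        if p and p["result"] and not c["result"]:
            findings.append(f"{c['name']} regressed ({p['data']!r} -> {c['data']!r}) per {c['source']}")
    drop = previous["assurance"]["score"] - current["assurance"]["score"]
    if drop > 0:
        findings.append(f"assurance score fell {drop} points to {current['assurance']['score']}")
    return findings


def _checks(dmarc_txt, dbl_listing):
    """Constructed sample results; only DMARC and reputation vary between years."""
    return [
        {"name": "abn_status", "source": "ABR", "result": True, "data": "Active"},
        {"name": "gst_registered", "source": "ABR", "result": True, "data": "Registered"},
        {"name": "asic_status", "source": "ASIC", "result": True, "data": "Registered"},
        {"name": "domain_age", "source": "RDAP", "result": True, "data": "registered 2015-03-12"},
        {"name": "dmarc_policy", "source": "DNS", "result": dmarc_enforcing(dmarc_txt), "data": dmarc_txt},
        {"name": "domain_reputation", "source": "Spamhaus DBL", "result": dbl_listing == "not listed", "data": dbl_listing},
        {"name": "tls_history", "source": "crt.sh", "result": True, "data": "3 certificates"},
        {"name": "address_consistency", "source": "ABR vs invoice", "result": True, "data": "match"},
    ]


def sample_records():
    """Two annual verifications of the same (fictitious) supplier."""
    entity = {"abn": "00 000 000 000", "name": "Example Supplies Pty Ltd"}
    year1 = build_record("a.analyst", entity, "CASE-0001",
                         _checks("v=DMARC1; p=reject; rua=mailto:dmarc@example.com", "not listed"),
                         datetime(2025, 3, 3, tzinfo=timezone.utc))
    year2 = build_record("a.analyst", entity, "CASE-0002",
                         _checks("", "listed"),
                         datetime(2026, 3, 3, tzinfo=timezone.utc))
    return year1, year2


if __name__ == "__main__":
    y1, y2 = sample_records()
    print(y1["assurance"], y2["assurance"])
    for finding in regressions(y1, y2):
        print("-", finding)
```

The digest is deliberately over the record content only; it proves the file has not been altered since it was written, not who wrote it. If the auditor's question is "could this have been edited after the fact", store the digest somewhere the author cannot rewrite (a write-once log, a ticketing system, or a signed export), otherwise a tamperer simply recomputes it.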
Fraud Prevention Is the Headline. The Audit Trail Is the Safety Net.
Good supplier verification prevents fraud. But even the best verification process will not catch every sophisticated attack. The audit trail is what protects you in the scenarios where prevention was not enough — where fraud succeeded despite reasonable controls, and the question becomes whether you did what you were supposed to do.
"We verified the supplier" means nothing without the record. With the record, it means everything. A timestamped, structured report produced in 60 seconds is the difference between a covered insurance claim and a disputed one, between a clean audit and a qualified opinion, between a defensible position and an expensive one.
Make the verification boring. Make the audit conversation boring. The boring result means the process worked.
Uncommon Insights
One often-overlooked aspect of supplier verification is the record-keeping requirement in Section 286 of the Corporations Act 2001 (Cth), which requires companies to retain financial records for at least seven years. That statutory period is the ceiling; in practice auditors typically ask for a lookback of at least six months on supplier verification records, and even that shorter window is a challenge for companies without a systematic record-keeping process.
The ATO's guidelines on taxable payments reporting (TPAR) also have implications for supplier verification. While the TPAR requirements are primarily focused on reporting payments to contractors, the ATO's guidance on verifying the identity of contractors can also inform best practices for verifying suppliers more broadly. Specifically, the ATO recommends using a combination of government-issued identification documents and other verification methods to ensure the accuracy of contractor information.
ASIC's Regulatory Guide 252 on the use of external complaints data in financial services also has relevance for supplier verification. While the guide is primarily focused on complaints handling, it highlights the importance of using data and analytics to inform risk-based decision-making. In the context of supplier verification, this means using data on supplier performance and risk profiles to inform the verification process and ensure that high-risk suppliers are subject to more rigorous verification procedures.
The Australian Prudential Regulation Authority's (APRA) guidance on information security also has implications for supplier verification. APRA's Prudential Standard CPS 234 requires regulated entities (banks, insurers and superannuation trustees) to maintain information security controls, including for information assets managed by third parties. In the context of supplier verification, this means confirming that suppliers have adequate information security controls in place and recording that confirmation as part of onboarding.
Every Verification. Timestamped. Exportable. Forever.
Gumshoe generates a structured verification report — timestamp, methodology, results, data sources, assurance score — for every check. Saved to your dashboard. Accessible when the auditor asks.