How-To 1 April 2026 · Gumshoe Team

A Risk-Based Supplier Onboarding Framework for Australian Accountants

Not every new supplier presents the same risk. A risk-tiered onboarding framework lets your team apply the right level of scrutiny to each relationship without creating unnecessary friction for legitimate vendors.

Why a Uniform Approach to Supplier Onboarding Fails

  • 4 risk dimensions that determine the right verification tier
  • 3 tiers — calibrated to exposure, novelty, entity characteristics, and service type
  • Tier 2 is the minimum tier for any banking detail change — regardless of supplier history

Many organisations respond to supplier fraud risk by implementing uniform verification requirements for all new vendors: the same checklist, the same approval steps, the same documentation requirements, regardless of the supplier's profile. This approach has two failure modes. It applies insufficient scrutiny to high-risk suppliers — because the checklist is calibrated to what is achievable at volume — and it creates unnecessary friction for low-risk suppliers, damaging the supplier relationship before it has begun.

A risk-based framework solves both problems. It calibrates the verification effort to the risk profile of the specific supplier relationship, ensuring that high-risk onboardings receive the scrutiny they warrant while routine onboardings can be processed efficiently.

The Four Risk Dimensions

RISK ASSESSMENT FRAMEWORK

Supplier Type                Risk Level   Onboarding Requirements
Low-Value Vendors            Minimal      Basic Due Diligence
Standard Suppliers           Moderate     Enhanced Due Diligence
High-Risk Partners           High         Comprehensive Audit
International Vendors        Moderate     Additional Compliance Checks
Critical Service Providers   High         Regular Review and Monitoring

Supplier onboarding risk can be assessed across four dimensions. Each dimension contributes to an overall risk tier that determines the appropriate verification response.

1. Payment Exposure

The higher the potential payment amounts, the higher the risk associated with a fraudulent or non-performing supplier. A cleaning contractor billing $800 per month presents different exposure than an IT services provider billing $80,000 per quarter. Payment exposure thresholds should be calibrated to your organisation's specific context, but a common starting point is:

  • Low: < $10,000 per annum expected
  • Medium: $10,000 – $100,000 per annum expected
  • High: > $100,000 per annum expected

2. Relationship Novelty

How was the supplier introduced? A supplier referred by a long-standing client or business associate presents lower risk than a supplier who approached your business speculatively or through an unusual channel. A supplier you have dealt with for years in a different capacity (for example, a contractor becoming a vendor) presents lower risk than a completely unknown entity.

3. Entity Characteristics

Several characteristics of the supplier entity itself contribute to risk:

  • ABN age — new registrations require additional scrutiny
  • Entity type — companies have ASIC oversight; sole traders do not
  • GST registration status — inconsistency with entity type or claimed turnover is a red flag
  • Web and email infrastructure maturity — young domains and missing authentication records increase risk
  • Reputation signals — threat intelligence database listings are disqualifying

4. Service Type

Suppliers providing professional services (legal, accounting, IT, consulting) present different risks than suppliers of physical goods. Service invoices are harder to verify against delivery, making fictitious invoice fraud easier. Suppliers with access to your systems or facilities present data security risks beyond financial fraud. Suppliers operating internationally present additional jurisdictional risk in recovery scenarios.

A Practical Three-Tier Framework

Tier 1: Standard Onboarding

Applies to: Low payment exposure, known referral source, established entity with mature web and email infrastructure

A Gumshoe automated verification covering all eight free checks, reviewed by the responsible AP staff member. The assurance score and report are saved to the vendor record. Banking details are confirmed by a brief phone call or email to a previously confirmed contact.

Target processing time: 15 minutes.

Tier 2: Enhanced Onboarding

Applies to: Medium payment exposure, or any risk dimension that cannot be assessed as low

Automated verification (all eight free checks), plus a manual review of the supplier's web presence and any publicly available information. A phone call to the supplier using a number independently sourced (not from the invoice or email) to confirm business details, banking information, and the identity of the key contact. Consider requesting trade references for relationships expected to exceed $50,000 per annum.

Target processing time: 30–45 minutes.

Tier 3: Full Due Diligence

Applies to: High payment exposure, unusual referral channel, any significant anomaly in the automated verification, or any combination of risk factors

Automated verification, manual research, trade references, a face-to-face or video meeting with the supplier's principal, and potentially engagement of a specialist due diligence provider for corporate structure verification. Documentation of every step, with approval required from a senior manager or director before the vendor is created in the accounting system.

Target processing time: 1–3 business days.

Banking Detail Changes Require Special Treatment

Banking detail changes should be treated as a Tier 2 or Tier 3 event regardless of the payment exposure. This is the single highest-risk event in the AP cycle — the moment when a fraudster is most likely to intervene. Requirements for banking detail changes should include:

  • Written request from a known contact at the supplier
  • Phone confirmation to a number already held (not provided in the request)
  • Re-verification of the supplier's domain and email infrastructure (a change request from a recently registered domain is a disqualifying red flag)
  • Approval from at least two authorised signatories
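As an added example (it is not Gumshoe's code and not part of the original article), the following Python encodes the entity-characteristic checks, the three tiers and the banking-change rule above as one deterministic tier-assignment routine. The dollar bands are the article's; everything else is an assumption: the Supplier field names, the 12-month threshold for "new" ABN and domain registrations, the SPF/DMARC presence test as a proxy for "missing authentication records", the reading of "any combination of risk factors" as two or more non-low dimensions, and the two constructed sample suppliers.

```python
"""Added example: risk-tier assignment for supplier onboarding.
Thresholds for ABN/domain age, field names and sample data are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import IntEnum
from typing import Optional


class Tier(IntEnum):
    STANDARD = 1   # Tier 1: Standard Onboarding
    ENHANCED = 2   # Tier 2: Enhanced Onboarding
    FULL = 3       # Tier 3: Full Due Diligence


LOW_EXPOSURE_AUD = 10_000        # article: < $10,000 p.a. is low
HIGH_EXPOSURE_AUD = 100_000      # article: > $100,000 p.a. is high
NEW_REGISTRATION = timedelta(days=365)   # assumed: under 12 months counts as "new"


@dataclass
class Supplier:
    name: str
    domain: str
    expected_annual_spend: float             # AUD per annum, expected
    referral_source: str                     # "known" | "speculative" | "unusual"
    entity_type: str                         # "company" | "sole_trader" | ...
    abn_registered: Optional[date] = None    # None = no ABN held
    domain_registered: Optional[date] = None # None = no registration date found
    dns_txt: dict = field(default_factory=dict)  # DNS name -> list of TXT records
    threat_intel_listed: bool = False
    service_type: str = "goods"              # "goods" | "professional" | "system_access"
    international: bool = False


def exposure_level(spend: float) -> str:
    """Payment-exposure band from the article: low / medium / high."""
    if spend < LOW_EXPOSURE_AUD:
        return "low"
    return "medium" if spend <= HIGH_EXPOSURE_AUD else "high"


def has_email_auth(domain: str, dns_txt: dict) -> bool:
    """True only when an SPF record exists at the apex AND a DMARC record at _dmarc."""
    spf = any(r.lower().startswith("v=spf1") for r in dns_txt.get(domain, []))
    dmarc = any(r.lower().startswith("v=dmarc1") for r in dns_txt.get(f"_dmarc.{domain}", []))
    return spf and dmarc


def is_new(registered: Optional[date], today: date) -> bool:
    return registered is None or today - registered < NEW_REGISTRATION


def entity_signals(s: Supplier, today: date) -> list:
    """Red flags from the article's 'Entity Characteristics' list."""
    flags = []
    if s.abn_registered is None:
        flags.append("no ABN")
    elif is_new(s.abn_registered, today):
        flags.append("ABN registered < 12 months")
    if s.entity_type != "company":
        flags.append("no ASIC oversight (not a company)")
    if is_new(s.domain_registered, today):
        flags.append("young or unknown domain")
    if not has_email_auth(s.domain, s.dns_txt):
        flags.append("missing SPF/DMARC")
    return flags


def dimension_levels(s: Supplier, today: date) -> dict:
    """Rate each of the four dimensions as low / elevated / high."""
    exposure = {"low": "low", "medium": "elevated", "high": "high"}[exposure_level(s.expected_annual_spend)]
    novelty = {"known": "low", "speculative": "elevated"}.get(s.referral_source, "high")
    n = len(entity_signals(s, today))
    entity = "low" if n == 0 else ("elevated" if n == 1 else "high")
    service = "elevated" if (s.service_type != "goods" or s.international) else "low"
    return {"exposure": exposure, "novelty": novelty, "entity": entity, "service": service}


def assign_tier(s: Supplier, today: date, banking_detail_change: bool = False):
    """Return (tier, reasons); tier is None when the supplier is disqualified outright."""
    if s.threat_intel_listed:
        return None, ["listed in threat intelligence database"]
    if banking_detail_change and is_new(s.domain_registered, today):
        return None, ["banking change requested from a recently registered domain"]
    levels = dimension_levels(s, today)
    reasons = [f"{d}={lvl}" for d, lvl in levels.items() if lvl != "low"]
    reasons += entity_signals(s, today)
    non_low = sum(lvl != "low" for lvl in levels.values())
    if "high" in levels.values() or non_low >= 2:   # assumed reading of "any combination"
        tier = Tier.FULL
    elif non_low:
        tier = Tier.ENHANCED
    else:
        tier = Tier.STANDARD
    if banking_detail_change and tier < Tier.ENHANCED:
        tier = Tier.ENHANCED
        reasons.append("banking detail change: Tier 2 minimum")
    return tier, reasons


# Constructed sample suppliers and reference date (not real businesses).
TODAY = date(2026, 4, 1)
ESTABLISHED = Supplier(
    name="Example Cleaning Pty Ltd", domain="example-cleaning.com.au",
    expected_annual_spend=9_600, referral_source="known", entity_type="company",
    abn_registered=date(2015, 3, 2), domain_registered=date(2016, 6, 14),
    dns_txt={"example-cleaning.com.au": ["v=spf1 include:_spf.example.net -all"],
             "_dmarc.example-cleaning.com.au": ["v=DMARC1; p=reject"]},
)
NEWCOMER = Supplier(
    name="Quick IT Services", domain="quick-it-services.example",
    expected_annual_spend=320_000, referral_source="unusual", entity_type="sole_trader",
    abn_registered=date(2026, 2, 10), domain_registered=date(2026, 1, 28),
    service_type="system_access",
)

if __name__ == "__main__":
    for sup in (ESTABLISHED, NEWCOMER):
        for change in (False, True):
            print(sup.name, "banking change" if change else "onboarding", assign_tier(sup, TODAY, change))
```

The disqualifying conditions are checked before any scoring so that a threat-intelligence listing or a banking change from a young domain can never be "averaged away" by otherwise clean dimensions; the banking-change floor is applied last, after the tier is computed, which is what makes it a minimum rather than a replacement for the normal assessment.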

"A uniform approach to supplier verification fails twice: it under-scrutinises high-risk suppliers and creates unnecessary friction for low-risk ones. A risk-based framework calibrates effort to the actual risk profile."

Making the Framework Work in Practice

The risk tier assignment should happen at the point of initial onboarding request — before the verification process begins — so that the appropriate level of scrutiny is clear. Automating the initial verification (Gumshoe's assurance score and detailed check results) gives the person making the tier assignment an objective data point to work with rather than relying on gut feel.

The framework should be documented in your AP policies and procedures manual, reviewed annually, and audited for compliance. In the event of a fraud event, evidence that a risk-based framework was in place — and that the supplier in question was appropriately verified — is the strongest possible demonstration of reasonable due diligence.

Uncommon Insights

A risk-based supplier onboarding framework must account for the nuances of Australian anti-money laundering (AML) and counter-terrorism financing (CTF) regulations. For instance, under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act), reporting entities must conduct customer due diligence (CDD) on all customers, but the Act also allows for a risk-based approach to CDD. This means that Australian accountants can tailor their supplier onboarding process to the specific risk profile of each supplier, rather than applying a one-size-fits-all approach.

The Australian Securities and Investments Commission (ASIC) has noted that companies must maintain a register of their 'related parties' under section 213 of the Corporations Act 2001. This requirement can inform the risk assessment of a supplier, particularly if the supplier is a related party or has relationships with related parties. A risk-based onboarding framework can take into account these relationships and adjust the verification requirements accordingly.

When assessing the risk of a supplier, Australian accountants should also consider the supplier's Australian Business Number (ABN) and Australian Company Number (ACN) status. Under the A New Tax System (Australian Business Number) Act 1999, all entities carrying on a business in Australia must have an ABN, unless exempt. A supplier without an ABN or ACN may indicate a higher risk profile, and the onboarding process should be adjusted accordingly.

The Australian Taxation Office (ATO) has identified 'red flags' for potential phoenix activity, which can inform the risk assessment of a supplier. For example, if a supplier has a history of non-compliance with tax laws or has undergone a sudden change in business structure, this may indicate a higher risk profile. A risk-based onboarding framework can take into account these red flags and adjust the verification requirements to mitigate the risk of phoenix activity.

VERIFY A SUPPLIER NOW

Run a Free Entity Check in 60 Seconds

Gumshoe cross-references ABR, ASIC, PPSR, domain registrars, DNS, and threat intelligence for any Australian business — returning a weighted assurance score across eight checks. Free for most checks, no account required.


Contains data sourced from the Australian Business Register and ASIC, © Commonwealth of Australia, licensed under CC BY 3.0 AU.