AI Analysis Results
Vendor Master & Onboarding — Procure-to-Pay (Procurement & AP)
The Vendor Master & Onboarding process exhibits controls that are partially in place or inconsistently operated. Several gaps in design effectiveness and operating consistency were identified that, if left unaddressed, could elevate residual risk beyond the organization's tolerance. Prompt remediation is recommended.
- New vendors are independently validated before being added... has been partially implemented
- Exception reporting is generated and reviewed timely
- Training and awareness programs support control understanding
- Evidence of review lacks timestamp and reviewer identity
- Monitoring controls are not formally documented or tested
- Access recertification cadence does not meet policy requirements
1. Implement a workflow tool that captures reviewer identity and timestamp for all approvals
2. Automate exception detection and route alerts to control owners within 24 hours
3. Establish a quarterly monitoring schedule with documented results and sign-off
Control-Level Breakdown (1)
The control is partially implemented but operates inconsistently. New vendors are independently validated before being added to the vendor master. Gaps in execution or evidence retention reduce assurance over this area.
Redesign the control to address inconsistencies. Specifically, ensure that new vendors are independently validated before being added to the vendor master. Assign a control owner and establish a testing cadence.