Engaging with suppliers in the new normal
|
|
Before the COVID pandemic, fraud was already a well known issue within the financial ecosystem. When the pandemic hit and business pivoted to more virtual and contactless ways of working, fraud perpetrated by external parties increased and became more sophisticated. Payment fraud tactics capitalized on the changing risk landscape with rampant cases of compromised business email addresses, forged checks, and stolen credit cards. Stanford was not immune and also experienced an increase in potential fraud activity during this period.
Suppliers, which include any vendor or visitor that Stanford engages with, play an important role in the university’s financial ecosystem by providing goods and services needed to teach students, perform research, and run the university. But, they also present significant risks if not properly vetted. As a Stanford community member, we all need to act prudently to protect Stanford from financial, operational, compliance, and reputational harm when working with our suppliers.
Using Stanford’s preferred purchasing methods, such as Amazon Business, SmartMart Catalog Suppliers, or Cardinal Temps will save time and help manage risk. These methods include built-in controls such as pre-validated suppliers, integration with the university's purchasing system, and review and approval workflows, while supporting the university’s commitment to price competition, diversity, and customer satisfaction.
For goods and services that are purchased by other methods, the university has established a set of practices to help address the inherent risks, support your selection of appropriate suppliers, ensure that you receive the goods and services that you procure, and make payments to the intended parties. This may mean that, at times, onboarding of new suppliers may be delayed because information is incomplete or Procurement Services is validating the supplier’s documentation, a critical control, before making the supplier available in the system to all schools and units.
As we enter a new normal, the risks continue to increase and perpetrators of fraud grow more sophisticated. In response, this newsletter provides a summary of the process, considerations for planning your next supplier engagement, links to refreshed guidance, and examples of real stories to support continued stewardship of this critical activity at the university.
I want to thank each of you for your continued diligence in supporting this process. Your efforts have helped us identify real cases of fraud, waste, and abuse before they occur, and our community is safer for it.
|
|
Anne Sweeney-Hoy
Senior Associate Vice President of Finance
|
|
|
|
An overview of the supplier engagement process
|
|
|
Stanford Procurement Services offers a variety of purchasing and payment methods to best support the university’s mission as efficiently as possible, while ensuring that the university meets its compliance requirements.
|
|
|
This includes options such as Amazon Business and SmartMart Catalog Suppliers, which are available in iProcurement and have built-in controls and efficiencies to manage supplier engagement.
If these existing options don't meet your department’s business requirements, suppliers may be selected by the department as long as they comply with university policy and standards for financial stewardship, ethics, and risk management.
Before doing business with a new supplier, several initial steps are required to ensure that the supplier is appropriate and complies with applicable laws, regulations, and policies. In summary, the roles and responsibilities involved in selecting and vetting a supplier include:
|
|
|
|
School/unit:
-
Ensures compliance with the university’s competitive supplier selection process
-
Reviews and discloses any potential conflicts of interest
-
Evaluates supplier engagement risks, such as high risk data or export controls
-
Selects the supplier
|
|
2
|
-
School/unit requests new supplier from Vendor Services
-
Then, the school/unit communicates to the supplier that they will be receiving a request for information from the university
-
Vendor Services (Supplier Enablement team) sends the onboarding email invitation to the supplier
-
The supplier completes the onboarding invitation, including attaching any required setup documentation
-
Vendor Services validates the information and performs a risk assessment
|
|
|
-
Vendor Services manages the supplier record, allowing updates only from appropriate channels
-
The school/unit manages supplier relationships in alignment with the terms and processes of their purchase order and/or contract
|
|
|
Best practices for quick turnaround
|
|
Departments with the smoothest supplier setups and quickest turnaround times shared their top tips and practices:
- Tell your supplier to review the Do Business with Stanford page so they know what’s coming, the documentation they need to prepare, and where to find help.
- When submitting a new request, add detail to the Reason for Request field such as who at Stanford is engaging with the supplier, what good or service they are providing, and the duration of the engagement, so it is clear what you’re requesting.
- As you submit the request, let your supplier contact know that they’ll be expected to respond to Stanford’s onboarding email. Otherwise, your supplier might miss it.
- Follow up with your supplier to see if they submitted their information or have any questions. If there is an urgent need to set up a vendor, let Vendor Services know by submitting a ticket to the Financial Support Center.
|
|
Real stories about supplier risk management
|
|
|
Below are real situations that will give you a glimpse into the importance of the supplier vetting process, performed in partnership with Procurement’s Vendor Services team.
|
|
|
Conflict of Interest Implications
|
|
|
Cal (not his real name) is a principal investigator (PI) in one of Stanford’s labs. The lab wanted to purchase some processing services from a company that is more than 50 percent owned by Cal. Procurement Services partnered with the lab to connect with the Conflict of Interest (COI) Director for a review of the situation.
|
|
|
Prior to requesting the supplier setup, Cal had properly disclosed his ownership interest in the company. The lab made an effort to find similar services from other providers. However, other providers were more expensive and would not guarantee the level of quality that Cal’s company could provide. Cal’s company additionally agreed to provide the service to Stanford at their direct cost as part of efforts to mitigate any conflict of interest. The COI Director confirmed that this plan would effectively manage any actual or perceived risks of fraud, waste, and abuse for this transaction. Procurement Services then independently verified the value of the services to the university, approved the supplier setup, and signed the purchase contract so the research could move forward.
Key takeaways:
- It is important to disclose all conflicts of interest and commitment and to appropriately address the perceived and real conflicts. For guidance, refer to:
- A conflict of interest doesn’t necessarily prevent a supplier from transacting with Stanford; however, the transaction will be subject to review, vetting, and potential mitigations by the appropriate COI contacts.
|
|
|
A university department requested a change to the contact information of an approved supplier. While reviewing the request, Procurement’s Vendor Services team noticed that the new email domain was similar but slightly different from the original contact information provided when the supplier was first set up in Stanford’s system.
|
|
|
Vendor Services alerted the department, explained that the request appeared to be a phishing attack using a fraudulent email account, and provided advice for avoiding scams from fake accounts.
The department then received a series of unusually urgent, antagonistic emails from the supplier demanding that invoices be paid immediately. The department contacted Vendor Services and the Information Security Office to report the incident. Vendor Services noticed that the recent payment demands referenced an unrecognized bank account and immediately blocked payment activity until the supplier record was revalidated. The anti-phishing advice previously offered helped the department identify and block a follow-up phishing attack demanding a fraudulent payment of hundreds of thousands of dollars.
Key takeaway:
To help prevent the university from being defrauded:
- Be familiar with how to Identify Signs of Potential Fraud, and contact the Vendor Services team if you suspect potential fraudulent activity related to a supplier.
- Know your suppliers and be aware of out-of-character behaviors (e.g., change in tone or urgency).
- Always verify that you’re communicating with legitimate contacts; watch out for unusual or unfamiliar email addresses, especially if they contact you first.
- Understand what documentation is required to validate bank account information. If your supplier is requesting a change to their record or an exception to Stanford’s requirements, refer them to the Financial Support Center. Vendor Services will verify requests prior to making any changes.
|
|
Stanford Financial Management Services (FMS) recently updated supplier-related resources on Fingate to help schools and units more efficiently set up and onboard a supplier while continuing to protect the university from financial, operational, ethical, and reputational harm.
As a part of this effort, Procurement's Vendor Services team hosted an information session that provided an overview of the supplier setup and onboarding process, vendor risk, available resources, and continuous improvement plans. Visit the Procurement Services Events page on Fingate to view the recording and presentation slides.
|
|
Approvers Must Complete New Course to Maintain Authority
|
|
|
Financial approvers play a key role in the financial ecosystem at Stanford. In addition to playing one of the most significant roles in managing financial risk, approvers enforce compliance of financial policies and procedures and guide their teams in proper expenditure management.
|
|
|
To that end, Financial Management Services (FMS) recently launched an approver toolkit with an updated course, FIN-PROG-0103: Approving Financial Transactions, which reinforces the key expectations, concepts, and resources that surround financial approval.
Beginning October 2022, the course is required for all existing requisition, expense journal, and labor distribution approvers. All current requisition, expense journal, and labor distribution approvers must complete FIN-PROG-0103: Approving Financial Transactions by Jan. 31, 2023 to maintain the corresponding approval authorities. The course takes approximately 25 minutes to complete, with an optional 20 minutes for those who would like to review a system demo.
Take action today
All applicable approvers who have not yet completed the course were pre-enrolled on Oct. 4. This will make the course available from the STARS All Learning page. Check that page today to verify if the requirement is still outstanding, and take the time to complete it as soon as possible.
FMS is committed to supporting and promoting excellence in financial stewardship at the university. Financial approvers are encouraged to review the toolkit and share the information with their teams.
|
|
|
Don’t miss out on the latest news, updates, and tools to help you stay informed.
|
|
|
|
|
|
|
|
