Guide
How to Audit Vendor Onboarding Records
By Keelstar Team · Updated July 11, 2026
The short answer
An onboarding audit verifies that vendors received appropriate due diligence before first payment and that evidence is complete, dated, and approved. Sample by tier and spend — not random only. For each vendor, trace: intake approval, tier assignment, document collection timestamps, validation sign-offs, ERP activation date, and first payment date. First payment before W-9 validation is a critical finding. Check exclusion screening where required. Confirm packet versions match policy effective dates. Report deficiency rate by document type and business unit, with remediation owners and deadlines. Run pre-audit self-tests quarterly so external audit is confirmation, not discovery.
Define the audit trail standard
Before sampling, document what 'complete onboarding' means per tier. Auditors test against published policy — not informal practice.
Trace payment timing
Compare first payment date to W-9 validation and approval timestamps. Gaps of even one day may violate policy and create 1099 risk.
Test access controls
Verify who can bypass gates, approve vendors, and change banking. Segregation of duties findings often accompany onboarding gaps.
Exclusion and screening evidence
Healthcare and government-funded orgs must show screening date and result in packet. Missing screening on staffing vendors is high-severity.
Remediation and re-performance
Findings should close with corrected documents or process changes — not notes that 'we will do better.' Re-sample failed population after remediation.
Frequently asked questions
- What sample size is reasonable?
- For large populations, 30–50 vendors stratified by tier and spend often suffices for internal audit. Include all tier-one vendors onboarded in the period for critical coverage.
- What is the most common onboarding audit finding?
- Payment released before validated W-9 or missing COI for on-site vendors. Both indicate broken gates between procurement and AP.
- How far back should onboarding audits reach?
- Align with retention policy — typically current year plus open vendor relationships. Merger years need explicit scope for legacy entity records.
- Who remediates audit findings?
- Procurement owns process fixes; AP owns tax gaps; business units own sponsor compliance. Track open findings to closure with evidence.
Related guides
Put this into a monitored workflow
Vendor Packet handles this continuously — with reminders and an audit trail.