Every vendor your organisation adds is a potential access point, compliance liability, or financial exposure if onboarded without a structured process. Third-party vendor involvement in data breaches doubled between 2023 and 2024, to 30% of all breaches — and research shows that more than 80% of organisations detect supplier risks only after onboarding has already begun. By then, the contract is signed, the access has been granted, and the leverage to demand compliance has largely disappeared. A structured vendor onboarding process also addresses the operational failures that are less dramatic but more common: the vendor whose invoices are held up for payment because their bank details were never captured correctly, the supplier whose insurance expired two years ago without anyone noticing, and the service provider who started delivering before the contract was signed. Manual vendor onboarding costs organisations an estimated $35,000 per supplier in staff time and administrative cost; a structured, consistently applied process brings that to below $2,500. This free checklist gives procurement managers, operations managers, and finance teams a structured framework for the full vendor onboarding lifecycle.
Definition: High spend, significant data access, business-critical dependency, or regulated sector involvement.
Examples: IT infrastructure providers, payroll processors, key professional services partners, cloud service providers with data processing agreements.
Onboarding requirements: Full compliance documentation (insurance, SOC 2/ISO 27001 for data processors, financial health check), thorough contract review by legal, data processing agreement (for GDPR), IT security review, senior approval, 1–3 week timeline.
Definition: Moderate spend or moderate dependencies; limited data access; replaceable within a reasonable timeframe.
Examples: Most professional services suppliers, regular vendors with annual contracts, facility management providers.
Onboarding requirements: Standard documentation (insurance, W-9/tax form, bank details), contract review, standard compliance check, finance team approval, 1–2 week timeline.
Definition: Low spend, no data access, easily replaceable, commodity product or service.
Examples: Office supplies vendors, courier services, minor one-off purchases.
Onboarding requirements: Basic details (business name, bank details, tax identification), standard terms and conditions, straightforward approval, 1–2 day timeline.
Seven phases covering the complete vendor onboarding lifecycle — from need confirmation and risk tiering through documentation collection, compliance checks, contract execution, AP setup, relationship kickoff, and ongoing management.
The documentation collected at onboarding is the baseline for the entire vendor relationship. Missing documents at onboarding become missing protections when something goes wrong.
Invoice redirection fraud (also called business email compromise in the payment context) is one of the most common and costly fraud vectors affecting organisations. It typically works as follows: a fraudster intercepts a new vendor onboarding communication, or spoofs the vendor’s email address, and substitutes fraudulent bank details for the genuine vendor’s bank details. Finance enters the fraudulent details into the AP system. The first payment goes to the fraudster. The fraud is typically only discovered when the genuine vendor chases payment — by which point the funds are unrecoverable.
The preventive control is straightforward: bank details provided by a new vendor are always verified by phone call to a number obtained independently of the email that provided the bank details — directly from the vendor’s website or a previously used number. This single control eliminates the vast majority of invoice redirection fraud at the onboarding stage. The control is documented in the onboarding checklist as a required step before bank details are entered into the AP system.
Vendor onboarding quality that depends on which procurement team member handles the process produces inconsistent outcomes — thorough for some vendors, minimal for others. CheckFlow runs the same structured onboarding sequence for every vendor at its assigned risk tier — from documentation collection through compliance checks to AP setup — with every required step confirmed before the vendor is marked active.
The compliance check that happens after onboarding is already complete — after the contract is signed and access is granted — is a check that can identify a risk but cannot prevent it. CheckFlow’s compliance phase is positioned before contract execution, maintaining the leverage to require remediation or decline the vendor while it still exists.
The vendor whose insurance expired unnoticed, the service agreement that auto-renewed without review, the SOC 2 certificate that lapsed — all of these are renewal failures. CheckFlow sets insurance renewal reminders, contract renewal alerts, and compliance refresh tasks automatically at the point of onboarding — creating a vendor register that actively manages the relationship rather than archiving it.
Vendor contracts require review before execution. CheckFlow’s Contract Review & Approval Checklist in the Legal & Contract Management series covers the structured contract review process. See the Contract Review & Approval Checklist →
The equipment servicing vendors who maintain your facilities are the first vendor type to onboard in a new premises. CheckFlow’s Equipment Servicing Workflow covers the ongoing management of service vendor relationships. See the Equipment Servicing Workflow →
A vendor onboarding checklist covers seven phases: vendor identification and need confirmation (checking existing approved vendors, making a justified selection, and assigning a risk tier), documentation collection (legal entity details, tax documentation, bank details, insurance certificates, and tier-specific compliance documents), compliance and risk assessment (sanctions screening, anti-bribery check, data protection assessment, IT security review for data processors), contract execution (review, standard terms for lower-tier vendors, data processing agreement, approval, and filing), system setup (AP/ERP vendor record, verified bank details, payment terms, system access configuration), vendor relationship kickoff (welcome communication, contact confirmation, performance expectations), and ongoing management (insurance and contract renewal alerts, performance reviews, annual compliance refresh).
Invoice redirection fraud (a form of business email compromise) is among the most common and financially damaging payment frauds. Fraudsters intercept or spoof vendor email communications during onboarding and substitute fraudulent bank details for genuine ones. Finance enters the fraudulent details into the AP system, and payment is made to the fraudster. The funds are typically unrecoverable once transferred. The preventive control is to verify bank details by phone call to a number obtained independently of the email that provided the details — from the vendor’s website or a previously verified source — before entering them into the AP system. This control should be a required, documented step in the onboarding checklist.
A data processing agreement (DPA) is a legally required contract under GDPR (EU/UK) and similar privacy laws whenever a controller (your organisation) shares personal data with a processor (a vendor that processes that data on your behalf). Any vendor who processes, stores, or accesses personal data about your employees, customers, or users requires a DPA before data is shared. This includes cloud service providers, payroll processors, IT systems vendors, HR software providers, email marketing platforms, and any other vendor with access to personal data. Under GDPR, using a processor without a valid DPA is a regulatory violation that can result in investigation and fines by the relevant supervisory authority.
Vendor risk tiering assigns every vendor to a risk category based on the potential impact if the vendor fails, commits fraud, suffers a data breach, or becomes non-compliant. Tier 1 (high risk) vendors are those with significant spend, critical business dependency, or data access — they require the most thorough onboarding documentation and compliance assessment, and the most active ongoing management. Tier 2 (medium) requires standard documentation and review. Tier 3 (low) requires only basic details and streamlined setup. Tiering ensures that resources are concentrated on the vendor relationships that pose the greatest risk — not applied uniformly to every supplier regardless of significance.
You can start a free 14-day trial with no credit card required, giving you full access to all features including this template. The Business plan is $10 per user per month after the trial. Full details at checkflow.io/pricing.
