When an auditor or reviewer asks about your vendor verification, they want one thing: evidence that a documented, repeatable control ran on every vendor bank-detail change — not the policy on paper, but the artifacts that prove it executed. For a bookkeeping firm running AP for clients, that almost always means producing a list of changes for the period, the verification record behind each one (who was called, on what known number, who approved it), and the audit log showing the entries weren’t quietly back-dated.
If you can hand that over in five minutes, the conversation moves on. If you can’t, the conversation gets long, expensive, and uncomfortable — and that’s before the auditor’s confirmation letter goes out to the vendor.
The four things auditors are really testing
A request phrased as “send me your vendor verification documentation” is almost always shorthand for four underlying tests.
Design. Is there a written control that defines how a vendor bank-detail change gets verified, by whom, on what evidence, with what segregation of duties? “We call them” is not a written control. A one-pager that names the steps, the independent-contact rule, and the second approver is.
Operation. Did the control actually run for every change in the period? Auditors typically pull a vendor master file change report from the accounting system, sample a handful of changes, and ask for the verification record behind each. A control that runs 80% of the time and skips the urgent ones is, for audit purposes, a control that doesn’t run.
Evidence quality. Is the record contemporaneous, independent, and tamper-evident? A note typed into a spreadsheet a week after the fact is dramatically weaker than a time-stamped entry written at the moment of the call, on a system the bookkeeper can’t quietly edit later.
Segregation. Did the person who initiated the change also approve it? Most frameworks expect the verifier and the approver to be different people for changes above a threshold — and most small firms either don’t have the structure to enforce that, or they have it but skip it under deadline pressure.
The reason these four show up everywhere is that they map directly to how external confirmations work. Per PCAOB AS 2310, auditors regularly send confirmation letters directly to vendors to verify recorded balances and payment details — and when the confirmation comes back disagreeing with the firm’s records, the verification artifacts you produced become the explanation of how the discrepancy slipped through. No artifacts, no explanation.
What an auditor will typically ask you to produce
This list is what shows up in practice. Not every engagement will request every item, but if you can produce these, you’ve covered the common asks.
- A written vendor-payment-change verification procedure — the policy itself, with a version date.
- The vendor master file change log for the period — from your accounting system (QuickBooks, Xero, Bill.com, Sage, NetSuite). Auditors want the system-generated report, not a manual list.
- For each sampled change: the verification record. Date and time of the callback; who was called at the vendor (name and role); the number called and where it came from (e.g., “from the signed engagement letter dated March 2025”), explicitly not from the change request; what was confirmed verbatim; who approved on your side; who second-approved if required.
- Proof of the independent-contact rule. This is the single most-asked-about detail. The University of North Carolina’s vendor bank-change guidance is one of many public sources that frame it the same way auditors do: the contact details used to verify must come from your own records, not from the request itself.
- Evidence of segregation of duties — that the person who entered the change wasn’t the person who approved the payment that followed.
- A tamper-evident audit trail. If your record is a Word doc or a tab in Excel, the auditor’s reasonable question is “how do I know this wasn’t edited yesterday?” A log where every entry is time-stamped, attributable, and either hash-chained or otherwise verifiably append-only answers that without a conversation.
- Exception handling. What happens when a change fails verification, when the vendor doesn’t pick up, when a payment is urgent. Auditors expect a defined off-ramp, not silence.
- (SOC 2 engagements specifically) Evidence the procedure is reviewed and updated, that staff are trained on it, and that monitoring catches gaps. SOC 2 leans heavily on documented, repeatable processes — see SOC 2’s vendor management criteria for the broader picture.
If you’re running AP for clients, the same list applies twice: your firm’s own control over your clients’ vendor masters, and the artifacts your client’s auditor may ask you to produce when they’re auditing the client.
Where the gap usually lives
Two patterns account for almost every “we couldn’t produce it” outcome.
The verification happened but lives in someone’s head. The bookkeeper called, confirmed, processed the change — and made no record, or wrote a one-line note that doesn’t survive scrutiny months later. Functionally, this is identical to not having verified at all: there’s nothing to hand over. The control is invisible.
The verification record exists but isn’t credible. It’s in a shared spreadsheet anyone can edit. It’s dated the day before the change appeared in the master file (probably innocently, but the timeline doesn’t match). The “number called” cell is blank. Auditors aren’t accusatory about this — they just escalate. More samples, deeper testing, and longer engagements.
The fix for both is the same: a single workflow where the verification step is what creates the change in the first place, and the record is generated automatically as you do the call. Done right, you don’t write the log — the log is a byproduct of running the procedure.
How to be ready in five minutes, not five days
The practical version of audit-readiness, for a small firm:
- Adopt a written procedure that names the independent-contact rule, the callback, dual approval above a threshold, and what to do when verification fails. Date it. If you need one to start from, our free vendor bank-change verification template is exactly that — no signup, no email gate.
- Make it the only path. A vendor bank-detail change isn’t entered into the accounting system until the callback log entry exists. No log, no change.
- Use a record format you don’t have to defend. Time-stamped, attributable to the person who made the call, and append-only — meaning entries can’t be silently overwritten. Print or export it on demand.
- Rehearse the ask. Once a quarter, pretend you’re the auditor. Pull a vendor master file change log for the last 90 days, pick three changes at random, and try to produce the verification record for each in under five minutes. If you can’t, you have your gap before someone else finds it.
- For the cyber-insurance dimension, see “Does your cyber insurance require a callback?” — the underwriter’s question and the auditor’s question are almost identical, and the same record satisfies both.
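As an added illustration (not the page's own code or any product's), here is the shape of the record format the list above asks for: a hash-chained, append-only callback log, the chain check an auditor or a quarterly self-test would run over it, and the "produce the verification record for this change" lookup that also flags a segregation gap. Every vendor id, name, number and date in the sample is constructed for the example.

```python
import hashlib
import json

GENESIS_HASH = "0" * 64  # anchor for the first entry of an empty log

def _entry_hash(prev_hash: str, seq: int, record: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so equal records hash equally
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}|{seq}|{payload}".encode()).hexdigest()

def append_entry(log: list, record: dict) -> dict:
    """Append a record; its hash covers the previous hash, so editing or
    back-dating any earlier entry breaks every hash after it."""
    prev_hash = log[-1]["hash"] if log else GENESIS_HASH
    entry = {"seq": len(log) + 1, "prev_hash": prev_hash, "record": record}
    entry["hash"] = _entry_hash(prev_hash, entry["seq"], record)
    log.append(entry)
    return entry

def verify_chain(log: list) -> tuple:
    """Recompute every hash from genesis: (True, None) or (False, first bad seq)."""
    prev_hash = GENESIS_HASH
    for entry in log:
        if (entry["prev_hash"] != prev_hash or entry["hash"]
                != _entry_hash(prev_hash, entry["seq"], entry["record"])):
            return False, entry["seq"]
        prev_hash = entry["hash"]
    return True, None

def evidence_for_change(log: list, vendor_id: str, change_time: str) -> list:
    """Entries for this vendor: callback before the change, entered and approved by different people."""
    return [e for e in log  # ISO-8601 UTC timestamps compare correctly as text
            if e["record"]["vendor_id"] == vendor_id
            and e["record"]["callback_time"] <= change_time
            and e["record"]["entered_by"] != e["record"]["approved_by"]]

def build_sample_log() -> list:
    """Constructed two-entry log; every name, number and date is made up."""
    first = {"vendor_id": "V-1042", "callback_time": "2025-04-02T14:05:00Z",
             "called": "J. Ortiz, AR manager at the vendor",
             "number_source": "signed engagement letter dated March 2025",
             "confirmed": "new account ending 7731",
             "entered_by": "bookkeeper.a", "approved_by": "partner.b"}
    # Second change: the same person entered and approved it (a segregation gap)
    second = dict(first, vendor_id="V-2210", callback_time="2025-04-03T10:20:00Z",
                  approved_by="bookkeeper.a")
    log = []
    for record in (first, second):
        append_entry(log, record)
    return log
```

Back-dating entry 1 in place makes `verify_chain` fail at seq 1; re-hashing entry 1 to hide that makes it fail at seq 2 instead, because entry 2 still carries the original hash.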
The reason this matters even when nothing has gone wrong: the audit happens regardless. The cost of a clean, five-minute production is fixed and small. The cost of a “we’ll have to get back to you” is paid in extended scope, additional sampling, and the credibility you spend explaining a control that should explain itself.
Frequently asked questions
What if my client had no vendor bank-detail changes in the period?
Say so, and produce the vendor master file change report showing zero changes. “No exceptions” is a fine answer when it’s backed by the same system-generated report the auditor would have pulled.
Does the callback have to be a phone call?
The principle is out-of-band, independent contact. A phone call is the standard interpretation because it’s the cleanest demonstration of independence. Some procedures accept a video call with a known contact. A reply on the same email thread, or any channel supplied in the change request, doesn’t qualify.
How long should I keep vendor verification records?
Match the longest applicable retention — typically your firm’s general records-retention policy, your client engagement letter, and any framework you’re audited under (SOC 1/2, financial-statement audit work papers). Seven years is a common floor.
Can a spreadsheet be enough?
Sometimes. The question isn’t “spreadsheet vs. software” — it’s whether the record is contemporaneous, attributable, and reasonably tamper-evident. A locked, version-controlled spreadsheet maintained by a single person can pass. An open shared sheet that anyone can edit is the weakest form and the one auditors push on first.