Carnegie Mellon University
Finance Division  ›  Finance News  ›  Fiscal Year 2024  ›  Important Changes to Supplier Set Up Process
August 30, 2023

Important Changes to Supplier Set Up Process

The frequency and sophistication of business email compromises has increased in recent years, particularly around Accounts Payable (AP) functions. These types of attacks are among the most financially damaging cybercrimes, and the university as a whole must work together to thwart them.

In support of ongoing efforts to mitigate risk, the Finance Division has:

  • Partnered with the Information Security Office (ISO) to host three Business Email Compromise training sessions
  • Added a "New Supplier Request Business Justification Form" as part of the new Procurement Services supplier review process
  • Instituted an AP Supplemental Supplier Information Form to collect “known good supplier information” and enable a process to confirm bank information for spend over $250,000 as well as urgent requests
  • Made several updates to existing AP forms

More information about each of these items is detailed below, as well as on the Procurement Services website. This page can also be accessed via the Accounts Payable website.

Required Business Email Compromise Training

ISO hosted three Business Email Compromise training sessions in June and July that covered business email compromises, including the state of business email scams and best practices for protecting the university. This training was required for members of AP Automation Allies, Administrative Leadership Group (ALG), and/or who have Oracle PO Req Buyer and Approver access. The training was also required for all Finance Division staff.

A recorded session is available for those who were unable to attend any of the scheduled training sessions, and for future members of the above-mentioned groups. Individuals who watch the recorded Business Email Compromise training session titled ‘Phishing Awareness for Financial Roles’ must sign a certification statement to meet this required training obligation.

Note: to view and complete the certification statement, users must be connected to the campus network (CMU-SECURE) or to the CMU virtual private network (VPN).

New Procurement Services Supplier Review Process and Supplier Request Business Justification Form

Effective September 1, 2023, for new procurement suppliers ONLY, the New Supplier Request Business Justification Form must be completed and submitted to Procurement Services for review prior to contacting the University Contracts Office (UCO) to initiate a contract(s) and/or requesting that AP set up a new procurement supplier in Oracle only. Incomplete forms will be returned to the originator, resulting in delays to the process.

Contracts with suppliers not currently in Oracle and/or new supplier set up requests that have not fully completed this new process will be sent back to the requestor. Updates to existing Oracle suppliers do not require this form or Procurement Services review/approval.

In addition to enhanced mitigation of fraud risk, this process change will create a more efficient procurement process by utilizing existing Oracle suppliers and/or those with existing contracts. 

Again, ONLY procurement suppliers will require review from Procurement Services. Procurement suppliers are suppliers that provide goods and services. Suppliers related to royalties, honorarium, tuition payments, rents, or payments made on an AP Payform (e.g., non-qualified scholarships, prize/awards, human subject payments), do not require approval from Procurement Services. 

For questions, please contact Procurement Service at procurement-inbox@andrew.cmu.edu.

Newly Instituted AP Supplemental Supplier Information Form and Bank Information Web Conference Call Confirmation Process for Spend over $250,000

Effective September 1, 2023, a new AP Supplemental Supplier Information Form was created for university buyers to provide AP with known good supplier information, which will be used to contact the supplier in order to complete the bank verification process.

An electronic funds transfer (EFT) payment will not be made to the supplier, nor will the supplier's bank account information be updated, unless this form is completed and submitted to AP along with all other required supplier forms and documentation.

In order to verify the validity of the supplier set-up request, the supplier name on the AP Supplemental Supplier Information Form must match the supplier name provided on the supplier forms, or the form will be returned to the buyer. The supplier name and supplier number for existing suppliers must match the information in Oracle.

In addition to existing supplier information verification processes, if the anticipated annual spend with a supplier exceeds $250,000 or an expedited set up is requested, AP is required to coordinate a web conference call with an AP representative, the supplier, and the university buyer to confirm the supplier’s bank.

Note: The AP Supplemental Supplier Information Form is required for all new supplier setup requests as of September 1, 2023 — there are no exceptions to this requirement.

Updates to Existing Accounts Payable (AP) Forms

Several existing AP forms are also being updated and will be available for use on the Finance Forms website by September 1.

These form updates include:

  • Added a Contact Phone Number field and/or a checkbox in the preparer/reviewer signature section that reads: “I confirm by checking this box that the contact information provided for the recipient on this form is known good supplier information,” to the following forms:
    • AP Non-Employee Prize Award Payment Form
    • AP Non-Employee Gift Form
    • AP Non-Qualified Scholarship Payment Form
    • Honorarium Agreement/Supplier Information Form
    • AP Request for Payment/Refund Form
    • AP Human Subject Participant/Principal Investigator Form (signature checkbox only)

AP will accept the older versions of these updated forms through September 30, 2023 to account for forms in process not submitted prior to September 1, 2023.  However, when submitting the older version of the forms, the requestor must provide the contact phone number and confirm that the contact information provided for the recipient is known good supplier information. As of October 1, 2023, AP will ONLY accept the new forms and will send back all other form versions to the sender for resubmission with the new form.

Thank you to our campus partners who work closely with AP to enhance the robustness of the end-to-end process, strengthen the overall control environment, and prevent fraud.

For questions, please contact Chrissy Moffatt at moffattc@andrew.cmu.edu.