Vendor Onboarding Workflow
L1 approval Awaiting approval
- Started24-02-26
- SLA deadline25-02-26 (48h)
- Remaining levels0 level(s)
- Assigned toSunil · Procurement
- Approval chainL1 ⇛ posted to ERP
PTAS Finsuite Vendor Management handles the five checks that actually decide whether a vendor is safe to pay: structural validation, KYC, bank account penny drop, AI risk scoring, and approval. Your procurement team stops chasing PAN cards. The ERP master stays clean.
Every finance team has a story about the vendor that slipped through. Clean paperwork, a plausible bank account, a name close enough to someone real — and six months later a reversed payment and a hard conversation with the auditor. Manual onboarding is where these slip through.
Most teams we audit take between nine and fourteen working days end to end. The time is not spent validating — it is spent chasing. Chasing the GST certificate, the cancelled cheque, the signed MSA, the approver who is on leave, the buyer who needs to confirm the category.
PTAS customer audits across India manufacturing and services, 2024.Same PAN, same bank account, two different names. Or the same legal entity entered under a dba, a typo, and an old acronym. The duplicates do not hurt until the payment team pays both — and even then, not for a while.
Typical duplicate rate on un-cleaned vendor master data.Most platforms validate the IFSC format. That is not a bank account check. A valid-looking IFSC and a ten-digit account number give you nothing if the account does not exist, is frozen, or belongs to someone else. Only a real credit confirms that.
Observed across tools evaluated in 2024–2025.The stages run in sequence, not in parallel. If structural validation fails, KYC does not start. If KYC fails, penny drop does not run. This is deliberate — it keeps the audit trail clean and the cost per record low. By the time a record hits your approver, it has already cleared four gates.
The screenshot above is a real workflow view. The record ID, approver, and risk score change per vendor; the five stages do not.
Each stage writes its own audit line with a reason code. When an auditor asks why vendor 4022-0006 was approved, the answer is one screen and six log entries. Not forty emails.
Format checks on GSTIN, PAN, CIN, IFSC, and MSME Udyam number. Typos are caught here before anything expensive runs.
DocPro reads the uploaded documents, pulls the numbers, and matches them against the entered values. A mismatch blocks the record.
A one-rupee credit goes to the bank account. The returned beneficiary name is fuzzy-matched against the vendor name on record.
The AI model combines sanctions screening, adverse media, director lookups, and network history into a 0–100 score with reason codes.
The cleared record lands in the approver's queue with the full audit trail. One approval posts it to the ERP vendor master.
The wizard collects what we actually need and nothing we don't. Each step can be saved as a draft. Vendors can fill the same wizard themselves through the self-service portal — the fields are identical, and the record lands in the pending queue when they submit.
Each step saves independently. Procurement can start a record, send the portal link to the vendor for the compliance and bank steps, then pick up from review.
Filter by status, sort by risk, search by ERP code or PAN. The list syncs to your ERP vendor master in near real-time, so what your finance team sees is what your ERP sees.
| Sr no. | Name | Vendor code | Type | ERP code | Risk level | Status | Date | Modify date | Actions | |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Deloitte Consulting India Ltd | — | finance@deloitte-india.in | Consulting | ERP-A4-015 | — | — | 07-Mar-2026 | — | ✎ |
| 2 | Accenture Advisory India Pvt Ltd | — | ops@accenture-adv.in | Consulting | ERP-A4-014 | — | — | 05-Mar-2026 | — | ✎ |
| 3 | Cognizant Systems India Ltd | — | admin@cognizant-ind.in | IT Services | ERP-A4-013 | — | Initiated | 03-Mar-2026 | — | ✎ |
| 4 | Oracle India Solutions Pvt Ltd | — | finance@oracle-india.in | IT Services | ERP-A4-012 | — | Initiated | 01-Mar-2026 | — | ✎ |
| 5 | Bosch Auto Components India Ltd | — | procurement@bosch-auto.in | Manufacturing | ERP-A4-011 | Low | Failed | 19-Feb-2026 | — | ✎ |
| 6 | Siemens India Technologies Pvt Ltd | — | ops@siemens-india.in | IT Services | ERP-A4-010 | Low | Failed | 18-Feb-2026 | — | ✎ |
| 7 | Larsen Toubro Services Ltd | — | finance@lt-services.in | Manufacturing | ERP-A4-009 | Medium | Rejected | 17-Feb-2026 | — | ✎ |
| 8 | Adani Logistics Pvt Ltd | — | admin@adani-logistics.in | Manufacturing | ERP-A4-008 | Medium | Rejected | 15-Feb-2026 | — | ✎ |
| 9 | Bajaj Finserv Partners Pvt Ltd | — | ops@bajaj-finserv.in | Consulting | ERP-A4-007 | Medium | Pending approval | 14-Feb-2026 | — | ✎ |
| 10 | Mahindra Agri Solutions Ltd | — | finance@mahindra-agri.in | Manufacturing | ERP-A4-006 | Medium | Pending approval | 12-Feb-2026 | — | ✎ |
Every signal has a weight. Every weight is visible. The score on the record is a number, but clicking on it shows you the six or seven factors that pushed it up or down. No black box.
The model is a weighted ensemble, not a neural-net oracle. Weights are tunable per tenant because a consulting vendor and a raw-material supplier do not carry the same risk profile.
Feature lists on product pages are usually aspirational. This is what is in the box today. If you need something here, it works. If it's not here, it's either not a feature or it's on the roadmap — and we'll say which.
GSTIN, PAN, CIN, IFSC, and MSME Udyam format checks plus a live lookup against the respective government portal. Invalid records never reach KYC.
DocPro reads the uploaded KYC documents (certificates, cancelled cheque, company incorporation, Aadhaar, PAN card) and matches the extracted fields to what the vendor entered.
A one-rupee credit hits the vendor account. The bank returns the beneficiary name, which is fuzzy-matched against the vendor name with a tunable threshold.
0 to 100 score combining sanctions, adverse media, MCA data, historical behaviour, and duplicates. Weights are tunable per vendor type and business unit.
Matches across PAN, GSTIN, bank account, registered name, and fuzzy address. Any hit blocks new record creation and shows the existing record for merge.
Configurable by amount, category, BU, and vendor type. Each level has an SLA in hours; misses escalate. Delegation during leave is built in.
Native connectors for SAP, Oracle, Dynamics, Tally, NetSuite, QuickBooks, Xero, Zoho. Changes flow both ways and both systems stay consistent.
Signed link, the vendor fills the same seven-step wizard, uploads documents, submits. Your queue gets the record with the risk score already computed.
Every stage, every field change, every approval and rejection writes an immutable log line. Export to CSV or stream to your SIEM.
We are biased. We also answer these questions honestly during sales calls, so here they are.
| Capability | Manual / spreadsheet | Generic P2P module | Finsuite Vendor Management |
|---|---|---|---|
| GSTIN + PAN live lookup | ✗ format only | ◐ optional add-on | ✓ native |
| Penny drop bank verification | ✗ | ◐ via third party | ✓ native, NPCI rails |
| AI risk score with reason codes | ✗ | ✗ manual risk tagging | ✓ explainable |
| Duplicate detection (PAN + bank) | ✗ | ◐ name only | ✓ multi-field signature |
| Vendor self-service portal | ✗ | ✓ | ✓ |
| Two-way ERP sync | ✗ | ✓ within suite only | ✓ multi-ERP connectors |
| Approval SLA & escalation | ✗ email reminders | ✓ | ✓ with delegation |
| Audit trail per record | ◐ patchy | ✓ | ✓ immutable log |
| Deploy in your own cloud | — | ✗ SaaS only | ✓ SaaS or BYOC |
Native connectors for the ERPs and accounting systems most of our customers run. For anything outside the list, REST APIs and webhooks do the job. Bi-directional, so changes on either side flow the other way.
The workflow does not change much by industry. The weights on the risk score, the approval thresholds, and the document set do. Here is how three common setups look in practice.
Raw-material and contract-manufacturing vendors get stricter structural checks and a lower risk threshold for approval. Plant-level cost centres get their own approvers. SAP S/4HANA syncs on every approved record.
Sanctions and PEP screening weight is high; adverse media scan runs monthly after onboarding, not just once. Bank account change triggers a re-verification through penny drop, always. CMK deployment in the customer's AWS.
Cross-border vendors use a shorter wizard that swaps GSTIN and PAN for the local equivalent (EIN, VAT, ABN). Same risk model, different signals. Oracle Fusion vendor master stays in sync across regions.
The platform handles PAN, bank account numbers, and director IDs. The defaults lean paranoid. If you need stricter, we have an answer.
AES-256 at rest, TLS 1.3 in transit. Customer-managed keys (CMK) on enterprise contracts so you hold the unlock.
India, EU, US, and APAC regions available. Data never leaves the chosen region, including logs and audit events.
Field-level permissions on bank details and director data. SSO via SAML and OIDC. SCIM user provisioning for enterprise.
Controls mapped to 27001. DPAs signed before any data moves. SOC 2 Type II evidence pack shared under NDA on request.
Single-tenant deployment in your AWS, Azure, or GCP account. Air-gapped option for defence and regulated workloads.
Every record mutation — field change, bank update, approval, rejection — writes a signed log line. Stream to your SIEM on syslog or webhook.
We answer the rest on a call. These are the ones that come up first.
Penny drop sends a one-rupee credit to the vendor bank account and reads the beneficiary name that comes back from the bank. The returned name is matched against the vendor name on the record using fuzzy match with configurable thresholds. A mismatch blocks the record until a human reviews it. This is the single most reliable way to catch fake or mistyped bank accounts before you ever pay into them. Format checks on IFSC codes do not catch any of that.
The score combines signals from structural checks (valid GSTIN, PAN, MSME), sanctions and PEP screening, adverse media scanning, MCA director lookups, historical payment and dispute patterns across the anonymised Finsuite customer base, and behavioural changes like bank-account updates. Each signal has a weight you can tune by vendor type and business unit. The output is a 0 to 100 number with the contributing reason codes visible, so a reviewer can see exactly why a vendor scored 72.
GSTIN format validation and live lookup against the GSTN portal, PAN format check and Income Tax authenticity call, MSME Udyam registration verification, CIN lookup against MCA, TDS section and rate applicability, and 80G or 12A certification checks for NGO payees. The checks run in parallel where the upstream APIs allow it, take under forty seconds per vendor on average, and each writes its own audit line.
Yes. The vendor portal takes a signed link by email. The vendor fills the same seven-step wizard your team would fill, uploads KYC documents, and submits. Your team sees the record in the pending queue with the AI risk score already computed and the penny drop already complete. Self-service cuts the onboarding touch time on your side by roughly 60 to 70 percent on typical accounts. The wizard does not hide anything — what the vendor fills is what your team sees.
Two-way, near real-time. When a record is approved in Finsuite, it creates or updates the vendor in SAP (ECC or S/4HANA), Oracle Fusion, E-Business Suite, Dynamics 365, Tally Prime, NetSuite, QuickBooks, Xero, or Zoho Books through a native connector. Changes made directly in the ERP flow back into Finsuite, which keeps both systems consistent. For anything outside the connector list, the sync runs over REST API or scheduled file drops.
A new vendor record is checked against every existing record on PAN, GSTIN, bank account number, registered name, and a fuzzy match on address. Any hit blocks the creation and shows the matching record for merge. This catches the common case of the same legal entity getting onboarded twice under slightly different names, which otherwise shows up as a payment ambiguity six months later when the same invoice gets paid twice.
Up to five levels, configurable by amount threshold, business unit, vendor type, and category. Each level has an SLA in hours. If an approver misses the SLA, a reminder goes out; if they miss it again, the record escalates to the next level or a named backup. Delegation during leave is built in — the approver sets it up once in their profile. Every approval or rejection writes an audit line with the reason code.
For a clean vendor with complete documents, the five workflow stages complete in under an hour of processing time — structural, KYC, penny drop, risk scoring, and waiting for the approver is the slowest part. The total elapsed time depends on your approval SLAs. A single-approver setup with a responsive manager closes the same day. The old average for manual Indian vendor onboarding is nine to fourteen days; Finsuite customers typically run at 24 to 72 hours.
Yes. Standard SaaS runs on our multi-tenant cloud in your region of choice. For regulated workloads, Finsuite ships as a single-tenant deployment in your AWS, Azure, or GCP account, or fully on-premise with an air-gap option. CMK (customer-managed keys) are available from single-tenant onwards. A DPA is signed before any vendor data moves, regardless of the deployment model.
Vendor Management owns the vendor master — who the vendor is, whether they are safe to pay, what their terms are. AP Automation owns the invoice flow — what they billed, whether it matches the PO, whether it should be paid now. They share the same vendor record, and the same DocPro extraction engine underneath. You can license them separately. Most finance teams run both because the same vendor fraud that Vendor Management catches at onboarding also surfaces in AP Automation as a bank-account change on an invoice.
Fifty of your pending vendor records, the messier the better. We run them through Finsuite Vendor Management and send back the structural validation, penny drop outcomes, AI risk scores, and the duplicates we would have flagged. No slide deck. Just output you can put next to what you have now.