Our procurement team used to spend an embarrassing amount of time vetting new suppliers. We're talking 3+ hours per vendor -- pulling business registrations, checking for federal debarment, scanning for SEC filings, verifying nonprofit status if applicable. All manual. All copy-paste. All soul-crushing.
Then I got annoyed enough to actually fix it.
Here's the thing: almost all of the data you need for a solid vendor risk assessment is public. The federal government publishes it. State governments publish it. The SEC publishes it. You don't need a $500/month API subscription to verify a vendor's legitimacy -- you just need to know where to look and how to pull the data programmatically.
What Actually Goes Into Vendor Vetting
Before automating anything, I mapped out what our compliance team was actually checking:
- Is the business legally registered and in good standing?
- Are they on any federal debarment/exclusion lists?
- Have they had any SEC enforcement actions or material filings that suggest financial instability?
- Do they have federal contract history (useful for gauging reliability and scale)?
- If they're claiming nonprofit status, does their 990 filing check out?
That's five separate research tasks, across five separate data sources, done manually for every supplier. No wonder people hate procurement.
Step 1: Business Entity Verification
The first thing I check is whether the vendor is actually a registered business. You'd be surprised how often small suppliers are operating under a DBA or a shell that doesn't match what's on their invoice.
Most Secretary of State portals are publicly searchable -- they just don't have good APIs. I built a scraper that queries the major state SOS databases and returns entity name, registration status, registered agent, and formation date. Takes about 5 seconds per lookup.
I use a US business entity search actor for this. It covers the top 10 states by business entity count. You plug in a company name, and it returns structured data you can pipe into a spreadsheet or webhook.
The thing that actually matters here isn't just "are they registered" -- it's "are they in good standing." A vendor whose registration lapsed 18 months ago is a yellow flag worth escalating.
Step 2: Federal Debarment + Contract History
SAM.gov is where the federal government publishes debarment lists, exclusions, and entity registrations for anyone doing business with the government. If a vendor is excluded from federal contracts, that's a serious red flag -- it usually means fraud, ethics violations, or a pattern of non-performance.
It's also just a useful signal for vendor legitimacy in general. Companies that have been through federal vetting (and maintain active SAM registrations) tend to be more stable.
The SAM.gov interface is... not great. Searching it manually is slow and the export options are clunky. I have a scraper for this too: SAM.gov federal contracts search. You can search by company name, check registration status, and pull their contract award history. Seeing that a vendor has $2M in active federal contracts tells you something meaningful about their operational reliability.
Step 3: SEC Filings for Larger Vendors
If you're onboarding a supplier that's publicly traded or large enough to file with the SEC, their EDGAR filings are basically a free financial health report.
10-K and 10-Q filings will tell you things their sales team definitely won't: revenue trends, going concern warnings, material litigation, concentration risk (if 80% of their revenue comes from one customer, that's your problem too if that customer churns).
The SEC EDGAR company filings scraper makes this pretty turnkey -- search by company name, get structured results with filing type, date, and links to the actual documents. I pull the 10-K summary and drop it into our vendor assessment template automatically.
For smaller private vendors this won't return anything, but for mid-market and enterprise suppliers it's often the most useful data point in the whole vetting process.
Step 4: Nonprofit Verification
If a vendor is claiming 501(c)(3) status -- which affects tax treatment, procurement rules in some contexts, and sometimes pricing -- you can verify it directly against IRS 990 filings.
The 990 is a public document that nonprofits file annually. It includes executive compensation, revenue breakdown, program expenses, and financial health indicators. A nonprofit with $50K in revenue and $200K in expenses, three years running, is worth a second look before you commit to a long-term contract.
The Nonprofit Explorer 990 search actor pulls this from ProPublica's Nonprofit Explorer, which aggregates IRS 990 data and makes it actually searchable. Much faster than going to the IRS directly.
Putting It Together
The pipeline I built runs like this:
- New vendor request comes in via a form
- Zapier (or n8n, we use n8n) triggers all four scraper runs in parallel
- Results get written to a shared Airtable base that our compliance team reviews
- If anything flags -- lapsed registration, debarment hit, going concern warning -- it routes to a human for review
- Clean vendors get auto-approved for the next step in onboarding
Total time from form submission to compliance output: about 10 minutes, mostly waiting on the scrapers to run. The manual version took 3 hours minimum and required someone to actually care enough to do it consistently. Spoiler: they didn't always.
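The routing step in that list is where "clean" has to be defined carefully, so here is an added sketch of it (not the code from my pipeline or from the actors) written as the kind of JavaScript you would put in an n8n Code node. It treats a failed entity or SAM.gov lookup as a flag rather than as a clean result, accepts an empty EDGAR result for private vendors, and only runs the 990 check when nonprofit status is claimed. The field names (`status`, `excluded`, `goingConcern`, `filings`, `invoiceName`, `claimsNonprofit`) are assumed normalized shapes, not the scrapers' real output schemas.

```javascript
// Added example: triage step for the vendor pipeline. All field names below are
// assumed normalized shapes, not the actors' real output schemas.
const norm = (s) => (s || "").toLowerCase().replace(/[^a-z0-9 ]/g, "")
  .replace(/\b(inc|llc|corp|co|ltd)\b/g, "").replace(/\s+/g, " ").trim();

function triageVendor(request, results) {
  const flags = [];
  const { entity, sam, sec, nonprofit } = results;

  // Entity and SAM checks are mandatory: a failed or empty run is a flag, never "clean".
  if (!entity || entity.error) flags.push("entity lookup failed or returned nothing");
  else {
    if (entity.status !== "good_standing") flags.push(`registration status: ${entity.status}`);
    if (norm(entity.name) !== norm(request.invoiceName))
      flags.push(`invoice name "${request.invoiceName}" != registered "${entity.name}"`);
  }
  if (!sam || sam.error) flags.push("SAM.gov lookup failed");
  else if (sam.excluded) flags.push("debarment/exclusion hit on SAM.gov");

  // SEC: no filings is normal for small private vendors; only an errored run flags.
  if (sec && sec.error) flags.push("EDGAR lookup failed");
  else if (sec && sec.goingConcern) flags.push("going concern warning in latest 10-K");

  // Nonprofit check only applies when the vendor claims 501(c)(3) status.
  if (request.claimsNonprofit) {
    const years = (nonprofit && nonprofit.filings) || [];
    if (years.length === 0) flags.push("claims 501(c)(3) but no 990 filings found");
    else {
      const last3 = [...years].sort((a, b) => b.year - a.year).slice(0, 3);
      if (last3.length === 3 && last3.every((f) => f.expenses > f.revenue))
        flags.push("990s show expenses above revenue three years running");
    }
  }
  return { decision: flags.length ? "human_review" : "auto_approve", flags };
}

// Constructed sample inputs (not real vendors).
const clean = triageVendor(
  { invoiceName: "Acme Supply, LLC", claimsNonprofit: false },
  { entity: { name: "ACME SUPPLY LLC", status: "good_standing" }, sam: { excluded: false }, sec: null });
const risky = triageVendor(
  { invoiceName: "Helping Hands", claimsNonprofit: true },
  { entity: { name: "Helping Hands Inc", status: "lapsed" }, sam: { error: "timeout" },
    nonprofit: { filings: [{ year: 2021, revenue: 50000, expenses: 200000 },
      { year: 2022, revenue: 50000, expenses: 200000 }, { year: 2023, revenue: 50000, expenses: 200000 }] } });
console.log(clean.decision, risky.decision, risky.flags);
```

The returned `flags` array is what gets written to the review base, so the compliance reviewer sees why a vendor was routed to them and not just that it was.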
What This Doesn't Replace
I want to be honest here: this doesn't replace a full third-party risk assessment for high-stakes vendors. If you're signing a $2M annual contract with a sole-source supplier, you want a human analyst, a questionnaire, and probably a SOC 2 report in there too.
But for the 80% of vendors that are mid-tier suppliers, one-time contractors, and small service providers? This pipeline catches the obvious red flags and does it consistently -- which is more than most procurement teams can say for their current manual process.
The data is public. The scrapers are cheap to run. The only cost was the afternoon I spent wiring it together.
If you want to try the individual pieces, all four actors are on my Apify page. They each have free trial runs so you can test with real data before committing to anything.