Baseline Vendor Due Diligence Documents to Collect


Due diligence is an indispensable step in the vendor risk management lifecycle. Performing due diligence on your vendors isn’t only a sensible business practice, but for many industries, is regulated by law. Of course, not all vendor relationships pose the same risks to an organization, but there are baseline or foundational documents you should be collecting to further evaluate most vendor engagements.

Have you repeatedly heard about the criticality of due diligence, but still wonder how due diligence goes from being a conceptual best practice to an actionable process? If that sounds like you, you’re not alone. Most vendor risk managers recognize the importance of due diligence to identify and assess risk, and are somewhat familiar with the due diligence process, but it’s not uncommon for vendor risk managers to be perplexed about where to start or what documents and information to request from their vendor. Defining an accurate inventory of the exact vendor due diligence information to gather and assess can be overwhelming.

How to Start Collecting Vendor Due Diligence

To simplify this process initially, it’s always wise to focus on the basics and build from there. To get started, let's review what you likely already know. Both the scope and rigor of due diligence should align with the risks associated with the vendor relationship. However, you must collect some basic information on all vendors, regardless of their risk level, criticality or business type.

No matter the relationship's risk level, verifying that your vendor is a legitimate business entity with a good reputation is the first due diligence objective. Let's take a look at what information you will need to collect from the vendor and the research you must do to meet that first objective.

The Foundational Due Diligence Documents to Collect

The process for collecting some of this data may vary depending on your organizational processes. And, in some organizations, the information for items 1-5 may be logged in your accounts payable system instead of a vendor management system. Ensure you know about parallel information systems or processes to help you avoid rework and redundant requests to the vendor.

Here are documents and information you should be collecting as a starting point:

1. Legal name: Including any “doing business as” or “also/previously known as” (d/b/a, aka, pka).

2. Basic information: Including addresses such as the corporate headquarters, physical location where all work will be performed (a picture or map view of the facility may also be required for some vendors), website URL, corporate contact information such as an email and phone number, etc.

3. Tax ID: A vendor's tax ID proves that they are registered with the IRS.

4. Ownership structure and affiliated companies: It's necessary to understand the overall structure of the organization. You may find that a parent company or an affiliate has a different risk profile than the vendor you’re vetting, which might increase or decrease the risk.

5. Biographies of key managers and owners: This may be needed when the relationship has elevated risk or reputational concerns.

Moving along, you’ll also need to collect items 6 and 7 if there is an elevated risk in the relationship.

In other words, if the vendor will be accessing any of your systems or data, or reviewing your organizational business strategies, plans, code or any other intellectual property, these are foundational documents you need. These items are also required when the vendor collects payments, interfaces with your customers or employees, or is considered a critical vendor.

6. Confidentiality agreement: This can also be referred to as a mutual non-disclosure agreement (MNDA) or a privacy statement. It's used to protect both parties' trade secrets and confidential information. This agreement may not be necessary for low-risk, low-dollar spend relationships. However, a confidentiality agreement is recommended any time you request sensitive or confidential information from a vendor.

7. List of pertinent subcontractors/fourth parties: Suppose your vendor provides critical or high-risk products or services for your organization. It’s essential to know if they’re dependent on other vendors to complete and deliver a product or service to you. If so, you’ll need to be aware of the extended risks present because products and services (or a portion of them) for your organization are performed by a vendor with which you do not have a direct contract.

Visibility into these fourth parties (the vendors of your vendor) also alerts your organization to include specific terms and conditions in the contract, including requiring your vendor to obtain your written approval before adding or changing fourth parties. A well-written contract should also require your vendor to notify you if any of their vendors (subcontractors) suffer a data breach, a business interruption or any other situation that could potentially impact your organization.

Once you have obtained the necessary information from the vendor, such as the items above, you'll still need to do your homework. Further research allows you to identify risks that aren't always obvious and may give you extra data points that your vendor won't automatically provide. Research is also the best way to validate a vendor's good reputation.

Not all of the items below will be necessary for every vendor. However, they're highly recommended.

8. OFAC check: Required by the U.S. Treasury to determine if an organization is owned or managed by a sanctioned person or nation.

9. Complaint research: Use websites like bbb.org, the CFPB (their complaints database), and ripoffreport.com to research the type and volume of customer complaints that the vendor has received.

10. Negative news search: Running a Google News search will help you avoid any surprises if your vendor has had troubling incidents in the past.

11. Secretary of State check: You can validate the vendor's authenticity by confirming that they're correctly registered in their state.

12. Business License: This is a fundamental item to ensure your vendor is licensed to provide the product/service for which you’re contracting.

13. State of Incorporation: This can easily be found online through each secretary of state's website. This information confirms that the vendor is a legitimate business and is filing tax returns.

14. Credit report: A quick credit check could identify underlying issues like a decline in the vendor's financial condition or failing business operations. You can obtain this from sites like Equifax.com, Transunion.com or Experian.com.

15. Dun & Bradstreet (D&B) report: You can obtain this business credit and trade report directly from D&B or other providers. This report can show you payment habits and trends that may not yet be revealed in audited financials.

16. Certificate of Good Standing: Your local Better Business Bureau (BBB) and state treasurers will be able to provide two different types of certificates. The state will show whether the organization is current on tax obligations. The BBB will confirm that the company is ethical and doesn’t have excessive complaints against them.

Depending on the risk associated with the product and service, you may not need to ask for some information or research every point. Each vendor is vetted differently, and it's important to carefully assess which due diligence information you’ll request from each vendor. You don't want to risk overlooking anything that may impact your organization. Still, you also don't want to spend valuable time collecting and researching data that isn't significant. That’s why tailoring due diligence is important.

For further reading, view our comprehensive Third-Party Risk Management Checklist for an in-depth look at other documentation you may want to collect during the due diligence stage. Download the checklist.
