The vendor due diligence process inherently means some heavy lifting when it comes to data collection… and with so many different moving parts, it can be easy to miss one or two (or let’s face it — a lot of) important pieces of information. Certain information may not be as necessary for your non-critical or lower risk vendors. But when it comes to the vendors you rely on every day, there are some key provisions you’ll need to consider and documents to collect.
So, what’s the most important?
Due Diligence You Need to Collect and Analyze for Critical Vendors
1. Foundational Documents/Baseline Due Diligence
A vendor’s set of foundational documents are not only used with upfront vetting, these are the core documents you’ll refer to throughout the ongoing oversight and monitoring. Aside from the basic information, you’ll need a MNDA, or a mutual non-disclosure agreement, as well as a credit report, site confirmation (Google map check), references and business ratings. It’s also a good idea to check on the ownership structure as well as prior aliases and the names of affiliated companies.
Some specific documents include:
- Tax ID
- Business license
- State of incorporation
- Secretary state check
2. Secondary Due Diligence
Your secondary documentation is just as important as your foundational research and encompasses several major categories, including financials, exams/reports, licensure, policies and procedures and insurance. It may also include doing biographic research, reports from on-site visits and requests for organizational charts or diagrams.
There is often a substantial amount of documentation to collect within each of these major categories, however some of the highlights include:
- Financial Statements
- Annual report
- 3 years of audited financials
- Accountant statements
- Business continuity plan and testing
- Information security penetration testing
- Vulnerability testing
- SSAE 18, SOC 1, 2 or 3
- Internal/external audits
- Licenses, Professional Certifications, Policies and procedures
- Any required license (e.g., state money transmitter license)
- PCI and ISO certifications/QSA letter
- Data protection
- Hiring/background check
- Media policies
- Compliance policies
- Data Protection policies
- Employee malfeasance
Before signing on the dotted line, it’s crucial to review your vendor contracts and make sure they include several pieces of information — things like scope of service and minimum service level requirements, terms of renewal/termination, right-to-audit, pricing, among several others.
5 major questions and information that requires collecting during the contract phase are:
- Does the vendor contract contain a measurable SLA?
- Does the vendor contract have sufficient security and confidentially provisions?
- Does your vendor contract identify sub-contractors or fourth parties?
- Are there provisions for annual reporting?
- Is there a business resumption or disaster recovery plan clause?
Of course, there are a lot more documents that could be included as the level of due diligence collection very much depends on your vendor’s type and the risk posed to the organization. However, this is a good list to get you started.
Your due diligence process should be based on the risk level of your vendor. Download this checklist to help.