In a perfect world, we’d be able to obtain every single document or everything we request of the vendor and it would be done with a speedy turnaround. However, in third party risk, as most of us know, it doesn’t always work like that.
So, what do you do when you’re stuck in a predicament like this? Maybe the vendor doesn’t have a SOC report, yet they should. Or, maybe the vendor is a private company who refuses to share their financials.
Due Diligence Document Alternatives
Good news! You’ve got options. Let’s discuss:
1. Issue: The vendor is a private company and won’t share their financials.
Alternative 1: Discuss with your team and see if you can accept a different type of document such as an accountant’s statement.
Alternative 2: You could hold a conference call with them and ask questions like the following to help understand their financial health:
- What does your revenue look like?
- What are your capital plans over the next 12 months?
Alternative 1: Ask them if you can come on-site to discuss.
Alternative 2: If an on-site visit isn’t an option right now, ask them to share some of the information via an online sharing platform like Webex.
3. Issue: The vendor won’t provide their business continuity plan or disaster recovery plan.
Alternative 1: If the vendor won’t provide a hard copy, ask them to host a Webex session so that you can view the plan without keeping a physical file.
Alternative 2: You could request they provide a heavily redacted copy.
4. Issue: The vendor won’t provide a SOC report.
Alternative 1: Sometimes if it’s not in the contract then the vendor won’t provide a SOC report. So, first and foremost you should try to write it into the contract upfront. If you didn’t, then try to write it into the contract renewal.
Alternative 2: You could provide a short control environment questionnaire to them to answer or ask for a supplementary document, if any, that they can share.
5. Issue: The vendor won’t let you review the results of a recent audit.
Alternative: In some industries you can request the results through your regulator’s office (e.g., banks, credit unions).
If a vendor will not release a sensitive document that you need to analyze, then you may need to raise their risk rating or seek a new vendor. Remember, one of the most important things you can do is document all of your attempts. Show your regulators that you’ve tried and exhausted all options.