Vendor Due Diligence Document Alternatives


As part of the due diligence process, vendors must provide specific documentation as evidence of their risk controls. Whether it's a SOC report to verify information security practices, internal compliance policies or even a business continuity and testing plan, reviewing vendor-provided documents is an essential part of the vendor risk review process.

Unfortunately, there are occasions when a vendor can’t or won’t furnish the requested information. Perhaps the vendor is a new business entity and has yet to go through the SOC reporting process, or maybe they’re a private company not in the practice of sharing financials. Frequently, the vendor is a large organization servicing hundreds of thousands of customers; therefore, it’s not possible or practical for the organization to respond to so many individual requests.

Your vendors may have legitimate reasons why they can't or won't provide requested due diligence documentation. However, that doesn't mean your organization is off the hook regarding due diligence. So, what can you do? The good news is that there are alternatives. Let's look at some practical strategies for getting the information you need when your requested documents are unavailable.

Due Diligence Document Alternatives

Let's look at the common situations in which a vendor can't or won't share a requested document, the usual reasons behind them, and the alternative evidence you can ask for instead:

Situation: The vendor is a private company and doesn't share its financials.



Unlike publicly traded companies, private companies aren’t required by law to share their financials.

Alternative 1: Collaborate with your finance team to determine other documents, such as an accountant's statement, which could substitute for audited financials.

Alternative 2: Arrange a call between your finance subject matter expert and the vendor's CFO or another senior finance representative to discuss revenue, cash ratios, capital planning, the debt-to-worth ratio and other essential indicators of financial health. Record the figures discussed and who provided them so the conversation can serve as evidence in your file.

Situation: The vendor won't provide their policies and procedures.

 



Your vendor's internal policies can cover everything from pay grades to password and encryption standards. Understandably, there may be information in those documents that your vendor wants to protect.

Alternative 1: Request that the vendor share the information via a virtual meeting to review and discuss the contents of the policy and procedures.

Alternative 2: Ask for the policy document's outline or table of contents and confirm when the documents were last reviewed or updated.

Alternative 3: Document your requirements and ask the vendor to provide a signed attestation stating that the appropriate controls are in place. Keep in mind that an attestation is the weakest form of evidence: list the specific controls you expect (for example, access reviews, encryption of data at rest, incident response procedures) so the vendor is attesting to concrete requirements rather than a general statement.

Situation: The vendor won't share their business continuity plan or disaster recovery plan.



Business continuity and disaster recovery documents may contain highly confidential information such as undisclosed data storage and backup locations. For this reason, vendors might be hesitant about sharing these documents.

Alternative 1: If the vendor won't provide a hard or electronic copy, ask them to host a virtual review session so you can walk through the plan without retaining a copy of the file. Take notes on the points that matter to your review, such as recovery time and recovery point objectives, the date of the most recent test and how the plan covers the services you depend on.

Alternative 2: Ask them to provide a redacted copy. Redaction of site addresses and infrastructure details is reasonable; confirm that the elements you actually need to assess (scope, recovery objectives, testing cadence and results) are still legible.

Situation: The vendor can't provide a SOC report.


Some vendors won't share their SOC reports unless sharing is written into the contract or covered under a right to audit clause, which is why your contracts must include this provision. Newer organizations may not yet be ready for a SOC audit, or may be in the middle of their first one and unable to produce a report.

Alternative 1: Ask your vendor to complete a control environment questionnaire and ask them to provide any supplemental documents supporting their answers.

Alternative 2: Arrange a call between your information security expert and the vendor's CIO, CISO or another senior information security representative to review the controls you require: data protection standards, network architecture and diagrams, security testing, incident response and other necessary details.

Situation: The vendor won't let you review the results of a recent audit.



Understandably, vendors might be sensitive about sharing audit results that identify gaps or issues requiring attention, since those issues could negatively influence a prospective client's opinion of the vendor.

Alternative: In some regulated industries (for example, banks and credit unions), you may be able to request examination results for certain service providers through your regulator. Check with your compliance team on what your regulator makes available and the process for requesting it.

Situation: The vendor is a large company that won't respond to your due diligence requests.

 

Many large companies (Microsoft, Google, AWS or national banks, for example) simply have too many customers to respond to individual due diligence requests.

Alternative: Do a web search or go to the company's website. Many large companies list their certifications, publish SOC documents through a trust or compliance portal (often after accepting an online NDA) and provide public versions of their internal policies. You'll be pleasantly surprised by how much documentation is readily available in most cases. When you use public material, verify that the certification or report covers the specific service you are buying and that the period or issue date is current enough for your review.

Situation: The vendor won’t provide documentation or provide requested alternatives.


Alternative 1: Challenge the vendor to suggest alternatives for evidencing the required controls. After all, if they desire your organization's business, they must have some skin in the game.

Alternative 2: Work with your risk committee to determine if forgoing the required due diligence is within the organization's risk appetite. Put another way, is the risk in proportion to the potential benefit? If so, who will accept and approve that risk?

 

Remember: Most vendors understand the need for due diligence and should be willing to work with you to find an alternate method for validating their controls. Be wary of those vendors who cannot provide a legitimate business reason for not providing documentation. In some cases, that vendor's hesitancy may be a red flag and a signal to move on.

4 Best Practices to Follow

  1. Utilize non-disclosure agreements. Ensure that you have a non-disclosure agreement in place that protects both your organization's and your vendor's confidential information. Without an NDA, your vendor will be less likely to share any documentation with your organization.
  2. Manage future expectations through your contract. If you have been obliged to use alternatives or accept missing due diligence evidence for a potential new vendor, use the contract to prevent that from happening in the future. Add additional contract language to specify the types of documentation and reviews required from the vendor.
  3. Always include a 'right to audit' clause in your contract. For all new vendor contracts, make sure you include a right to audit clause, which provides you broad coverage for information required to perform vendor risk reviews.
  4. Document everything. When you can’t get requested documentation or use alternative methods to validate controls, you must document this as an exception to your normal process. This documentation will demonstrate to your internal auditors and external examiners that you exhausted your options before accepting alternatives. Your documentation should include:
    • Copies of any written requests made to the vendor, including their responses
    • Notes of any verbal vendor communication, including virtual presentations or online meetings
    • Documented opinions from subject matter experts reviewing alternative due diligence evidence
    • Meeting minutes specific to the issue of missing or alternative due diligence, including attendees, next steps and any decisions made
    • If required by your organization, a formal documented risk acceptance approved and signed at the appropriate senior management level

Even when running smoothly, due diligence can be a complex process, but it can become downright complicated when you can't obtain the necessary documentation from your vendor. When you hit a roadblock, it's good to know there may be other alternatives. Remember that no matter which method you use to validate the vendor's control environment, your organization is always accountable for the risks associated with the vendor relationship. So do your homework, get creative and don't be afraid to say no to potentially risky vendor relationships.
