
Vendor Due Diligence Document Alternatives

Jul 31, 2019 by Venminder Experts

In a perfect world, we’d be able to obtain every document we request from a vendor, and with a speedy turnaround. However, in third party risk, as most of us know, it doesn’t always work like that.

So, what do you do when you’re stuck in a predicament like this? Maybe the vendor doesn’t have a SOC report, yet they should. Or, maybe the vendor is a private company that refuses to share its financials.

Due Diligence Document Alternatives

Good news! You’ve got options. Let’s discuss:

  1. Issue: The vendor is a private company and won’t share their financials.

Alternative 1: Discuss with your team and see if you can accept a different type of document such as an accountant’s statement.
Alternative 2: You could hold a conference call with them and ask questions like the following to help understand their financial health:

  • What does your revenue look like?
  • What are your capital plans over the next 12 months?

 2. Issue: The vendor won’t discuss their policies and procedures over the phone.

Alternative 1: Ask them if you can come on-site to discuss.
Alternative 2: If an on-site visit isn’t an option right now, ask them to share some of the information via an online sharing platform like Webex.

 3. Issue: The vendor won’t provide their business continuity plan or disaster recovery plan.

Alternative 1: If the vendor won’t provide a hard copy, then you can ask them to host a Webex session so that you can view it without keeping a physical file.
Alternative 2: You could request they provide a heavily redacted copy.

 4. Issue: The vendor won’t provide a SOC report.

Alternative 1: Sometimes if it’s not in the contract then the vendor won’t provide a SOC report. So, first and foremost you should try to write it into the contract upfront. If you didn’t, then try to write it into the contract renewal.
Alternative 2: You could send them a short control environment questionnaire to answer, or ask for a supplementary document, if any, that they can share.

 5. Issue: The vendor won’t let you review results of a recent audit.

Alternative: In some industries you can request the results through your regulator’s office (e.g., banks, credit unions).

After That

If a vendor will not release a sensitive document that you need to analyze, then you may need to raise their risk rating or seek a new vendor. Remember, one of the most important things you can do is document all of your attempts. Show your regulators that you’ve tried and exhausted all options.
