.gif?width=1920&name=Sample-Graphic-Animation%20(1).gif)
6 min read
As part of the due diligence process, vendors must provide specific documentation as evidence of their risk controls. Whether it's a SOC report to verify information security practices, internal compliance policies or even a business continuity and testing plan, reviewing vendor-provided documents is an essential part of the vendor risk review process.
Unfortunately, there are occasions when a vendor can’t or won’t furnish the requested information. Perhaps the vendor is a new business entity and has yet to go through the SOC reporting process, or maybe they’re a private company not in the practice of sharing financials. Frequently, the vendor is a large organization servicing hundreds of thousands of customers; therefore, it’s not possible or practical for the organization to respond to so many individual requests.
Your vendors may have legitimate reasons why they can't or won't provide requested due diligence documentation. However, that doesn't mean your organization is off the hook regarding due diligence. So, what can you do? The good news is that there are alternatives. Let's look at some practical strategies for getting the information you need when your requested documents are unavailable.
Due Diligence Document Alternatives
Let's take a look at some of the common reasons why and everyday situations where a vendor can't or won't share a document as well as alternative options:
Situation: The vendor is a private company and doesn't share its financials.
Unlike publicly traded companies, private companies aren’t required by law to share their financials.
Alternative 1: Collaborate with your finance team to determine other documents, such as an accountant's statement, which could substitute for audited financials.
Alternative 2: Arrange a call between your finance subject matter expert and the vendor's CFO or another senior finance representative to discuss revenue, cash ratios, capital planning, debt to worth and other essential information.
Situation: The vendor won't provide their policies and procedures.
Your vendor's internal policies can cover everything from pay grades to password encryption standards. Understandably, there might be some information your vendor wants to protect.
Alternative 1: Request that the vendor share the information via a virtual meeting to review and discuss the contents of the policy and procedures.
Alternative 2: Ask for the policy document's outline or table of contents and confirm when the documents were last reviewed or updated.
Alternative 3: Document your requirements and ask the vendor to provide a signed attestation stating the appropriate controls are in place.
Situation: The vendor won't share their business continuity plan or disaster recovery plan.
Business continuity and disaster recovery documents may contain highly confidential information such as undisclosed data storage and backup locations. For this reason, vendors might be hesitant about sharing these documents.
Alternative 1: If the vendor doesn’t provide a hard or electronic copy, you can ask them to host a virtual review session to view the plan without keeping a physical file.
Alternative 2: Ask them to provide a heavily redacted copy.
Situation: The vendor can't provide a SOC report.
Some vendors won’t share their SOC reports unless it is written into the contract or covered under a right to audit clause. This is why you must make sure your contracts include this vital provision. Newer organizations may not be ready for or are in the process of getting SOC audits and reports.
Alternative 1: Ask your vendor to complete a control environment questionnaire and ask them to provide any supplemental documents supporting their answers.
Alternative 2: Arrange a call between your information security expert and the vendor's CIO or another senior information security representative to review required protocols, data protection standards, network diagrams, testing, incident response and other necessary details.
Situation: The vendor won't let you review the results of a recent audit.
Understandably, vendors might be sensitive when sharing audit results that potentially identify gaps or issues requiring attention.
Those issues could negatively influence a prospective client's opinion of the vendor.
Alternative: In some industries, you can request the results through your regulator's office (e.g., banks, credit unions).
Situation: The vendor is a large company that won't respond to your due diligence requests.
Many large companies (Microsoft, Google, AWS or national banks, for example) simply have too many customers to respond to individual due diligence requests.
Alternative: Do a web search or go to the company website. Many companies list their certifications, post SOC documents or provide public versions of their internal policies and more. You’ll be pleasantly surprised by the readily available documentation in most cases.
Situation: The vendor won’t provide documentation or provide requested alternatives.
Alternative 1: Challenge the vendor to suggest alternatives for evidencing the required controls. After all, if they desire your organization's business, they must have some skin in the game.
Alternative 2: Work with your risk committee to determine if forgoing the required due diligence is within the organization's risk appetite. Put another way, is the risk in proportion to the potential benefit? If so, who will accept and approve that risk?
Remember: Most vendors understand the need for due diligence and should be willing to work with you to find an alternate method for validating their controls. Be wary of those vendors who cannot provide a legitimate business reason for not providing documentation. In some cases, that vendor's hesitancy may be a red flag and a signal to move on.
4 Best Practices to Follow
- Utilize non-disclosure agreements. Ensure that you have a non-disclosure that protects you and your vendor's confidential information. Without an NDA, your vendor will be less likely to share any documentation with your organization.
- Manage future expectations through your contract. If you have been obliged to use alternatives or accept missing due diligence evidence for a potential new vendor, use the contract to prevent that from happening in the future. Add additional contract language to specify the types of documentation and reviews required from the vendor.
- Always include a 'right to audit' clause in your contract. For all new vendor contracts, make sure you include a right to audit clause, which provides you broad coverage for information required to perform vendor risk reviews.
- Document everything. When you can’t get requested documentation or use alternative methods to validate controls, you must document this as an exception to your normal process. This documentation will demonstrate to your internal auditors and external examiners that you exhausted your options before accepting alternatives. Your documentation should include:
- Copies of any written requests made to the vendor, including their responses
- Notes of any verbal vendor communication, including virtual presentations or online meetings
- Documented opinions from subject matter experts reviewing alternative due diligence evidence
- Meeting minutes specific to the issue of missing or alternative due diligence, including attendees, next steps and any decisions made
- If required by your organization, a formal documented risk acceptance has been approved and signed by the appropriate senior management level
Even when running smoothly, due diligence can be a complex process, but it can become downright complicated when you can't obtain the necessary documentation from your vendor. When you hit a roadblock, it's good to know there may be other alternatives. Remember that no matter which method you use to validate the vendor's control environment, your organization is always accountable for the risks associated with the vendor relationship. So do your homework, get creative and don't be afraid to say no to potentially risky vendor relationships.
ebook
Due diligence is a fundamental component of any third-party risk program. Download this eBook to learn the breakdown of vendor due diligence reviews.
Related Posts
8 Questions to Ask If Accepting Shared Vendor Due Diligence Documentation
One of the primary pain points in third party risk management is document collection. Add vendor...
Baseline Vendor Due Diligence Documents to Collect
Due diligence is an indispensable step in the vendor risk management lifecycle. Performing due...
Records Retention: How Long Do You Keep Vendor Documents?
Many of us have a tradition of spring cleaning every year by removing clutter from our homes – both...
Subscribe to Venminder
Get expert insights straight to your inbox.
Ready to Get Started?
Schedule a personalized solution demonstration to see if Venminder is a fit for you.