
Vendor Due Diligence Document Alternatives


As part of the due diligence process, vendors must provide specific documentation as evidence of their risk controls. Whether it's a SOC report to verify information security practices, internal compliance policies, or even a business continuity and testing plan, reviewing vendor-provided documents is an important element of vendor risk assessment.

Unfortunately, there are occasions when a vendor can't or won't furnish the requested information. The vendor may be a new business entity that hasn't yet been through a SOC examination, or a private company that doesn't share its financials. In many cases, the vendor is a large organization that serves hundreds or thousands of customers, so answering every individual request is neither possible nor practical.

Your vendors may have legitimate reasons why they can't or won't provide the requested due diligence documentation. However, that doesn't mean your organization is off the hook regarding due diligence. So, what can you do? The good news is that there are alternatives. Let's look at some practical strategies for getting the information you need when your requested documents are unavailable.

Due Diligence Document Alternatives

Here are a few scenarios in which a vendor will not disclose a document, the vendor's likely reasons, and possible alternatives:

Situation: The vendor is a private company and doesn't share its financials.

Unlike publicly traded companies, private companies aren't required by law to share their financials.

Alternative 1: Collaborate with your finance team to determine other documents that may substitute for audited financials, such as an accountant's statement.

Alternative 2: Arrange a call between your finance subject matter expert and the vendor's CFO or another senior finance representative to discuss revenue, cash ratios, capital planning, debt to worth and other essential information.

Situation: The vendor won't provide their policies and procedures.

Your vendor's internal policies can cover everything from pay grades to password encryption standards. Understandably, there might be some information your vendor wants to protect.

Alternative 1: Ask your vendor to share the information during a virtual meeting, in which you'll review and discuss the content of their policies and procedures. 

Alternative 2: Request a copy of the policy document's outline or table of contents and confirm when the documents were last reviewed or updated.

Alternative 3: Document your requirements and ask the vendor to provide a signed attestation stating the appropriate controls are in place.

Situation: The vendor won't share their business continuity plan or disaster recovery plan.


Business continuity and disaster recovery documents may contain highly confidential information such as undisclosed data storage and backup locations. For this reason, vendors might be hesitant about sharing these documents.

Alternative 1: If the vendor won't provide a hard or electronic copy, ask them to host a virtual review session in which you view and discuss the plan without retaining a copy of it.

Alternative 2: Ask them to provide a redacted copy that withholds sensitive specifics (such as site locations) but still shows the plan's scope, recovery time and recovery point objectives, and the date and results of the most recent test.

Situation: The vendor can't provide a SOC report.


Some vendors won't share their SOC reports unless it's written into the contract or covered under a right-to-audit clause, and most will release a SOC 1 or SOC 2 report only under a non-disclosure agreement. This is why your contract must include provisions such as due diligence and assessment requirements. Newer organizations may not be ready for a SOC examination, or may still be in the process of obtaining their first report.

Alternative 1: Ask your vendor to complete a control environment questionnaire and ask them to provide any supplemental documents supporting their answers.

Alternative 2: Arrange a call between your information security expert and the vendor's CIO, CISO or another senior information security representative to review required protocols, data protection standards, network diagrams, security testing, incident response, and other necessary details.

Situation: The vendor won't let you review the results of a recent audit.

Understandably, vendors might be sensitive when sharing audit results that potentially identify gaps or issues requiring attention. Those issues could negatively influence a prospective client's opinion of the vendor.

Alternative: In some industries, you may be able to request the results through your regulator's office (e.g., banks, credit unions).

Situation: The vendor is a large company that won't respond to your due diligence requests.


Many large companies (Microsoft, Google, AWS or national banks, for example) simply have too many customers to respond to individual due diligence requests.

Alternative: Conduct a web search or go to the company website. Many large companies list their certifications, publish SOC 3 reports (the general-use version of a SOC 2 report), make full SOC reports available through a customer-facing trust or compliance portal under NDA, and post public versions of their internal policies. You'll be pleasantly surprised by the readily available documentation in most cases.

Situation: The vendor won't provide documentation or the requested alternatives.

How should you proceed if the vendor refuses to provide requested documentation and cannot or will not meet your alternative requirements? What actions could you take?

Alternative 1: Ask the vendor to suggest alternatives for demonstrating the required controls. After all, if they desire your organization's business, they must have some skin in the game.

Alternative 2: Work with your risk committee to determine whether forgoing the required due diligence is within your organization's risk appetite. Is the risk proportionate to the potential benefit? If so, who will accept and approve that risk?

Remember: Most vendors understand the need for due diligence and should be willing to work with you to find an alternate method for validating their controls. However, it's important to be wary of those vendors who cannot provide a legitimate business reason why they can't or won't provide documentation. There may be cases where a vendor's hesitation is an indication to move on and find another vendor.


4 Best Practices to Follow

  1. Use non-disclosure agreements (NDAs). Ensure that you have a non-disclosure agreement in place that protects both your and your vendor's confidential information. Without an NDA, your vendor will be less likely to share any documentation with your organization.
  2. Manage future expectations through your contract. If you have been obliged to use alternatives or accept missing due diligence evidence for a new vendor, include language in the contract that prevents that from happening in future review cycles, and describe the types of information and documents that are acceptable.
  3. Always include a right-to-audit clause in your contract. For all new vendor contracts, include a right-to-audit clause, which gives you broad coverage for the information required to perform vendor risk reviews.
  4. Document everything. If you're unable to obtain requested documentation or you use alternative methods to validate controls, you must document the exception to your normal process. By tracking your decisions, you'll show your internal auditors and external examiners that you exhausted your options before accepting alternatives.

    Your documentation may include:
    • Copies of any written requests made to the vendor, as well as their responses
    • Notes of any verbal vendor communication, including virtual presentations or online meetings
    • Documented opinions from subject matter experts who reviewed alternative due diligence evidence
    • Meeting minutes specific to the issue of missing or alternative due diligence, including attendees, next steps and any decisions made
    • If required by your organization, a formal documented risk acceptance that has been approved and signed by the appropriate senior management level

Even when running smoothly, due diligence can be a complex process. It can be downright complicated if your vendor cannot provide the proper documentation. When you hit a roadblock, it's good to know there may be other alternatives. Remember that no matter which method you use to validate the vendor's control environment, your organization is always accountable for the risks associated with the vendor relationship. So do your homework, get creative, and don't be afraid to say no to potentially risky vendor relationships.
