As part of the due diligence process, vendors must provide specific documentation as evidence of their risk controls. Whether it's a SOC report to verify information security practices, internal compliance policies, or even a business continuity and testing plan, reviewing vendor-provided documents is an important element of vendor risk assessment.
Unfortunately, there are occasions when a vendor can't or won't furnish the requested information. The vendor may be a new business entity that hasn't gone through the SOC reporting process or a private company that doesn't share financials. In many cases, the vendor is a large organization that serves hundreds or thousands of customers, so answering so many individual requests is neither possible nor practical.
Your vendors may have legitimate reasons why they can't or won't provide the requested due diligence documentation. However, that doesn't mean your organization is off the hook regarding due diligence. So, what can you do? The good news is that there are alternatives. Let's look at some practical strategies for getting the information you need when your requested documents are unavailable.
Unlike publicly traded companies, private companies aren't required by law to share their financials.
Alternative 1: Collaborate with your finance team to determine other documents that may substitute for audited financials, such as an accountant's statement.
Alternative 2: Arrange a call between your finance subject matter expert and the vendor's CFO or another senior finance representative to discuss revenue, cash ratios, capital planning, the debt-to-worth ratio and other essential information.
Your vendor's internal policies can cover everything from pay grades to password encryption standards. Understandably, there might be some information your vendor wants to protect.
Alternative 1: Ask your vendor to share the information during a virtual meeting, in which you'll review and discuss the content of their policies and procedures.
Alternative 2: Request a copy of the policy document's outline or table of contents and confirm when the documents were last reviewed or updated.
Alternative 3: Document your requirements and ask the vendor to provide a signed attestation stating the appropriate controls are in place.
Business continuity and disaster recovery documents may contain highly confidential information such as undisclosed data storage and backup locations. For this reason, vendors might be hesitant about sharing these documents.
Alternative 1: If the vendor doesn't provide a hard or electronic copy, you can ask them to host a virtual review session to view and discuss the plan without keeping a physical file.
Alternative 2: Ask them to provide a heavily redacted copy.
Some vendors won't share their SOC reports unless it's written into the contract or covered under a right-to-audit clause. This is why your contract must include provisions such as due diligence and assessment requirements. Newer organizations may not be ready for a SOC audit, or may still be in the process of obtaining their first SOC report.
Alternative 1: Ask your vendor to complete a control environment questionnaire and to provide any supplemental documents that support their answers.
Alternative 2: Arrange a call between your information security expert and the vendor's CIO or another senior information security representative to review required protocols, data protection standards, network diagrams, testing, incident response, and other necessary details.
Understandably, vendors might be sensitive when sharing audit results that potentially identify gaps or issues requiring attention. Those issues could negatively influence a prospective client's opinion of the vendor.
Alternative: In some industries, you may be able to request the results through your regulator's office (e.g., banks, credit unions).
Many large companies (Microsoft, Google, AWS or national banks, for example) simply have too many customers to respond to individual due diligence requests.
Alternative: Conduct a web search or go to the company website. Many companies list their certifications, post SOC documents or provide public versions of their internal policies and more. You'll be pleasantly surprised by the readily available documentation in most cases.
Alternative 1: Ask the vendor to suggest alternatives for demonstrating the required controls. After all, if they desire your organization's business, they must have some skin in the game.
Alternative 2: Work with your risk committee to determine whether forgoing the required due diligence is within your organization's risk appetite. Is the risk proportionate to the potential benefit? If so, who will accept and approve that risk?
Remember: Most vendors understand the need for due diligence and should be willing to work with you to find an alternate method for validating their controls. However, it's important to be wary of those vendors who cannot provide a legitimate business reason why they can't or won't provide documentation. There may be cases where a vendor's hesitation is an indication to move on and find another vendor.
Even when running smoothly, due diligence can be a complex process. It can be downright complicated if your vendor cannot provide the proper documentation. When you hit a roadblock, it's good to know there may be other alternatives. Remember that no matter which method you use to validate the vendor's control environment, your organization is always accountable for the risks associated with the vendor relationship. So do your homework, get creative, and don't be afraid to say no to potentially risky vendor relationships.