Collecting due diligence on vendors can feel like an impossible task, made up of document rabbit holes and infinite checklists — one big, monotonous game of tag as you constantly call, email and chase vendors to obtain the X, Y, Z report you’ve needed for weeks. Then, once you think you finally have everything you need, analyzing the documentation can become overwhelming. Sometimes, it’s difficult to determine where to begin, what to review and how to interpret what it all means. Sound familiar? We thought so…
Not to worry! We’ve put together an approachable method for how to best conduct vendor due diligence by breaking down five important documentation categories to focus on.
How to Conduct Vendor Due Diligence
1. Review Your Contracts
A contract is an agreement between parties that creates a legal obligation for your organization and the vendor to perform specific activities. Each party to the contract is legally bound to perform the duties outlined within it. Contract reviews are a very important component of your due diligence: if an expectation isn’t set in the contract, then it isn’t in agreement between the parties.
Before you sign the contract, make sure to:
- Review the scope of services
- Review SLA requirements
- Confirm accuracy of contract duration
- Consider costs and price increase language
- Confirm security/confidentiality provisions
- Assess audit requirements
- Understand reporting and any associated feeds
- Assess business continuity language
- Analyze subcontracting policies
- Review ownership/license information
- Review indemnification clauses
- Review limitation of liability
- Confirm provisions around dispute resolution
- Include standards around complaints management
- Review general provisions (e.g., survival, governing law, contract conflict, severability, etc.)
- Collect all foundational vendor due diligence documentation (e.g., MNDA, tax ID, business license, credit report, etc.)
2. Review Vendor SOC Reports
SOC stands for system and organization controls. A SOC report is an independent audit report issued by a certified public accountant (CPA) that shares additional details about the controls the vendor has in place. It’s an attestation that your vendor has controls to safeguard your data, and that if those controls are operating effectively, they mitigate part of the risk your organization inherits by using the vendor.
To help you conduct a SOC review, at a high level you’ll want to:
- Use the reporting period to confirm it’s the most current report available
- Assess organizational and administrative setup
- Confirm products and services
- Gain a deeper knowledge of the information system
- Review data center infrastructure
- Analyze control objectives and activities
- Review any audit findings or control exceptions, and how management responded to them
3. Review Business Continuity, Disaster Recovery & Pandemic Plans
Business continuity planning helps vendors (or any business) ensure that their significant operations and products/services continue to be delivered at full availability, or at a predetermined and accepted level of availability. The expected level of availability is typically outlined in the Service Level Agreement (SLA) that your organization has with the vendor.
When conducting due diligence around business continuity plans, make sure the vendor has a formal plan that accounts for:
- Strategy for personnel loss
- Pandemic contingencies
- Relocation plans
- Breach/notification policy
- Business continuity impact analysis
- Recovery time objectives
- Recovery point objectives
- Maximum tolerable downtime
- Data around testing and ongoing maintenance of the plan
The vendor should also consider pandemic planning, which focuses on:
- Strategies and procedures in the event of a pandemic
- Preventative measures
- Implementation guidelines in the event of a prolonged health crisis
The vendor should also have a disaster recovery plan, which focuses primarily on systems and also covers:
- Gathering of disaster recovery personnel at the command center
- How the vendor will decide if the incident is a disaster
- Salvage operations, recovery operations, communications and restoration to normal operations
You’ll want to make sure all three of these areas are accounted for.
4. Review the Cybersecurity Posture
A cybersecurity program helps protect your organization and the vendor from threats such as a data breach. Evaluating your vendor’s cybersecurity posture will help you identify potential weaknesses. From there, you can communicate effectively with the vendor about those weaknesses and develop strategies to strengthen controls before a breach happens.
Here you’ll want to be sure to account for:
- Security testing (vulnerability, penetration and social engineering)
- Sensitive data security
- Data retention/destruction, declassification and privacy policies
- Employee, contractor and vendor management team data protection training (e.g., annual security training, access management policies)
- Incident response plan
5. Review Financials
Financial statements should be reviewed to identify the financial health of any vendor you outsource a product or service to. This helps you determine if the vendor can continue to provide secure, safe and quality products or services that meet your organization’s expectations.
Make sure to determine/review:
- If the vendor is a public or private company so that you know what report type to request
- If regulatory action has been taken
- If there are outstanding legal proceedings or lawsuits associated with the vendor
- The vendor’s net worth (balance sheet)
- Revenue and gross margin (income statement)
- How the vendor funds operations (cash flow statement)
- Likelihood of bankruptcy (ratios)
Pro-tip: It’s also important to get an auditor’s opinion on the vendor’s financial statements and internal controls, and to have a CPA write up the assessment.
To write up an assessment covering what was reviewed, why it was reviewed and the results of the review, make sure to have a subject matter expert (SME) involved. While this process most definitely includes a lot of lists, you should never have a check-the-box mentality when it comes to due diligence. It’s an easy habit to fall into, but a check-it-and-forget-it approach can lead to some nasty consequences.
Due diligence is a fundamental component of any third-party risk management program. When conducted effectively, it can truly be one of the most powerful tools in your risk management arsenal.
Make sure you have everything you need when collecting vendor due diligence. Download the checklist.