As part of the due diligence process, vendors must provide specific documentation as evidence of their risk controls. Whether it's a SOC report to verify information security practices, internal compliance policies, or even a business continuity and testing plan, reviewing vendor-provided documents is an important element of vendor risk assessment.
Unfortunately, there are occasions when a vendor can't or won't furnish the requested information. The vendor may be a new business entity that hasn't gone through the SOC reporting process or a private company that doesn't share financials. In many cases, the vendor is a large organization that serves hundreds or thousands of customers, so answering so many individual requests is neither possible nor practical.
Your vendors may have legitimate reasons why they can't or won't provide the requested due diligence documentation. However, that doesn't mean your organization is off the hook regarding due diligence. So, what can you do? The good news is that there are alternatives. Let's look at some practical strategies for getting the information you need when your requested documents are unavailable.
Due Diligence Document Alternatives
Here are a few scenarios where a vendor will not disclose a document, their reasons, and possible alternatives:
Situation: The vendor is a private company and doesn't share its financials.
Unlike publicly traded companies, private companies aren’t required by law to share their financials.
Alternative 1: Collaborate with your finance team to determine other documents that may substitute for audited financials, such as an accountant's statement.
Alternative 2: Arrange a call between your finance subject matter expert and the vendor's CFO or another senior finance representative to discuss revenue, cash ratios, capital planning, the debt-to-worth ratio and other essential information.
Situation: The vendor won't provide their policies and procedures.
Your vendor's internal policies can cover everything from pay grades to password encryption standards. Understandably, there might be some information your vendor wants to protect.
Alternative 1: Ask your vendor to share the information during a virtual meeting, in which you'll review and discuss the content of their policies and procedures.
Alternative 2: Request a copy of the policy document's outline or table of contents and confirm when the documents were last reviewed or updated.
Alternative 3: Document your requirements and ask the vendor to provide a signed attestation stating the appropriate controls are in place.
Situation: The vendor won't share their business continuity plan or disaster recovery plan.
Business continuity and disaster recovery documents may contain highly confidential information such as undisclosed data storage and backup locations. For this reason, vendors might be hesitant about sharing these documents.
Alternative 1: If the vendor doesn’t provide a hard or electronic copy, you can ask them to host a virtual review session to view and discuss the plan without keeping a physical file.
Alternative 2: Ask them to provide a heavily redacted copy.
Situation: The vendor can't provide a SOC report.
Some vendors won't share their SOC reports unless it's written into the contract or covered under a right-to-audit clause. This is why your contract must include provisions such as due diligence and assessment requirements. Newer organizations may not yet be ready for a SOC audit, or may still be in the process of obtaining their first SOC report.
Alternative 1: Ask your vendor to complete a control environment questionnaire and to provide any supplemental documents that support their answers.
Alternative 2: Arrange a call between your information security expert and the vendor's CIO or another senior information security representative to review required protocols, data protection standards, network diagrams, testing, incident response, and other necessary details.
Situation: The vendor won't let you review the results of a recent audit.
Understandably, vendors might be sensitive when sharing audit results that potentially identify gaps or issues requiring attention. Those issues could negatively influence a prospective client's opinion of the vendor.
Alternative: In some industries, you may be able to request the results through your regulator's office (e.g., banks, credit unions).
Situation: The vendor is a large company that won't respond to your due diligence requests.
Many large companies (Microsoft, Google, AWS or national banks, for example) simply have too many customers to respond to individual due diligence requests.
Alternative: Conduct a web search or go to the company website. Many companies list their certifications, post SOC documents or provide public versions of their internal policies and more. You’ll be pleasantly surprised by the readily available documentation in most cases.
Situation: The vendor won't provide documentation or the requested alternatives.
How should you proceed if the vendor refuses to provide requested documentation or cannot or will not meet your alternative requirements? What actions could you take?
Alternative 1: Ask the vendor to suggest alternatives for demonstrating the required controls. After all, if they desire your organization's business, they must have some skin in the game.
Alternative 2: Work with your risk committee to determine whether forgoing the required due diligence is within your organization's risk appetite. Is the risk proportionate to the potential benefit? If so, who will accept and approve that risk?
Remember: Most vendors understand the need for due diligence and should be willing to work with you to find an alternate method for validating their controls. However, it's important to be wary of those vendors who cannot provide a legitimate business reason why they can't or won't provide documentation. There may be cases where a vendor's hesitation is an indication to move on and find another vendor.
4 Best Practices to Follow
- Utilize non-disclosure agreements (NDAs). Ensure that you have a non-disclosure agreement that protects both your own and your vendor's confidential information. Without an NDA, your vendor will be less likely to share any documentation with your organization.
- Manage future expectations through your contract. If you have been obliged to use alternatives or accept missing due diligence evidence for a potential new vendor, implement language in your contract that will prevent that from happening in the future. Include additional language describing the types of information and documents that are acceptable.
- Always include a right-to-audit clause in your contract. For all new vendor contracts, include a right-to-audit clause, which provides you broad coverage for information required to perform vendor risk reviews.
- Document everything. If you’re unable to obtain requested documentation or use alternative methods to validate controls, you must document the exception to your normal process. In tracking your decisions, you'll show your internal auditors and external examiners that you have exhausted your options before accepting alternatives.
Your documentation may include:
- Copies of any written requests made to the vendor, as well as their responses
- Notes of any verbal vendor communication, including virtual presentations or online meetings
- Documented opinions from subject matter experts who reviewed alternative due diligence evidence
- Meeting minutes specific to the issue of missing or alternative due diligence, including attendees, next steps and any decisions made
- If required by your organization, a formal documented risk acceptance that has been approved and signed by the appropriate senior management level
Even when running smoothly, due diligence can be a complex process. It can be downright complicated if your vendor cannot provide the proper documentation. When you hit a roadblock, it's good to know there may be other alternatives. Remember that no matter which method you use to validate the vendor's control environment, your organization is always accountable for the risks associated with the vendor relationship. So do your homework, get creative, and don't be afraid to say no to potentially risky vendor relationships.