What Is Third-Party Due Diligence?

Third-party vendor due diligence is an essential vendor risk management process, not just before you begin a business relationship, but throughout that relationship as well. Due diligence provides your organization the data to validate that the vendor can reasonably mitigate the risks associated with the product or service provided and has a solid reputation. But, the due diligence process is not a “one-and-done” process. Instead, it’s a continuous part of the vendor-risk management lifecycle. Per many regulatory requirements and overall best practices, it should be a standard component in your ongoing monitoring routines.

It’s recommended that all vendor relationships undergo vetting and review before a contract is signed. And, after that, the vendor should have periodic due diligence reviews. So, what does that mean? How often should you review the vendor and what is required to do that effectively? A few factors determine the answer, including risk level, type of service or product provided and if there have been any regulatory changes.

The Basics of Third-Party Due Diligence

Let’s cover some of the basics so you’ll have a good understanding of what, when, and why of collecting third-party due diligence.

Collecting Third-Party Due Diligence

The due diligence documents you’ll need to collect will vary depending on your organization type, industry regulations and various other factors. The following is simply a guideline with examples, not all inclusive, of what many organizations should expect to collect from their vendors.

• All risk levels: Certain baseline information and documents should be collected on all vendors, regardless of their risk level. Consisting of basic information, including:
  • Legal name, address, website, tax ID, etc.
  • State, and articles, of incorporation
  • Secretary of State check
  • Dun & Bradstreet report (if available)
  • A list of any subcontractors/fourth parties they will use to service your company
  • OFAC check
• Moderate Risk: Collect all baseline documents and information plus the following:
  • Three years of audited financials
  • Insurance certificates
  • Third-party management processes
  • SOC reports
  • Information security policy
  • Reputational review using internet search and/or Better Business Bureau
• High Risk: You’ll want to collect all of the baseline documents, all moderate risk items and add the following:
  • All policies and procedures, especially concerning business continuity/disaster recovery, regulatory compliance and training, incident management and data classification and handling
  • Penetration and vulnerability testing results
  • Reports of previous outages and SLA violations
  • Complaints and resolution (if they interact with the customer)
  • Litigation summaries for the last five years and any current or pending litigation

When to collect: Initial vs. Ongoing

• Initial: Due diligence information and documents must be collected and reviewed before you negotiate or sign a contract. Persons with relevant subject matter expertise should evaluate the vendor information and control environment to determine they’re sufficient. If the subject matter experts should identify any issues for mitigation, legal should include them in the contract.
• Ongoing: Once your vendors are under contract, they enter the ongoing monitoring phase. The vendors under ongoing monitoring must go through regular due diligence reviews to confirm that their control environment remains sufficient and look for any new or emerging risk. Primarily the risk rating assigned to the relationship determines how frequently due diligence is required. However, other factors can trigger a review, such as pending contract renewal, declining vendor performance or new regulatory requirements.

Guidelines Related to the Type of Information to Gather and Frequency

Here are some guidelines related to the type of information to gather and how often to collect it.

Due Diligence Red Flags

Performing regular due diligence is a simple and straightforward way to identify any problem areas with your existing or potential vendors.

Here are a few issues to watch out for in your collection and review process:

• Business continuity/disaster recovery plans are outdated: Do not take an outdated, untested or incomplete BC/DR plan lightly. It’s crucial to ensure that your third-party vendor has a proper plan in place to prepare for any business disrupting event.
• Financial statements have inconsistencies between net income and sales: Identify and review inconsistencies between net income and sales. If these two factors don’t align, this could indicate a variety of issues with the vendor. You should also be aware of a negative net cash flow and unusually high dividends.
• Cybersecurity plans are incomplete or untested:  Cybersecurity third-party audits have expired or vulnerability testing has not been done, is incomplete or issues were revealed through testing.
• Declining performance, increasing complaints or slower response times. These issues can signal financial decline, change of management priority, staff cut and other problems the vendor may not admit openly.

Practicing regular third-party due diligence is the best way to systematically identify, assess and manage vendor issues before they potentially become significant problems for your organization. Due diligence efforts should reflect the risk and complexity of the product and service. Ensuring you practice regular performance and risk reviews is an excellent way to seek out and find new and emerging risks in between due diligence cycles.

Vetting your vendors is an important step of third-party due diligence. Are you doing everything you should be when vetting them? Download the eBook.