Vendor due diligence checklist: Seven key areas and three approaches
Table of content
Businesses need third-party services and vendors for a number of reasons – to expand their capabilities beyond their in-house teams, or to provide goods they cannot build themselves, such as software solutions.
However, relying on a service that is outside your own business can be risky. For instance, 15% of data breaches occur in third-party IT services, like data custodians, CRM services, or networking services.
One of the ways to mitigate potential risks is to perform vendor due diligence. In this article, we offer helpful insights to help you structure this process and make it less time-consuming. Having read this article, you should understand the following:
- The level of process control, complexity, and expense in vendor risk assessments
- Insights on building a vendor due diligence template including a checklist of vendor investigation areas
- The best way to collect and analyze data from vendors for risk and compliance management
Understanding vendor due diligence
Vendor due diligence refers to a comprehensive investigation of third-party suppliers. It’s an integral part of the vendor selection process and vendor risk management. Organizations conduct due diligence because they want:
- Quality assurance. High quality of supplied goods and services ensures consistent sales and customer satisfaction.
- Compliance assurance. Conducting vendor due diligence helps to uncover hidden risks in supply chains and third-party services.
- Data security. Vendor due diligence aims to mitigate risk in dealing with confidential data, such as when onboarding IT service providers.
- Operational stability. It’s crucial to assess the vendor’s performance to minimize disruption in the delivery of goods and services.
- Vendor termination strategy. In the event of vendor termination, quality due diligence ensures the legal, regulatory, and financial implications are managed thoroughly.
- Reputation protection. Successful vendor due diligence helps companies verify that working with specific vendors won’t harm their reputation.
- Risk-free M&A. Vendor due diligence helps potential buyers uncover third-party liabilities during mergers and acquisitions.
Let’s look at vendor due diligence in different vendor categories.
Vendor category | Key points for vendor risk assessment |
IT service providers | Scalability potential of software systems Cybersecurity measures and risks System reliability and technical support Data protection compliance |
Manufacturers | Quality of goods and services Environmental compliance Production capacity Reliability of distributors |
Wholesalers | Storage conditions Inventory management practices Delivery consistency Distribution compliance |
Importers | Reliability of supply chains Customs compliance Quality of imported goods International trade compliance |
Which regulations require vendor due diligence?
In the United States, these are the main regulations that require vendor due diligence:
- Regulation S-P. Investment companies, broker-dealers, transfer agents, and investment advisors are required to conduct due diligence on third-party service providers.
- HIPAA. Health service providers must ensure the privacy and safety of health records, which requires them to conduct due diligence on IT service providers, telehealth services, and data storage solutions.
- CCPA. Businesses using third-party services to handle the confidential data of California customers must conduct due diligence to ensure the privacy and safety of such information.
Why is vendor due diligence crucial? Addressing the implications of poor due diligence
Poor vendor due diligence is a source of third-party risk. It typically leads companies to work with high-risk vendors. When these vendors violate regulatory requirements, companies working with them face legal and financial implications.
For instance, a company that uses a customer management solution may be penalized if the personal information of its customers leaks as a result. These are the potential penalties:
Regulation | Non-compliance implications |
Regulation S-P | The exact level of penalty depends on the severity of each case and ranges from thousands to millions of dollars. |
HIPAA | Up to $50,000 per violation and up to $1.5 million in annual penalties for uncorrected civil violations Up to $250,000 in fines and up to 10 years of imprisonment for criminal violations |
CCPA | Up to $2,500 for unintentional and up to $7,500 for intentional violations, per incident. |
It’s important to understand that each individual piece of personal information counts as a separate incident under regulations like CCPA. Since a single data breach can affect thousands of pieces of information, the cumulative fines can reach millions of dollars.
The three most common approaches to vendor due diligence
Due diligence is typically conducted on new vendors. However, ongoing vendor evaluation is also necessary, particularly in the event of a service disruption, delivery issue, or data breach. While the timing and circumstances for each due diligence report play a role, it’s crucial to use the most effective due diligence approach. Let’s review the most common ways companies investigate vendors and compare them by complexity, cost, level of control, and other parameters.
In-house due diligence
In-house due diligence is performed by the company’s internal team, typically within several departments, such as risk management, IT, or procurement. In-house, or ‘DIY due diligence’ can be time-consuming and make big demands on employees. However, many organizations opt for this approach due to a greater control of the process and an awareness of internal business matters.
On the other hand, DIY due diligence is only doable when an organization (typically a small one) works with a few vendors. But what if you are a global brand with thousands of suppliers? This requires a shared or outsourced approach.
Shared due diligence
Shared due diligence is when a company joins forces with external partners, leveraging risk management databases for large-scale investigations. Shared due diligence is an option when you have limited internal resources but want to retain greater control of the process. This approach allows companies to scale vendor assessments while supervising the scope and details.
Outsourced due diligence
Outsourced due diligence is when you shift the whole process to third parties. It works when the two previous approaches are too inefficient, time-consuming, or inapplicable.
A common reason for outsourced due diligence may be when a company’s in-house team is understaffed and lacks risk management expertise to supervise shared due diligence.
It also works for large companies with big budgets to investigate thousands of suppliers. The cost of outsourced due diligence can vary from $200 to $20,000 per vendor, depending on the level of automation and detail of due diligence reports.
Vendor due diligence approaches: Summary
Key features | In-house due diligence | Shared due diligence | Outsourced due diligence |
Level of control | Full control over processes and details. | Greater control over scope but medium control over processes. | Limits control over the scope, process, and detail. |
Time investment | It’s resource-intensive and time-consuming. | It reduces internal workload but still requires significant oversight. | An organization is minimally involved in the process. |
Cost | Low to medium | Medium | High |
Scalability | Limited | Medium | High |
Expertise requirement | High | Medium | Low |
Ideal for | Small organizations or companies with powerful risk management capabilities. | Small or medium organizations with the need for large-scale assessments. | Large organizations or companies with limited in-house capabilities. |
Third-party vendor due diligence checklist: Seven areas of investigation
The scope and detail of due diligence generally depends on the vendor type and its contribution to the organization. For instance, a comprehensive software vendor due diligence checklist will be required for critical SaaS providers.
In contrast, basic reliability, product quality, and compliance checks are enough for non-critical vendors, such as suppliers of office furniture. To adjust the level of vendor assessments and create a standardized process, you can use a due diligence checklist that outlines key investigation areas. Let’s list these areas along with sample checklist items.
Investigation area | Vendor due diligence sample items |
General information | Location Years in business Ownership structure Business structure Key personnel Business licenses Track record |
Vendor financial health | General financial information Financial ratios Audited financial statements Market performance Debt and bankruptcy risks |
Operational stability | Resilience of operations Business continuity plan Disaster recovery plan Production and service capacity System uptime Project delivery history Historical performance reports |
Product and service quality | Product specifications Quality control policies and procedures Product lifecycle management procedures Warranty and return policies Product return rates Customer satisfaction rates |
Data security | Results of third-party audits and security reviews (SOC 1, SOC 2, SOC 3) Information security policies Incident response plans Data breach notice policies Security breach history Data security compliance (ISO 27001, HIPAA, HITRUST, CCPA, GDPR, etc.) |
Regulatory compliance for vendors | Internal compliance policies Industry-specific compliance Environmental compliance Customs compliance Validity of licenses and permits Compliance audit history Compliance litigation history |
Reputation and political exposure | Relevance to global sanctions lists Relevance to high-risk industries Relevance to high-risk countries Relevance to politically exposed persons (PEPs) Relevance to government reports Media coverage tone Owner and key employee litigation history |
Simplify the vendor due diligence process with iDeals
Due diligence is naturally time-consuming. The most tedious part is requesting information from vendors and managing due diligence questionnaires. This can be made much more straightforward, secure, and cost-efficient if you transfer your workflows into iDeals. Here is how the iDeals virtual data room features facilitate online due diligence:
- Multi-project management. Switch between unlimited projects and leverage unlimited data storage to scale your investigations. Bulk-rename and copy documents across projects for seamless collaboration and schedule drill-down activity reports.
- Effortless document handling. Automatically index your data room and convert more than 25 file formats into easy-to-review PDFs. Leverage full-text search with optical character recognition and document labels to navigate content.
- Automated collaboration. Replace back-and-forth emails with advanced Q&A workflows, auto-assign experts, and track all questions and answers in an intuitive interface.
- Built-in redaction. Let your vendors streamline document preparations with built-in redaction tools allowing for quick censorship of sensitive information.
- Absolute security. Work in an ISO 27001, SOC 2, SOC 3, HIPAA, CCPA, GDPR, PCI DSS, and LGPD-compliant environment. Secure files with eight levels of access permissions, AES 256-bit encryption, 2FA, watermarking, IP and domain restrictions, Fence View, and IRM security.
- Premier support. Receive unlimited live training with our dedicated project managers and delegate VDR management tasks to the iDeals team. Enjoy a 30-second response time from 24/7 technical support in over 10 languages.
FAQ
Vendor due diligence is typically conducted when companies consider onboarding third-party vendors — service providers, suppliers, wholesalers, retailers and so on. This process is known as initial vendor due diligence. Companies also conduct ongoing due diligence on existing vendors to minimize risks and service disruptions.
Vendor due diligence is integral to third-party risk management. It minimizes operational, supply chain, legal, financial, and reputational risks coming from third parties, like suppliers of goods and service providers.
A vendor due diligence checklist helps an organization ensure vendors match desired criteria in key areas, like data security, product quality, sustainability, and compliance.
Failure to perform quality vendor due diligence exposes a company to financial, operational, legal, and reputational risks. For instance, a poorly examined vendor relationship can put a company at risk of violating data privacy and security regulations.
Revolutionize your deal management
Begin your 30-day full-access free trial today