Vendor Due Diligence Checklist: 31 Steps to Selecting a Third Party
Kim Johnson | April 23, 2019
Due diligence processes for vendor procurement vary by company, industry, and region. Some regulatory bodies dictate due diligence practices, and some industry groups have adopted standardized processes. In addition, requirements may change based on the type of vendor being assessed.
While there is no universal standard, there are certain pieces of information that all procurement and risk professionals should consider gathering when conducting vendor due diligence.
We’ve compiled this vendor due diligence checklist as an overview of the types of information that should play a role in procurement decision making. Not every item in this list is a necessity, but the more you complete, the more thoroughly you’ll be able to mitigate risk in the vendor selection process.
Third-Party Vendor Due Diligence Checklist
Basic Company Information
Collecting this information helps ensure that the company is (1) legitimate and (2) licensed to do business in your area. You’ll also want to collect information on key personnel for use in further risk assessments.
Articles of incorporation (or similar corporate charter)
Company structure overview
Biographical information of executives and Board members
Location (are they located in a high-risk country?)
Proof of location, such as photographs or an on-site visit
Assessing financials isn’t as important for vendors as it would be for other due diligence targets, like potential acquisitions. However, you do want to check whether the vendor is financially solvent and paying their taxes. There’s no sense working with a vendor that won’t be in business next month. Conversely, a strong growth pattern could forecast an increase in prices down the line.
Loans and other liabilities
Political & Reputational Risk
Vendors that will have access to important information or systems must be subject to an added level of scrutiny. Corruption or political weaknesses could potentially be dangerous, and their scandals could quickly become your scandals.
Check the organization against key watch lists, global sanctions lists, and lists published by regulators
Check key personnel against politically exposed persons (PEP) lists and law enforcement lists
As part of the third-party due diligence process, you’ll want to assess whether the vendor is exposed to operational risks that could negatively affect your company. One example of this type of risk is downtime at a SaaS provider, which could impact operations at the organizations in its network.