4.1 Due Diligence Checklists
Vendor due diligence is the systematic investigation of a potential vendor before engagement. A comprehensive due diligence process identifies risks, validates capabilities, and ensures alignment with organizational requirements and regulatory obligations.
Due Diligence Framework
Effective vendor due diligence examines multiple dimensions of vendor capability and risk:
Due Diligence Categories
| Category | Key Areas | Documentation |
|---|---|---|
| Financial | Stability, profitability, cash flow, credit rating | Audited financials, credit reports, bank references |
| Operational | Capacity, experience, references, processes | Client references, case studies, org charts |
| Technical | Technology stack, infrastructure, expertise | Architecture docs, certifications, resumes |
| Security | Controls, certifications, incident history | SOC 2, ISO 27001, penetration test results |
| Legal/Compliance | Regulatory status, litigation, licenses | Compliance certificates, legal opinions |
| Reputational | Market standing, ethics, ESG factors | News searches, industry reports, ESG ratings |
Financial Due Diligence
Financial assessment ensures the vendor has resources to perform and will remain viable throughout the contract term:
- Revenue trends: Consistent growth or stability over 3 years
- Profitability: Positive operating margins and net income
- Liquidity: Current ratio above 1.5, adequate working capital
- Debt levels: Manageable debt-to-equity ratio
- Customer concentration: No single customer exceeds 20% of revenue
- Contract concentration: Assess dependency risk if your contract is material
Watch for: (1) Declining revenue trends, (2) Negative cash flow from operations, (3) Qualified audit opinions, (4) Frequent changes in auditors, (5) Significant related-party transactions, (6) Going concern qualifications, (7) Late financial statement filings.
Operational Due Diligence
- Reference checks: Contact 3-5 similar customers with comparable requirements
- Site visits: Inspect facilities, meet key personnel, observe operations
- Staff assessment: Review qualifications, experience, retention rates
- Process maturity: Evaluate documented procedures and quality systems
- Scalability: Assess ability to handle growth or demand fluctuations
4.2 Security Questionnaires
Security questionnaires systematically assess vendor security controls and practices. Standardized questionnaire frameworks enable consistent evaluation and comparison across vendors while covering essential security domains.
Standard Security Questionnaire Frameworks
SIG (Standardized Information Gathering)
The Shared Assessments SIG questionnaire is widely used for third-party risk assessments:
- SIG Core: Comprehensive assessment covering 18 risk domains
- SIG Lite: Abbreviated version for lower-risk vendors
- Coverage: Security, privacy, business resiliency, compliance
CAIQ (Consensus Assessments Initiative Questionnaire)
Cloud Security Alliance questionnaire specifically designed for cloud providers:
- Cloud-focused: Addresses cloud-specific security concerns
- CCM alignment: Maps to Cloud Controls Matrix
- STAR Registry: Many providers publish completed CAIQs publicly
Key Security Assessment Domains
| Domain | Key Questions |
|---|---|
| Access Control | Authentication methods, privileged access management, access reviews |
| Data Protection | Encryption at rest/transit, key management, data classification |
| Network Security | Firewalls, segmentation, intrusion detection, DDoS protection |
| Vulnerability Management | Scanning frequency, patching timelines, penetration testing |
| Incident Response | IR plan, notification procedures, forensic capabilities |
| Business Continuity | DR capabilities, RTO/RPO, testing frequency |
| Personnel Security | Background checks, security training, termination procedures |
Maximize questionnaire effectiveness: (1) Request evidence for critical controls, not just assertions, (2) Compare responses against certifications and audit reports, (3) Follow up on "partial" or qualified responses, (4) Assess response quality as indicator of security maturity, (5) Validate key controls through technical testing where possible.
Risk-Based Assessment Approach
Scale assessment depth based on vendor criticality and data sensitivity:
Tier 1 (Critical): Full SIG questionnaire + on-site assessment + penetration test review
Tier 2 (High): SIG Core questionnaire + SOC 2 review + reference checks
Tier 3 (Medium): SIG Lite questionnaire + certification verification
Tier 4 (Low): Self-attestation + basic due diligence
4.3 Risk Scoring Methodology
Risk scoring provides a structured method for quantifying and comparing vendor risks. A well-designed scoring methodology enables consistent evaluation, prioritization of remediation efforts, and informed decision-making.
Risk Scoring Components
Effective vendor risk scores incorporate multiple factors:
Inherent Risk Factors
- Data sensitivity: Type and volume of data accessed (PII, financial, health)
- System access: Level of access to customer systems and networks
- Business criticality: Impact of vendor failure on operations
- Regulatory exposure: Compliance obligations applicable to services
- Geographic risk: Vendor locations and data residency
- Substitutability: Difficulty of replacing the vendor
Risk Scoring Matrix
| Risk Category | Low (1) | Medium (2) | High (3) | Critical (4) |
|---|---|---|---|---|
| Data Access | No customer data | Non-sensitive data | PII/confidential | Sensitive PII/financial |
| System Access | None | Limited/read-only | Significant access | Admin/privileged |
| Business Impact | Minimal disruption | Some impact | Major disruption | Operations halt |
| Regulatory | No compliance scope | Limited scope | Significant scope | Critical compliance |
Control Assessment Scoring
Evaluate vendor controls against each inherent risk to determine residual risk:
- Control existence: Does the vendor have controls addressing the risk?
- Control design: Are controls appropriately designed to mitigate risk?
- Control effectiveness: Do controls operate effectively (per audit evidence)?
- Control maturity: How mature and sustainable are the controls?
Calibrate risk scores across assessors through: (1) Documented scoring criteria with examples, (2) Regular calibration sessions, (3) Quality review of completed assessments, (4) Benchmark scores against peer organizations, (5) Annual methodology review and refinement.
4.4 Ongoing Monitoring
Initial due diligence is insufficient; vendor risk changes over time. Ongoing monitoring detects emerging risks, validates continued compliance, and ensures vendors maintain expected security and operational standards throughout the relationship.
Continuous Monitoring Framework
Effective ongoing monitoring combines multiple information sources:
Monitoring Components
- Periodic reassessments: Annual security questionnaire updates based on tier
- Certification tracking: Monitor expiration and renewal of key certifications
- Performance monitoring: Track SLA compliance and service quality
- Financial monitoring: Quarterly or annual financial health checks
- News and event monitoring: Track breaches, lawsuits, leadership changes
- Regulatory monitoring: Watch for enforcement actions or compliance issues
Monitoring Frequency by Tier
| Activity | Critical Vendors | High-Risk | Medium-Risk | Low-Risk |
|---|---|---|---|---|
| Full reassessment | Annual | Annual | Biennial | Triennial |
| Financial review | Quarterly | Semi-annual | Annual | As needed |
| Performance review | Monthly | Quarterly | Semi-annual | Annual |
| News monitoring | Continuous | Continuous | Monthly | Quarterly |
Trigger-Based Reviews
Certain events should trigger immediate vendor risk review:
Immediate review required: Security breach at vendor, significant leadership changes, M&A announcement, regulatory enforcement action, material litigation, credit rating downgrade, service outage affecting customer.
Expedited review: Major contract changes, significant scope expansion, new data types shared, vendor sub-contracting changes.
Risk Monitoring Tools and Services
- Security ratings services: BitSight, SecurityScorecard, RiskRecon for external security posture
- Financial monitoring: D&B, credit rating agencies for financial health
- News aggregation: Automated alerts for vendor mentions in news and filings
- Regulatory tracking: Services monitoring enforcement actions and compliance status
- Dark web monitoring: Watch for vendor credentials or data on dark web
Integrate monitoring outputs with vendor management: (1) Automatic alerts to vendor owners for score changes, (2) Escalation workflows for significant risk increases, (3) Documentation of monitoring activities for audit, (4) Integration with contract renewal decisions, (5) Reporting to governance committees.
Key Takeaways
- Due diligence must cover financial, operational, technical, security, legal, and reputational dimensions
- Use standardized questionnaires (SIG, CAIQ) for consistent security assessment
- Risk scoring should incorporate inherent risk and control effectiveness to determine residual risk
- Ongoing monitoring frequency should align with vendor criticality tier
- Trigger events require immediate review regardless of scheduled assessment cycle
Knowledge Check
Test your understanding of vendor risk assessment frameworks