Written by Josh Layne, Vice President of Vendor Management & Compliance
When it comes to due diligence, you can spend countless hours chasing down every possible risk, working yourself and your team into a frenzy. Or you can take a pragmatic approach: get better at answering examiners and following compliance guidance without losing sight of the purpose of vendor management.
You can review due diligence to solve the problems that are worth solving.
It’s your time, use it wisely.
There are many small risks that vendors aren't prepared to fix or even address, and that examiners generally don't care about.
The mission is to focus on the "big picture" risks that examiners (and you) should care most about. The list of controls you and the vendor have in place to prevent an information breach ranks high on that list. The fact that the copy of the vendor's insurance policy you have on file expired a few days ago should not.
Focus on what you have in hand, not what you don’t.
Not all vendors treat your compliance needs with the same level of concern. Many of your vendors may not have (or will not share) key due diligence documents you would like to review. A vendor that does not send you a SOC report every year may not have one performed annually. Private companies are often hesitant or unwilling to open their books to customers, and most of their customers may never ask.
Maple Street sees many of our clients get extremely worried about SOC report dates, access to detailed financials, or an insurance certificate that expired a month ago. These can be important pieces of information for strategically critical vendors, and not having insight into them is a blind spot in your risk picture. But worrying won't make the vendor accelerate its audit timetable or open its books.
Instead, make a clear assessment of whether not having access to this due diligence is acceptable. Weigh how important the unknown risk is against your overall relationship with the vendor and the criticality of its services to your success.
If it is very important, work with the vendor to make access to this information a condition of your next contract renewal. Or you may need to find a different vendor that is more transparent.
Stop worrying and chasing things you may never get to see. Your time is better spent monitoring performance and planning a negotiation strategy for a better contract that gives you more rights and flexibility to mitigate these blind spots, or finding a different vendor who will provide what you need.
Attack SOCs with a pruning shear, not a lawnmower.
It is easy to get caught up in thinking every page of every vendor due diligence document must be read, considered, weighed and measured. You can spend hours lost in a SOC report review, only to come out the other end exhausted with a handful of concerns you can't do anything about. So don't. Let the auditors who wrote the report do that work; you just need to know where to find their results.
You should zero in on three things:
- The service auditor's opinion and summary of findings (usually Section I),
- The tests performed by the service auditor and the results of those tests (usually Section IV of a Type 2 report), and
- The user control considerations (UCCs), now called complementary user entity controls (CUECs) under SSAE 18.
The opinion tells you whether the audit was clean (an unmodified opinion) or was qualified, and that is your first hint at how concerned you should be. Also check the period the report covers: a Type 2 report covers an interval, and if that interval ended well before your review, ask the vendor for a bridge letter covering the gap.
In the testing section, focus on the exceptions the auditor noted and on whether the vendor's management response is enough to alleviate your concern. If it is not, plan to monitor the vendor specifically for that failed control going forward. Otherwise, move on.
The best use of your time is the user control considerations. These you have power over. The report lists the controls the vendor expects you, the customer, to have in place for the vendor's controls to be effective; if they are missing on your end, the vendor's controls may not work when and where they are needed. Review each one, verify it is in place on your side, and for any that is not, assign an internal action item to get the control in place.
Decide quickly, assign things you can control, document clearly those you can’t.
The real task is to decide whether a concern is within your control. If it is, determine a reasonable course of action and assign someone to carry it out. If it is not, document the concern clearly in the review; you can then bring it into your decision to renegotiate the vendor contract or end it.
Then…move on. You have other things to do.
At Maple Street we have many solutions to help with due diligence. One is our customized Street Smart Vendor Review Kit. It can make the difference between spending hours per vendor and spending just a few minutes for the same detailed results.
The kit contains summaries of SOC audit reports, including any control considerations that need validation; a comparison of insurance policies against market standards; a summary of financial statements, including 3-year trends; and an OFAC report pulled on each vendor. The review kit is designed to get you to the serious risk illuminated in vendor due diligence without wasting time on things you can't control.
If you’re not sure about what’s in your vendor contracts and if they are working for you or against you, we’ll be glad to take a look. Chat with a Maple Street professional at 800-513-6839.