Maple Street’s got your back, especially when it comes to due diligence and passing your exam. We know that no one likes the grunt work and seemingly endless drudgery associated with compliance. So, we’ve done something about it.
Here is Maple Street’s checklist of items that will help you make short work of due diligence and pass your exam without breaking a sweat.
_____ Review vendor contracts to mitigate risk.
What’s written in your contract states exactly what your vendor will and won’t do, which, in turn, will tell you how much exposure to risk you have with that vendor.
_____ Breach and interruption of service
Reviewing the following three sections of the SSAE-18 SOC reports will give you the best understanding of how your vendor will protect you from breach and interruptions to service. Look at sections I, II and IV to breeze through this portion of due diligence.
_____ Section I – Independent service auditor’s report (opinion)
Scan the auditor’s opinion. Were any negatives uncovered? Do they matter? Most vendors will prefer to send in a GAP letter while they correct the issues rather than take a negative.
_____ Section III – Complementary user entity control considerations (CUECs fka UCCs)
CUECs/UCCs are the controls the vendor expects YOU to have in place for the vendor’s controls to work. If you’re unsure whether a listed UCC is in place, raise it internally so the right team can verify it. Note and escalate any control consideration you confirm isn’t in place.
_____ Section III – Subservicers/4th party vendors
Review the subservicers, also known as fourth-party vendors, and note the controls your direct vendors are using to manage and monitor the vendor’s vendors. You should note any that seem insufficient or any subservicers that you perceive will open you up to unacceptable risk.
_____ Section IV – Control objectives/related controls and testing
Focus on the response, not the test. Is the response vague, or is it unclear if or when the issue will be resolved? You may need to work directly with the vendor to get assurance it’ll be corrected.
_____ Red flags in financial reviews
While any one of the items below is a potential red flag, risk becomes unacceptable if you see a combination of these issues:
- Are the net income and net profit margin trending down? A down year is expected; continued downward trending is a major concern.
- Are liabilities consistently higher than assets? More liability without relative increases in assets is a big sign of overleveraging.
- Is the current ratio < 1? A current ratio below one suggests a company cannot pay off obligations due at that point.
- Is the debt-to-equity ratio over 100 percent consistently? A continued high ratio means a vendor has difficulty generating enough cash to cover its debt obligations.
- Is the ROA under three percent consistently? A low ROA suggests poor management of assets, especially if this is trending downward consistently.
- Are outstanding shares rising year over year? This is only for public companies. If share count is rising every year, the company is typically selling more shares and diluting the company’s value.
_____ Does the vendor have the right mix of insurance coverage?
Make sure the vendor’s policy coverage is a good mix and reflects the areas you need the vendor to protect itself from, as it relates directly to what it’s doing for your institution.
We hope this checklist helps relieve you of some of the burden of due diligence. But we can do more.
Maple Street experts can lift the weight of due diligence off your shoulders and do almost all the work.
Ask about our Vendor Advantage System®, a proven system that changes vendor management from an expense into an expense reduction program. You’ll save more than you spend and pass your exam, guaranteed.