Written by Josh Layne, Vice President of Compliance, and Rashida Cohen, VCS
One of the advantages of working with Maple Street professionals is our insight into helping clients make short work of due diligence and ensuring they pass their exam. Of course, nobody likes work that’s painful or seems to be work for work’s sake. But if you pull back the curtain, compliance is more than checking the boxes or pleasing examiners – it’s a critical component of your vendor management program. Done correctly, good compliance is a stepping stone to expense reduction.
Our team has put together a list of our top tips when it comes to due diligence reviews.
PRO TIP #1
All due diligence reviews should begin with the vendor’s contract: review it, and mitigate risks through it.
Your contract tells you everything you can or can’t do with a vendor. No matter what vendors promise, if it’s not in the contract, it doesn’t exist. No amount of monitoring can fix a bad contract or overcome a poor vendor selection.
PRO TIP #2
To understand how the vendor will protect you from breach and interruptions to service, zero in on these three sections of SSAE-18 SOC reports
The following sections of the SOC report are the best place to look for a deep understanding of how the vendor will protect you from breach and interruptions to service. However, SOC reports can be intimidating. They’re long, wordy, complex and, frankly, pretty boring. The good news is the SOC auditors did all of the work for you. You just need to know where to look and how to interpret their findings.
Section I – Independent Service Auditor’s Report (Opinion)
Here’s what to do:
In the first few pages, you will find the auditor’s opinion. Scan it to see whether it was negative or positive. If it was negative, there will always be a set of reasons why and, generally, what was uncovered. Do the issues uncovered concern you? Are they big deals?
The truth is, most SOCs you’ll read will rarely, if ever, be negative. Most vendors would prefer to shelve a negative report and send a gap letter while they correct the issues for the next audit.
Section II – Complementary User Entity Control Considerations
UCCs (user entity controls) are the controls the vendor expects YOU to have in place for the vendor’s controls to work. This may be the most time-consuming area of the review, but it’s the place you have the most control over. You never want to be in the position of having to defend yourself because a vendor’s control failed when your institution didn’t have the corresponding UCC set up on your end.
Here’s what to do:
Read the UCCs closely. For any listed UCC you are unsure is in place, check internally with the right team to verify it. Note and escalate any control consideration you can confirm isn’t in place.
It’s pretty rare for a UCC not to be in place already, as these were usually hashed out during the implementation process with the vendor.
Section IV – Control Objectives/Related Controls and Testing
This is one of the most informative sections of the SOC for deciding whether to accept or reject a vendor’s risk. It’s the section where, after the auditors tested the controls, they list the results of the tests.
Here’s what to do:
You don’t need to review each and every test. Instead, focus on any findings. Findings, in auditor speak, may be listed as “deviations” or “exceptions.” A finding isn’t necessarily bad. What you should base your judgement on is the vendor’s RESPONSE to the finding: Is it acceptable? Is it vague or wishy-washy, or unclear about whether and when the finding will be resolved?
If you have concerns after reading the documents, note them and reject the document in the system you’re using. Communicate and escalate the issue if it’s something that’s unacceptable. You may need to work directly with the vendor to get assurance it’ll be corrected.
Unacceptable findings are exceedingly rare. A bad SOC audit would most likely never see the light of day because the vendor is probably fixing the issue before its next SOC audit.
PRO TIP #3
Where to look and what to look for in financial reviews
Any one of the items below is a potential red flag, but risk becomes unacceptable if you see a combination of these issues.
Here’s what to look for:
- Are the net income and net profit margin trending down?
Obviously, you want to ensure your vendor is profitable and stable in the market. A single down year is to be expected; a continued downward trend is a major concern. Profit margin should be steady or trending up in stable companies.
- Are liabilities consistently higher than assets?
A company that consistently takes on more liabilities without a corresponding increase in assets is showing a big sign that it’s overleveraged.
- Is the current ratio < 1?
A current ratio below one suggests the company cannot pay the obligations due at that point.
- Is the debt-to-equity ratio consistently over 100 percent?
Unless this is a bank or a telecom company, this generally means the company is financing its growth with debt. A continued high ratio means a software and services company is having difficulty generating enough cash to cover its debt obligations.
- Is the ROA (return on assets) under three percent consistently?
This is a key measure of how efficiently a company uses its assets to generate revenue. A low ROA suggests poor management or poorly performing assets, especially if it is trending downward consistently.
- Are outstanding shares rising year over year?
This applies only to public companies. If the share count is rising every year, the company is typically selling more shares and diluting its value, which isn’t a sign of a healthy company.
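The six checks above, applied mechanically to several years of a vendor’s statements, as an added example (not part of the Maple Street article or its Vendor Advantage System). The FiscalYear fields, the rule that only three or more consecutive declines count as a trend, and the sample figures are assumptions constructed here for illustration.

```python
from dataclasses import dataclass

@dataclass
class FiscalYear:  # one year of a vendor's statements, figures in millions (assumed layout)
    year: int
    revenue: float
    net_income: float
    current_assets: float
    current_liabilities: float
    total_assets: float
    total_liabilities: float
    shares_outstanding: float = 0.0  # leave at 0 for private companies

def _falling(values):
    # "A down year is expected": only three or more consecutive declines count as a trend.
    return len(values) >= 3 and all(b < a for a, b in zip(values, values[1:]))

def red_flags(years, is_public=False):
    """Apply the six financial checks above across consecutive fiscal years."""
    ys = sorted(years, key=lambda y: y.year)
    flags = []
    if _falling([y.net_income for y in ys]):
        flags.append("net income trending down")
    if _falling([y.net_income / y.revenue for y in ys]):
        flags.append("net profit margin trending down")
    if all(y.total_liabilities > y.total_assets for y in ys):
        flags.append("liabilities consistently higher than assets")
    if all(y.current_assets / y.current_liabilities < 1 for y in ys):
        flags.append("current ratio below 1")
    # Debt-to-equity over 100 percent means liabilities exceed equity (assets minus liabilities);
    # comparing directly also catches zero or negative equity without dividing by it.
    if all(y.total_liabilities > y.total_assets - y.total_liabilities for y in ys):
        flags.append("debt-to-equity consistently over 100 percent")
    if all(y.net_income / y.total_assets < 0.03 for y in ys):
        flags.append("ROA consistently under 3 percent")
    if is_public:  # share count only matters for public companies
        shares = [y.shares_outstanding for y in ys]
        if len(shares) >= 2 and all(b > a for a, b in zip(shares, shares[1:])):
            flags.append("outstanding shares rising year over year")
    return flags

def risk_rating(flags):
    """Any one flag is a potential red flag; a combination makes the risk unacceptable."""
    return "acceptable" if not flags else "potential red flag" if len(flags) == 1 else "unacceptable"

# Constructed three-year sample for a hypothetical public vendor (not real figures).
SAMPLE_VENDOR = [
    FiscalYear(2021, 10.0, 1.2, 1.8, 2.0, 12.0, 5.0, 100),
    FiscalYear(2022, 10.5, 0.9, 2.2, 2.5, 12.5, 6.0, 110),
    FiscalYear(2023, 11.0, 0.5, 2.0, 2.8, 13.0, 7.0, 120),
]
```

Run `red_flags(SAMPLE_VENDOR, is_public=True)` to see the sample vendor pick up four flags (falling income and margin, a current ratio below 1, rising share count) and rate as unacceptable, while its first two years alone produce only the current-ratio flag.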
PRO TIP #4
Insurance – it’s not about how much, but about the right mix of coverage
Here’s what to do:
Ask yourself whether the policy coverage is a good mix that covers the areas where you need the vendor to be protected, as they relate directly to what the vendor is doing for your institution.
Types of coverage and what they do:
- GL, or General Liability, should be a must for all vendors. It’s standard business insurance that everyone should have, relative to the size of their business. Policies usually come in $5m, $1m and $500k.
- E&O, or Errors & Omissions, covers any advice the vendor is giving you as part of your contracted services. Is the vendor consulting? Is the vendor giving you information you use for strategic decisions?
- Automobile/vehicle – Is the vendor running service vehicles you depend on? Armored carriers, ATM techs and maintenance services would need this.
- Workers’ comp – This can be easy to overlook, but you always want to make sure anyone working on site or on property carries workers’ comp to cover their employees.
- Fidelity bond – This isn’t very common, but it’s important for major, critical platforms like your core and payment processors. You want to make sure the vendor is protected against employee fraud, embezzlement or negligence that would impact you.
- Umbrella – These policies aren’t very common, but it’s good to know whether your most critical vendor partners have big policies for big events. At minimum, your core, payments and internet banking partners should have umbrella policies.
- Technology – This is where the mix is important. For your technology partners, additional, technology specific policies are very good to see. They come in many flavors, the most common being in cybersecurity, network protection and privacy liability.
Want more help with due diligence reviews? If you’re tired of throwing money down the drain with all the hours you’ve wasted in preparing for the auditor, let the Maple Street pros do the heavy lifting for you. Make due diligence reviews easy with our Vendor Advantage System®, a proven system that changes vendor management from an expense into an expense reduction program. Save more than you spend and pass your exam, guaranteed. Call 800-513-6839 or email firstname.lastname@example.org to get started. Learn more: www.maplestreetinc.com/learn