Due Diligence and Ongoing Monitoring

  • 1.  Tax software- due diligence

    This message was posted by a user wishing to remain anonymous
    Posted 06-24-2021 02:48 PM

    Our vendor management team has been working on pulling together vendor profiles with periodic reviews on vendors that have not been reviewed in the past. Our organization has a long-standing relationship with a software providing tax services for annual tax returns. We have been working on obtaining due diligence documentation from the vendor and have not been successful. They use a standard product license agreement that does not include audit rights. A lot of NPPI is entered into their system. Has anyone else had success in obtaining due diligence documentation from a similar vendor? Any recommendations?

  • 2.  RE: Tax software- due diligence

    Posted 07-06-2021 08:50 AM
    This is not an uncommon issue, and my best advice would be to keep trying, get any assurance you can and document your efforts. If there is NPPI shared on their platform, I'm confident that their responsibility to assure data responsibility will soon come around. We've been seeing this occur slowly but surely with other large organizations with similar products. I wouldn't hold your breath on getting a custom questionnaire completed, but perhaps they'll put together a due diligence package to review. Sometimes it's a matter of making the right request at the right time and getting a hold of the right person, so I wouldn't give up. Keep them on the appropriate periodic review schedule, document what you are able to accomplish for assurance, keep them on the appropriate reports for risk that hasn't been effectively mitigated, and be sure your leadership is knowingly accepting that risk. Again, documentation is key.
    Hope this is helpful - it's a great question and I would love to hear what others in the industry have to add!


  • 3.  RE: Tax software- due diligence

    Posted 07-07-2021 11:14 AM
    Does anyone have a recommendation for an automated email retention program?

