It depends on how the contract is worded, but I annually review my vendors based on the contract date, even if the actual implementation of the product/service was a few months later. The reason I do it this way is because of the Term Requirements within the contract (the part where it states you are required to give 30-, 60-, or 90-day written notice of non-renewal). I review the vendor 6 months prior to the 30/60/90-day requirement in the contract, so if there is consideration of terminating our relationship with that vendor, we can meet the term requirement and have time to find a replacement if necessary. On critical vendors, my annual review date is at least 2 years prior to the term requirement.
This has worked well for me; however, following a recent IT audit, the auditor has pointed out that for the vendors on which I am required to review SOC/SSAE16/SSAE18 reports, I should be scheduling my annual reviews based on those report dates so that I am always reviewing the most current SOC/SSAE16/SSAE18 reports for those vendors. So now I'm trying to figure out how to transition my vendor management program to keep in line with my contract-term review while making sure I am reviewing the most current reports. This is challenging!
Anyone else have thoughts or suggestions?
------------------------------
Joni D
------------------------------
Original Message:
Sent: 10-09-2019 06:04 PM
From: Courtney Dettlinger
Subject: Asking the community at large
We do this based on classification/criticality. A guess for you/the group: do you schedule the next due diligence a year after the due diligence was completed, the contract was signed, or the project (if applicable) was implemented? For example, we completed a vendor due diligence in August 2018 and determined due diligence should be done yearly; however, the contract wasn't signed until February 2019 and the product is still being implemented. It is time for due diligence (if we base it off the due diligence completion date of August 2018), but it doesn't necessarily make sense to do it now if the product isn't even fully implemented. Thoughts?
Original Message:
Sent: 09-11-2019 01:03 PM
From: Branan Cooper
Subject: Asking the community at large
Curious: do you vary the frequency of your due diligence based on the level of risk (e.g., high risk = annual due diligence updates; moderate = every other year; low = every 3 years or at contract renewal time)?