Due Diligence and Ongoing Monitoring


Do you request Financials for Ongoing Vendor Oversight?

  • 1.  Do you request Financials for Ongoing Vendor Oversight?

    Posted 11 days ago

    We are early in our formal Vendor Risk Management process. As we roll out our ongoing vendor oversight and monitoring tasks we will request specific reports be provided from our critical-ranked vendors. The report requests will vary based on which risk factor makes the vendor critical. For example, a vendor ranked critical for the exchange of PPI or PHI will be asked to provide a SOC 2 Type 2 report that covers the services provided. A vendor that provides financial-related guidance or services would be asked to provide a SOC 1 report.

    The struggle we have as an organization is not having the personnel to support some of these "document" reviews, in particular financial reviews. With that said, here are my questions.

    When doing existing vendor oversight and monitoring tasks, do you routinely request the vendor to provide audited financials? If yes, are there specific risk factors that trigger the request for financials? Are there any vendor-specific characteristics where you would not request financials?

    Who or what position(s) in your organization reviews the financials?

    What areas are specifically targeted when conducting a financial review?

    Thank you for providing your input, feedback and best practices suggestions.



  • 2.  RE: Do you request Financials for Ongoing Vendor Oversight?

    Posted 10 days ago
    Hi! We have a process in place which is similar to what you describe.

    For document reviews, such as SOC reports, and information security items, we partnered with various stakeholders (like internal audit, information security) to identify thresholds for what is acceptable, and what the red flags are.  We used that to develop checklists, which help us drive efficiency, while also providing evidence of the review for any audit or exam. 

    Yes, for our more critical or material providers, we do request financials. Generally, these are our high-risk vendors, or vendors where we would suffer rather significant consequences should the vendor experience a service outage, or crumble completely. Factors we consider are things like this: How long will it take our institution to transition services away from this provider? Will there be a customer impact if the provider closes its doors? What is the severity of the impact to our institution or our customers if the vendor experienced a material service degradation?

    We have a credit department who reviews the financials and provides a report back to vendor management.  If the report contains negative items, such as an overall downward trend in financial health (we ask for 3 years financials so we can trend), we notify the business owner and develop a plan for next steps. In the absence of a credit department, perhaps someone in a finance area could assist with the review.  We are exploring options for outsourcing the financial review. There are a variety of services who provide financial health analysis.  

    Hope this helps.


  • 3.  RE: Do you request Financials for Ongoing Vendor Oversight?

    Posted 10 days ago
    Edited by Brittany Padgett 10 days ago

    Hello Mark and welcome to the wonderful world of Vendor Management!

    I'll try to answer your questions with our practices below:


    We are early in our formal Vendor Risk Management process. As we roll out our ongoing vendor oversight and monitoring tasks we will request specific reports be provided from our critical-ranked vendors. The report requests will vary based on which risk factor makes the vendor critical. For example, a vendor ranked critical for the exchange of PPI or PHI will be asked to provide a SOC 2 Type 2 report that covers the services provided. A vendor that provides financial-related guidance or services would be asked to provide a SOC 1 report.

    The struggle we have as an organization is not having the personnel to support some of these "document" reviews, in particular financial reviews. With that said, here are my questions.

    When doing existing vendor oversight and monitoring tasks, do you routinely request the vendor to provide audited financials? If yes, are there specific risk factors that trigger the request for financials? Are there any vendor-specific characteristics where you would not request financials?

    We try to obtain and review financials for all of our vendors during initial due diligence and when they are due for periodic review and risk assessment: Critical, High and Moderate-High risk rated annually; Moderate every 2 years; Low-Moderate and Low every 3 years. There are exceptions to that. We do not require financials for non-IT vendors such as cleaning contractors, groundskeepers, and service contractors, i.e. HVAC etc. Also, you will find that some privately held companies will not provide financial statements at all or will give you very brief and essentially useless summary reports. For those vendors you should note that as an increased risk factor. For vendors whose financial review reveals significant issues, we will do ongoing monitoring of their business health (Venminder partners with Argos Risk to provide clients with an excellent monitoring tool). The determination to conduct this ongoing monitoring is made by our internal Subject Matter Experts, which brings us to your next question:

    Who or what position(s) in your organization reviews the financials?

    We task our CFO and/or CEO/President (former CFO) with reviewing financial statements. They are truly the experts in that area. We also utilize Venminder's Financial Analysis service. We will provide Venminder's report to our SMEs to review as well as the actual financials. In some cases, like now with the pandemic crisis, our financial gurus do not have the time to do our vendor reviews. In those cases we rely on Venminder's FAs, and any report that returns a rating lower than Satisfactory, we will add them to the Argos Risk monitoring service. In fact we have the majority of our vendors, especially the most important ones, on that service.

    What areas are specifically targeted when conducting a financial review?

    The areas our SMEs want to review are the Income Statement, Balance Sheet, and Cash Flow. Venminder's analysis focuses on these areas as well.

    In closing, some additional thoughts: Your vendor's financial health is a very important consideration in your Vendor Management Program. Whenever possible get a financial statement for your reviews/assessments. Occasionally, a new vendor will be willing to give you an audited financial statement as part of the initial due diligence, but not on an ongoing basis. Make sure you get an SLA in your contract requiring them to provide it on request. If they give it to you once, they should be willing to continue to provide it. The initial contracting phase is when you have the most leverage to get what you need.

    Also, for publicly traded companies, you can get their annual or quarterly SEC filings, either from their public website or from the SEC directly. When you get those 10-K or 10-Q reports, give them a good read yourself while your financial guys are crunching the numbers. The opening sections of those reports have a lot of valuable insight into the company's operation and especially the risks that they themselves have identified in their business. You'll find a lot of information there that won't be in the SOC reports or policy statements.

    Thank you for providing your input, feedback and best practices suggestions.


    Michael Weaver, CRVPM III

    Vendor Management Specialist / Information Security
