This message was posted by a user wishing to remain anonymous
How are they notified when a document is about to expire? How are the dates being tracked?
Original Message:
Sent: 10-25-2024 04:48 PM
From: Anonymous Member
Subject: Due Diligence Documentation Schedule
This message was posted by a user wishing to remain anonymous
Hello,
I apologize if my statement was unclear. The Vendor Management team and Business Owners get notified when a document is about to expire. The vendor does not get notified. We tasked the BOs to get the updated documents from the vendor, which gives us more time to concentrate on other tasks.
I hope this answered your question.
Thanks!
Original Message:
Sent: 10-25-2024 02:34 PM
From: Anonymous Member
Subject: Due Diligence Documentation Schedule
This message was posted by a user wishing to remain anonymous
Hi,
You mentioned you set up your solution to automatically reach out to the vendor for updated documentation, can you let me know what solution you use for these automated tasks?
Thanks!
Original Message:
Sent: 10-25-2024 01:23 PM
From: Anonymous Member
Subject: Due Diligence Documentation Schedule
This message was posted by a user wishing to remain anonymous
- How often are you collecting things like Certificate of Insurance, SOC Reports, etc.? Are you collecting when the document becomes "expired" i.e., if a Certificate of Insurance ranges from 1/1/2024 - 1/1/2025, do you start collection on 1/1/2025? Or do you collect these types of documents once per year during an Annual Review process, regardless of when the document truly "expires"?
- I request the updated COI via email post-expiry of the document. We set up our solution whereby we receive email notifications 5 days pre-expiry of the document. The email goes to the BO and the VM team. I follow up with the Vendor should we not receive the updated document after the expiry date. We receive the updated documents in most cases. Best practice is to collect the documents when they expire and not wait for the Annual Review Process.
- On what cadence are you collecting documents such as PCI Compliance, Business Continuity Plans, etc. that aren't your main due diligence documents you would collect on all vendors, but rather those that are determined Critical or if they are processing payments? Every year? Every 2 years? Wondering what the industry standard is as it seems to be a little tricky to nail down any terminology or regulations.
- Depending on the services provided by the vendor and their classifications, I would recommend collecting these documents annually even though the contents of the document might be the same for years. Collecting them annually would keep you in the know with any changes in infrastructure, compliant with regulations, etc.
- What are your thoughts on collecting due diligence documentation once per year during an annual review process versus once they become "expired" based on a certain pre-determined date?
- Best practice is to collect them once they become expired.
Original Message:
Sent: 10-25-2024 08:11 AM
From: Cheryl Turner
Subject: Due Diligence Documentation Schedule
I collect the COI yearly upon expiration and start emailing 5 – 7 days before.
I collect due diligence docs (SOC, etc.) upon review date. Yearly for critical vendors, every other year for significant vendors and every three years (or more) for non-essential, depending on what they do for us. Depends on if they have PII.
Cheryl
Original Message:
Sent: 10/17/2024 6:42:00 PM
From: Anonymous Member
Subject: Due Diligence Documentation Schedule
This message was posted by a user wishing to remain anonymous
Looking for clarification on a few pieces of ongoing due diligence document collection. Any help or insight is welcome!
- How often are you collecting things like Certificate of Insurance, SOC Reports, etc.?
- Are you collecting when the document becomes "expired" i.e., if a Certificate of Insurance ranges from 1/1/2024 - 1/1/2025, do you start collection on 1/1/2025? Or do you collect these types of documents once per year during an Annual Review process, regardless of when the document truly "expires"?
- On what cadence are you collecting documents such as PCI Compliance, Business Continuity Plans, etc. that aren't your main due diligence documents you would collect on all vendors, but rather those that are determined Critical or if they are processing payments? Every year? Every 2 years? Wondering what the industry standard is as it seems to be a little tricky to nail down any terminology or regulations.
- What are your thoughts on collecting due diligence documentation once per year during an annual review process versus once they become "expired" based on a certain pre-determined date?
Thank you for your time and insight!