Due Diligence and Ongoing Monitoring

  • 1.  Due Diligence Documentation Schedule

    This message was posted by a user wishing to remain anonymous
    Posted 10-17-2024 07:01 PM

    Looking for clarification on a few pieces of ongoing due diligence document collection. Any help or insight is welcome!

    • How often are you collecting things like Certificate of Insurance, SOC Reports, etc.? 
      • Are you collecting when the document becomes "expired" i.e., if a Certificate of Insurance ranges from 1/1/2024 - 1/1/2025, do you start collection on 1/1/2025? Or do you collect these types of documents once per year during an Annual Review process, regardless of when the document truly "expires"? 
    • On what cadence are you collecting documents such as PCI Compliance, Business Continuity Plans, etc. that aren't your main due diligence documents you would collect on all vendors, but rather those that are determined Critical or if they are processing payments? Every year? Every 2 years? Wondering what the industry standard is, as it seems to be a little tricky to nail down any terminology or regulations. 
    • What are your thoughts on collecting due diligence documentation once per year during an annual review process versus once they become "expired" based on a certain pre-determined date? 

    Thank you for your time and insight! 

  • 2.  RE: Due Diligence Documentation Schedule

    This message was posted by a user wishing to remain anonymous
    Posted 10-18-2024 01:08 PM

    We use a matrix based on the criticality and risk rating of a vendor to determine the frequency and amount of due diligence performed. All of our vendors are risk assessed annually, and the risk rating - High, Moderate, or Low - drives the level and frequency of the oversight tasks to be completed. We also perform a criticality assessment initially at onboarding to set the Critical vs. Non-Critical flag. We collect COIs for all vendors at least annually when they expire to ensure we have a current copy on file. Our system tracks the effective and expiration dates to ensure that when a document expires it prompts us to reach out for a new one. We only require SOC report reviews and BCP / DR reviews for our Moderate and High-risk vendors, as well as any Critical vendors, and we collect and review those annually. I think it would be completely appropriate to conduct a full review annually and collect all documents once per year to review.

  • 3.  RE: Due Diligence Documentation Schedule

    This message was posted by a user wishing to remain anonymous
    Posted 10-21-2024 08:58 AM

    I start sending emails to gather a new COI 5 days prior to expiration. All other docs yearly when their vendor is due for review. 

  • 4.  RE: Due Diligence Documentation Schedule

    Posted 10-25-2024 08:16 AM

    I collect the COI yearly upon expiration and start emailing 5 – 7 days before.

    I collect due diligence docs (SOC, etc.) upon review date. Yearly for critical vendors, every other year for significant vendors and every three years (or more) for non-essential, depending on what they do for us. Depends on if they have PII.

  • 5.  RE: Due Diligence Documentation Schedule

    This message was posted by a user wishing to remain anonymous
    Posted 10-25-2024 01:41 PM

    • How often are you collecting things like Certificate of Insurance, SOC Reports, etc.? Are you collecting when the document becomes "expired" i.e., if a Certificate of Insurance ranges from 1/1/2024 - 1/1/2025, do you start collection on 1/1/2025? Or do you collect these types of documents once per year during an Annual Review process, regardless of when the document truly "expires"?
      • I request the updated COI via email post-expiry of the document. We set up our solution so that we receive email notifications 5 days pre-expiry of the document. The email goes to the BO and the VM team. I follow up with the Vendor should we not receive the updated document after the expiry date. We receive the updated documents in most cases. Best practice is to collect the documents when they expire and not wait for the Annual Review Process. 
    • On what cadence are you collecting documents such as PCI Compliance, Business Continuity Plans, etc. that aren't your main due diligence documents you would collect on all vendors, but rather those that are determined Critical or if they are processing payments? Every year? Every 2 years? Wondering what the industry standard is, as it seems to be a little tricky to nail down any terminology or regulations.
      • Depending on the services provided by the vendor and their classifications, I would recommend collecting these documents annually even though the contents of the document might be the same for years. Collecting them annually would keep you in the know with any changes in infrastructure, compliant with regulations, etc.
    • What are your thoughts on collecting due diligence documentation once per year during an annual review process versus once they become "expired" based on a certain pre-determined date?
      • Best practice is to collect them once they become expired.

  • 6.  RE: Due Diligence Documentation Schedule

    This message was posted by a user wishing to remain anonymous
    Posted 10-25-2024 02:39 PM

    You mentioned you set up your solution to automatically reach out to the vendor for updated documentation; can you let me know what solution you use for these automated tasks?

  • 7.  RE: Due Diligence Documentation Schedule

    This message was posted by a user wishing to remain anonymous
    Posted 10-25-2024 05:07 PM

    I apologize if my statement was unclear. The Vendor Management team and Business Owners get notified when a document is about to expire. The vendor does not get notified. We tasked the BOs with getting the updated documents from the vendor, which gives us more time to concentrate on other tasks.

    I hope this answered your question.

  • 8.  RE: Due Diligence Documentation Schedule

    This message was posted by a user wishing to remain anonymous
    Posted 10-28-2024 12:29 PM

    How are they notified when a document is about to expire? How are the dates being tracked?
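The date-tracking mechanism that posts 2, 5 and 7 describe and post 8 asks about, written out as an added illustration rather than any participant's actual system: a small register of vendor documents where a COI carries a hard expiry date and every other document is collected on the cadence post 4 gives (yearly for critical, every two years for significant, every three years for non-essential), with reminders that go only to the business owner and the vendor-management team. The classification labels, the 5-day lead window (from posts 3 and 5), the `example.invalid` mailboxes and the inline sample register are all assumptions of this example; a real deployment would read the register from the vendor-management tool and send the notifications instead of printing them.

```python
"""Vendor document expiry tracker (added example; not the system any poster describes)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Collection cadence in years by vendor classification, following post 4:
# yearly for critical, every other year for significant, every three years for non-essential.
REVIEW_CADENCE_YEARS = {"critical": 1, "significant": 2, "non-essential": 3}

# Posts 3 and 5: reminders go out about 5 days before a COI expires. Post 7: they go to the
# business owner and the vendor-management team, not to the vendor.
COI_LEAD_DAYS = 5
VM_TEAM = "vendor-management@example.invalid"   # assumed placeholder mailbox


@dataclass(frozen=True)
class VendorDocument:
    vendor: str
    classification: str        # "critical", "significant" or "non-essential"
    doc_type: str              # e.g. "COI", "SOC 2", "BCP", "PCI AOC"
    received: date             # effective date of a COI, or date the last copy was reviewed
    expires: Optional[date]    # hard expiry for a COI; None for review-cycle documents
    business_owner: str


@dataclass(frozen=True)
class Notification:
    vendor: str
    doc_type: str
    status: str                # "expiring", "expired" or "review_due"
    due: date
    recipients: Tuple[str, ...]


def _add_years(d: date, years: int) -> date:
    """Same calendar date `years` later; 29 February falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def collection_due_date(doc: VendorDocument) -> date:
    """A COI is due when it expires; any other document when the review cycle comes round."""
    if doc.expires is not None:
        return doc.expires
    return _add_years(doc.received, REVIEW_CADENCE_YEARS[doc.classification])


def notifications_due(docs: List[VendorDocument], today: date) -> List[Notification]:
    """Build the day's internal outreach list, oldest due date first."""
    out: List[Notification] = []
    for doc in docs:
        due = collection_due_date(doc)
        if doc.expires is not None:
            if today >= due:
                status = "expired"        # business owner follows up with the vendor
            elif (due - today).days <= COI_LEAD_DAYS:
                status = "expiring"       # pre-expiry heads-up inside the lead window
            else:
                continue
        elif today >= due:
            status = "review_due"         # cadence-driven collection (SOC, BCP, PCI evidence)
        else:
            continue
        out.append(Notification(doc.vendor, doc.doc_type, status, due,
                                (doc.business_owner, VM_TEAM)))
    return sorted(out, key=lambda n: (n.due, n.vendor))


# Constructed sample register: fictitious vendors, owners and dates.
SAMPLE_TODAY = date(2024, 12, 28)
SAMPLE_REGISTER = [
    VendorDocument("Acme", "critical", "COI", date(2024, 1, 1), date(2025, 1, 1), "acme-owner@example.invalid"),
    VendorDocument("Acme", "critical", "SOC 2", date(2023, 11, 15), None, "acme-owner@example.invalid"),
    VendorDocument("Beta", "significant", "BCP", date(2023, 6, 15), None, "beta-owner@example.invalid"),
    VendorDocument("Gamma", "non-essential", "COI", date(2023, 12, 1), date(2024, 12, 1), "gamma-owner@example.invalid"),
    VendorDocument("Delta", "critical", "PCI AOC", date(2024, 2, 29), None, "delta-owner@example.invalid"),
]

if __name__ == "__main__":
    for n in notifications_due(SAMPLE_REGISTER, SAMPLE_TODAY):
        print(f"{n.due}  {n.status:<10} {n.vendor:<6} {n.doc_type:<8} -> {', '.join(n.recipients)}")
```

Run daily, the script produces three items for the sample date: Acme's SOC 2 review is overdue on the annual cycle, Gamma's COI has already lapsed and needs a follow-up through its business owner, and Acme's COI is inside the 5-day window before expiry. Keeping the expiry rule and the cadence rule separate matches the split the thread settles on: hard-dated documents are chased when they expire, everything else when the vendor's review comes due.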