This is a great question and highlights a really important issue about document expiration. I would say the best approach is to have a system in place to make sure you're tracking any documents like insurance certificates or SOC reports that have expiration dates. This can help serve as a reminder to request these documents as they expire.
As far as periodic due diligence reviews, it's generally recommended to follow this cadence:
· Critical and High-Risk: At least annually, but reviews may be more frequent if there have been issues such as declining performance or a security incident
· Moderate: Every 18-24 months, depending on the product or service type
· Low: Every three years, or at contract renewal
So, here's an example of what that might look like. Let's say you've scheduled a due diligence review for your critical vendor on July 1. However, their insurance certificate expires on December 31. You could still keep that July 1 review date to review other due diligence documents and make sure they're current and valid. You would just need to set a reminder and reach out to the vendor closer to the December 31 expiration date to request a new insurance certificate. This could be as simple as an email or calendar notification, although you may need to consider another solution if you need to track dozens or hundreds of dates.
I hope my answer is helpful and I'm interested to see if other members have suggestions on how to set reminders for document collection.
Original Message:
Sent: 07-08-2024 06:07 PM
From: Anonymous Member
Subject: Ongoing Monitoring Tasks (Documents and Due Dates)
This message was posted by a user wishing to remain anonymous
I'm wondering how everyone is completing their ongoing monitoring documents. For example: Do you reach out every time each document is due or doing them all at one point in time?
I'm running into the issue of some documents not being available or already expired by the time the next task date comes up.
Thank you