Due Diligence and Ongoing Monitoring


Redundant Documents

  • 1.  Redundant Documents

    Posted 06-06-2022 11:43 AM
    Hi all, 

    I'm new to the Vendor Management world, so forgive me if this question is ignorant: 

    I am wondering what your thought process/approach is when gathering documents for a risk assessment, initial due diligence, etc. Specifically, do you request policies such as Information Security Policies, Background Check Policies, etc. when they may be defined within a SOC Report?

    Or, do you typically request these documents only if they are not listed in a SOC report? Basically, I am trying to determine if a policy being detailed in a SOC report is typically 'good enough' to satisfy obtaining specific policies. Until now, I've been requesting specific policies, only to find them detailed within the SOC report, so I didn't know if asking for both was a redundant effort.


  • 2.  RE: Redundant Documents

    Posted 06-06-2022 11:51 AM
    Honestly I would say just the SOC report. If they don't have a SOC yet or if you have any special policy concerns related to your line of business, then go for the individual policies.

  • 3.  RE: Redundant Documents

    Posted 06-06-2022 12:05 PM

    Welcome to the exciting world :) 

    Points to cover when you're requesting documents:

    My approach is in 2 ways if you're doing an audit for a vendor:

    1. If you're sending a SIG (Lite / High), which is a questionnaire to the vendor, based on the response from the vendor, you can request the proofs.


    2nd Approach

    If you're doing it without any tool

    1. MSA / SOW - To find out the contract / clauses within the project. Start date & end date of the project.
    2. Understand the business / service / product which is outsourced from your organization.
    3. Understand all the policies which are intact with your contract & organization.
    4. Check for the exceptional controls which are mentioned in the SOC 2 report.


    I have missed a few points, but hope this will give you a start.



  • 4.  RE: Redundant Documents

    Posted 06-06-2022 12:11 PM
    Depending on the level of risk, I will request both the actual policy and a SOC report.  For our highest risk vendors, I want the expanded detail of the actual policy and the verification that processes and procedures described within the policy are being followed based on testing from the SOC.

    Shelly Chase
    AVP Operational Risk

  • 5.  RE: Redundant Documents

    This message was posted by a user wishing to remain anonymous
    Posted 06-06-2022 01:18 PM

    Below is our Vendor DD request list.  During our recent FDIC exam, it was recommended to request more consumer compliance related policies on our vendors as well.  

    My outlook is that it never hurts to ask for everything.  The more you have, the better review you can do and it shows the auditors you're looking at all aspects of the vendor.

    • Latest SOC report (SOC 2 is preferred) or equivalent third-party audit for applicable products/programs utilized by the bank
      • If another vendor is critical to support the delivery of your services/products, and you are providing due diligence for that vendor, please briefly describe the relationship between your company and the supporting critical vendor.
    • SOC Report Gap/Bridge Letter(s)
    • Information Security Policies
    • Cyber/Network Security Policies with Testing Requirements and Results (i.e., Vulnerability and/or Penetration Testing)
    • Incident Response Policies with client notification protocols
    • Disaster Recovery/Business Continuity Plan(s)
    • Disaster Recovery Documentation and Testing Results
    • Current Certificate of Insurance
    • Red Flags Regulatory Compliance Policy
    • Complaint Logs/Summary of any past complaints/customer satisfaction issues
    • Compliance Management System Policy
    • UDAAP Policy
    • Reg E Policy
    • AML/BSA/CIP/OFAC Policy
    • Latest Annual Financial Statement with period end date 2021 (audited financial statements, including two comparative years of results, with notes preferred)
    • W-9

    Good luck!

  • 6.  RE: Redundant Documents

    Posted 06-06-2022 01:23 PM
    Do you send a questionnaire like a SIG or SIG lite, or just request the documents listed?

    Greg A

  • 7.  RE: Redundant Documents

    This message was posted by a user wishing to remain anonymous
    Posted 06-06-2022 01:50 PM


    We send a 76-question questionnaire where they can also upload the documents.

  • 8.  RE: Redundant Documents

    Posted 06-06-2022 01:51 PM
    At this point we are just requesting documents. We have some pre-existing questionnaires, but haven't really familiarized ourselves with this yet. The individual who was performing this duty for my organization retired early this year and didn't have much in place in terms of succession, so we're still in the process of figuring out what our process is going to be.

    Thanks for your response.

  • 9.  RE: Redundant Documents

    Posted 06-06-2022 02:06 PM

    Greg A

  • 10.  RE: Redundant Documents

    Posted 06-06-2022 01:47 PM
    Thank you!

  • 11.  RE: Redundant Documents

    This message was posted by a user wishing to remain anonymous
    Posted 06-07-2022 08:04 AM

    We have just started to ask for information on how the supplier ensures that vulnerable customers are identified and treated appropriately, as well as asking for confirmation of what adjustments are made in service delivery for customers who have a disability.