Due Diligence and Ongoing Monitoring

  • 1.  Due Diligence Cadence

    This message was posted by a user wishing to remain anonymous
    Posted 02-16-2024 09:53 AM

    Our due diligence review, originally scheduled for October 2023, was not completed until January 2024 due to a lack of response from the vendor relationship owner. Our system automatically adjusts the next review date to the date the due diligence is completed, rather than retaining the previous due date. Audit has identified this as an issue, recommending that we adhere to the cadence outlined in our policy. We typically conduct reviews annually for highly rated vendors, and the delay in this instance may give the impression of untimely review completion. From a risk perspective, I believe it is reasonable to adjust the review date to align with the most recent due diligence completion because we have obtained the most up to date information. I would appreciate hearing others' thoughts on this matter.

    When do you commence your due diligence for upcoming reviews? Do you adjust the next review date if due diligence is not completed on time, or do you maintain the original due date? What actions can be taken if the relationship owner is unresponsive? Have you established deadlines for due diligence completion, and are these outlined in your policy or procedures?



  • 2.  RE: Due Diligence Cadence

    This message was posted by a user wishing to remain anonymous
    Posted 02-16-2024 11:00 AM

    Due diligence schedule is set to the calendar year/commencement date. That essentially is a rule of thumb. Expectation is completion by year end. Due to the vendor (or relationship owner) responsiveness levels, that isn't always possible.

    Our view is that delays by the vendor (or the relationship owner) don't change what the company should be doing. 

    My personal perspective: Delays in responsiveness by the vendor (or the relationship owner) shouldn't be rewarded by extending out the commencement of the next review. If either the vendor or relationship owner essentially opts into year round reviews, so be it.

    On the other hand, there are delays that can be easily understood. System changes that occur during the due diligence review, product or procedural additions, and other assorted adjustments to people or process can cause any given review to be delayed for understandable reasons.




  • 3.  RE: Due Diligence Cadence

    This message was posted by a user wishing to remain anonymous
    Posted 02-16-2024 11:08 AM

    A possible remediation plan:

    Audit will review your processes according to your policy/procedures. Consider updating your policy/procedures to allow the discretion to adjust review timing by the appropriate designee, or indicate in your procedures the process to document late reviews and reset review timing. This ensures you have appropriate review and alignment with your institution's risk appetite.




  • 4.  RE: Due Diligence Cadence

    This message was posted by a user wishing to remain anonymous
    Posted 02-16-2024 12:06 PM

    Given the way our auditing periods run, if the completion date is within the same calendar year, I adjust it to a year from that date. If it crosses over to the next calendar year, I would not, but I might extend it a little. E.g., an Oct/23 review completed in Jan/24, I'd move it to Nov or Dec/24. My reasoning is that I want to make sure the next review will produce the updated testing/audit reports. Wouldn't want to stick with Oct/24, and get the same exact documents I got in Jan/24. I hope it makes sense.

    Either way, I keep track of all reach-out and follow-up attempts, so I can show that the untimely completion was due to lack of response, not lack of reaching out.

    Also, when that happens a warning is noted in the file and Senior Management is made aware. 




  • 5.  RE: Due Diligence Cadence

    This message was posted by a user wishing to remain anonymous
    Posted 02-16-2024 12:18 PM

    One thing to look at is MSA/Contract language. If your agreement doesn't include the requirement for an annual security assessment or something similar, it needs to be added. Including it in the agreement means that the vendor may be subject to penalties for failing to complete the assessment in a timely manner. 

    Where the delay is caused internally, the relationship owner needs to be brought to the table to get the assessment completed. If the relationship owner is the delay, their management must be notified. This notification should include the actual or perceived risk to the organisation were there to be an incident originating from that vendor and that our delay will put the vendor in breach of the agreement.