Due Diligence and Ongoing Monitoring

  • 1.  Vendor Due Diligence - Alternatives

    This message was posted by a user wishing to remain anonymous
    Posted 17 days ago

    We are evaluating our vendor due diligence requirements and are wondering what the community here deems as acceptable due diligence for the following:

    1. Reviewing Financial Condition - Specifically, what is acceptable if the firm will not share its audited financials?
    2. Reviewing Data Security - Specifically, what is acceptable if the firm has a cloud-based application (w/ NPI) but does not produce a SOC report?
    3. Reviewing Policies (Security, BCP, DR etc.) - Specifically, what is acceptable if the firm will not share its actual policies?


    -------------------------------------------


  • 2.  RE: Vendor Due Diligence - Alternatives

    This message was posted by a user wishing to remain anonymous
    Posted 17 days ago


    1. P&L Statement, written statement from company with explanation as to why they don't release the statement
    2. Security testing results, a letter from their auditor or Director of IT, as well as a written statement with explanation
    3. Annual Testing results & dates of testing & written statement with explanation