Vendor Due Diligence and Third-Party Risk Review

Inspection template for evaluating critical vendors' security controls, financial condition, compliance posture, and contract provisions under third-party risk management guidance.

Inspection Details and Scope

  • Vendor name and service scope documented
    Record the legal entity name, service description, and business unit using the service.
  • Review type and date recorded
    Capture whether this is onboarding, annual review, renewal, or event-driven reassessment.
  • Vendor risk tier confirmed
    Confirm the assigned risk tier for this vendor.
  • Evidence package complete
    Confirm the due diligence file includes current questionnaires, certifications, SOC reports, financial statements, and contract documents as applicable.

Security and Access Controls

  • Access control policy covers least privilege and role-based access
    Verify the vendor maintains documented access control standards aligned to least privilege and role-based access.
  • Multi-factor authentication enforced for administrative and remote access
    Confirm MFA is required for privileged accounts and remote administrative access.
  • Encryption used for data in transit and at rest
    Verify encryption controls are in place for sensitive or regulated data handled by the vendor.
  • Vulnerability and patch management cadence documented
    Document the vendor's vulnerability scanning frequency, patch timelines, and remediation escalation process.
  • Security incident notification timeframe meets contract requirements
    Record the contractually required notification window for security incidents and confirm the vendor's incident response process commits to meeting it.
  • Independent security assessment current
    Confirm the most recent independent security assessment or attestation is current.

Financial Condition and Business Continuity

  • Latest financial statements reviewed
    Confirm the most recent audited or reviewed financial statements were obtained and analyzed.
  • Liquidity or going-concern concerns identified
    Indicate whether any material liquidity, solvency, or going-concern concerns were identified during review.
  • Business continuity and disaster recovery plan current
    Verify the vendor has a documented and tested BCP/DR plan appropriate to the service criticality.
  • BCP/DR test date recorded
    Record the date of the most recent business continuity or disaster recovery exercise.

Contract Provisions and Legal Safeguards

  • Contract includes confidentiality and data protection obligations
    Verify the agreement includes confidentiality, data handling, and privacy obligations appropriate to the data processed.
  • Right to audit or assess included
    Confirm the contract grants the organization the right to audit, assess, or obtain independent assurance reports.
  • Subcontractor flow-down requirements included
    Verify the vendor must flow down applicable security, confidentiality, and compliance obligations to subcontractors.
  • Termination and exit assistance provisions documented
    Summarize termination rights, data return/deletion obligations, and transition assistance terms.
  • Insurance coverage meets minimum requirements
    Confirm the vendor's insurance coverage is current and meets contractual minimums.

Compliance, Monitoring, and Findings

  • Regulatory and contractual obligations mapped
    Identify the obligations applicable to this vendor relationship.
  • Open findings from prior reviews tracked to closure
    Confirm prior deficiencies or non-conformances have documented owners, due dates, and closure evidence.
  • Overall vendor risk review outcome
    Document the final disposition of the review.
  • Inspector signature
    Signature of the reviewer completing the due diligence assessment.