
Vendor Due Diligence and Third-Party Risk Review

Use this vendor due diligence and third-party risk review template to document a critical supplier’s security, financial, continuity, and contract controls in one audit-ready record. It helps you confirm risk tier, capture evidence, and track findings to closure.


Built for: SaaS and Technology · Healthcare and Life Sciences · Financial Services · Manufacturing · Retail and E-Commerce

Overview

This vendor due diligence and third-party risk review template is built to document the controls, evidence, and contractual safeguards for a critical supplier or service provider. It walks through the review in the same order a risk owner would typically evaluate a vendor: scope and tiering, security controls, financial condition, business continuity, contract protections, and final findings.

Use it when a vendor has access to sensitive data, supports an important business process, or could create operational, legal, or reputational exposure if something goes wrong. It is especially useful before onboarding, at renewal, after a major incident, or when a vendor’s service scope changes. The template helps you capture objective evidence such as policies, assessment reports, financial statements, continuity test dates, insurance certificates, and contract language, rather than relying on informal assurances.

Do not use this as a substitute for a full legal review, a deep technical security assessment, or a sector-specific regulatory audit. If the vendor is low risk, a shorter questionnaire may be enough. If the vendor handles highly regulated data or performs a safety-critical function, you may need additional controls, deeper testing, and formal approval gates. The value of this template is that it creates a repeatable, audit-ready record that shows what was reviewed, what was missing, and what action was taken.

Standards & compliance context

  • This template supports third-party risk governance expectations commonly found in ISO 9001:2015 quality systems, ANSI/ASSP Z10 safety programs, and enterprise security review processes.
  • The security section aligns with common control expectations from information security frameworks that emphasize access control, encryption, vulnerability management, and incident response.
  • The contract section helps document privacy, confidentiality, audit rights, and subcontractor oversight that are often required under commercial, healthcare, financial, or data processing agreements.
  • The financial and continuity sections support due diligence practices used to evaluate vendor viability, disaster recovery readiness, and operational resilience.
  • If the vendor touches regulated data or services, you may need additional review against sector-specific obligations and internal policy before approval.

General regulatory context for orientation only — verify current requirements with counsel or the relevant agency before relying on this template for compliance.

What's inside this template

Inspection Details and Scope

This section establishes exactly which vendor, service, date, and risk tier are being reviewed so the rest of the record is traceable.

  • Vendor name and service scope documented (weight 1.0)

    Record the legal entity name, service description, and business unit using the service.

  • Review type and date recorded (critical · weight 2.0)

    Capture whether this is onboarding, annual review, renewal, or event-driven reassessment.

  • Vendor risk tier confirmed (critical · weight 2.0)

    Confirm the assigned risk tier for this vendor.

  • Evidence package complete (critical · weight 3.0)

    Confirm the due diligence file includes current questionnaires, certifications, SOC reports, financial statements, and contract documents as applicable.

Security and Access Controls

This section captures the core technical and administrative safeguards that protect data and systems from unauthorized access or exposure.

  • Access control policy covers least privilege and role-based access (critical · weight 1.0)

    Verify the vendor maintains documented access control standards aligned to least privilege and role-based access.

  • Multi-factor authentication enforced for administrative and remote access (critical · weight 1.0)

    Confirm MFA is required for privileged accounts and remote administrative access.

  • Encryption used for data in transit and at rest (critical · weight 1.0)

    Verify encryption controls are in place for sensitive or regulated data handled by the vendor.

  • Vulnerability and patch management cadence documented (weight 1.0)

    Document the vendor’s vulnerability scanning frequency, patch timelines, and remediation escalation process.

  • Security incident notification timeframe meets contract requirements (critical · weight 1.0)

    Record the required notification window for security incidents.

  • Independent security assessment current (critical · weight 1.0)

    Confirm the most recent independent security assessment or attestation is current.

Financial Condition and Business Continuity

This section checks whether the vendor is financially stable and able to keep operating through disruption without putting your business at risk.

  • Latest financial statements reviewed (critical · weight 1.0)

    Confirm the most recent audited or reviewed financial statements were obtained and analyzed.

  • Liquidity or going-concern concerns identified (critical · weight 1.0)

    Indicate whether any material liquidity, solvency, or going-concern concerns were identified during review.

  • Business continuity and disaster recovery plan current (critical · weight 1.0)

    Verify the vendor has a documented and tested BCP/DR plan appropriate to the service criticality.

  • BCP/DR test date recorded (weight 1.0)

    Record the date of the most recent business continuity or disaster recovery exercise.

Contract Provisions and Legal Safeguards

This section confirms the contract gives you the rights and protections needed to manage confidentiality, oversight, and exit risk.

  • Contract includes confidentiality and data protection obligations (critical · weight 1.0)

    Verify the agreement includes confidentiality, data handling, and privacy obligations appropriate to the data processed.

  • Right to audit or assess included (critical · weight 1.0)

    Confirm the contract grants the organization the right to audit, assess, or obtain independent assurance reports.

  • Subcontractor flow-down requirements included (critical · weight 1.0)

    Verify the vendor must flow down applicable security, confidentiality, and compliance obligations to subcontractors.

  • Termination and exit assistance provisions documented (weight 1.0)

    Summarize termination rights, data return/deletion obligations, and transition assistance terms.

  • Insurance coverage meets minimum requirements (critical · weight 1.0)

    Confirm the vendor’s insurance coverage is current and meets contractual minimums.

Compliance, Monitoring, and Findings

This section ties the review back to obligations, tracks open issues, and records the final risk decision and sign-off.

  • Regulatory and contractual obligations mapped (weight 1.0)

    Identify the obligations applicable to this vendor relationship.

  • Open findings from prior reviews tracked to closure (critical · weight 1.0)

    Confirm prior deficiencies or non-conformances have documented owners, due dates, and closure evidence.

  • Overall vendor risk review outcome (critical · weight 1.0)

    Document the final disposition of the review.

  • Inspector signature (critical · weight 1.0)

    Signature of the reviewer completing the due diligence assessment.

How to use this template

  1. Enter the vendor name, service scope, review type, date, and risk tier, then attach the evidence package that supports the review.
  2. Review the security and access control section against current documents, confirming least privilege, MFA, encryption, patching, incident notification terms, and any independent assessment.
  3. Check the financial condition and business continuity section by reading the latest financial statements, noting liquidity or going-concern concerns, and recording the most recent BCP or DR test date.
  4. Verify the contract provisions section by confirming confidentiality, data protection, audit rights, subcontractor flow-downs, exit assistance, and insurance requirements.
  5. Map regulatory and contractual obligations, record open findings and remediation owners, and assign the overall vendor risk outcome before signing the review.

Best practices

  • Tie every yes or no answer to a dated document, report, or contract clause so the review is evidence-based.
  • Flag any vendor that lacks MFA for administrative or remote access as a high-priority deficiency until remediated.
  • Record the exact date of the most recent security assessment, BCP test, and financial statement review instead of using vague status language.
  • Separate critical control failures from minor documentation gaps so the risk decision reflects actual exposure.
  • Confirm that incident notification timing in the contract is realistic for your internal escalation and reporting requirements.
  • Review subcontractor use carefully, because downstream processors can create the same risk as the primary vendor.
  • Require a clear exit and data return plan for vendors that store customer, employee, or operational data.
  • Close the loop on prior findings before renewal, or document an approved exception with an owner and due date.
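The best practices above describe a review record as a set of weighted, evidence-backed answers in which a critical failure, stale evidence, an unrealistic notification window, or an unclosed prior finding should block approval regardless of the overall score. The following is an added example of that decision logic, not code from the template or from MangoApps. Item names mirror the template's sections, but the weights, dates, the 365-day evidence window, the 0.8 pass mark, the 24-hour internal escalation lead time and the 72-hour external deadline are constructed assumptions for illustration.

```python
"""Added example (not the template's own logic): scoring one vendor review record.

Item names mirror the template's sections; weights, dates, thresholds and the
gating rules are constructed assumptions chosen for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Item:
    name: str
    weight: float
    critical: bool
    passed: bool
    evidence: str = ""                 # dated document, report or clause behind the answer
    evidence_date: date | None = None  # date on that evidence, when it carries one


@dataclass
class Finding:
    description: str
    closed: bool = False
    exception_owner: str | None = None  # both set only when an approved exception exists
    exception_due: date | None = None


def verified(item: Item) -> bool:
    """A 'yes' counts only when it is tied to a named piece of evidence."""
    return item.passed and bool(item.evidence.strip())


def weighted_score(items: list[Item]) -> float:
    total = sum(i.weight for i in items)
    earned = sum(i.weight for i in items if verified(i))
    return round(earned / total, 3) if total else 0.0


def stale_evidence(items: list[Item], as_of: date, max_age_days: int = 365) -> list[str]:
    """Names of items whose supporting evidence is older than the allowed window."""
    cutoff = as_of - timedelta(days=max_age_days)
    return [i.name for i in items if verified(i) and i.evidence_date and i.evidence_date < cutoff]


def notification_fits(contract_hours: int, internal_lead_hours: int, external_deadline_hours: int) -> bool:
    """Vendor window plus your own triage time must fit inside any outward deadline."""
    return contract_hours + internal_lead_hours <= external_deadline_hours


def carried_forward(findings: list[Finding]) -> list[str]:
    """Prior findings neither closed nor covered by an exception with owner and due date."""
    return [f.description for f in findings
            if not f.closed and not (f.exception_owner and f.exception_due)]


def disposition(items, findings, as_of, contract_hours, internal_lead_hours=24,
                external_deadline_hours=72, pass_mark=0.8):
    """Return (outcome, reasons). Critical gaps block; minor gaps become conditions."""
    blockers, conditions = [], []
    for i in items:
        if not verified(i):
            (blockers if i.critical else conditions).append(f"unverified: {i.name}")
    blockers += [f"stale evidence: {n}" for n in stale_evidence(items, as_of)]
    if not notification_fits(contract_hours, internal_lead_hours, external_deadline_hours):
        blockers.append(f"notification window {contract_hours}h leaves no time to escalate")
    blockers += [f"open finding without exception: {d}" for d in carried_forward(findings)]
    if blockers:
        return "blocked", blockers + conditions
    if conditions or weighted_score(items) < pass_mark:
        return "approved with conditions", conditions
    return "approved", []


AS_OF = date(2024, 9, 1)  # constructed review date


def sample_review():
    """Constructed record showing the gaps the page says reviews most often surface."""
    items = [
        Item("Evidence package complete", 3.0, True, True, "DD file VDR-2024-017", date(2024, 8, 20)),
        Item("MFA enforced for admin and remote access", 1.0, True, True),  # 'yes' with no evidence
        Item("Independent security assessment current", 1.0, True, True, "SOC 2 Type II", date(2023, 1, 15)),
        Item("Vulnerability and patch cadence documented", 1.0, False, True, "Patch policy v3", date(2024, 3, 1)),
        Item("BCP/DR test date recorded", 1.0, False, False),
    ]
    findings = [Finding("Subcontractor list incomplete")]
    return items, findings, 72  # contract allows 72h to notify


def remediated_review():
    """Same vendor after evidence was supplied, findings closed and the contract renegotiated."""
    items, findings, _ = sample_review()
    items[1].evidence, items[1].evidence_date = "SSO/MFA configuration export", date(2024, 8, 1)
    items[2].evidence_date = date(2024, 6, 30)
    items[4].passed, items[4].evidence, items[4].evidence_date = True, "DR exercise report", date(2024, 5, 10)
    findings[0].closed = True
    return items, findings, 24


if __name__ == "__main__":
    for build in (sample_review, remediated_review):
        items, findings, hours = build()
        print(build.__name__, weighted_score(items), disposition(items, findings, AS_OF, hours))
```

The design point is that an unsupported "yes" scores as a failure, so a review that accepts self-attestation without evidence cannot reach a passing score, and that blockers are evaluated before the weighted score is consulted, so a high score on documentation items can never outweigh a missing MFA control or an unclosed finding.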

What this template typically catches

Issues teams running this template most often surface in practice:

  • No current evidence that MFA is enforced for administrative or remote access.
  • Security assessment is outdated, incomplete, or based only on vendor self-attestation.
  • Incident notification language is missing, vague, or too slow for internal escalation needs.
  • BCP or DR plan exists, but the last test date is missing or the test was not documented.
  • Financial statements show liquidity pressure, late filings, or unresolved going-concern concerns.
  • Contract lacks audit rights, exit assistance, or clear data return and deletion obligations.
  • Subcontractors are used without flow-down requirements or visibility into downstream controls.
  • Prior findings were carried forward without closure evidence or an approved exception.

Common use cases

SaaS procurement manager reviewing a customer data processor
Use the template before signing a software contract that will store customer records or support a core workflow. It helps the reviewer confirm security controls, incident terms, and exit rights before the vendor is approved.
Healthcare compliance lead renewing a claims or billing vendor
Use it to document due diligence for a vendor that handles protected information, business continuity, and contractual safeguards. The review record helps show that the organization checked access controls, continuity readiness, and legal protections before renewal.
Manufacturing operations team assessing a contract manufacturer
Use the template when a supplier is essential to production continuity and quality. It helps capture financial stability, disaster recovery readiness, subcontractor oversight, and any open findings that could affect supply.
Finance and procurement team onboarding a payroll provider
Use it to verify that the provider has strong access controls, timely incident notification, and adequate insurance. The financial and contract sections are especially useful when the vendor will handle employee data and recurring payments.

Frequently asked questions

What vendors should use this template?

Use it for critical or high-risk third parties that handle sensitive data, support core operations, or could disrupt service if they fail. It fits SaaS providers, payroll processors, logistics partners, contract manufacturers, and other vendors with access to systems, facilities, or regulated information. For low-risk suppliers, a lighter questionnaire may be enough. The key trigger is business impact, not vendor size.

How often should a vendor due diligence review be completed?

Run it before onboarding a critical vendor, then repeat on a risk-based cadence such as annually for high-risk vendors and less often for lower-risk ones. Re-review sooner after a major incident, control change, acquisition, contract renewal, or scope expansion. If the vendor stores regulated data or supports essential operations, shorter review cycles are usually justified. This template also works well as a renewal checkpoint.

Who should complete the review?

A cross-functional owner usually works best: procurement or vendor management for coordination, security for technical controls, legal for contract terms, and finance for solvency checks. In smaller organizations, one reviewer can complete it if they can gather evidence from the right stakeholders. The important part is that the reviewer can validate the evidence, not just collect answers. The final sign-off should come from the risk owner or approver.

Does this template align with third-party risk management expectations?

Yes. It is structured to support common third-party risk management programs and audit expectations by documenting scope, control evidence, contractual safeguards, and open findings. It also helps map vendor obligations to internal policy and external requirements from frameworks such as ISO 9001, ANSI/ASSP Z10, and sector-specific privacy or security obligations. It is not a substitute for legal review, but it gives you a defensible review record. That makes it useful for audits, renewals, and governance reporting.

What are the most common mistakes when using this template?

The biggest mistake is treating it like a questionnaire and accepting vendor self-attestation without evidence. Another common issue is skipping financial or continuity review for vendors that would be hard to replace. Teams also miss contract gaps such as weak incident notification language, no audit rights, or missing subcontractor flow-downs. This template works best when every answer is tied to a document, report, or dated assessment.

Can I customize the controls and evidence requirements?

Yes. You should tailor the review to the vendor’s risk tier, data sensitivity, and service criticality. For example, a cloud provider may need deeper security evidence, while a logistics vendor may need stronger continuity and insurance checks. You can add fields for SOC 2 reports, penetration tests, privacy addenda, or industry-specific certifications. Keep the core sections intact so reviews stay comparable over time.

How does this compare with an ad hoc vendor questionnaire?

An ad hoc questionnaire usually captures answers, but not the full decision trail. This template adds structure for evidence, risk tiering, contract safeguards, prior findings, and final outcome, which makes reviews easier to defend and trend over time. It also reduces the chance that a critical area gets skipped because the process depends on memory. If you need repeatable vendor governance, this is the better starting point.

What integrations or attachments should I include with the review?

Attach the vendor’s security assessment, insurance certificate, financial statements, BCP or DR test evidence, and the executed contract or addendum. If your process uses GRC, procurement, or ticketing tools, link the review record to the vendor profile and any remediation tasks. You can also connect it to renewal workflows so open findings block approval until closed. The goal is to keep the review and the evidence in one traceable chain.

Ready to use this template?

Get started with MangoApps and use Vendor Due Diligence and Third-Party Risk Review with your team — pricing built for small business.
