What To Include in Your Third-Party Due Diligence Questionnaire

December 1, 2022
There are many reasons why companies must choose their business relationships carefully. From downtime due to supply chain disruption to data breaches due to a lack of strong internal controls, third-party risk comes in plenty of forms.

This makes it essential to have a third-party due diligence process when choosing vendors and service providers. And a due diligence questionnaire is one of the best risk assessment tools businesses have available. 

We've put together this article to help you create a due diligence questionnaire that will identify red flags and lower your company's level of risk. Let's look at what a due diligence questionnaire is, why it's important, and the eight elements that every due diligence questionnaire should include.

What Is a Third-Party Due Diligence Questionnaire?

A due diligence questionnaire is a formal assessment made up of questions intended to help a company gauge the risk of its third-party relationships. These questionnaires are usually sent to new vendors during onboarding, but many companies also send routine follow-up questionnaires to existing vendors. Common practice is to reassess low-risk vendors once a year and higher-risk vendors more often, with the reassessment cadence tied to how critical the vendor is and how much sensitive data it handles.

Cybersecurity risk is the most common focus of a third-party due diligence questionnaire, but there are other types of risk that these questionnaires are designed to highlight as well. This includes risks such as corruption risk, supply chain risk, and regulatory risk.

What Is the Purpose of a Due Diligence Questionnaire?

Vendor due diligence is a vital part of the procurement process because it shields companies against a variety of risks. If a vendor collects and stores customer data or other sensitive information from your company, then any weakness the vendor hasn't remediated becomes your exposure too. At a time when data breaches have become increasingly common, cybersecurity risk management is one key emphasis of a due diligence questionnaire. 

Along with identifying potential cybersecurity risks, a due diligence questionnaire also helps identify numerous other types of risk. This includes ensuring a vendor follows all applicable laws and regulatory requirements, evaluating the vendor's exposure to sanctions and other political risks, and ensuring that the vendor's management is trustworthy.

By enabling companies to evaluate the various risks that vendors or other business partners pose, due diligence questionnaires help ensure that a company is never blindsided by an issue that puts its own data, operations, or reputation at risk.


8 Must-Have Items in Your Third-Party Due Diligence Questionnaire

There is no "one-size-fits-all" approach to creating a security questionnaire, and the exact details of your questionnaire will depend on the vendor you're assessing and your own company's risk management priorities. With that said, there are several elements that security questionnaires will commonly include. Here are eight such must-have items that every due diligence questionnaire should include.

1) Business Profile and History

The business profile and history section of a due diligence questionnaire is intended to provide a broad understanding of a vendor's background to help ensure that you are bringing on a reliable and trustworthy partner. This section will typically include several general questions regarding the details of a vendor's operations and business history. 

It may help to think of this section as a basic background check for vendors: it won't dive into any specific security weakness, but it will give you a broad understanding of who you are about to do business with.

Here are a few examples of business profile and history questions that your due diligence questionnaire might include:

  • How many years has the company been in business?
  • How many employees does the company have, and what is its approximate annual revenue?
  • Does the company have a code of ethics, code of conduct, and/or anti-corruption policies in place?
  • Does the company have a compliance officer?

2) Ownership and Key Employees

A company is only as good as the people behind it, and this is true of any vendor or service provider you might be considering. Along with ensuring that a vendor's ownership and management are trustworthy and reliable, this section of a due diligence questionnaire also identifies any risks that the specific individuals who make up the vendor's ownership/management might pose. 

Politically exposed persons (PEPs) are one example of these potential risks, which is why it's important to ask about any affiliations that a vendor's ownership or management has with a political party or government official. It's also common for due diligence questionnaires to ask about any legal proceedings the vendor's ownership or management have been subject to regarding allegations of fraud, corruption, bribery, or other criminal activity.

We've all seen plenty of examples of how dishonest and corrupt management can be a company's downfall. Along with potentially disrupting your company by derailing a vendor you rely on for a key product or service, getting involved with a vendor run by scandalous ownership or management also creates reputational risk for your company. 

Keep in mind that many customers won't hesitate to judge your brand based on who it associates with, and it's much easier to protect your brand reputation than it is to repair it.

Here are a few examples of ownership and key employees questions that your due diligence questionnaire might include:

  • Who are the key officers and members of your Board of Directors?
  • Who are the company's owners and key employees?
  • Are any of the company's owners or key employees an official of a political party or a candidate for public office?
  • Have any of the company's owners or key employees been subjected to legal proceedings regarding fraud, bribery, corruption, or any other criminal activity?

3) Reference Information

If you fill out an application for a job, you have to provide references from previous employers. If you fill out a rental application, you have to provide references from previous landlords. There's a good reason why providing references is such a common requirement: they are a source of outside feedback and sometimes uncover details that might otherwise have been swept under the rug.

In a due diligence questionnaire, you will want to ask for two types of references: banking references and references from companies that have done business with the vendor in the past. Banking references help you judge a vendor's financial stability, a key concern for vendor reliability, since a vendor in financial trouble may not be able to keep providing its services. 

Requesting references from other companies that have done business with the vendor is a lot like reading customer reviews before buying a product. These references help you understand what it's like to work with the vendor and may surface issues the vendor left out of its own disclosures.

But reference information is only valuable if you actually contact the references the vendor provides. Keep in mind that the vendor chose them, so corroborate what you hear with sources the vendor didn't pick, such as public filings, litigation records, and sanctions screening. This is a tedious process at times, but it is well worth the effort if it helps your company avoid a landmine.

Here are a couple of reference information requests that your due diligence questionnaire might include:

  • Please provide financial references, including banks, principal suppliers, etc.
  • Please provide the names of other organizations you have had business relationships with. For each, please include the organization's name, address, phone number, email address, and details of your relationship with them.

4) Cybersecurity Implementation

According to IBM's 2022 Cost of a Data Breach Report, the global average cost of a single data breach is $4.35 million. So it's no surprise that ensuring strong cybersecurity is the number one motivator for most organizations to conduct vendor due diligence.

If a vendor collects and stores sensitive data from your company, then any breach the vendor suffers could expose your own company's information. One of the most costly consequences of a breach is also the one that headline figures like the one above tend to understate: reputational damage. 

If your customers trust your brand with their personal information and get burned for it, they likely won't be too keen to do business with you again. They also probably won't care all that much that it's actually your vendor's fault and not your company's directly.

The cybersecurity implementation section of a vendor due diligence questionnaire is designed to assess the vendor's internal security controls and the weaknesses it may be exposed to. It includes questions about how data is collected and stored, the vendor's cybersecurity policies and procedures, the key employees responsible for overseeing data security, and the vendor's history of security incidents. Wherever a vendor claims a control or a certification, ask for the evidence (the audit report, the certificate and its scope, the policy document) rather than accepting a yes/no answer.

Here are a few examples of cybersecurity implementation questions that your due diligence questionnaire might include:

  • Has the company experienced any security incidents or data breaches? If so, how were they contained, remediated, and disclosed to affected customers?
  • Who are the key employees responsible for developing and implementing security requirements?
  • Has the company obtained a SOC 2 Type II report or ISO 27001 certification, or does it align with a framework such as the NIST Cybersecurity Framework? Please provide the report or certificate and describe its scope.

5) Disaster Recovery Plans

According to a 2021 survey from Information Technology Intelligence Consulting (ITIC), 91% of enterprises report that a single hour of server downtime costs their company $300,000 or more. 

Of course, server downtime isn't the only issue that can grind a company's operations to a halt and create untold expenses in the form of lost revenue and damaged reputation. If you rely on a vendor for a product or service that is critical to your company's operations, any disaster that creates downtime for the vendor could also seriously impact your business.

This is why vendors that provide mission-critical products or services must be classified as higher-risk vendors, even if their security posture is strong: the risk comes from your dependence on them, not only from their weaknesses. It's also why a vendor's disaster recovery plans are an essential topic to cover in your due diligence questionnaire. 

A disaster recovery plan details the policies, tools, and procedures an organization will use to respond to a disaster, with the emphasis on limiting downtime and disruption. The disasters such a plan covers can include data breaches and ransomware, power outages, and natural disasters. A plan that has never been exercised is only a document, so ask when it was last tested and what the test covered.

Here are a few examples of disaster recovery plan questions that your due diligence questionnaire might include:

  • Who are the key stakeholders and decision-makers involved in the disaster recovery process?
  • What is the scope of the company's recovery test process, and when was the last time you completed a full recovery test?
  • What types of disasters does the company have disaster recovery plans in place for?
  • What are the company's recovery time objectives (RTOs) and recovery point objectives (RPOs) by facility and application?

6) Regulatory Compliance

From anti-bribery and anti-corruption laws to environmental regulations, there is an extensive list of state, federal, and international laws and regulations that organizations must abide by. And when choosing your vendors, it's important to ensure that they abide by the ones that apply to them.

In many cases your company won't be directly liable if a vendor gets itself into legal trouble, though this is not universal: data protection regimes such as the GDPR hold the data controller responsible for the processors it chooses. Even where there is no legal exposure, "guilt by association" applies readily in the court of public opinion, so a vendor that ends up in legal trouble may significantly damage your own company's reputation. It may also disrupt your business if the vendor's legal issues disrupt their operations.

While there's no way to guarantee a vendor's future compliance with applicable laws and regulations, their past compliance record is a useful predictor. That is the focus of the regulatory compliance questions in a vendor due diligence questionnaire.

Here are a few examples of regulatory questions that your due diligence questionnaire might include:

  • What states and countries does the company operate in?
  • Are there any regulatory or legal proceedings pending against the company?
  • Are there any regulatory or legal proceedings that the company has been involved with in the past?
  • Has the company ever made settlements out of court for matters related to corruption, facilitation payments, or fraud?

7) Security Management

Data security management is one part of a vendor's overall cybersecurity posture, but it is important enough to deserve its own emphasis in a due diligence questionnaire. Confidential employee data, your company's intellectual property, and customer data (such as credit card or bank account information) are just a few examples of sensitive information that must be protected when shared with third-party vendors.

In your due diligence questionnaire, be sure to include questions about the type of data the vendor collects and stores, how it is stored and used, who can access it, how long it is retained, and the policies and procedures the company has in place to protect it. Where the vendor passes your data on to its own subcontractors (fourth parties), ask for those too, since your exposure follows the data.

Here are a few examples of security management questions that your due diligence questionnaire might include:

  • What data does the company collect and store, and how is that data used?
  • Who is authorized to access your company's data, and how is that access granted, reviewed, and revoked?
  • How is confidential data stored, and is it encrypted at rest and in transit?
  • Who is responsible for maintaining, storing, and destroying confidential data, and what is the retention period?
  • Is any of the data shared with subcontractors or other third parties?

8) Network Management

Another key element of strong cybersecurity, network security is intended to keep unauthorized parties off a vendor's network. Without the right tools and procedures for preventing unauthorized access, any data communicated across the vendor's network could be exposed to theft.

Network access control and network monitoring are the two key components of network security. Access control policies, strong authentication with multi-factor authentication (MFA), and network segmentation limit who can reach which systems, while ongoing network monitoring and logging detect unauthorized access when prevention fails.

Here are a few examples of network management questions that your due diligence questionnaire might include:

  • What network access controls does the company have in place, and is multi-factor authentication required for remote and administrative access?
  • What network monitoring and logging tools or procedures does the company use, and how long are logs retained?
  • What antivirus or endpoint detection and response (EDR) solutions has the company implemented?


Manage Third-Party Vendor Risk With the Power of HyperComply

Vendor due diligence is vital for managing your company's risk, but creating, sending, and analyzing due diligence questionnaires is often a mountain of a task. With HyperComply, it doesn't have to be.

HyperComply streamlines the vendor due diligence process by providing companies with comprehensive security questionnaire templates, the ability to send security questionnaires and track their progress from a single, user-friendly dashboard, and a vendor knowledge base for organizing important vendor information. 

HyperComply also makes the due diligence process easier for your vendors by helping them autofill the answers to security questionnaires via advanced machine learning tools. This speeds up security questionnaire response times and further streamlines the due diligence process.

To get started managing the risk of third-party vendors and sending security questionnaires completely free of charge, sign up for HyperComply today.