Vendor Due Diligence Services


Vendor due diligence is a critical component of managing vendors. In both the pre-contract and post-contract stages of the lifecycle, you should be gathering and analyzing due diligence. Efficiently send due diligence questionnaires (DDQs) directly from our ID GRC platform and track which vendors have been sent them. Our GRC tool and team of experts will manage, monitor, validate, and remediate the risks presented by third-party vendors, ensuring your vendors protect your data, comply with regulations, and provide sustainable services that meet your requirements.

Identifying and assessing factors affecting capital allocation and growth potential is critical during the diligence process. For private equity and corporate acquirers, risks associated with IT can consume significant post-close investment or impair long-term revenue gains.

Risk Cognizance helps financial organizations cost-effectively comply with FINRA, FinCEN, SEC, OCIE, FTC, and NFA requirements. Our staff have years of FINRA, FinCEN, SEC, OCIE, FTC, and NFA experience.

Vendor Diligence and Management

  • Initial Due Diligence: Involves analyzing and verifying that your prospective vendor meets your needs and is in regulatory compliance. You need to determine if a relationship would help achieve your organization’s strategic and financial goals and then mitigate identified risks to the best of your ability.

  • Ongoing Due Diligence: Involves the ongoing monitoring of your vendor to ensure they continually meet your needs. Not only should due diligence be performed prior to selecting a vendor, but it should also be performed periodically during the course of the relationship. The more critical the vendor is to your operation, the higher the frequency of your ongoing due diligence schedule.

  • Automated & Standardized: Vendor Due Diligence Assistant allows companies to auto-assess their vendors against regulatory and internal guidelines, e.g. to identify potential money laundering risks. The tool ensures a consistent approach and documentation.


Our IT due diligence services include:

  • Buy-side IT diligence. This is a holistic, deep dive assessment done by an onsite team of Risk Cognizance professionals. It looks at the strategy of the IT function and alignment with the business, business applications and whether key processes are supported and effective, the condition of infrastructure, capabilities and sufficiency of leadership, staff, and vendors, and sufficiency of budget. The report includes considerations during acquisition, the hold period, and for eventual sale.

  • Limited-scope IT diligence. This is a customized assessment that targets a limited portion of the items covered in a full buy-side diligence. A limited-scope review is often performed as an exploratory measure before an official letter of intent (LOI) is signed or when deal size or IT complexity does not warrant a more robust analysis. The report includes considerations during acquisition, and may provide recommendations for areas warranting deeper exploration post-LOI execution.

  • Sell-side review. This is a buy-side-like diligence performed on the company, which then turns into a workshop to review risks and prioritize near-term investments. Sellers are also provided a buy-side request list, so they can begin preparing core materials to improve and accelerate the buy-side process. Coaching of the IT leadership may occur at this point.


Due Diligence Protects your business from REPUTATION RISK

Reputation risk refers to negative public opinion or customer perception that stems from irresponsible vendor practices. Insecure vendor remote access can lead to a number of problems that may destroy customer relationships and harm your company’s reputation, including:

  • Customer complaints

  • Dissatisfied customers

  • Interactions inconsistent with company policies

  • Security breaches resulting in the disclosure of customer information

  • Violations of laws and regulations


Operational risk results from internal breaches, process failures, and system failures. Third-party vendors are increasingly an extension of operational risk, since they are closely tied to operational processes and business practices. Operational risks may be caused by:

  • Employee error

  • Failure to adhere to internal policies

  • Internal and external fraud or criminal activity

  • System failures

Due Diligence Compliance Assessment Services

Risk Cognizance can help your organization meet the security, confidentiality, availability and privacy requirements of one or more regulations. We offer a modular approach based upon your needs, consisting of one or more of the following components:

  • FERPA Security Assessment

  • SOX & SOC Security Assessment

  • ISO 27001 Security Assessment

  • NIST Security Assessment

  • FedRAMP Assessment

  • COBIT GAP Assessment

  • ITIL Assessment

  • GLBA Security Assessment

  • GDPR Security Assessment

  • FISMA Security Gap Assessment

  • HIPAA Security Assessment

  • HITECH Security Assessment

  • PCI DSS Security Assessment

  • FINRA Cybersecurity Assessment

Third-party Due Diligence For Financial Services

Within a Vendor Due Diligence Assistant, all collected vendor information, due diligence reports and next steps are tracked and documented in a centralized audit trail. This allows businesses to prove and document compliance efforts, if needed. Vendor monitoring is often the forgotten pillar of third party risk management. It’s easier to do the initial vendor due diligence on the upfront, onboarding side of the equation. While initial due diligence is critical and can be a trying experience you don’t want to repeat, the ongoing monitoring and constant oversight of your vendors is the real meat and potatoes of any third party risk management program. Your vendor risk management program will earn its reputation, good or bad, with ongoing monitoring. If your program is operational and the board thinks everything is great, keep it that way by keeping your finger on the pulse of your vendors.