Vendor Due Diligence Techniques: What to Verify When the Questionnaire Comes Back
TL;DR
- A completed vendor questionnaire is self-reported data. Verification — through document review, independent research, and for critical vendors, site visits — is what separates a defensible TPRM program from a check-the-box exercise.
- The 2023 OCC/FDIC/Fed Interagency Guidance sets a risk-based standard: due diligence depth must match vendor criticality. Critical (Tier 1) vendors require extensive document review, including SOC 2 Type II reports, financials, and pen test results. Tier 3 vendors may get attestation only.
- Six red flags consistently escape questionnaire answers: adverse media, financial distress, SOC 2 scope carve-outs, stale penetration test dates, key-person concentration, and undisclosed subcontractors.
- Documentation is the difference between a defensible program and an exam finding. Capture your reasoning at every step — tier decision, document review notes, independent verification, and the approval decision with date and approver.
The questionnaire came back. Every box is checked. Your vendor scores a 92/100 on the risk tool. The account manager is helpful and the price is right.
Now what?
This is where most TPRM programs stop — and where regulators expect you to keep going. A completed vendor questionnaire is the starting point for due diligence, not the finish line. Vendors answer based on what they believe about themselves, or what they want you to believe. There’s no verification mechanism built into a questionnaire. Security rating firms that measure vendor posture independently routinely find gaps between self-reported scores and measured performance.
The 2023 Interagency Guidance on Third-Party Relationships from the OCC, FDIC, and Fed is explicit: banking organizations should “consider requesting and reviewing documentation that supports vendor representations,” including audit reports, certifications, and financial statements. “We sent them a questionnaire” is not a due diligence program. It’s a data collection activity.
Here’s how to actually verify what you’ve been told.
Scale Your Verification to the Vendor’s Risk Tier
Not every vendor gets the same scrutiny. That’s not laziness — it’s the right approach. The Interagency Guidance is clear that due diligence depth must be “commensurate with the risk and criticality of the activity.” Applying Tier 1 rigor to your logo design vendor wastes resources; applying Tier 3 treatment to your core banking processor creates regulatory exposure.
A three-tier framework works for most organizations:
| Tier | Criteria | Verification Depth |
|---|---|---|
| Tier 1 – Critical | Access to sensitive customer data, core business process dependency, regulatory reporting involvement | Full document package, independent research, site visit or virtual walkthrough for new vendors |
| Tier 2 – Standard | Material operational support, some data access, meaningful business impact if disrupted | Document review (SOC 2, financials), security rating, adverse media check |
| Tier 3 – Low Risk | Commoditized service, no data access, easily replaceable | Attestation, basic screening |
Your vendor risk tiering methodology determines what tier a vendor lands in before you start due diligence — which determines what you need to verify. If the tier is wrong, the verification depth will be wrong.
The Six Document Categories and How to Read Each One
1. SOC 2 Type II Reports
The SOC 2 Type II is the closest thing the industry has to an independent verification of a vendor’s security and availability controls. But most TPRM teams treat SOC 2 reports as a binary pass/fail (“do they have one?”) rather than actually reading them.
What to look for:
Scope and coverage dates. A SOC 2 report covers a specific time period — often six or twelve months. A report dated 14 months ago with a six-month coverage window leaves an eight-month gap where you have no independent visibility. Request a bridge letter if coverage is more than 12 months old.
Which Trust Service Criteria apply. Security is always included. But if you’re buying from a SaaS vendor, you should ask whether Availability is in scope. If they handle financial data, Confidentiality matters. If they process regulated health data, Privacy. A narrow scope — “Security only, one system” — should raise questions about what wasn’t covered.
Exceptions and qualified opinions. The management response to exceptions matters. A vendor with two exceptions and a credible remediation plan is better positioned than a vendor with no exceptions in a report that covered almost nothing. Read the complementary user entity controls (CUECs) — some controls only work if your organization does its part too.
Type I vs. Type II. A Type I report says controls were designed correctly at a point in time. A Type II says they were operating effectively over a period. For critical vendors, Type II is the standard.
2. Financial Statements
A vendor can check every security box and still be out of business in 18 months. Financial viability is a due diligence requirement under the Interagency Guidance, and it’s one that many teams skip because it feels like finance’s problem, not risk’s.
For critical vendors, request the two most recent years of audited financials — or at minimum, year-end financials with a management discussion. Look for:
- Revenue trends. Consistent decline in a SaaS vendor’s recurring revenue is a concentration-risk signal.
- Customer concentration. If one client represents 40% of revenue and that client is also a competitor, viability risk is real.
- Cash runway and debt load. This matters most for startups and mid-market vendors. A fintech with 8 months of runway and a major contract up for renewal next quarter may not survive to renew yours.
- Audit qualifications. A going-concern qualification from the auditor is not a routine footnote.
3. Penetration Test Results
A questionnaire might ask “do you conduct annual penetration testing?” A “yes” answer tells you almost nothing. What you actually need to know: who conducted it, when, what scope was covered, and what findings came out of it.
Request the penetration test executive summary (not the full report with exploit details — that’s a security risk to share) from the past 12 months. Evaluate:
- Tester independence. Internal pen tests don’t count. The tester should be an independent third party.
- Test age. Over 12 months is stale for Tier 1 vendors. Some financial services contracts now specify 6-month cadences for critical infrastructure vendors.
- Scope coverage. Did the test cover the systems that touch your data specifically?
- Finding remediation status. High and critical findings should have documented remediation or compensating controls. Unresolved criticals are a negotiating point and potentially a deal-breaker.
4. Insurance Certificates
Request a certificate of insurance (COI) showing active coverage for: general liability, professional liability (errors and omissions), cyber liability, and workers’ compensation. For vendors with significant data access, minimum cyber liability coverage should be in the $1–5M range depending on your data volumes, with your organization named as an additional insured.
Check expiration dates. A COI is a point-in-time snapshot — coverage can be allowed to lapse after the certificate is issued. Consider contractual language requiring the vendor to notify you of any material change in coverage.
5. Regulatory and Legal History
Vendors won’t voluntarily list their enforcement actions and consent orders in a questionnaire. Run independent checks through:
- CFPB enforcement database for any fintech or consumer-facing vendors
- SEC EDGAR for any public company vendors — look for material legal proceedings disclosures
- State licensing portals if the vendor is a licensed entity (money transmitter, insurance, etc.)
- Adverse media search — Google, LexisNexis, or a purpose-built screening tool. Search the company name plus principals’ names with terms like “fraud,” “sanction,” “lawsuit,” “settlement,” “investigation”
- OFAC and sanctions screening — especially for vendors with international operations or ownership
This step is quick and consistently catches things questionnaires miss. A vendor may truthfully answer “no material legal proceedings” while having a pattern of BBB complaints, state AG investigations, or former employee lawsuits that tell a different story about how the company operates.
6. Business Continuity Documentation
If a critical vendor goes offline for 72 hours, what happens to your operations? The Interagency Guidance specifically calls out business continuity as a due diligence factor. For Tier 1 vendors, request:
- BCP/DR plan summary (not the full plan — an executive summary or attestation)
- Most recent BCP test results and date of last full test
- Recovery time objective (RTO) and recovery point objective (RPO) commitments for your specific services
- Data backup frequency and restoration testing results
Compare their RTOs against your own recovery objectives. A vendor with a 24-hour RTO supporting a process where you’ve committed to a 4-hour internal RTO is a problem waiting to happen.
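The checks described above for SOC 2 coverage dates, penetration test age, insurance certificate expiry and RTO alignment, together with the tier table earlier in the article, can be turned into a small evidence-freshness evaluator. The following Python is an added example written for this page, not code from the article or from RiskTemplates; the `VendorEvidence` record, the finding codes, and the thresholds marked as assumptions in the comments are this example's own choices, and the sample vendor values are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Thresholds: taken from the article where it states one, marked as an
# assumption where it does not.
SOC2_MAX_COVERAGE_AGE_DAYS = 365            # article: request a bridge letter past 12 months
PENTEST_MAX_AGE_DAYS = {1: 365, 2: 365}     # article: >12 months is stale for Tier 1; Tier 2 value assumed
SOC2_REQUIRED_TIERS = {1, 2}                # article tier table: SOC 2 review for Tier 1 and Tier 2
PENTEST_REQUIRED_TIERS = {1}                # assumption: pen test summary required only for Tier 1


@dataclass
class VendorEvidence:
    """What the vendor actually supplied, as dates and facts rather than questionnaire 'yes' answers."""
    name: str
    tier: int
    soc2_period_end: Optional[date] = None          # last day of the SOC 2 Type II coverage window
    soc2_criteria: frozenset = frozenset()          # Trust Service Criteria in scope
    required_criteria: frozenset = frozenset()      # criteria you need in scope for this service
    pentest_date: Optional[date] = None
    pentest_independent: Optional[bool] = None      # third-party tester, not internal staff
    coi_expires: Optional[date] = None              # expiry date on the certificate of insurance
    vendor_rto_hours: Optional[float] = None        # vendor's committed recovery time objective
    internal_rto_hours: Optional[float] = None      # your own RTO for the dependent process


def soc2_coverage_gap_days(period_end: date, as_of: date) -> int:
    """Days since the coverage window closed: the span with no independent visibility."""
    return (as_of - period_end).days


def needs_bridge_letter(period_end: date, as_of: date) -> bool:
    return soc2_coverage_gap_days(period_end, as_of) > SOC2_MAX_COVERAGE_AGE_DAYS


def pentest_is_stale(test_date: date, tier: int, as_of: date) -> bool:
    limit = PENTEST_MAX_AGE_DAYS.get(tier)        # tiers without a limit are never stale
    return limit is not None and (as_of - test_date).days > limit


def coi_lapsed(expires: date, as_of: date) -> bool:
    return expires < as_of


def rto_mismatch(vendor_rto_hours: float, internal_rto_hours: float) -> bool:
    """The vendor's RTO must not be longer than the RTO you committed to internally."""
    return vendor_rto_hours > internal_rto_hours


def evaluate(v: VendorEvidence, as_of: date) -> list:
    """Return (code, detail) findings; an empty list means the package is current for its tier."""
    findings = []
    if v.tier in SOC2_REQUIRED_TIERS:
        if v.soc2_period_end is None:
            findings.append(("SOC2_MISSING", "no SOC 2 Type II report on file"))
        else:
            gap = soc2_coverage_gap_days(v.soc2_period_end, as_of)
            if needs_bridge_letter(v.soc2_period_end, as_of):
                findings.append(("SOC2_BRIDGE_LETTER", f"coverage ended {gap} days ago; request a bridge letter"))
            elif gap > 0:
                findings.append(("SOC2_COVERAGE_GAP", f"{gap} days since coverage ended"))
        missing = v.required_criteria - v.soc2_criteria
        if missing:
            findings.append(("SOC2_SCOPE", "criteria not in scope: " + ", ".join(sorted(missing))))
    if v.tier in PENTEST_REQUIRED_TIERS:
        if v.pentest_date is None:
            findings.append(("PENTEST_MISSING", "no penetration test summary on file"))
        else:
            if pentest_is_stale(v.pentest_date, v.tier, as_of):
                findings.append(("PENTEST_STALE", f"last test {(as_of - v.pentest_date).days} days old"))
            if v.pentest_independent is False:
                findings.append(("PENTEST_NOT_INDEPENDENT", "internal test does not count"))
    if v.coi_expires is not None and coi_lapsed(v.coi_expires, as_of):
        findings.append(("COI_LAPSED", f"insurance certificate expired {v.coi_expires.isoformat()}"))
    if (v.vendor_rto_hours is not None and v.internal_rto_hours is not None
            and rto_mismatch(v.vendor_rto_hours, v.internal_rto_hours)):
        findings.append(("RTO_MISMATCH", f"vendor RTO {v.vendor_rto_hours}h exceeds internal RTO {v.internal_rto_hours}h"))
    return findings


# Constructed sample: a Tier 1 vendor reviewed on 2025-03-01 (every value is made up).
AS_OF = date(2025, 3, 1)
SAMPLE = VendorEvidence(
    name="Example Processor (constructed)",
    tier=1,
    soc2_period_end=date(2024, 6, 30),               # six-month window, Jan to Jun 2024
    soc2_criteria=frozenset({"Security"}),
    required_criteria=frozenset({"Security", "Availability"}),
    pentest_date=date(2023, 12, 15),
    pentest_independent=True,
    coi_expires=date(2025, 2, 15),
    vendor_rto_hours=24,
    internal_rto_hours=4,
)


def sample_finding_codes() -> list:
    return [code for code, _ in evaluate(SAMPLE, AS_OF)]


if __name__ == "__main__":
    for code, detail in evaluate(SAMPLE, AS_OF):
        print(f"{SAMPLE.name}: {code}: {detail}")
```

Each finding maps to one of the document-review questions above, so the output doubles as the "review notes" line for the due diligence file. The Tier 3 path deliberately produces no SOC 2 or pen test findings, matching the tier table's attestation-only treatment; raising a vendor's tier is what turns the same evidence package into findings.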
Red Flags That Don’t Appear in Questionnaire Responses
Six patterns consistently escape questionnaire-based due diligence:
1. Adverse media on principals, not the company. Vendors sanitize company answers but can’t control what’s searchable about their founders, executives, or key technical staff. A CTO with a prior securities fraud conviction won’t appear in the vendor questionnaire.
2. Financial distress signaling without a balance sheet. Even without audited financials, mass layoffs (visible on LinkedIn), a significant leadership departure, office downsizing, or price-cutting behavior all signal viability risk.
3. SOC 2 scope carve-outs for the exact systems you care about. “Our SOC 2 covers our main application” might exclude the API layer, the data warehouse, or the infrastructure tier that actually processes your data.
4. The 14-month pen test. Questionnaires ask “do you conduct penetration testing” — not “when was your last test completed.” Vendors with an 18-month gap will answer “yes.”
5. Undisclosed subcontractors with data access. The vendor you’re vetting may rely on a fourth party — a cloud data processor, a customer support platform, a background check vendor — that also touches your data. The Interagency Guidance requires visibility into subcontractor chains for critical vendors. Questionnaires rarely capture this adequately.
6. Key-person concentration. A five-person security team where the one person who built the entire infrastructure is also the CEO’s brother-in-law is a concentration risk. It doesn’t show up in a questionnaire.
When to Do a Site Visit or Virtual Walkthrough
For new Tier 1 vendors — particularly those with access to large volumes of sensitive data or involvement in critical business processes — a site visit or structured virtual walkthrough adds verification that documents can’t provide. You’re looking for evidence that stated controls are actually operational, not just documented.
A structured walkthrough covers: physical security controls (data center access, clean desk policy), personnel practices (security training evidence, background check documentation), operations center maturity (monitoring tools, incident response procedures), and a live demo of the access control and logging environment.
Virtual walkthroughs via screen share have become standard practice. They’re not as rigorous as on-site visits for a $50M cloud infrastructure dependency, but they’re far better than document review alone.
Documentation That Survives an Exam
The most common due diligence finding in OCC and FDIC examinations isn’t missing documents — it’s missing reasoning. Programs often collect documents but fail to document what they found, what they concluded, and who approved the relationship.
A defensible due diligence file for a critical vendor includes:
- Risk tier assignment with documented rationale
- Completed questionnaire with date received and version
- Documents requested vs. documents received (with follow-up notes on gaps)
- Review notes for each document category — what you found, any concerns noted
- Independent verification steps taken (security rating pull date, adverse media search date and results, financial analysis notes)
- Overall risk rating with supporting justification
- Approval decision — approver name, date, any conditions attached
The “conditions attached” item is underused. If a vendor’s penetration test is six months old and they’ve committed to sharing the new one within 30 days of completion, document that commitment and the follow-up trigger. That’s evidence of a functioning program, not a gap.
So What?
Questionnaire-based due diligence catches the vendors who aren’t paying attention. Document-based verification catches the vendors who are misrepresenting. Independent research catches the vendors who are optimistic about themselves. And structured walkthroughs catch the vendors who are well-intentioned but organizationally chaotic.
The OCC’s 2023 Interagency Guidance set a clear standard: due diligence rigor must match vendor risk. That’s not a compliance exercise — it’s the logical requirement for a program that’s supposed to protect you from the operational failures, data breaches, and compliance violations of companies you’ve chosen to rely on.
The practitioner reality: most TPRM programs are better at collecting questionnaire responses than at verifying them. The ones that hold up under examination — and more importantly, under an actual vendor failure — are the ones that treat the questionnaire return as the beginning of the process, not the end.
The RiskTemplates Third-Party Risk Management (TPRM) Kit includes a complete vendor due diligence document request checklist, risk tiering matrix, due diligence questionnaire, scorecard template, and approval documentation framework — built to 2023 interagency guidance standards.
Further Reading
- Vendor Risk Management: The Complete Process from Onboarding to Offboarding
- Vendor Risk Assessment Template: What to Ask Vendors Before You Sign
- Fourth-Party Risk: When Your Vendor’s Vendor Becomes Your Problem
Sources:
- OCC Interagency Guidance on Third-Party Relationships: Risk Management (2023)
- SOC Reports as a Due Diligence Tool: Best Practices for TPRM Teams — Panorays
- Third-Party Risk Management Guide 2026 — UpGuard
- Best Practices for Screening and Due Diligence — 3rdRisk
- Vendor Due Diligence Question and Answer — Venminder
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.