Cover & Rossiter to Join The Bonadio Group. Learn more.

Vendor Due Diligence Considerations

By Grace Gonzalez, on August 25th, 2022

As the compliance and regulatory world becomes increasingly complex with every passing year, many higher education institutions are seeking outside consulting help. This can be very effective and allow colleges and universities to do what they do best, focus on serving students, without worrying about the day-to-day processing of credit card payments, payroll, retirement distributions, and collections, for instance. The strategy can also result in significant cost savings as organizations can select a value-based outside consulting option, which can be more cost effective than having to hire internal experts. But having an outside partner is not the same as putting things on autopilot and forgetting about them. In most cases, the institution still has a responsibility to safeguard assets and ensure compliance and accurate reporting, even when the outsourced day-to-day operations are managed by another party. So how does one effectively manage third parties?

The first step is assessing the risk involved with each third-party vendor on at least an annual basis. Whether this is done through a scoring rubric, a yes/no checklist or another tool, a few simple questions to ask are: Does this vendor have access to my student, employee, financial data? What type of data – sensitive, protected, etc.? To what extent? If there was an interruption in the vendor service, how long could you manage without experiencing severe consequences or sustaining significant financial loss? If, for instance, the institution’s collection process is done by a third party, interruption in service that lasts a few days may not be as critical as accessing student data on a platform maintained by a third party. The higher the number of “yes” answers, the higher the likelihood that this is a critical vendor requiring annual due diligence. Other items to consider are regulatory requirements as there are different sets of associated expectations. For example, vendor due diligence expectations for a retirement plan sponsored by a college or university may differ based on the number of eligible plan participants. Similarly, expectations for institutions utilizing third-party investment managers increase as the size and complexity of the investment portfolio increases.

Once the critical vendors for the institutions have been identified, it is time to think about the specific due diligence procedures. While the list below is not exhaustive, here are a few ways to get you started:

  • Meet with the vendor annually to discuss needs and strategy— if the vendor is managing your student data, what are they doing to secure the data? What are the new and upcoming regulatory changes and how are the preparing for those? More importantly, how will they help your organization prepare for them? Consider discussing your institution’s strategic goals as well. Perhaps the vendor’s application, technology and/or services that are working for your organization today are different from the ones that will be needed tomorrow. Periodic meetings with the vendor would also give you a perfect opportunity to inquire of any of areas of concerns at the vendor level (turnover, capacity, etc.) that may impact your institution by extension.
  • Ask for and review the vendor’s Service Organization Controls (SOC) 1 report— many service providers such as payroll providers, billing processors, investment managers and retirement plan third party administrators are examined by an independent auditor on an annual basis. The auditor reviews and tests specific controls at the vendor and provides an opinion as to whether or not the checks and balances at the vendor were designed and operated as intended during a period of time. While SOC 1 reports can be lengthy, reviewing them doesn’t have to be overwhelming. Start by reviewing the opinion to ensure it doesn’t include any exceptions or modifications. If the opinion is “clean,” look at the testing exceptions noted by the vendor auditor— are there any exceptions relevant to the functions the vendor performs for your institution? If so, do you have internal controls that would have detected and corrected any issues on your end? Consider discussing the audit exceptions with the vendor and understanding the steps they are taking to prevent them in the future.
  • Ensure there are strong controls over the input information your institution is providing to the vendor. In most cases, the vendor doesn’t independently verify the completeness or accuracy of the information your institution is providing. Even if the vendor has strong checks and balances in place, the output will only be accurate to the extent the input was. Typically, a SOC1 report includes a list of complementary user controls which the vendor assumes your organization has in place. Consider reviewing those on an annual basis and ensuring that they have been properly implemented.
  • Review your contractual agreements and ensure that vendor has responsibility to notify you of any fraud, noncompliance with laws and regulations, adverse actions, etc. within a certain timeframe so your institution has an opportunity to act before it is too late.

Your vendor can be a valuable partner in growing your institution and retaining your best employees. Vendor management doesn’t have to be complicated or overwhelming. Start the conversation today!

If you need further guidance or have any questions on this topic, we’re here to help. Please do not hesitate to reach out to our trusted experts to discuss your specific situation.

This material has been prepared for general, informational purposes only and is not intended to provide, and should not be relied on for, tax, legal or accounting advice. Should you require any such advice, please contact us directly. The information contained herein does not create, and your review or use of the information does not constitute, an accountant-client relationship.

Share on LinkedIn
Share on Facebook
Share on X

Written By

Related Industries