SR-6 / CA-2 / A.15.1.1 NIST SP 800-53 Rev 5

Are due-diligence questionnaires sent and tracked automatically (rather than via email)?

Demonstrate that due-diligence questionnaires are distributed, tracked, and managed through an automated system that provides centralized oversight, audit trails, and status monitoring without reliance on manual email-based processes.

Description

What this control does

This control ensures that vendor and third-party due-diligence questionnaires (DDQs) are managed through a dedicated platform or workflow automation system rather than manual email exchanges. Automated tracking provides centralized visibility into questionnaire distribution, completion status, follow-up requirements, and version control. This reduces the risk of questionnaires being lost, overlooked, or inconsistently applied across the vendor portfolio, and ensures timely completion of vendor risk assessments before onboarding or contract renewal.

Control objective

What auditing this proves

An auditor can show that every DDQ issued in the review period was distributed, tracked to completion and approved inside a single automated system, that each step left a system-generated audit record (distribution, recipient confirmation, completion, approval), and that email was not used as a distribution or tracking channel.

Associated risks

Risks this control addresses

  • Vendors bypass security review because DDQs are lost in email threads or sent to the wrong recipients
  • Incomplete or outdated questionnaire responses are accepted because nothing flags missing sections or expired submissions
  • Third-party onboarding proceeds without completed due diligence because approval workflows are not systematically enforced
  • Audit trails are incomplete or reconstructed after the fact because email-based processes leave fragmented documentation across multiple inboxes
  • High-risk vendor relationships are not escalated for additional scrutiny because email-based tracking has no automated risk-scoring triggers
  • Questionnaire versions differ across vendors, making comparative risk analysis unreliable and allowing some vendors to be assessed against superseded criteria
  • Follow-up on overdue questionnaires is delayed or omitted because there are no automated reminders or escalation paths

Testing procedure

How an auditor verifies this control

  1. Obtain a list of all vendors onboarded or reassessed within the past 12 months from procurement or vendor management systems.
  2. Request access to the due-diligence questionnaire platform or workflow system and document its configuration, including automated tracking, reminder, and escalation settings.
  3. Select a judgmental sample of 15-20 vendor records spanning new onboardings, renewals, and high-risk classifications.
  4. For each sampled vendor, retrieve the DDQ submission record from the automated system and verify it contains distribution date, recipient confirmation, completion timestamp, and approver sign-off.
  5. Review the platform's audit logs to confirm that each sampled DDQ was distributed from the platform. Because platform logs cannot by themselves prove that nothing was sent by email, corroborate with a search of vendor-management mailboxes or the mail gateway for questionnaires sent outside the platform during the review period.
  6. Interview vendor management personnel to confirm email-based DDQ distribution is prohibited by policy and verify they access questionnaires exclusively through the automated system.
  7. Test the platform's automated tracking by reviewing dashboard reports showing overdue questionnaires, outstanding follow-ups, and completion rates across the vendor population.
  8. Validate that the system enforces completion checkpoints by attempting to approve a vendor record with an incomplete or missing DDQ, confirming the system blocks progression until requirements are satisfied.
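
As an added illustration of the record-level checks in steps 4, 5, 7 and 8, the following Python script (example code written for this page, not taken from any DDQ product or from the control's source) runs those checks over a constructed platform export. The record layout, the 30-day completion SLA and the current template version are assumptions chosen for the example; a real export would be mapped onto them.

```python
from datetime import date

# Constructed sample export from a DDQ platform. The field names are an
# assumption for this example, not any particular product's schema.
SAMPLE_RECORDS = [
    {"vendor": "Acme Hosting", "risk_tier": "high", "channel": "platform",
     "distributed": "2024-01-10", "recipient_confirmed": "2024-01-10",
     "completed": "2024-01-25", "approved": "2024-01-30", "template_version": "v4"},
    {"vendor": "Blue Payroll", "risk_tier": "medium", "channel": "platform",
     "distributed": "2024-02-01", "recipient_confirmed": "2024-02-02",
     "completed": None, "approved": None, "template_version": "v4"},
    {"vendor": "Cobalt Analytics", "risk_tier": "high", "channel": "email",
     "distributed": "2024-01-15", "recipient_confirmed": None,
     "completed": "2024-01-20", "approved": "2024-01-21", "template_version": "v3"},
    {"vendor": "Delta Print", "risk_tier": "low", "channel": "platform",
     "distributed": "2024-02-10", "recipient_confirmed": "2024-02-10",
     "completed": None, "approved": "2024-02-12", "template_version": "v4"},
]

# Fields step 4 of the testing procedure expects on every approved record.
REQUIRED_FIELDS = ("distributed", "recipient_confirmed", "completed", "approved")


def _to_date(value):
    """ISO date string -> date; None stays None."""
    return date.fromisoformat(value) if value else None


def audit_ddq_records(records, as_of, sla_days=30, current_version="v4"):
    """Apply the auditor's checks to each record.

    Returns {vendor: [finding, ...]} containing only vendors with findings.
    sla_days and current_version are assumed policy values for this example.
    """
    review_date = _to_date(as_of)
    findings = {}
    for rec in records:
        issues = []
        # Step 5: every DDQ must originate from the platform, not email.
        if rec["channel"] != "platform":
            issues.append(f"distributed via {rec['channel']}, outside the platform")
        distributed = _to_date(rec["distributed"])
        completed = _to_date(rec["completed"])
        approved = _to_date(rec["approved"])
        # Steps 4 and 8: an approved record must carry the full evidence set;
        # approval without completion means the checkpoint was bypassed.
        if approved:
            missing = [f for f in REQUIRED_FIELDS if not rec.get(f)]
            if missing:
                issues.append("approved record missing: " + ", ".join(missing))
        # Step 7: open questionnaires older than the SLA are overdue.
        if not completed and distributed:
            age = (review_date - distributed).days
            if age > sla_days:
                issues.append(f"overdue: {age} days since distribution")
        # Version drift makes comparative analysis unreliable.
        if rec["template_version"] != current_version:
            issues.append(f"uses superseded template {rec['template_version']}")
        if issues:
            findings[rec["vendor"]] = issues
    return findings


def completion_rate(records):
    """Share of records with a completion timestamp (dashboard metric in step 7)."""
    done = sum(1 for rec in records if rec["completed"])
    return done / len(records) if records else 0.0


if __name__ == "__main__":
    for vendor, issues in audit_ddq_records(SAMPLE_RECORDS, "2024-03-15").items():
        print(vendor)
        for issue in issues:
            print("  -", issue)
    print(f"completion rate: {completion_rate(SAMPLE_RECORDS):.0%}")
```

Run against the constructed data with a review date of 2024-03-15, the script clears Acme Hosting, flags Blue Payroll as overdue, flags Cobalt Analytics for email distribution, a missing recipient confirmation and a superseded template, and flags Delta Print for approval without completion plus an overdue questionnaire. The same logic applied to a real export gives the auditor a repeatable basis for the sample review rather than a manual read of each record.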

Evidence required

Collect configuration screenshots from the DDQ automation platform showing workflow rules, reminder schedules, and completion tracking dashboards. Obtain system-generated reports listing all DDQs distributed during the review period with status indicators, timestamps, and audit trail metadata. Export audit logs demonstrating that DDQ activity is contained within the platform and includes approval checkpoints, along with the policy documentation prohibiting email-based DDQ distribution.

Pass criteria

All sampled vendor due-diligence questionnaires are distributed, tracked, and completed exclusively through an automated system with documented audit trails, and no evidence exists of DDQs managed via email during the review period.