the right vendors and properly managing vendor relationships can help protect your company from damages and long-term losses.
As more work is outsourced to specialized vendors, companies face greater exposure to fraud, security breaches and the possibility of financial losses. When companies outsource, they are still responsible for protecting sensitive information belonging to customers and the company. Consider these tips:
Invite many vendors to participate in the request for proposals (RFP). Prepare an RFP that covers the majority of business concerns while setting expectations for the vendor from a legal perspective. The RFP often forms the basis of the contract. Vendors with the most flexible terms and the strongest interest will bubble up to the short list.
Prepare a detailed questionnaire to determine the level of sophistication of the vendor’s operations, policies and security. The responses can be a barometer of the vendor’s level of compliance with policies important to your company and can also be used as written representation of vendor abilities in the future event of a breach and/or legal
Review three years of the potential vendor’s audited financial statements, including the audit opinion and trends in profitability and cash flow. For software companies, review the level of research and development spending on products. Determine the vendor’s largest customers and solicit opinions from them on the company’s performance.
Ensure the contract terms are beneficial to your company. Often the vendor will produce the contract. Review it for penalties and termination clauses, warranties offered, and maintenance and annual increases required. Ensure that there is a return of confidential data at termination, remedy for breach, conversion assistance at termination, a right to audit, favorable payment terms, disaster recovery plans and test sites.
Make sure the contract prohibits assignment without permission and allows for escrow agreements and the avoidance of unfavorable evergreen (or automatic renewal) clauses. Service-level agreements should benefit your company and be measurable and enforceable.
Ensure you can protect sensitive information belonging to your customers or company. Obtain SysTrust reports, which attest to a system’s reliability and ability to operate without material error, flaw or failure, and type II SAS 70 reports, and review the tests of controls.
Review perimeter controls and policies related to how the vendor restricts access through passwords, patching and encryption, as well as through segregation of duties. Identify the tools the vendor uses to protect against viruses and detect intrusions, and confirm that they are in place and adequate. Review the mechanisms the vendor uses to protect itself when it engages third parties.
After selecting a vendor, track statistics on invoice disputes and errors to determine how effectively the recipient of the vendor’s services within your company is reviewing details on the invoices. If your in-house contact is doing his or her job, it is highly likely there will be invoice disputes. Publish those statistics within your company and identify vendors with persistent
Review volumes and related statistics. Ensure that the company can validate invoice amounts using independent statistics that are internally generated. These amounts should be reconciled to the invoices, and differences should be resolved before payment.
Track vendor performance and compliance. Periodically solicit from the recipient of the vendor’s services an assessment of the vendor’s performance. Responses to these performance evaluations should stimulate discussions, and in some cases, new RFPs.
Maintain an inventory of contracts that includes the vendor’s certificate of insurance; initial contracts; current contract amendments and addendums; privacy protection forms; dates of notification, termination or renewals; and the total annual value of the contract.
— Joseph P. Savidge, CPA,
is senior vice president of finance and
administration, technology and operations for
Webster Financial Corp., in Bristol, Conn.