
Due diligence is broken at most companies — here’s how to actually fix it

Conducting your due diligence on prospective – and current – vendors is not a one-and-done step. It’s a process, as Mike Hakob of Andava explains.


Most businesses have some version of a vendor vetting process. A few questions get asked, someone checks a website, a contract gets signed and the relationship begins. It feels like due diligence. It usually isn’t.

The gaps tend to stay invisible until something goes wrong — a vendor goes dark mid-project, a payment lands in the wrong hands or an audit reveals you’ve been doing business with an entity that was never properly registered to begin with. By that point, the damage is done and the conversation shifts from “how do we prevent this” to “how bad is it.”

The good news is that fixing your vendor due diligence process doesn’t require a compliance team of ten or enterprise-grade software. It requires a framework — and the discipline to actually follow it before contracts get signed, not after.

Here’s what that framework looks like in practice.

The basics: Is this business actually real?

It sounds like an obvious question, but you’d be surprised how often it goes unchecked. Before you evaluate a vendor’s pricing, capabilities or references, the first question to answer is whether the business entity you’re about to engage with is legitimate, active and legally authorized to operate.

For US-based vendors, that means checking two things: their state registration and their federal tax identity. Every legitimate US business should be registered with its state of formation, and most have an Employer Identification Number (EIN) issued by the IRS. Running a quick EIN lookup confirms the business is registered with the federal government, surfaces its official legal name (which may differ from the trading name on its website) and can reveal registration history and ownership structure.

This matters more than most people realize. A vendor operating under a DBA name has a different legal entity behind it. A business with a lapsed or revoked state registration may not be able to legally enter into contracts. And if something goes wrong downstream — a dispute, a refund, a legal claim — knowing the correct legal entity from the start makes everything easier.

Think of it as the foundation. You wouldn’t skip checking whether a building has planning permission before signing a lease. Same logic applies here.

Check their financial health, not just their pitch deck

Once you’ve confirmed the entity is real, the next question is whether it’s financially stable enough to hold up its end of the deal. A vendor who can’t keep the lights on in six months is a liability, regardless of how impressive their deck looks.

For publicly traded companies, this is relatively straightforward: quarterly and annual reports are publicly accessible through the SEC, and pulling 10-K and 10-Q filings for any listed company takes minutes. For private companies, it takes a bit more legwork. At a minimum, ask for the last two years of audited financials and look at the basics: revenue trends, profit margins, debt load and cash flow. A business running on thin margins with mounting debt is a risk, especially if it is a critical supplier.

Beyond the numbers, look for softer signals too. How long have they been in business? Do they have a stable customer base or do they seem overly dependent on one or two major clients? A vendor that loses their anchor customer midway through your engagement is suddenly a very different partner than the one you onboarded. It’s also worth running a UCC lien check on any significant vendor. A recorded UCC lien signals that a lender already holds a claim on their assets — which can indicate heavy debt dependency or constrained financial flexibility before you’ve signed a thing.

You don’t need to be a forensic accountant to do this. You just need to ask the questions and not accept “trust us, we’re doing great” as an answer.

Legal and compliance checks aren’t optional

This is the part most teams skip because it feels like legal’s job. But waiting for legal to flag something at the contract stage — when you’ve already invested time in the relationship and everyone’s ready to sign — is too late. Basic legal and compliance screening should happen early in the process, not at the end.

A few things to look for:

Sanctions and watchlists. The US Treasury’s Office of Foreign Assets Control maintains a list of individuals and entities that US businesses are prohibited from transacting with. Running a vendor’s name against that list takes minutes and can save enormous legal headaches. This is non-negotiable for any vendor with international ties.

Litigation history. A vendor with a string of breach-of-contract suits or regulatory actions on its record is telling you something. Public court records and basic searches can surface this. It won’t always be disqualifying, but it’s information you want before you’re locked in.

Licenses and certifications. Depending on your industry, your vendors may need specific licenses to operate legally. A financial services firm, a healthcare vendor or a data processor working under GDPR or HIPAA each carries regulatory requirements that extend to its partners. Check that they hold what they claim to hold.

Cybersecurity and data practices matter

Vendor-related data breaches are increasingly common and increasingly expensive. According to Verizon’s 2025 Data Breach Investigations Report, around 30% of breaches in 2024 involved a third-party vendor, double the rate from the prior year. The idea that only “tech vendors” or “IT partners” carry cybersecurity risk is outdated.

It’s a point federal security agencies have been making for years: third-party vendors are one of the most significant and underestimated entry points for security incidents, and organizations need to extend their security standards beyond their own perimeter to include the suppliers they depend on.

If a vendor has access to your systems, your customer data or your internal processes — even a small piece of it — they’re a potential entry point. That includes payroll providers, marketing agencies, logistics partners, and anyone who touches a shared spreadsheet.

At minimum, ask for their data handling policy, confirm they have a written information security policy, and find out how they respond to incidents. Larger or higher-risk vendors should be asked for SOC 2 reports, ISO 27001 certifications, or equivalent third-party security attestations. Don’t accept “we take security very seriously” as a substitute for documentation.

Tier your vendors; not everyone is the same

A full due diligence deep-dive on every vendor, including the company that delivers your office supplies, is neither practical nor necessary. The key is to match your scrutiny to your risk exposure.

A simple three-tier approach works for most organizations:

Tier 1 — Critical vendors: Vendors with access to sensitive data, core systems or who provide services you genuinely can’t function without. These get the full treatment: financial checks, legal screening, security assessments, and regular ongoing reviews.

Tier 2 — Significant vendors: Material relationships but not mission-critical. Standard financial and legal checks, plus periodic re-verification.

Tier 3 — Low-risk vendors: Transactional, low-spend, no data access. Light-touch verification at onboarding, minimal ongoing monitoring.

Tiering isn’t about cutting corners on the important stuff — it’s about directing your team’s time and energy where the exposure actually is. As one risk officer put it, you can outsource work but you can’t outsource responsibility — and that starts with knowing exactly who your vendors are and ranking them by what they can actually cost you.

Due diligence doesn’t end at onboarding

This is probably the most common failure point. A vendor clears the initial vetting process, gets onboarded and then nobody looks at them again for three years. Meanwhile their financial situation deteriorates, a key team member who was your main point of contact leaves, or a regulatory action gets filed that nobody in your organization catches.

Ongoing monitoring doesn’t have to be elaborate. For most Tier 1 and Tier 2 vendors, an annual review is a baseline — checking whether there have been any material changes to their financial position, legal status, or key personnel. It’s also worth revisiting lien status periodically: UCC-1 filings expire after five years and must be renewed, meaning a vendor’s encumbered assets picture can change significantly between your initial check and a contract renewal. Automating alerts for news coverage, court filings, or changes to public records can catch issues between review cycles without requiring manual effort.

The principle is simple: the relationship doesn’t become low-risk just because you approved it once. Circumstances change, and your oversight should keep pace. As risk practitioners are increasingly recognizing, point-in-time assessments aren’t enough — continuous monitoring is what separates teams that catch problems early from those that find out too late.

Make it a process, not a checklist

The difference between a due diligence process that actually protects you and one that just looks like it does comes down to consistency. A ten-point checklist that gets applied selectively — skipped when there’s time pressure, waived for vendors brought in through a trusted referral, or bypassed when the deal is too exciting to slow down — is effectively no process at all.

The teams that get this right treat vendor verification the same way they treat financial controls: as a non-negotiable step, not a suggestion. That means defined criteria for what triggers each tier of review, clear ownership of who runs the checks, and a record of what was verified and when.

It also means being willing to walk away. A vendor that resists basic due diligence, can’t produce documentation, or keeps deferring your questions is already telling you something important. The time to hear it is before the contract is signed, not six months into a relationship that’s going sideways.


Opinions expressed by SmartBrief contributors are their own.