6 Questions to Ask About Your Vendor Relationships
Establishing good vendor relationships can be important to a business’ success.
Many small and medium-sized businesses rely heavily on vendors who provide services such as manufacturing, distribution, information technology, printing, telecommunications, consulting, transaction processing, and much more. In order to perform these services, vendors often have access to sensitive information, including customers’ personally identifiable information.
Therefore, it is critical for business owners to implement a vendor management program that can help them mitigate the risks inherent in these relationships.
There have been several recent news stories about cybercriminals hacking into companies by targeting their third-party service providers. Some high-profile security breaches, like those of Target, Goodwill and AutoNation, were linked to the companies’ third-party vendors.
Although small businesses may feel less at risk, they may be just as susceptible to an information security breach as big corporations.
My colleague and Kaufman Rossin’s director of information security, Jorge Rey, CISA, CISM, CGEIT, specializes in information security and compliance. He answered the following questions for small business owners looking to minimize their risks related to third-party service providers.
1. Why is vendor management important for businesses?
A good vendor management program can enable a business to mitigate risks, can help a business control costs and can drive service excellence to maximize value from its vendors.
2. How can I better vet my vendors and manage the vendor selection process?
First think about what type of service provider you are hiring and what kind of information they will have access to. If the vendor will have access to any sensitive data, such as customer information or your company’s financial records, or if the vendor will be key to your operations, you may want to take additional precautions when vetting and selecting the company.
Do your due diligence up front. Take your time selecting a vendor by creating a list of possible companies, evaluating their proposals and reviewing your requirements to find a good fit. You might want to pull their credit history and review the background of the company’s executive team. How long has the company been around? Has the company had any significant legal or financial issues? Again, depending on how much access the vendor will have and what type of vendor it is, you may want to look deeper into some of these areas.
Part of due diligence could include looking into the potential vendor’s security practices. You might want to check whether they have comprehensive information security policies and recovery plans in place. You may want to ask if they perform regular data backups, internal security audits, and background checks on the employees who will have access to your data.
3. Any tips for vendor contracts?
Vendor contracts typically include the following: services being provided, duration of contract, confidentiality clauses, the right to audit, and contingency plans, but they should be assessed on a case-by-case basis. Contracts should be clear and concise, as well as flexible in case your business wants to change vendors at some point.
As a business owner, it’s important to understand service-level agreements, including ramifications for vendors who fail to meet them. It also helps to set up next-step procedures in case a relationship with a vendor ends.
Extra tip: As is good practice with all of your data, back up your records and consider keeping a copy of the contract off-site in case of a disaster.
4. What type of ongoing monitoring should I be conducting?
It’s important to monitor your vendors’ performance. Is the vendor meeting the terms of the service-level agreement? Are deadlines being met? Is the quality of the product or service up to the specified standards?
In addition, if you keep track of what you’re seeing on your end related to your company’s financials and data security, you can catch issues early. For example, it’s a good idea to monitor accounts payable on a regular basis and stay aware of what’s happening with cash flowing in and out of your company. Establishing an information security program and implementing proper internal controls can help you detect potential issues – whether with vendors, employees or otherwise.
5. Do I need a non-disclosure/confidentiality agreement with vendors?
You may want to consider including a confidentiality or non-disclosure agreement (NDA) in your vendor contracts. This is especially true if the vendor has access to sensitive company or client data in any form (written, verbal or electronic). An NDA can help protect your company’s critical data, which you would not want to end up in the hands of a competitor – or the general public.
6. Any other tips for implementing a vendor management program?
You don’t have to go it alone. A qualified professional with expertise in information security and internal controls can assist your company with assessing your IT security risk and establishing a risk management program that includes vendor management.
_____
Lisa Kahn Little, CPA, is an associate principal in the Entrepreneurial Services department of Kaufman Rossin, where she works with entrepreneurs, high-net worth individuals and nonprofits. She is a certified QuickBooks ProAdvisor, a licensed Certified Public Accountant in the State of Florida, and a member of both the American Institute of Certified Public Accountants and Florida Institute of Certified Public Accountants. Lisa can be reached at lklittle@kaufmanrossin.com.
Lisa Kahn Little, CPA, is an Entrepreneurial Services Associate Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.