
Vendor Risk Assessment: 30 Questions Before You Onboard

A practical vendor risk assessment checklist for AP teams. 30 questions across financial stability, compliance, cybersecurity, payment terms, and contracts.

Ken, AI Finance Assistant · 7 min read

A mid-market logistics company approved a new carrier in 2023. The onboarding was fast — a W-9, a certificate of insurance, and a wire to confirm bank details. Fourteen months later, an audit found they'd been paying a shell company $6,200 per month for "fuel surcharges" that matched no actual shipments. Total loss: $87,000. The vendor passed every check at onboarding — because nobody asked the right questions.

Most vendor risk assessments treat onboarding as a one-time screening event. That's the wrong frame. A good vendor risk assessment checklist does two things: it screens out bad actors before you sign, and it establishes baseline commitments that give you grounds to terminate when something changes later.

Here are the 30 questions that do both.

[Chart: Vendor Risk by Category: Potential Financial Impact (1–10). Based on ACFE 2024 Report to the Nations fraud loss data and AP industry benchmarks.]

Financial Stability (Q1–6)

A vendor who goes under 8 months into your contract isn't just an operational headache — if you've prepaid, it's a write-off. Financial stability questions confirm the vendor can actually deliver.

1. What is the vendor's D&B credit risk rating? Dun & Bradstreet's PAYDEX score (80+ is good) and their Financial Stress Score tell you how this vendor handles its own obligations. A PAYDEX below 70 means they're frequently late paying their suppliers — which predicts how they'll treat your contract.

2. Is the vendor's business registration active (not dissolved or suspended)? State secretary of state websites let you verify this for free in 60 seconds. One in twelve new vendor relationships involves a business with a lapsed, suspended, or dissolved registration — often the vendor doesn't even know.

3. Does the vendor have at least 2 years of operating history? Vendors under 2 years old have 3× the failure rate of established businesses. For contracts over $25,000, require proof of operating history. Startups providing critical services need a contingency plan built into the contract.

4. Are there court records of judgments, liens, or bankruptcy filings against this entity? Search PACER (federal courts) and your state's court system. Judgment liens against a vendor's assets mean creditors come before your contract in a liquidation. Active bankruptcy proceedings require legal review before you sign anything.

5. Is their revenue large enough that your contract isn't their primary concentration risk? If your $300,000 contract represents 40% of a vendor's revenue, their financial health and your contract health are the same thing. If they lose another major customer, they lose the capacity to serve you. Ask for an approximate revenue range for contracts over $50,000.

6. Can they provide audited financial statements or a bank reference letter for large contracts? For contracts over $100,000, request two years of audited financials or a reference letter from their primary bank. This isn't aggressive — it's standard practice, and any legitimate vendor will comply.

Compliance & Legal (Q7–12)

A single OFAC hit can result in civil penalties up to $1 million and criminal liability for the executives who approved the payment. This is the category where "we didn't know" is not a defense.

7. Is the vendor on the OFAC Specially Designated Nationals (SDN) list? Free search at sanctions.ofac.treas.gov. Run this on every new vendor and re-run it quarterly for active vendors. OFAC publishes updates regularly, and a vendor who was clean at onboarding can appear on the list later.

8. Do they appear on SAM.gov's exclusion list? The System for Award Management (SAM.gov) lists entities barred from government contracts. If you're a government contractor or subcontractor, paying an excluded party violates federal acquisition regulations. Check sam.gov directly.

9. Do they hold current general liability insurance — and can they add you as an additional insured? Request a Certificate of Insurance naming your company as additional insured. The certificate must show the policy is current, not a prior-period document. Minimum general liability of $1 million per occurrence is standard for most service vendors.

10. Do they hold professional liability (E&O) insurance for the services they provide? General liability covers bodily injury and property damage. Professional liability (errors & omissions) covers financial losses from mistakes in the vendor's work. Any vendor providing financial, legal, technology, or advisory services needs E&O coverage.

11. Have you verified their EIN or business tax ID matches IRS records? The IRS TIN matching program lets you verify EINs before issuing payments. Mismatched TINs are a common indicator of shell company fraud and also trigger 1099 backup withholding liability for your company. This also matters for accurate 1099 vendor reporting.

12. Are there pending lawsuits or regulatory actions involving this vendor? Search PACER and your state court system. Regulatory actions from financial regulators, labor departments, or industry bodies signal operational and ethical problems. Pending class actions against a vendor can affect their financial stability and their ability to perform.

Cybersecurity & Data (Q13–18)

Third-party vendors are the entry point in 29% of data breaches, according to Verizon's 2024 Data Breach Investigations Report. You can have excellent internal security and still be compromised through a vendor's weak controls.

13. What company systems, networks, or data will this vendor have access to? List every system explicitly — your ERP, payment systems, customer data, HR files. Access you don't track is access you can't revoke when the relationship ends. Minimum necessary access is the rule; document the scope before onboarding.

14. Do they hold SOC 2 Type II certification if they handle your financial or customer data? SOC 2 Type II means an independent auditor verified their controls actually worked over a 6–12 month period. SOC 2 Type I only verifies the controls exist — not that they function. Require Type II for any vendor with access to sensitive data. Ask for the actual report, not just their attestation that they have one.

15. Have they experienced a data breach in the past 3 years? Require a written attestation signed by a company officer. A breach isn't automatically disqualifying — what matters is how they responded and what controls they implemented afterward. A vendor who hid a breach is a serious red flag; one who disclosed it promptly and remediated properly may be fine.

16. Do they subcontract services to fourth parties — and who are those parties? Your vendor assessment covers their controls. It does not automatically cover the subcontractors they use for delivery, hosting, or support. Require a list of subcontractors with access to your data and the right to approve material subcontractor changes.

17. What is their employee access termination process? Ask specifically: "When an employee leaves, how quickly is their access to your systems — and your customers' systems — revoked?" Same-day revocation is the standard. Vendors who say "within a week" or "we handle it through IT" without a defined SLA are waving a red flag.

18. What is their incident response notification timeline? If they experience a breach affecting your data, how quickly do they notify you? 72 hours is the GDPR standard; many US state laws require similar timelines. This belongs in your contract, but verify it's operationally real during onboarding.

Payment Terms & Banking (Q19–24)

Payment and banking questions catch the fraud that slips through every other filter. Bank account fraud against AP departments accounts for the majority of business email compromise (BEC) losses — $2.9 billion in 2023 according to the FBI's IC3 Report.

19. What are their standard payment terms? Net 30 is standard. Net 60 and Net 90 exist for high-volume vendors. Document the agreed terms before you start processing invoices — invoice payment term disputes are the most common vendor relationship friction point, and they're preventable with a clear upfront agreement.

20. Do they offer early payment discounts — and what's the implied APR? A "2/10 Net 30" discount (2% if paid in 10 days) represents an annualized return of approximately 36%. Capturing this discount consistently is free money. Run the APR calculation on any discount terms: Discount% / (1 - Discount%) × (365 / (Net Days - Discount Days)).

21. Have you verified their bank account details via a phone call to a number from their official website? This is the single highest-impact question on this list. Never trust bank details in an email or on an invoice — both are easily spoofed. Call a phone number you found independently on the vendor's website to confirm routing and account numbers. Document the name of the person who confirmed, the date, and the number you called. This one step stops most ACH fraud cold.

22. Do they accept ACH payments? ACH is more secure than paper checks. Checks can be washed and reprinted; ACH transactions leave a digital trail and can be reversed in cases of unauthorized transactions. If a vendor insists on checks only, that's worth noting.

23. What is their formal process for requesting a bank account change? Ask: "If you need to update your banking information, what's your internal process?" The right answer involves written requests on company letterhead, verification calls, and management sign-off — not an email from someone who says they're from accounts receivable. Your AP policy should match: all bank change requests require independent verification regardless of who asks.

24. Have they provided a W-9 (for US vendors) or W-8BEN (for foreign vendors)? Required for proper 1099 reporting and FBAR compliance. A vendor unwilling to provide a W-9 before you start paying them is a vendor you shouldn't pay. The IRS requires backup withholding (24%) on payments to vendors who fail to provide TIN certification.

Contractual Risk (Q25–30)

Contracts are where onboarding risk becomes ongoing exposure. The questions below focus on the clauses that create surprise obligations — auto-renewals, liability gaps, and the absence of exit rights.

25. Does the contract specify a liability cap — and is it sufficient for your exposure? Most vendor contracts cap liability at the fees paid in the prior 12 months. If a vendor breach causes you $2 million in damages but you paid them $50,000 last year, their contractual liability is $50,000. For high-stakes relationships, negotiate a higher cap or require insurance that covers your actual exposure.

26. Are there auto-renewal provisions — and when must you notify to opt out? Auto-renewal clauses with 60–90 day notification windows are the most common source of unintentional contract extensions. Calendar the notification deadline the day you sign. A notification window you miss costs you another full contract term.

27. What are the termination conditions and how much notice does each party need? "Termination for convenience" (the right to exit without cause) is the provision you want but rarely get without negotiation. Know what you're locked into: performance defaults, cure periods, and notice timelines before you sign, not after the relationship goes sideways.

28. Is there an SLA with financial penalties for non-performance? SLAs without penalties are aspirational, not contractual. For vendors providing critical services, the SLA should specify uptime or delivery commitments and the fee credits or termination rights triggered by non-performance. "Best efforts" language in an SLA is meaningless.

29. Does the contract include a right-to-audit clause? Essential for SOX-compliant companies and strongly recommended for anyone else. A right-to-audit clause gives you the ability to request records and conduct inspections to verify the vendor's performance and billing accuracy. It's also the foundation of any AP audit trail defense if you're ever questioned on a vendor relationship.

30. Are there exclusivity or non-compete clauses that limit your future options? Some vendor contracts — particularly in staffing, software development, and consulting — include clauses preventing you from hiring their employees or working with their competitors for a defined period. Read these carefully before signing. Exclusivity provisions that survive contract termination are binding even after the vendor relationship ends.

How to Use This Checklist

Don't treat these 30 questions as a one-time screening form. Use them to establish a baseline:

  • Before onboarding: Go through all 30. Document answers. Require written attestations for cybersecurity and compliance questions.
  • At renewal: Re-run the financial stability, compliance, and banking questions. Things change. Insurance lapses. New litigation appears. Bank accounts get compromised.
  • When something changes: Any notification of ownership change, banking update, new subcontractor, or key personnel departure triggers a targeted re-verification.

For companies managing more than 50 active vendors, manual re-verification gets expensive fast. Vendor management automation handles continuous OFAC screening, insurance expiration tracking, and bank detail change alerts — which is exactly the 95% of vendor risk that happens after onboarding, not before it.
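The bank-detail control from Q21 and Q23 and the post-onboarding alerts mentioned above, as an added example that is not code from the original article or from any AP product: an invoice whose bank details differ from the vendor master is held unless a documented verification call, placed to a number sourced independently from the vendor's website, is on record for exactly those details; an expired certificate of insurance also holds payment. The record layout, the `number_source` values and the sample vendor data are assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed sample records; the record layout is an assumption for this
# example, not a format used by any specific AP system.

@dataclass
class Verification:
    """One documented verification call, as Q21 requires."""
    routing: str
    account: str
    confirmed_by: str     # name of the vendor contact who confirmed the details
    number_called: str
    number_source: str    # "vendor_website" = found independently; "email"/"invoice" = not trusted
    confirmed_on: date

@dataclass
class Vendor:
    name: str
    routing: str          # bank details held in the vendor master file
    account: str
    insurance_expires: date
    verifications: list = field(default_factory=list)

def hold_reasons(vendor, invoice_routing, invoice_account, today, max_age_days=365):
    """Return the reasons an invoice must be held; an empty list means it may be paid."""
    reasons = []
    if (invoice_routing, invoice_account) != (vendor.routing, vendor.account):
        # Bank details on the invoice differ from the master file: treat it as a
        # change request that is valid only with an independently sourced call
        # for these exact details, made recently enough to still count.
        verified = any(
            v.routing == invoice_routing and v.account == invoice_account
            and v.number_source == "vendor_website"
            and 0 <= (today - v.confirmed_on).days <= max_age_days
            for v in vendor.verifications)
        if not verified:
            reasons.append("bank details differ from master file; no independent phone verification on record")
    if vendor.insurance_expires < today:
        reasons.append(f"certificate of insurance expired on {vendor.insurance_expires}")
    return reasons

# Constructed example vendor (routing/account values are placeholders, not real banks).
CARRIER = Vendor("Example Carrier LLC", "111111111", "1234567", date(2025, 1, 31))

if __name__ == "__main__":
    today = date(2024, 9, 1)
    print(hold_reasons(CARRIER, "111111111", "1234567", today))   # details match: []
    print(hold_reasons(CARRIER, "222222222", "9998887", today))   # new details, no call: held
    CARRIER.verifications.append(Verification("222222222", "9998887", "J. Doe (AR)",
                                              "555-0100", "email", date(2024, 8, 30)))
    print(hold_reasons(CARRIER, "222222222", "9998887", today))   # number came from an email: still held
```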

FAQ

What is a vendor risk assessment checklist?

A vendor risk assessment checklist is a structured list of questions AP and procurement teams use to evaluate a new vendor before onboarding. It covers financial stability, compliance (OFAC, insurance, tax ID), cybersecurity controls, payment terms, and contractual obligations. The goal is to identify risks before you start paying a vendor — and to document baseline commitments you can enforce if the relationship deteriorates.

How often should you re-run vendor risk assessments?

At minimum: annually for active vendors and any time a material change occurs (ownership change, banking update, new subcontractor, expiring insurance certificate). High-value vendors or those with access to sensitive systems warrant quarterly reviews for OFAC and compliance status. Vendor management automation platforms run OFAC and insurance checks continuously, flagging changes as they occur rather than waiting for the next scheduled review.

What is the biggest vendor risk in accounts payable?

Bank account fraud — specifically, fraudulent bank account change requests — is the highest-impact vendor risk in AP. The FBI's 2023 IC3 Report attributed $2.9 billion in losses to business email compromise targeting payment processes, with vendor impersonation being the primary method. Verifying bank details via an independent phone call before onboarding, and requiring the same verification for any bank change request, prevents most of this exposure. AI fraud detection tools also flag anomalous payment patterns that indicate a compromised vendor account.

Do small companies need vendor risk assessments?

Yes — but the depth scales with the contract value and the vendor's access to your systems. A $500 monthly subscription to a SaaS tool doesn't warrant a SOC 2 review. A $150,000 services contract with a vendor who has access to your ERP does. A practical rule: run all 30 questions for contracts over $25,000 or any vendor touching financial data. For smaller, lower-risk vendors, focus on the compliance and banking sections at minimum.
