Vendors Not in Scope for Vendor Management Program
How do I show that I have run my out-of-scope vendors through the Vendor Management Program?
Clients subject to banking regulations have found during audits that examiners are requesting the Vendor Management Team produce lists of all vendors used in the organization, whether the vendor is part of the ongoing monitoring program or not. This task can be difficult if all vendors are not housed in VI. Initial paperwork may have been manual and filed with a different department. In some organizations, the AP list of vendors becomes the source of truth for the vendor names, and the Vendor Management Team may not even be aware a number of the vendors exist, meaning the vendors were not run through the Vendor Management Program. This can cause headaches during internal and external audits.
The Best Practice solution in VendorInsight® for showing an auditor that all vendors are initially run through the Vendor Management Program is to create a contract record for the vendor before a contract is signed or services are used. Once the record is created, answer the Vendor Relationship Profile (VRP) questions and pull the OFAC report to apply to the record PCM. Upload any documents to the vendor record that you may use externally to help determine whether the vendor will be selected. If the vendor is out-of-scope per the VRP questions, there may be no additional due diligence documentation needed other than vendor selection documentation. Once it is determined the vendor will not be part of the ongoing monitoring in VendorInsight®, and you no longer wish to include the vendor on reports, you can mark the contract record as “inactive/terminated”. All documentation, including the VRP, OFAC and uploaded due diligence document(s), will go to the archive.
This Best Practice solution will allow you to show an auditor that the documentation can be found in the archive, proving it was initially run through the VendorInsight® system. Once the contract record goes to the archive in VI, it no longer counts towards your population of active contract records.
Where do I list the out-of-scope vendors so they do not appear in VendorInsight, but I can still pull a complete vendor list?
For some clients, the Vendor Management Team not only has to show that all vendors went through the Vendor Management Program but they also have to produce a complete list of Vendor Names per an audit request. This may be difficult if you are working with a specific set of vendors. Your accounts payable solution may have the entire list of vendors, while VI may not.
The Best Practice for maintaining a list of all vendors within VI is to use the Enterprise Vendor Metadata module. If this module is enabled, you are able to create a custom template for tracking additional information your organization may need cataloged, as well as produce a report of all vendors listed. You are able to upload one document per vendor in this module, so you can make a package of the completed VRP, OFAC and due diligence documentation that were used during the vendor selection process, and file with the record in this section. This also allows you to list any vendors for which you may have signed exceptions but you still wish to track selected information.
The Enterprise Vendor Metadata module is an additional cost. If you are interested, and the module is not already enabled, please reach out to your Account Manager to discuss options.
Keep in mind, you can reach out to your VI Program Administrator!
If you are still unsure about Best Practices regarding Vendors not in scope for your Vendor Management Program, remember you can always reach out to your VI Program Administrator for help.
What's Next
This is what was achieved and what was omitted in this how-to.