
A new supplier sends back a clean onboarding packet: a completed questionnaire, a certificate of insurance, a W-9, a couple of references, maybe a signed code-of-conduct attestation. On paper the vendor checks out, and for plenty of suppliers that packet is most of what you need. But every page of it came from the vendor itself. Vendor due diligence is the work of checking the parts of that account that carry real exposure against records the supplier does not control, and deciding which suppliers are worth checking at all.
The packet does real work. A questionnaire scopes the relationship, a certificate of insurance shows what coverage the vendor carries, references point you to people who have worked with them, and the whole file gives procurement a consistent record to compare suppliers against and to show an auditor later. It is genuinely useful, and for a high-volume program it is where onboarding has to start.
What the packet does is capture what the vendor says about itself. The open question is which of those claims you take on the vendor's word and which you confirm.
A questionnaire only captures what the vendor chose to write down. An honest supplier fills it out straight. But one with something to keep quiet (an ownership tie to a flagged entity, a lawsuit in progress, a policy that lapsed last month) can leave a line blank or word it carefully, and the finished form looks no different from an honest one. Even a vendor acting in good faith can only report what it knows about itself. You can read the document closely and still not separate an accurate answer from a convenient one.
That's the real limit of a questionnaire. The problem isn't that it's useless. It's that everything on it is the vendor's own account, unverified, with no flag for what got shaded or left off. The harder a supplier is to corroborate, the more that gap matters, and the surprises rarely come from the name-brand suppliers. They come from the small operations, the five-person shop you can't quite place, where the form is most of what you have and the public record runs thin. Closing that gap is the job of third party due diligence.
Verification tests the claims that carry exposure against a source the vendor has no hand in. It is not re-keying the questionnaire. It is confirming a short list of things independently:
You don't have to run all five on every supplier. Treat it as a menu rather than a fixed vendor due diligence checklist, and pull only the lines that match what a given vendor could actually cost you.
What a vendor could cost you is mostly a question of what it touches. A supplier that ships commodity packaging on net-30 terms, one you could replace next week, is not the contract manufacturer holding your product designs, the software vendor sitting inside your systems, or the subcontractor whose crew works on your customer's site. Spend matters, but access and dependency matter more. The suppliers that can hurt you are the ones you cannot easily walk away from, or the ones that reach your data, your customers, or your premises.
The more access a vendor has, the further the check should go. The long tail of low-touch, replaceable suppliers can clear a fast automated screen, our Preliminary Report, where database checks come back in minutes and an investigator confirms any adverse hit before it reaches you. The handful you actually depend on, or the ones sitting offshore where records are harder to reach, are typically worth investigator-verified depth, our Advanced and Deep Dive reports, pulled and confirmed at the source. Matching the check to the risk is also how programs stop overspending, since there's no return in running the deepest report on a vendor you could replace tomorrow.
A vendor relationship isn't always a one-time transaction. Many renew, and the supplier keeps living its own life long after you onboard it. The manufacturer you cleared in January can pick up a lawsuit in March, let the insurance you verified lapse in June, or land on a watchlist after a change in ownership. A check run at onboarding is accurate the day you run it and quietly goes stale from there. For the vendors you genuinely depend on, that's where continuous monitoring can be worth considering. It re-checks them over time, so a new lawsuit, a lapse, or a watchlist hit shows up when it happens rather than at the next contract review. Plenty of suppliers never need it, and the value is in keeping the few that matter from slipping under the radar.
Good vendor due diligence comes down to knowing where confirmation is worth the effort. The packet still does its job, scoping the relationship and putting the vendor's own account on the record. From there you verify the handful of things that would actually hurt if a vendor got them wrong or kept them quiet, sized to what that supplier touches, let the replaceable long tail clear a light automated screen, and keep a closer eye on the few you truly depend on. The packet is a good place to start the conversation. It just should not be the final source of truth on a vendor.
If you're standing up or tightening a vendor risk management program, that tiering is exactly the part we help with. Tell us about your supplier base and we'll set the depth with you, tier by tier.