Vendor Offboarding Checklist for Compliance

Published November 12, 2020 | 5 min read

Every vendor relationship your company strikes allows your business to save money and exploit new opportunities more efficiently. What’s more, every vendor relationship can develop into more ways for you and your supplier to increase value and grow the business.

That said, every vendor relationship should also follow a natural lifecycle: one that begins with initial review and onboarding, and ends with the termination of the supplier’s contract and offboarding.

Procedures for onboarding new third parties are a key part of your third-party risk management program, and hence they are discussed constantly.

Equally important, however, is offboarding. If done poorly, it can leave your company exposed to data breaches, compliance failures, unnecessary costs, loss of valuable equipment, and potential litigation.

That’s why it’s important to have processes in place to identify when and how to end your relationships with third-party vendors and to ensure you complete the procedures associated with terminating those relationships in the right way. (Ideally, you should automate these processes across your company.)

What is Vendor Offboarding?

Third-party vendor offboarding is the process of removing a vendor from your administrative and finance records when you end a contract or a relationship with that vendor. Only conduct vendor offboarding, however, after the vendor has fulfilled all its essential contractual and residual obligations, such as after-sales support and warranties.

You can eliminate potential risks to your company by making certain that you handle offboarding appropriately. This includes ensuring that the vendor can no longer access your physical property or IT systems and that the supplier destroys all your data in its possession. You should also notify your finance department to stop payments to the vendor.

Too often, companies give more attention to the structure and formality at the front end of their third-party management processes: sourcing and procurement, due diligence, risk management, contracting, and so forth. They don’t pay enough attention to the need for carefully considered offboarding procedures.

Vendor Offboarding Checklist for Compliance

Here is a vendor offboarding checklist for compliance to help you when you’re ending a relationship with one of your third-party vendors:

Access to Data and Systems

Organizations give different suppliers different levels of access to systems (including VPNs, telecommunication systems, and internal applications) for the lengths of their contracts so those vendors can deliver the services they were hired to provide.

Keep a detailed inventory of all the data and systems your suppliers can access, as well as which of their employees have access to those systems and information. You should reference this inventory during the offboarding process to guarantee that you terminate the supplier’s access to your company’s information and systems.

Physical Access to Facilities

Vendors may also need access to your buildings and offices. So it’s also critical to keep a log of the suppliers’ employees who have access to your premises, as well as how they have access: keys to the building, entry codes, key cards, and so forth.

When a vendor’s contract ends and its employees no longer need access to your facilities, ensure that the vendor returns any physical keys, badges, key cards, and the like. You must also notify appropriate employees within your company (receptionists and security personnel, for example) that the vendor no longer has permission to access your facilities. Update any electronic access codes or other internal building access systems as well.

Return of Equipment

If a vendor has borrowed your equipment to perform its contractual obligations, have a process in place to ensure that all your property is accounted for and returned. For example, you can use software to document, tag, and identify any equipment that you issued. Then check whether the vendor returns that equipment at the end of the vendor’s contract. You should also document the condition of the equipment when the vendor returns it.

The inventory you generate should also include what data, information, and intellectual property were provided to the vendor. Work with that vendor to ensure that it returns what it’s able to return, and deletes or destroys what it can’t.

That said, not all data can be destroyed; it may reside on backup tapes, and some regulations mandate that data is preserved for a period of time. In that case, get assurances from your supplier that it will safeguard your information until those files can be destroyed. 

Review the Contract

The journey from the beginning of a vendor contract to its end is often different than the terms outlined in the original agreement. The scope of an engagement can change over time; unplanned delays arise. Things happen. 

Throughout the tenure of the contract, then, document any changes in the contract — specifically those that affect the contract deliverables. Then, during the offboarding process, check that the vendor did indeed deliver all the goods or services it was contracted to provide.

And as your vendor relationship changes over time (for example, if you have to expand the supplier’s services), remember to update the scope, controls, and termination provisions throughout the relationship. You don’t want to look for these necessary items during the offboarding process and realize that they’re missing.

Ongoing Security 

It’s critical that you and your vendor review any security policies (including privacy policies) that are related to the contract. You must remind the vendor of provisions and requirements that continue even after your relationship has ended, such as confidentiality and privacy. Get formal acknowledgment from your vendor that it will keep adhering to those provisions after the contract or relationship has concluded.

Final Payments

Pay all your vendor invoices, and ensure that any outstanding debts or refunds owed to you are paid as well. 

Update the Vendor Profile

When a relationship with a vendor ends, the vendor’s profile should be updated accordingly. Check the accuracy of the vendor’s legal name, the names of your primary points of contact, what active contracts you may still have with the vendor, and so forth. This will help you keep an accurate inventory of your third-party supplier relationships.

Vendor Lifecycle Management

Each vendor in your company’s supply chain has a lifecycle that starts with the initial review and onboarding and ends with the termination of the vendor’s contract. Vendor lifecycle management allows you to acknowledge the importance of your vendors and incorporate them into your procurement strategies. Vendor offboarding is the final part of vendor lifecycle management.

The vendor management lifecycle generally consists of:

  • Vendor identification: shortlisting potential suppliers. This includes cross-checking whether the shortlisted vendors and the offers they submit match your required specifications.
  • Vendor selection: confirming whether a specific supplier can deliver the necessary goods or services.
  • Vendor segmentation: classifying each shortlisted vendor according to specific metrics, including lifecycle cost, availability, quality of goods or services, and support.
  • Vendor onboarding: gathering all the data and documents necessary to add a vendor to your approved list of vendors. This can include due diligence checks on prior litigation, poor customer reviews, audits of security controls, and the like. 
  • Vendor performance management: measuring and analyzing how a vendor performs throughout the contract to identify weaknesses and reduce vendor risks.
  • Vendor information management: collecting data from every step in a vendor lifecycle, from onboarding through offboarding.
  • Vendor risk management and assessment: identifying, analyzing, and mitigating supplier risks.
  • Vendor relationship management: identifying your most important vendors and cultivating long-term relationships with them.
  • Vendor offboarding: removing a vendor from your finance and administrative records when you end a vendor contract or relationship.

To remain competitive and get more out of your vendor relationships, you must adopt new technologies to streamline your vendor lifecycle management processes — including offboarding. Automated vendor lifecycle management helps companies operate more efficiently. It can build better vendor relationships by improving engagement and transparency, and by reducing risks.

Again, offboarding is one of the most neglected parts of vendor lifecycle management. Don’t approach the end of a supplier relationship in such a haphazard way; rather, define the offboarding process during the onboarding process, so that the end of the relationship can happen smoothly and precisely.
