A Due Diligence Checklist Template

May 5, 2005

The following is a due diligence checklist put together by CUNA Strategic Services, Inc. It is intended to be used to gather information and provide questions that can serve as a guide for your credit union when constructing your own due diligence process on a potential vendor or business partner.

Corporate Information

- Overview of company's corporate structure.
- Operating agreement and corporate structure (including an explanation of the relationship between your parent company and subsidiaries).
- Owners (holding over 10%) and directors.
- Organizational charts (high-level) and key management resumes.
- Complete list of current credit union clients.
- List of any state or trade associations your company is currently "endorsed" by.
- User references (including contacts and phone numbers for credit union users).
- Summary of pending or threatened litigation, claims, or suits.
- Proof of liability and property insurance.
- Listing of relevant contracts with third-party vendors, consultants, resellers, independent contractors, etc.
- Strategic business plans (current and future), including succession planning.

Financial Information

- Annual reports, including year-end financial statements for the past three years (audited if available).
- Current financial statement.
- Has your company received any outside funding other than from stockholders? If so, please explain.
- Please provide the following sales information:
  - Annual credit union sales: $
  - Total annual sales: $
  - Your company's ranking in credit union market share for this product/service (i.e., 1st, 2nd, 3rd, etc.)

Technical Overview (Questions 1-5 pertain to an ASP model structure)

Physical security.

- Where is (are) your data center(s) located?
- Describe the physical security, disaster recovery, back up/redundancy, and prevention features of your data center.
- Who (including data center staff, other employees and vendors) has physical access to the host servers?

Network security.

- Are industry-standard firewalls deployed? Where are they deployed?
- How does your company keep the software for the firewalls current?
- Is administrative access to firewalls and other perimeter devices allowed only through secure methods or direct serial port access?
- What protocols and ports are allowed to traverse the network and firewall?
- Does your company use intrusion detection systems (IDSs)? How long are IDS logs kept?
- Does your company use an intrusion prevention system (IPS)?
- Are formal incident-response procedures in place? Are they tested regularly?
- Does your company engage third-party security service providers to perform ongoing vulnerability assessments?
- Does your company have a workflow diagram of the process for CU system failure? If so, please provide.

Systems security.

- Are ongoing vulnerability assessments performed against the systems?
- Are file permissions set on a need-to-access basis only?
- How are operating systems kept up to date?
- How does your company keep abreast of software vulnerabilities?
- What is the procedure for installing software updates?
- Are audit logs implemented on all systems that store or process critical information? How often are these logs reviewed?
- What change management procedures are in place?

Staff security.

- What are the credentials of the systems administration staff?
- Has the systems administration staff undergone complete background and criminal checks?
- How long are the access logs retained for? Who reviews the logs?
- How many characters must a password have? Are alphanumeric passwords required? How frequently must it be changed?
- Are hosting staff onsite or on-call 24/7?

Security policy.

- Describe the user account and password policy.
- Are screen-blanking mechanisms deployed on all employee workstations?
- Do sessions automatically time out after an idle period?
- Are user accounts for contract personnel created with expiration dates?
- How are user accounts closed after termination?

Software overview (if possible, please send a copy of the software or provide access to a demo).

- Please provide a description of any software that is required for credit unions to use in order to support your products/services.
- Is this software available in a network version?
- Does the software require an interface with our credit union's core processing system?
- Does the software allow your company access to any credit union data via download and/or direct interface?

Privacy/confidentiality of data.

- How does your company protect the privacy of any member and/or account information that may be collected and maintained through this service?
- Are you SAS 70 certified and/or ISO 17799 compliant?
- How is data integrity ensured?
- What checks are carried out on people who might have access to the data?
- Discuss all security features.

- Are all development software licenses current? Please provide a list of your development software licenses.
- Does your company utilize any third-party software development companies? If so, please explain.
- When was the software first released?
- When was the software last updated?
- How often are software updates/upgrades planned?
- Does the credit union pay for updates/upgrades?
- Please describe the levels of support (i.e., technical, customer, etc.) your company provides to participating credit unions.
- What methods would a credit union use to contact your company for support?
- How many staff positions are available to assist credit unions with support issues?
- What happens to the credit union's data if they decide to terminate the service with your company?

Business Model

- Explain how your product/service satisfies a strategic need for credit unions.
- Describe your current sales process. How long is your sales cycle, on average?
- Provide samples of all sales materials (i.e., presentations, proposals, etc.)
- What are your growth expectations over the next five years?
- How would you define your company's primary target market in the financial services industry? Please also include size of institution in terms of asset size and members.
- What tactics or activities do you currently use to generate sales leads?
- Provide a list of your top lead sources and the percentage of leads that are generated from each source.
- Who is your competition? What differentiates your company from its competition?
- What will your company provide under this possible alliance that others cannot?
- Provide a sample credit union agreement.
- Provide a list of any warranties/guarantees for your services.
- Describe the compliance guarantee offered to participating credit unions.
- Are there any limitations or legal restrictions by state?
- If violations are found, who is financially responsible?
- How is compliance with state and federal regulations insured?
- How does this product/service comply with (name Act)?
- Has the product been reviewed for compliance with any federal agencies and by any state regulatory authorities? If so, please provide any supporting documentation.
- How is your product/service currently priced? Do you expect this pricing structure to change through an alliance relationship?
- Describe your current implementation process beginning at the point of receiving a signed agreement or purchase order for the product/service. Provide a typical project plan.

- Provide samples of any marketing and advertising materials that are used to promote the product/service to credit unions.
- Provide copies of all materials (deliverables) a credit union would receive as part of the service(s) (i.e., analyses, bids, etc.)
- Describe the training that is provided to any participating credit union. Is the training done onsite or remotely? Who is responsible for providing the training? Provide samples of the training materials.
- Describe the billing process.
- Why should your company be considered for a strategic alliance relationship with our CU?
