OUTSOURCING DUE DILIGENCE FORM

Transcription

1 OUTSOURCING DUE DILIGENCE FORM SERVICE TO BE OUTSOURCED 1. Type of service to be outsourced: Accounting/Finance: Compliance Consulting: Legal Services: Administrative Functions: Information Technology: Operations/Support Functions: Other: 2. Is this service essential to the operation of the Firm (i.e. transaction order entry; custody and prime brokerage; service designed to promote rapid recovery of operations etc.)? Yes No APPROPRIATENESS OF OUTSOURCING 1. Potential impact on Firm if service provider fails to perform: Financial Impact: High Medium Low N/A Reputational Impact: High Medium Low N/A Operational Impact: High Medium Low N/A Customer Service Impact: High Medium Low N/A Potential Losses to Customers: High Medium Low N/A Comply with Regulatory Requirements: High Medium Low N/A Costs to Firm: High Medium Low N/A Degree of Difficulty Replacing Service Provider: High Medium Low N/A 2. Is there an affiliation or other relationship between the Firm and the service provider? Yes No If yes, please describe the relationship and any potential conflicts of interest: 3. Is the service provider a regulated entity subject to independent supervision? Yes No If yes, name of regulator: SERVICE PROVIDER INFORMATION 1. General Information Firm Name: Firm Address: Contact Name(s): CRD # (if applicable): Phone: Fax: Website: Outsourcing Due Diligence Form 1

2 (PAGE 2) 2. Is the service provider owned/controlled by a Parent Co.? Yes Name: No 3. Personnel: Approximate # of employees: Does the service provide hire independent contractors? Yes No 4. Background Information: How many years has the service provider been in business? How many years has the service provider provided the outsourced function? Is the service provider known to the Firm or employees of the Firm? Yes No If yes, please name the individual(s) and describe any prior experience each had with the service provider: DUE DILIGENCE 1. What methods did the Firm use to verify the service provider s information? (Choose all that apply.) FINRA Public Disclosure Internet Research Entity Formation Documents SEC Public Disclosure Credit/Background Check Independent Research Form BD/ADV Media/News Reports Personal Referral Business Plan 10K RFP Policies and Procedures Manual(s) Personal Interviews Marketing Materials Financials Onsite Inspection Sales Materials Other: Does the firm maintain evidence of the above methods used to verify the service provider s information (i.e. copies of documents reviewed; notes from personal interviews and onsite inspections; printouts from public disclosure sites etc.)? Yes No If yes, please identify where this evidence is maintained: 2. Please list any other Firms that use this service (if contacted personally, identify the name of the contact and the result of the contact): 3. Please describe the background and experience of individuals who will be performing the services: 4. Based on your review of the information, has the service provider and/or its principals been subject to any regulatory, criminal or civil disciplinary issues? Yes No If yes, please describe: Outsourcing Due Diligence Form 2

3 5. Based on your review of the information, please describe the service provider s ability and capacity to perform the outsourced activities effectively, reliably, and to a high standard (include in your description relevant technical, financial, human resources, and/or other assets of the service provider): 6. Does the service provider have a business continuity plan? Yes No If yes, review a copy of the plan and comment on its adequacy: 7. Is privacy and protection of non-public information a factor in outsourcing? Yes No If yes, comment on the adequacy of the service provider s for safeguarding non-public information: 8. After reviewing the information, are there any questionable issues or potential conflicts of interest? Yes No If yes, please describe: CONTRACTS AND AGREEMENTS 1. Has (or will) the Firm entered into a written agreement with the service provider? Yes No If yes, please identify the relevant provisions and disclosures in the contract (choose all that apply). Provides for Firm and regulator access to records Firm and client confidentiality Limitations on service provider s ability to sub-contract Payment arrangements Defines responsibilities of all parties subject to contract Provide quality services measures Defines how responsibilities will be monitored Guarantees and indemnities Liability for unsatisfactory performance or other breach Information security provisions Requirement to maintain a disaster recovery plan Disclosure of breaches in security Time Commitment (Termination Date): Other relevant provision(s): 2. Was the written agreement reviewed by the Firm s legal counsel? Yes No N/A If yes, name of legal counsel: Date of Review: 3. Was the written agreement reviewed by the principal responsible for outsourcing functions? Yes No If yes, name of principal: Date of Review: Outsourcing Due Diligence Form 3

4 OVERSIGHT AND PERIODIC REVIEW 1. Who is responsible for the periodic oversight and review of the outsourced service? 2. Please identify the individual(s) who will monitor the outsourced service? 3. Please identify the tools that will be used to monitor the outsourced service: Service delivery reports prepared internally Service delivery reports supplied by the service provider Publicly available resources Performance levels established in written agreement Internal auditor Onsite inspection External auditor Attestations by service provider Other 4. Frequency of monitoring: Daily Weekly Monthly Quarterly Annually Other 5. If deficiencies are found, are there procedures in place to respond to such deficiencies (i.e. communicate with the service provider; terminate the contract)? Yes No DOCUMENTATION REVIEW AND APPROVAL 1. Individual(s) responsible for completing this due diligence review: a. b. c. Supervising Principal: I have reviewed the information contained in this Outsourcing Due Diligence Form and: The Firm has elected to use the service provider above. The Firm will not use the service provider above. Supervisor Signature Date Printed Name of Supervisor Outsourcing Due Diligence Form 4

5 Contact Information Initial Vendor Due Diligence & Checklist This questionnaire and checklist is intended to assist advisers in conducting due diligence when selecting a new service provider/vendor. Vendor should also complete the Initial Due Diligence Questionnaire, which requests information regarding data protection, insurance and references. Vendor Name: Phone: Contact Person: Description of services/products proposed: Company Information 1. Where is the vendor headquarters located? 2. Where are its local offices? 3. How many employees does the vendor have? 4. How long has the vendor been in business? 5. If the vendor is not independent, who owns the vendor's company? 6. Who are the vendor s typical clients? 7. How many clients does the vendor currently serve? 8. Who does the vendor consider to be its competitors? 9. How does the product/service stack up against the competition (list strengths and weaknesses)? 10. Other: Service/Product Offering 1. What is the name of the product/service? 2. How would you describe the product/service? 3. Are any enhancements for the product/service already in planning stages? 4. Describe initial and ongoing training, including any additional costs involved: 5. Who will be the main contact for questions/concerns? 2010 Advisor Solutions Group, Inc. Page 1 of 2 Revised July 2011

6 6. What is the background and experience of individuals who will be providing the product/ performing the service? References (refer to Initial Due Diligence Questionnaire) Company Name: Phone: Name & Title: Company Name: Phone: Name & Title: Is the service provider known to the Adviser or any employee(s) of the Adviser? Yes No If yes, describe any prior experience each person had with the service provider: Conduct Internet searches to determine whether adverse events, rumors, or other questionable items pertaining to the vendor are circulating. If such events are discovered, research as applicable. Contracts & Agreements Consider the following provisions and disclosures when reviewing a vendor s service contract/agreement: Ownership and access to records and data Defines responsibilities of all parities subject to contract Liability for unsatisfactory performance or other breach Time commitment (Termination Date) Payment structure Guarantees and indemnities Provisions for breaches in security of non-public information Provisions on service provider ability to sub-contract Defines how responsibilities will be monitored Confidentiality disclosure Defines specifics of deliverable and scope of service Information security provisions to safeguard nonpublic information Requirement to maintain a disaster recovery plan or business continuity plan Other relevant provisions/disclosures: Document Checklist Initial Due Diligence Questionnaire Proposal or Vendor Agreement SAS 70 / Internal Controls Report Disaster Recovery Plan Privacy / Security Policy Proof of Liability of Insurance Financial Records Other: General Review Completed by: Print Name Title Date 2010 Advisor Solutions Group, Inc. Page 2 of 2 Revised July 2011

7 Ongoing Vendor Due Diligence Evaluation This evaluation is intended to assist advisers with the ongoing oversight and review of outsourced services. This internal evaluation should be conducted by individual(s) at the firm who use or rely most on the services / products provided and reviewed by compliance, as needed. Vendor Name: Contact Person: Phone/ Description of services/products provided: Vendor Contact Information Vendor Checklist Use the following table to rate the firm s satisfaction with each item listed. List each score in the righthand column and calculate total score below. List relevant comments/observations below each item and discuss with vendor, as necessary. 1. Request and Review Vendor Due Diligence Questionnaire: ensure responses and documentation provided is appropriate and complete. SCORE 4 = Very Satisfied 3 = Satisfied 2 = Dissatisfied 1 = Very Dissatisfied 2. Service Agreement: ensure that the vendor is adhering to all terms of the written agreement and performing services under such agreement. 3. Competitiveness of Terms and Conditions: review service agreement and ensure all services/products outlined in the agreement are actually necessary and being used by the firm. 4. Competitiveness of Price: compare the price of services/product rendered to the current services preformed/products provided. Consider if obtaining price comparisons is necessary. This could be done by calling other vendors and/or searching the Internet to compare prices. 5. Expertise & Responsiveness of Sales/Technical Support Staff: consider interaction with vendor and their ability to respond to requests. 6. Ability to Meet Deadlines/Deliver Product or Service on Time: consider vendors ability to deliver product/service when promised. 7. Data Protection/Security Breaches: consider the manner in which client information is handled and protected. Review current safeguards and determine if they are effective Advisor Solutions Group, Inc. Page 1 of 2 Revised October 1, 2010

8 Vendor Checklist Use the following table to rate the firm s satisfaction with each item listed. List each score in the righthand column and calculate total score below. List relevant comments/observations below each item and discuss with vendor, as necessary. 8. Financial Stability: consider the vendor s 1) business model 2) # of clients compared to # of staff 3) staff turnover, as significant changes in these areas could be indicators of an unstable vendor. SCORE 4 = Very Satisfied 3 = Satisfied 2 = Dissatisfied 1 = Very Dissatisfied 9. Reputation of Company: conduct Internet searches such as a Google search to determine what rumors might be circulating regarding the vendor. If something turns up, research the finding. Ask other professionals in the industry about their knowledge or experience with vendor. Analysis: Total Score: Vendor performance meets or exceeds firm expectations; no further action necessary Vendor performance needs improvement; discuss areas of weakness with vendor Substantial improvement necessary; consult with vendor and/or replace or below Contracts & Agreements It is a best practice to periodically review a vendor s service contract/agreement to ensure all necessary provisions are addressed and relevant. Consider the following provisions and disclosures when reviewing a vendor s service contract/agreement: Ownership and access to records and data Defines responsibilities of all parities subject to contract Liability for unsatisfactory performance or other breach Time commitment (Termination Date) Payment arrangements Guarantees and indemnities Provisions for breaches in security of non-public information Provisions on service provider ability to sub-contract Defines how responsibilities will be monitored Confidentiality disclosure Defines specifics of deliverable and scope of service Information security provisions to safeguard non-public information Requirement to maintain a disaster recovery plan or business continuity plan Other relevant provisions/disclosures: Document Checklist Ongoing Due Diligence Questionnaire SAS 70 / Internal Controls Report Disaster Recovery Plan Privacy / Security Policy Proof of Liability of Insurance Financial Records Other: General Review Completed by: Print Name Title Date 2010 Advisor Solutions Group, Inc. Page 2 of 2 Revised October 1, 2010

9 Real Processes for Vendor Selection and Management Vendor Selection Seek out vendors offering compliance solutions. Poll other firms Materials from Meetings Attended Review Trade Group Web Sites Evaluate whether the product or service provides a comprehensive compliance solution. Identify regulatory requirements Identify business needs Identify technical requirements Create a business case How will product/service be delivered or supported? On-Site Delivery Web-based & Attachments Ask about technological infrastructure and get your IT department or resources involved. Programming language Version Releases How does the vendor support upgrades? (Include in Contract) Is product/service compatible with your current office systems? Take it for a test drive! Load your data into test environment or request it be incorporated in sales demo. o (Be sure to have a confidentiality agreement signed first!) Get familiar with functionality and assess the impact on your current workflows. Create test scenarios to address gaps in your current processes. Obtain an understanding of people, service teams, legal and organizational structure of vendor. How long has the vendor been in business? Office locations Outsourcing partners Open positions, recent new hires and departures Client base (i.e. how many, type, oldest and newest clients?)

10 Business Continuity Where is the vendor s recovery site? Does the plan rely primarily on remote access? How often is the plan tested? o Request results from most recent test. If not provided ask vendor to describe whether or not there were any issues and how they were resolved. Has BCP been activated in the last 12 months? Describe the event, duration and whether client s experienced any disruptions with product/service. Obtain references and speak with clients and users. Implementation Enlist an executive sponsor or endorsement from senior management. Create an implementation team get the right people involved and time commitment. Communicate goals, objectives and expectations. Establish weekly team meetings. Ask team members to provide status reports. Appoint a Project Manger to act as a liaison between vendor and implementation team. Create a Project Plan with key milestones and target dates. Document work flows and sources of data. Build in time for adequate testing. If possible, run new system in parallel with legacy system. Track implementation issues and make certain they are adequately resolved before go-live. If system is a critical business application, update your firm s business continuity plan. Update policies and procedures, marketing materials and client disclosures as necessary. Provide training to employees and compliance users. Involve Employees in development of procedures and forms usage Communicate release and benefits of new system. Relationship Management Post implementation approximately 3 to 6 months after go-live. Report issues to project team. Track issues and work with vendor to resolve to your satisfaction. Escalate issues of high risk to risk management team.

11 Weekly/Monthly meetings with vendor as needed. Conduct a due diligence visit with vendor. Meet at the vendor s office and visit with support teams and people who worked on your implementation. Prepare an agenda for the meeting -tell the vendor what you want to discuss and see. Maintain documentation of due diligence review. Request vendor s Code of Ethics, Business Continuity Plan, SSAE 16, Privacy Policy. Prepare a written report with your observations and recommendations. Participate in User conferences. Seek out users who have similar business needs and face similar challenges. Make recommendations for enhancements. Continually assess whether your business needs are met with your current compliance solution. Conduct Mock Audit to test effectiveness Are controls effective? Are there any known critical weaknesses? Is the vendor responsive? Follow developments related to vendor and competitors.