Supplier Due Diligence Checklist (2026 Template)

By Visualping Editorial Team

Updated April 21, 2026

Supplier due diligence is broader than vendor due diligence. Where vendor DD leans technology-heavy (security questionnaires, SOC 2, pen tests, DPAs), supplier DD covers the physical supply chain as well: manufacturers, logistics providers, raw material sources, contract manufacturers, and the fourth-party suppliers behind each of those. Procurement teams run it. Compliance, legal, and finance sit alongside.

This is the checklist most mid-market and enterprise procurement teams build, laid out category by category. It covers know-your-supplier (KYS) basics, supply chain risk, financial stability, sanctions and compliance exposure, and the continuous monitoring piece that keeps the file from going stale between annual reviews. A procurement audience reading this already knows the terms (KYS, OFAC, UFLPA, CSDDD), so definitions are kept light.

Supplier due diligence checklist structured as five category cards: KYS basics, supply chain risk, financial stability, compliance exposure, and continuous monitoring

Supplier vs vendor: the terminology split

The two terms overlap heavily and many programs use them interchangeably. Precision matters when writing a checklist.

"Vendor" is used most often in technology and services contexts: SaaS platforms, outsourced IT, managed service providers, professional services firms. The diligence set is dominated by security, privacy, and contract terms. The vendor due diligence checklist sibling covers that set in depth.

"Supplier" is used most often in physical goods, procurement, and industrial contexts: component manufacturers, contract manufacturers, logistics and freight, raw materials, packaging, chemicals, subassembly. The diligence set adds supply chain visibility, financial stability, human rights and modern slavery compliance, environmental and social governance exposure, and sanctions screening across multiple tiers.

Pharmaceuticals, defense, food, and apparel treat supplier diligence as the primary discipline and vendor diligence as a subset. Pure SaaS, most fintech, and consumer internet do the reverse. The checklist below assumes a procurement-led supplier program and notes where it borrows from vendor diligence.

The KYS (Know Your Supplier) checklist

Know-Your-Supplier is the procurement analogue of Know-Your-Customer. It produces a verified identity record for every supplier and establishes beneficial ownership, sanctions posture, and sector-specific legal identity. Without a current KYS record, every downstream check is working on unverified inputs.

1. Legal entity verification. Registered name, trading name(s), country of incorporation, registration number, registered address, legal form, and date of formation. Verified against the official business registry (Companies House, SEC EDGAR, equivalents) rather than the supplier's own website.

2. Beneficial ownership. Ultimate beneficial owners (UBOs) holding 25 percent or more, the ownership chain, and any politically exposed persons (PEPs) in the control structure. Required under AMLD6 in the EU, BSA and the Corporate Transparency Act in the US, and similar frameworks elsewhere. Sources: D&B Beneficial Ownership, LexisNexis Bridger, Sayari, Moody's Orbis.

3. Sanctions and watchlist screening. OFAC SDN, EU Consolidated Financial Sanctions, UK HMT, UN Consolidated Sanctions, and sector-specific lists (BIS Entity List for US export controls, DoD 1260H List, Treasury's NS-CMIC List). Screening runs against the supplier entity, its UBOs, directors, and officers. Matched names require adjudication.

4. Adverse media and reputational screening. Negative news matching, litigation history, enforcement actions, and regulatory fines. Time-bound to five years and severity-weighted. Sources: LexisNexis, Refinitiv World-Check, Dow Jones Risk & Compliance.

5. Sector-specific licensing and registration. Industry licenses (FDA registration, EPA permits, ISO certifications, export control licenses, customs broker licenses, trade memberships). Verified against issuing authority databases, not supplier-provided copies.

6. Insurance and financial responsibility. Current certificate of insurance with required coverage lines (general liability, professional liability, product liability, cyber, workers compensation), named-insured status, and carrier ratings. Expiration dates tracked in the supplier record.

7. Tax and payment compliance. W-9 or W-8BEN-E for US tax classification, VAT/GST registration, and any tax treaty documentation. Payment banking details (and any later change to them) verified through a second, independent channel rather than the email that supplied them, to prevent business email compromise and payment diversion.

Each line produces a documented artifact: a copy of the registry record, the screening report, the license certificate. The artifacts live in the supplier master, not in the analyst's inbox. The TPRM policy template covers how these artifacts get named in the policy's process section.

Supply chain risk considerations

Supply chain risk is what separates supplier diligence from vendor diligence. The questions procurement asks are different because the failure modes are different.

Geographic concentration. Where the supplier produces, where the supplier sources raw inputs, and where the supplier's logistics network has single points of failure. A supplier with three factories all in one earthquake zone, one strike-prone port, or one sanctioned region carries concentration risk independent of its own financial strength.

Tier-N visibility. Critical suppliers should be able to name their own critical suppliers (tier-2) and the tier beyond (tier-3). Most cannot. The absence of tier-N visibility is the single most common finding in supply chain risk assessments. When the 2020-2023 semiconductor shortage cascaded through automotive, appliance, and electronics manufacturers, most of them learned their tier-2 and tier-3 exposure for the first time in the middle of the crisis.

Logistics and port dependency. Which ports and which carriers the supplier routes through. Single-lane dependency (one port, one trucking firm, one freight forwarder) is a failure mode that does not appear on any questionnaire unless specifically asked.

Raw material sourcing. For suppliers with commodity inputs, the sourcing origin and the availability of substitutes. Cobalt, lithium, rare earths, high-grade steel, and certain polymers have chronic sourcing-origin concentration. Conflict minerals compliance (tin, tungsten, tantalum, gold under Section 1502 of Dodd-Frank and the EU Conflict Minerals Regulation) applies to any supplier whose inputs include these materials.

Climate and ESG exposure. Physical climate risk to supplier facilities (flooding, wildfire, extreme heat affecting worker safety), Scope 3 emissions reporting, and material ESG findings. The EU Corporate Sustainability Due Diligence Directive (CSDDD), which entered into force in 2024, extends this from a reporting exercise to a legal duty of care for large buyers operating in the EU.

Supply chain visibility pyramid: tier 1 direct suppliers around 95 percent visible, tier 2 sub-suppliers around 40 percent, tier 3 raw materials around 10 percent

Financial stability checks

A supplier that goes bankrupt mid-contract is more disruptive than a supplier that performs poorly. Financial stability checks catch distress before it becomes failure.

Credit and financial scoring. D&B PAYDEX (payment history), D&B Failure Score and Delinquency Score, Moody's ratings for rated suppliers, Altares for European suppliers, Experian Commercial, and Equifax Business. Trend direction matters more than absolute value. A supplier whose Delinquency Score has deteriorated two bands in six quarters is a stronger distress signal than one with a middling but stable score.

Filed financials. For private suppliers in jurisdictions that require public filing (UK, most EU member states), the most recent filed accounts. Revenue trend, gross margin trend, current ratio, and debt-to-equity. For US private suppliers, filings are not required; request audited or reviewed financials for any Tier-1 designation.

Working capital signals. Days sales outstanding, days payable outstanding, inventory turnover. Rising DSO or falling inventory turnover on an otherwise healthy income statement precedes liquidity strain. Supplier performance managers see this in late payments, shipment delays, or requests for expedited payment terms before credit bureaus register it.

Ownership and capital structure. Private equity ownership, debt-financed recapitalizations, and debt covenants that would be tripped by a significant contract loss. A PE-owned supplier operating near its covenant thresholds can be pushed into restructuring faster than the customer expects after the loss of a single major contract.

Insurance recoverability. If the supplier fails, which of your own insurance lines respond. Trade credit insurance, business interruption cover, and contingent business interruption for supply chain disruption. Confirm limits and deductibles before the distress event, not after.

Sanctions, trade, and compliance exposure

This category has grown the fastest over the past five years. A sanctions-screening check has expanded into a suite of distinct regulatory obligations.

Sanctions program compliance. Beyond the initial KYS screening, ongoing monitoring against updated sanctions lists. OFAC updates the SDN list roughly weekly; EU and UK lists update less frequently but with more jurisdictional complexity. Suppliers with any operations in sanctioned jurisdictions, or with ownership chains touching sanctioned parties, require enhanced diligence and senior legal approval.

Export controls. US EAR and ITAR, EU dual-use regulations, and country-specific export licensing. Suppliers handling controlled technology, dual-use goods, or defense articles need licensed status verified at each renewal. BIS Entity List and Unverified List additions create immediate exposure that must be caught before the next shipment.

Forced labor and human rights. The Uyghur Forced Labor Prevention Act (UFLPA) in the US creates a rebuttable presumption that goods made in whole or in part in Xinjiang are made with forced labor. Importers must document the supply chain back to primary raw materials. The UK Modern Slavery Act, Australia's Modern Slavery Act, Germany's LkSG, and now the EU CSDDD impose similar due diligence duties on large buyers. Documentation should include supply chain maps, supplier attestations, third-party audit reports, and worker-voice survey data where available.

Anti-bribery and corruption. FCPA in the US, UK Bribery Act, and equivalents. Suppliers in high-risk corruption jurisdictions require enhanced diligence on intermediaries, sales agents, and any government-related touchpoints. Transparency International's Corruption Perceptions Index is the baseline benchmark for jurisdiction risk.

Data protection and cross-border transfer. For suppliers handling any personal data, the Data Processing Agreement, standard contractual clauses, and transfer impact assessment. GDPR, UK GDPR, Swiss FADP, and the growing patchwork of US state privacy laws. Privacy regulation changes faster than annual review cycles. Programs need a mechanism to catch updates as they happen. The regulatory compliance monitoring walkthrough covers how teams build that mechanism.

Continuous supplier monitoring

The annual questionnaire is a snapshot. By the time the next one goes out, the supplier may have changed beneficial owners, added a sub-supplier in a sanctioned jurisdiction, let a certification lapse, had an enforcement action filed, or entered financial distress. Continuous monitoring closes that gap.

Five monitoring surfaces matter most for a supplier:

Sanctions and watchlist deltas. Automated re-screening against updated sanctions and watchlists. Frequency: weekly at minimum for Tier-1 suppliers, monthly for Tier-2.

Beneficial ownership changes. New owners, new directors, new corporate parents. Detected through registry monitoring or commercial tools (D&B, Sayari, Moody's Orbis alerts). Frequency: monthly, with event-driven alerts from the provider.

Adverse media and enforcement. News monitoring for supplier-named enforcement actions, lawsuits, safety incidents, recalls, protest actions, and regulatory sanctions. Severity-graded and deduplicated before landing in the alert queue. Frequency: daily for Tier-1.

Financial distress signals. Credit score changes, late payment reports, late filing of accounts, auditor changes. Commercial data providers send event-driven alerts on covered suppliers. The continuous vendor monitoring spoke covers the broader signal architecture TPRM teams build; the supplier-specific version adds financial signals to the mix.

Documentation surface. The pages the supplier publishes about itself: sustainability reports, sub-processor or sub-supplier disclosures, policy pages, code of conduct, insurance certificates, certifications. These pages change without notice. For the upstream version of this question in IT vendor contexts, see the what-is-a-sub-processor explainer.


For new regulatory pipeline items (proposed rules, consultation papers, pending legislation that will change what your supplier diligence must cover), the horizon-scanning regulatory intelligence piece covers the discovery stack most compliance teams use.

Supplier monitoring signal dashboard showing sanctions, ownership, adverse media, financial, and documentation signal categories with 30-day alert counts

Using the checklist

The checklist above is designed to be scaled by tier. A tier-1 strategic supplier handling regulated data or single-sourced critical components goes through every line. A tier-4 commodity supplier with interchangeable substitutes goes through KYS, sanctions screening, and baseline financial check only. The vendor risk assessment spoke walks through the tiering logic most programs end up with.

Three practical rules separate useful programs from compliance theatre.

Artifacts, not attestations. Every checklist line requires evidence, not the supplier's assurance that they are compliant. A registry copy, a screening report, a current certificate. Attestations are valid for reference; they are not valid as evidence of compliance.

Same evidence set, different depth. Use the same categories across tiers and adjust depth rather than invent new checklists. This keeps the supplier master schema clean and keeps the analyst workflow learnable.

Refresh cadence beats refresh perfection. A tier-1 supplier whose KYS was checked six months ago and is scheduled for quarterly review is in better shape than one whose KYS was checked fifteen months ago and is perfect. Cadence matters more than comprehensiveness for the review cycle.

For the program-level view of how supplier diligence fits into the broader TPRM lifecycle, frameworks, and operating model, the complete TPRM guide is the anchor this checklist supports.

Frequently asked questions

How do you do due diligence on a supplier?

At a minimum: verify legal identity and beneficial ownership against the official registry; screen the entity and its UBOs against sanctions, watchlist, and adverse media sources; collect and verify sector-specific licensing and insurance; check financial stability through a commercial data provider (D&B, Altares, Moody's, or regional equivalent); and document the supply chain exposure (geographic, tier-N, raw materials). For any supplier handling regulated data or critical components, add a full questionnaire covering security, privacy, and operational resilience, plus continuous monitoring post-contract. The checklist above walks through each category.

What are the four P's of due diligence?

The four P's commonly cited in supplier due diligence are: People (ownership, directors, key management, politically exposed persons), Products (what they make or provide, sourcing origin, substitution availability), Process (manufacturing, quality systems, controls, certifications), and Protection (insurance, indemnification, legal and regulatory exposure). Some sources substitute Performance or Place for one of these. Use it as a prompt list, not a scoring framework.

What are the five key supplier evaluation criteria?

The most commonly used set: Quality (defect rates, consistency, fitness for purpose), Cost (unit cost, total landed cost, payment terms), Delivery (on-time performance, lead time stability, responsiveness), Service (technical support, communication, issue resolution), and Risk (financial stability, compliance, concentration, geopolitical exposure). Some industries add Sustainability or Innovation as a sixth criterion.

What is the difference between VDD and VA?

Vendor Due Diligence (VDD) is the full assessment process performed on a prospective or existing vendor, typically at intake and on a tier-driven cadence afterward. Vendor Assessment (VA) is a broader term that can refer to VDD, performance assessment, or any structured review. In practice, the two terms are used interchangeably in most TPRM and procurement literature. Where precision matters (regulatory filings, audit documentation), VDD refers specifically to the pre-contract and periodic assessment; VA often refers to ongoing performance evaluation.

How often should supplier due diligence be refreshed?

The baseline for tier-1 strategic suppliers is annual full refresh with continuous monitoring between cycles. Tier-2 suppliers typically go on a biennial full-refresh cadence with monthly monitoring. Tier-3 and tier-4 suppliers often run on a triennial cadence with event-triggered review. Event triggers include: a material change in ownership or control, a sanctions-list addition, a material adverse media finding, a significant financial distress signal, loss or lapse of a required license or certification, or a customer-initiated change in tier driven by increased criticality.

Is supplier due diligence the same as KYS?

No. KYS (Know Your Supplier) is a subset of supplier due diligence. KYS covers legal identity verification, beneficial ownership, sanctions screening, and baseline compliance documentation. Full supplier due diligence adds supply chain risk analysis, financial stability checks, operational and quality assessment, and sector-specific compliance (UFLPA, CSDDD, export controls, conflict minerals). Think of KYS as the foundation layer and full supplier DD as the complete building.


Visualping Editorial Team

The Visualping Editorial Team covers third-party risk management, procurement, and the monitoring systems that keep supplier and vendor programs current.