A corporate due diligence checklist is only useful if it helps you make a decision. You need questions you can actually ask, evidence you can request, and a clear rule for when to move from standard checks to enhanced due diligence.

This guide gives you a copy-ready checklist you can use for vendors, partners, distributors, and acquisition targets. It is built in modules, so you can keep it lean for lower-risk relationships and add depth when risk increases.

How to use this checklist in two minutes

Most teams fail due diligence in one of two ways. They ask too few questions and miss a real risk signal. Or they ask too many and still do not know what to do with the answers.

Use this simple method instead.

  1. Start with the Core questions
    These apply to almost every counterparty.

  2. Add only the Modules that match your situation
    Use geography, contract size, criticality, and exposure to choose modules.

  3. Collect evidence, not just statements
    Answers matter, but documents and verifiable proof matter more.

  4. Flag red flags and resolve them
    Do not ignore issues. Document what you found, what you asked, and what changed.

  5. Escalate when triggers appear
    If you hit key risk triggers, move to enhanced due diligence instead of forcing a yes or no decision with weak information.

This turns a third party due diligence questionnaire into a decision tool, not a paperwork exercise.

Corporate due diligence checklist core questions

Use this core set of the corporate due diligence checklist first. It covers the basics that prevent most avoidable surprises. Keep your questions direct, and ask for proof when anything is unclear.

Core module 1 Identity and legitimacy

These questions confirm you are dealing with the right legal entity. They also surface mismatches early, which is often the first warning sign.

  1. What is the full legal entity name, registration number, and jurisdiction of incorporation
  2. Which legal entity will sign the contract and issue invoices
  3. Where do you operate, and which locations are involved in delivery
  4. Who are the directors and key executives responsible for this relationship
  5. Are you using any trading names, affiliates, or related entities in delivery or billing

If any of the basics change mid process, treat that as a signal to slow down and verify.

Core module 2 Ownership and control

This is where beneficial ownership due diligence questions belong. You are trying to understand who ultimately owns or controls the counterparty, and whether the structure is simple enough to trust.

  1. Who are the ultimate beneficial owners, and what percentage does each own or control
  2. Do any owners or controllers sit behind trusts, nominees, or layered holding companies, and why
  3. Has ownership changed in the last 12 to 24 months, and what changed
  4. Who has signing authority and operational control for the relationship
  5. Are any owners or key controllers politically exposed persons, or closely connected to government roles

You do not need a long debate about definitions. You need clarity on control.

Core module 3 Capability and delivery risk

These vendor due diligence questions protect you from performance failures. They also reveal whether the counterparty relies on hidden subcontracting or fragile dependencies.

  1. What exactly will you deliver, and which team or site is responsible
  2. What are your key dependencies, including subcontractors and external providers
  3. What happens if your main delivery team is unavailable
  4. What is your business continuity plan for outages or major disruptions
  5. Can you provide two to three relevant client references for similar work

If the counterparty cannot explain delivery in a simple way, assume there is operational risk.

Core module 4 Compliance posture and controls

This section works as a third party due diligence questionnaire baseline. It helps you understand whether controls exist, and whether the counterparty will agree to reasonable contract protections.

  1. Do you have written policies covering anti bribery, sanctions compliance, and conflicts of interest
  2. Who owns compliance internally, and what training is required for relevant staff
  3. How do you approve and monitor your own third parties when you subcontract
  4. Will you agree to audit rights, compliance attestations, and termination for cause
  5. Have you had internal investigations related to misconduct, and what changed after

If they refuse reasonable controls, treat that as a risk signal, not a negotiation style.

Optional risk screening modules

Use these modules when the relationship creates extra exposure. You do not need to use every module every time. You do need to use the right ones for the risk you are taking.

Module A Sanctions, debarment, restricted party exposure

Use when the relationship is cross border, regulated, public sector adjacent, or tied to sensitive products or jurisdictions.

  1. Have you, your owners, or key executives ever been sanctioned, debarred, or restricted by any authority
  2. Do you screen customers and partners against sanctions and restricted party lists, and how often
  3. Have you been denied banking services, had accounts closed, or faced payment restrictions, and why
  4. Are any deliveries, services, or payments routed through higher risk jurisdictions, and which ones
  5. Have you changed company names or operating entities in the last few years, and why

Module B Adverse media and reputational exposure

Use when the partnership is brand sensitive, high visibility, or involves agents, distributors, or intermediaries.

  1. Have you faced credible allegations related to fraud, corruption, labor abuses, or serious misconduct
  2. What was investigated, what was the outcome, and what changed afterwards
  3. Are there recurring customer complaints that indicate systemic failure or safety issues
  4. Are any key principals linked to past controversies through other companies
  5. What steps do you take to prevent repeat incidents, and how do you prove it

Module C Legal, litigation, regulatory, enforcement history

Use when the contract is long term, high value, or in a sector with strict regulators.

  1. Are you currently involved in material litigation, arbitration, or regulatory investigations
  2. Have you had enforcement actions, license issues, or repeated compliance breaches in the last five years
  3. What are the top legal risks you see in this relationship
  4. What insurance coverage do you maintain, based on your industry and delivery scope
  5. Have you terminated relationships for compliance reasons, and why

Module D Financial stability and resilience

Use when the supplier is critical, the contract is large, or switching would be painful.

  1. Can you share recent financial statements, and explain any major changes in revenue, debt, or cash flow
  2. What percentage of revenue depends on your top customers, and what happens if one leaves
  3. Have you had late payments to suppliers, payroll issues, restructuring, or going concern warnings
  4. What is your plan if costs rise or the contract expands
  5. Who finances delivery, and do you rely on one bank or one funding source

Module E Data security and privacy

Use only if they touch personal data, payment data, health data, or confidential IP.

  1. What data will you access, store, or process, and where is it hosted
  2. Who has access to the data, and how is access controlled
  3. Have you had a security incident, and what remediation occurred
  4. Do you have recognized security controls or third party reports such as SOC 2 or ISO 27001
  5. What is your breach notification process, and what timelines do you commit to

Module F ESG and supply chain impact

Use when your buyer policy requires it, when regulation applies, or when your industry is under scrutiny.

  1. Do you have a process to identify and reduce human rights, labor, or environmental risks in your supply chain
  2. Which parts of delivery rely on subcontractors in higher risk regions, and how do you oversee them
  3. Have you faced ESG related controversies, and what changed afterwards
  4. What proof can you provide that controls are active, not just written
  5. Who owns ESG accountability internally

What to request as evidence, not just answers

A checklist becomes real diligence when you ask for proof. You do not need a massive file dump. You need the right documents that confirm identity, ownership, and controls.

Request evidence that matches the modules you used.

  • Corporate registration documents and proof of good standing where applicable
  • Organization chart and a simple ownership declaration for beneficial owners
  • List of directors, key executives, and relationship owners
  • Compliance policy pack and proof of training completion for relevant staff
  • Summary of screening method used for sanctions and restricted party checks
  • Litigation summary and insurance coverage summary
  • Financial statements when financial resilience matters
  • Security reports or attestations when data access is involved
  • Any internal investigation summary that is relevant to the relationship

When to escalate to enhanced due diligence

Standard checks are often enough for low risk, low exposure relationships. Enhanced due diligence is for situations where the impact of being wrong is high, and verification is harder.

Escalate when you hit any of these triggers.

  • Unclear or changing beneficial ownership, or layered structures with weak explanations
  • Cross border exposure in higher risk regions or sensitive sectors
  • Adverse media allegations that repeat across credible sources
  • Any potential sanctions, debarment, or restricted party exposure
  • Refusal to provide basic evidence, or inconsistent responses
  • Critical supplier status, high contract value, or long duration contracts
  • Use of agents, introducers, or intermediaries who represent you

If you want an independent report aligned with your risk tolerance and timelines, contact us for a structured corporate due diligence review.

Common Questions About Vendor and Counterparty Due Diligence

What is a corporate due diligence checklist

A set of questions and evidence requests to verify a counterparty before you sign.

What is the difference between corporate due diligence and third party due diligence

Corporate due diligence is broader. Third party due diligence is the same idea, focused on vendors and partners.

What triggers enhanced due diligence

Unclear ownership, higher risk countries, credible adverse media, sanctions concerns, or refusal to provide evidence.

How often should you refresh due diligence on existing counterparties

When risk changes, such as ownership changes, new negative signals, or expanded scope.

What if the counterparty refuses to answer due diligence questions

Escalate, add contract controls, or walk away if you cannot verify basics.