This vendor onboarding checklist is available as a free Excel download at ProcurementVMS.com — with Tier 1, 2, and 3 versions, status tracking, owner assignment, and target completion dates.
How to Use This Checklist
Assign each item a status (Not Started / In Progress / Complete / N/A) and an owner. Items cannot be marked complete without the required evidence or action documented. Use the tiered summary to identify which phases and items apply to your vendor's tier — do not apply the full 50-item process to a low-risk Tier 3 vendor.
Phase 1: Pre-Approval Screening (8 Items — All Tiers)
- ✓ Business need confirmed — documented requirement from requesting department; budget approved
- ✓ Preferred/existing vendor check — confirm no existing approved vendor can meet the need before adding a new vendor
- ✓ Legal entity name verified — exact match to IRS records; state of incorporation confirmed
- ✓ OFAC SDN screening completed — vendor name and principals screened; no match confirmed
- ✓ SAM.gov debarment screening — government-connected organisations only
- ✓ OIG exclusion screening — healthcare organisations; all vendors submitting claims to federal programmes
- ✓ Adverse media screening — Google/news search for material issues; Tier 1 via formal adverse media tool
- ✓ Conflict of interest disclosure — requesting employee confirms no personal interest in this vendor
Phase 2: Document Collection (10 Items)
- ✓ W-9 or W-8BEN-E collected and verified — TIN matching via IRS e-services for US vendors
- ✓ Certificate of Insurance — General Liability — organisation listed as additional insured; meeting minimum limits
- ✓ Certificate of Insurance — Professional Liability / E&O — for professional services and technology vendors
- ✓ Certificate of Insurance — Workers' Compensation — for vendors providing on-site personnel
- ✓ Certificate of Insurance — Cyber Liability — for Tier 1 technology and data-access vendors
- ✓ NDA executed — mutual NDA signed by authorised signatory before sharing confidential information
- ✓ Supplier Code of Conduct signed — vendor acknowledges your ethical and compliance standards
- ✓ Bank account / ACH form collected — direct from vendor (not by email redirect); account details verified
- ✓ Licences and certifications confirmed — applicable professional, state, or industry licences on file
- ✓ HIPAA BAA executed (if applicable) — healthcare organisations only; required before any PHI access
Phase 3: Risk Assessment (8 Items — Tier 1 & 2 Only)
- ✓ Risk questionnaire sent and completed — tier-appropriate questionnaire via vendor portal
- ✓ Risk questionnaire scored — composite risk score calculated; threshold review if elevated
- ✓ D&B financial health score obtained — Tier 1: review for credit risk and stability
- ✓ Cyber risk score obtained (Tier 1 tech vendors) — BitSight or SecurityScorecard pulled
- ✓ SOC 2 Type II report reviewed (Tier 1 tech vendors) — within 18 months; issues noted and assessed
- ✓ Risk assessment reviewed and approved — documented approval by procurement and compliance
- ✓ Risk treatment decisions documented — any elevated risks have owner-assigned treatment plan
- ✓ Vendor tier confirmed — Tier 1/2/3 classification confirmed for monitoring frequency
Phase 4: Contract Execution (7 Items)
- ✓ Contract type determined — MSA + SOW, standalone services agreement, or purchase order terms
- ✓ Contract template selected or customised — use pre-approved template; legal review if modifications required
- ✓ Key terms confirmed — payment terms, SLAs, data rights, IP ownership, termination provisions
- ✓ Contract routed for internal approval — financial and legal approvals per authority matrix
- ✓ Contract executed via e-signature — both parties signed; executed copy in VMP contract repository
- ✓ Contract metadata captured in VMP — start date, end date, renewal date, auto-renew provisions, key dates
- ✓ Renewal alert configured — 90-day and 60-day renewal alert set in VMP
Phase 5: System Setup (10 Items)
- ✓ Vendor master record created in ERP — legal entity name, address, payment terms, tax classification
- ✓ Vendor record created in VMP — linked to ERP vendor ID; all documents attached
- ✓ Vendor tier assigned in VMP — Tier 1/2/3 classification drives monitoring and compliance requirements
- ✓ Payment terms configured in AP — net terms, early payment discount if applicable
- ✓ Bank account verified and entered in ERP — dual verification; fraud prevention controls applied
- ✓ 1099 / tax reporting flag set — US vendors classified for 1099-NEC/MISC reporting as applicable
- ✓ Purchase order template configured — PO terms reference executed MSA/SOW
- ✓ Spend category coding applied — correct GL account and spend category assigned
- ✓ Approval routing configured — PO approval routing matches authority matrix for this vendor
- ✓ Compliance monitoring activated — certificate expiration tracking, sanctions re-screen schedule set
Phase 6: Relationship Launch (7 Items — Tier 1 & 2)
- ✓ Vendor notified of approval — confirmation sent via portal; instructions for PO process and invoice submission
- ✓ Internal team notified — requesting department and AP team informed vendor is active
- ✓ Kickoff meeting scheduled (Tier 1) — structured kickoff with vendor account team; cover SLAs, communication protocols, escalation paths
- ✓ Primary contacts documented — vendor account manager, escalation contact, and invoice contact captured in VMP
- ✓ KPIs and scorecard metrics agreed — Tier 1/2 vendors: agree performance metrics at relationship launch, not after first miss
- ✓ First review date scheduled — 90-day check-in (Tier 1), 6-month review (Tier 2)
- ✓ Onboarding record marked complete — completion date, approving manager, and outstanding items documented