🆕 Free Download
This complete 50-point checklist is available as a downloadable Excel template at ProcurementVMS.com — with built-in scoring, completion tracking, and tiered versions for Tier 1, 2, and 3 vendors.
☰ Contents
How to Use This Checklist
This 50-point checklist is organized into six sequential phases. Assign a single owner for each phase. Track completion status (Not Started / In Progress / Complete / Waived) for each item. Configure your vendor management platform to enforce checklist completion before vendor activation — no item can be skipped without a documented exception.
Phase 1: Pre-Qualification (8 Items)
Complete before sending the vendor onboarding invitation. This phase protects your organization from onboarding duplicate, sanctioned, or conflicted vendors.
- › ✓ Business justification documented — written rationale for new vendor relationship
- › ✓ Vendor master duplicate check — confirm vendor does not already exist under a different name or ID
- › ✓ Risk tier assigned — Tier 1 (critical), Tier 2 (high), Tier 3 (standard) based on spend and risk factors
- › ✓ OFAC / UN / EU sanction screening — run against vendor legal name and principal owners
- › ✓ Secretary of State good standing — verify active business registration in state of incorporation
- › ✓ Conflict of interest check — confirm no relationship between vendor principals and your employees
- › ✓ Procurement owner assigned — named individual responsible for this onboarding through activation
- › ✓ Onboarding invitation sent — portal link, requirements list, 5-day completion expectation
Phase 2: Company & Tax Information (10 Items)
Collected via self-service vendor portal. All items required before proceeding to compliance documentation phase.
- › ✓ Legal entity name (exact) — must match IRS records exactly
- › ✓ EIN / W-9 — for US vendors; W-8BEN or W-8BEN-E for foreign vendors
- › ✓ Registered business address
- › ✓ Remit-to / payment address — confirm if different from registered address
- › ✓ ACH banking information or check preference
- › ✓ Primary business contact — name, title, email, phone
- › ✓ Accounts payable contact — for invoice and payment inquiries
- › ✓ Payment terms — Net 30 standard; negotiate early-pay discount if applicable
- › ✓ DUNS number (D-U-N-S) — required for government contractors; recommended for all
- › ✓ Business license — for regulated industries or licensed professional services
Phase 3: Compliance Documentation (12 Items)
Core compliance documents required for most vendor categories. Additional items apply for technology vendors, healthcare vendors, and financial services vendors.
- › ✓ Code of Conduct signed — vendor acknowledgment of your supplier standards
- › ✓ Anti-Bribery / FCPA acknowledgment
- › ✓ General Liability COI — minimum $1M per occurrence; your org named as additional insured
- › ✓ Professional Liability / E&O COI — for service providers and consultants
- › ✓ Workers' Compensation COI — required if vendor has on-site personnel
- › ✓ NDA executed — bilateral; signed by authorized vendor representative
- › ✓ Data Processing Agreement (DPA) — required for vendors accessing personal data
- › ✓ HIPAA Business Associate Agreement (BAA) — healthcare organizations only
- › ✓ Information Security Questionnaire — for technology and data-access vendors
- › ✓ SOC 2 Type II report — for SaaS, cloud, and data processing vendors (within 18 months)
- › ✓ ISO 27001 certificate — alternative or supplement to SOC 2 for international vendors
- › ✓ Modern Slavery / Human Trafficking statement — for vendors with international supply chains
Configure This Checklist in Procurement VMS
Join US procurement leaders who replaced manual processes with intelligent automation. Live in 4–8 weeks.
Phase 4: Risk Assessment (6 Items)
Applies to Tier 1 and Tier 2 vendors. Tier 3 standard vendors may complete a streamlined 3-item version. All assessments must be scored and exceptions documented before proceeding to approval.
- › ✓ Risk questionnaire completed and scored — appropriate tier questionnaire
- › ✓ Financial health check — D&B credit score, revenue, years in business
- › ✓ Adverse media screening — news and legal records scan
- › ✓ Cyber risk score — BitSight or SecurityScorecard for Tier 1 technology vendors
- › ✓ Residual risk level documented — inherent risk minus mitigating controls
- › ✓ Risk treatment decision recorded — Accept / Mitigate / Transfer / Avoid + rationale
Phase 5: Approval & System Setup (8 Items)
- › ✓ Procurement Manager approval — confirmed complete and compliant
- › ✓ Legal review completed — required for Tier 1; optional for Tier 2
- › ✓ Finance / AP approval — payment terms and banking confirmed
- › ✓ IT Security sign-off — for technology vendors with system or data access
- › ✓ ERP vendor master record created — correct entity name, payment terms, AP contact
- › ✓ Vendor ID assigned — unique identifier in procurement and ERP systems
- › ✓ Contract linked to vendor record — master service agreement or PO terms
- › ✓ Document expiration dates logged — COI and cert renewal alerts configured
Phase 6: Activation & Communication (6 Items)
- › ✓ Formal approval notification sent to vendor — with vendor ID and active date
- › ✓ Invoicing instructions communicated — format, submission method, required PO reference
- › ✓ Portal access confirmed — vendor can log in and view their profile
- › ✓ Internal stakeholder notified — requesting department informed of activation
- › ✓ Performance baseline documented — initial KPI targets set for Tier 1/2 vendors
- › ✓ First review date scheduled — QBR or annual review added to calendar