Title Page

  • Service Provider Name

  • Conducted on

  • Prepared by

Due Diligence

  • InfoSec Annual Review - Provide your infosec framework (Please email or add in platform)

  • InfoSec Annual Testing - Provide your latest specialist external testing of infosec (Latest Pen Test, SOC2 or ISO27001 Certification - Please email or add in platform)

  • BCP Testing - Provide formal report regime for BCP (Please email or add in platform)

  • Business Impact Assessment (BIA) of critical business processes and critical systems - Please provide your latest BIA

  • DR Testing - Provide DR report: full documented scope, success criteria and outcomes (Please email or add in platform)

  • User Access Review (Please provide latest User access review)

Claims

  • Do you have documented claims processes and policies that are compliant with General Insurance Code of Practice (GICoP)?

  • Do you have current claims procedure manuals?

  • Do you have controls in place to capture the failure of any systems, processes, or controls?

  • Do you have systems and processes in place to monitor, measure and detect whether your employees are complying with the standards under GICoP in the provision of their relevant services? This includes:
    - ensuring employees are adequately trained,
    - ensuring employees are experienced, and
    - ensuring that relevant professional licences are current.

  • Do you have an effective file quality review process / quality assurance program?

  • Please provide a report or evidence via email or on platform, e.g. a review question set

  • Do you have a current policy and procedure relating to fraud and anti-money laundering prevention?

  • Please provide a report or evidence via email or on platform

  • If you have identified any customers experiencing vulnerability (CEV) have you followed your documented processes for managing these customers?

  • Please provide a report or evidence via email or on platform, e.g. a link to your vulnerable customer policy

Complaints and Disputes

  • Do you have a process and controls in place to monitor your handling of complaints?

  • If applicable in the last 12 months, have you successfully submitted your IDR complaints data to ASIC?

Outsourcing

  • Do you intend to outsource any aspect of the services you will provide us?

  • Please provide details of the services being outsourced

Distribution Arrangements

  • Is your Australian Financial Services (AFS) Licence current?

  • Has your AFS Licence been restricted by Australian Securities and Investments Commission (ASIC)?

  • Have you reported any incidents/breaches against your AFS Licence to ASIC for the last 12 months?

  • Have you met all of your regulatory and legislative obligations in respect of your AFS Licence?

  • Have you lodged company accounts with the Regulator (ASIC) over the last twelve months?
    - ASIC FS70 Australian Financial Services Licensee Profit and Loss Statement and Balance Sheet
    - ASIC FS71 Auditor's Report for AFS Licensee

  • Do you have systems in place to identify, report, manage and monitor conflicts of interest?

  • Have you met your legal and regulatory obligations for record retention and disposal for the last 12 months?

Information Security

  • Have you maintained an information security framework and complied with the relevant legislation?

  • Has your Information Security Controls Framework been reviewed in the last 12 months?

  • Have you become aware of a material weakness in any of your information security controls in the last year?

  • Please provide further details

  • Have you complied with your Information Security Controls testing program?

  • If you became aware of a critical cyber security incident in the last period did you notify the Australian Cyber Security Centre within 12 hours?

  • Please provide further information about the nature of the incident

  • Have you maintained effective User Access Review Controls?

  • Do you use access profiling to ensure the appropriate segregation of duties?

Business Resilience

  • Have you completed a Business Impact Assessment (BIA) of critical business processes and critical systems in the past 12 months?

  • Do you have a Business Continuity Plan (BCP) for each of the critical business processes determined in your BIA which includes a recovery strategy/plan?

  • Do you have an IT Service Continuity Management (ITSCM) Plan with recovery time and recovery point objectives to align with the BIA?

  • As part of your ITSCM plan, do you have a Disaster Recovery Plan (DRP) for each of the critical systems determined in your BIA?

  • Have all core operating systems used in providing services to us been continuously available during core business hours over the last 12 months?

Fraud and Corruption

  • Have you reported any suspected or actual misconduct in the last 12 months?

Training

  • Have staff received adequate training, do they have the skills and qualifications to do their roles, and are records of that training maintained?

  • Have you maintained the organisational competence required under your Australian Financial Services (AFS) Licence and/or other legislation?

Incident Management

  • In the last 12 months, did you receive any notices from regulators or the Australian Financial Complaints Authority (AFCA) that pertain to services you intend to provide to SCC?

  • Please provide further information

  • Have you maintained an effective incident management process during the last 12 months?

Privacy

  • Have you taken all reasonable steps in the last 12 months to comply with all applicable privacy legislation?

  • Have there been any new processes/projects or changes to current processes that impact the handling and/or processing of personal information related to services you intend to provide SCC?

  • Please provide further information

  • Who is your designated privacy officer?

Modern Slavery

  • Do you have policies and processes in place to assist with the identification and eradication of modern slavery in your supply chain network?
