Supplier Onboarding Checklist

A checklist for vetting and onboarding new suppliers — covering compliance, financial stability, security, and operational capability.

Purpose

Onboarding a new supplier without proper vetting exposes your organisation to compliance, security, and operational risks. This checklist ensures every new supplier is evaluated consistently before they start providing goods or services. For Indian SMEs, proper supplier onboarding is critical for GST compliance, input tax credit claims, and vendor risk management.

1. Legal & Compliance Verification

  • GSTIN verified on the GST portal — status is "Active", the business name matches, and the filing history is current and consistent.
  • PAN collected and verified — the name matches the GSTIN registration.
  • MSME registration verified (if applicable) — Udyam Registration Number.
  • Tax residency certificate collected (if foreign vendor).
  • Business registration certificate (ROC / Registrar of Companies) verified for private limited, LLP, or partnership entities.

2. Financial Stability Check

  • Bank account details collected and verified against a cancelled cheque or bank statement (for payment processing).
  • Credit rating checked (if available through credit bureau or financial databases).
  • GST return filing history reviewed — consistent filings with no significant gaps suggest financial stability.
  • Trade references contacted: 2-3 existing clients, preferably in similar industry and scale.
  • Litigation history checked — any pending tax disputes, legal cases, or regulatory actions.

3. Security & Data Privacy Assessment

  • NDA signed and on file — covering any data the supplier will access during the engagement.
  • Data Processing Agreement (DPA) signed if the supplier will process personal data on your behalf (mandatory under the DPDP Act).
  • Security questionnaire completed by the supplier covering: encryption practices, access controls, incident response, employee background checks, and sub-processor management.
  • Security certifications verified: ISO 27001, SOC 2, or equivalent (if applicable to the service).
  • Data residency confirmed — where will your data be stored and processed?

4. Operational Capability

  • Service Level Agreement (SLA) agreed and signed: response times, resolution times, uptime guarantees, escalation procedures, and penalty clauses for non-compliance.
  • Key contact persons identified: account manager, technical support, escalation contacts, and billing inquiries.
  • Communication channels defined: email, phone, portal, emergency contact procedure.
  • Reference implementation/demo completed (for product or service suppliers).
  • Disaster recovery and business continuity plan reviewed (for critical suppliers).

5. Contract & Commercial

  • Purchase agreement or service contract signed by authorised representatives of both parties.
  • Pricing terms documented: unit prices, volume discounts, price escalation clauses, and payment terms.
  • Termination clauses defined: notice period, termination for cause/convenience, data return/deletion upon termination.
  • Insurance certificates collected (if required): professional liability, cyber insurance, general liability.
  • Supplier records created in procurement system with all verified data.

Review & Renewal

Supplier onboarding documentation is reviewed annually. For critical suppliers, a full re-assessment is conducted every 2 years. Changes in supplier ownership, financial status, or legal structure trigger an immediate re-assessment.