How to run a vendor risk assessment as Foundation and Nonprofit Ops Teams

Compliance & Legal · For Foundation and Nonprofit Ops Teams · 3 apps · 12 steps · ~24 min to set up

Your foundation has 4 ops staff managing relationships with 30–60 vendors: grant payment processors, fiscal sponsors, evaluation consultants, background-check firms, translation services, IT contractors. When a program officer asks 'are we still using that data-broker vendor and did they sign our updated data-privacy addendum?' you're digging through a shared Google Drive folder that has three versions of the vendor agreement, a DocuSign envelope that may or may not have been completed, and a QuickBooks vendor record that tells you what you paid but nothing about contract status. There's no system. There's a folder. And your 990 expenditure-responsibility review is in six weeks.

Outcome

What you'll set up

A live vendor registry that pulls contract status, payment history from QuickBooks, and any open compliance flags into a single view your whole ops team can read without asking you
An automated risk-scoring workflow that checks each vendor against your foundation's own criteria — contract signed, data-privacy addendum on file, W-9 current, any past payment disputes — and flags whoever needs follow-up before your next board meeting
A repeatable annual re-assessment process that drafts vendor outreach emails, tracks responses, and logs the completed review so you have a clean audit trail for your auditors and 990 preparer
The Starch recipe

Apps, data, and prompts

The combination of Starch apps, the data sources they pull from, and the prompts you use to drive them.

Data sources & config

Starch syncs your QuickBooks data on a schedule — vendor records, payment history, and bill detail feed directly into the registry. Salesforce connects via Starch's integration catalog and the agent queries it live to pull vendor contact records and any existing relationship notes. Vendor portal sites, state charity-registration databases, and DocuSign status pages that don't have a direct integration are automated through your browser — no API needed. Notion connects via Starch's integration catalog to surface any existing policy documents or prior assessment notes your team has already written.

Prompts to copy
Build me a vendor risk registry that shows each vendor's name, contract expiration date, whether their data-privacy addendum is signed, their W-9 status, total payments from QuickBooks this fiscal year, and a risk tier I can manually set (low/medium/high). Flag anyone whose contract expired in the last 90 days or whose W-9 is missing.
Create an automation that runs every Monday and emails me a list of vendors whose contracts expire within 60 days, including the vendor name, contract end date, and last payment amount from QuickBooks.
Build a vendor assessment tracker where I can log annual re-assessment dates, notes from reference checks, and any compliance exceptions we've approved, and search across all of it by vendor name or program area.
Draft an outreach email to a vendor requesting their updated W-9 and signed data-privacy addendum, referencing the grant program we fund through them and our compliance deadline of [date].
Run these in Starch → or paste them into your favorite agent
Walkthrough

Step-by-step

1 Connect QuickBooks — Starch syncs your vendor list, payment totals, and bill history on a schedule so the registry always reflects your current spend without a manual export.
2 Connect Salesforce from Starch's integration catalog; the agent queries it live to pull existing vendor contact records, relationship owners, and any prior notes your program team has logged.
3 Connect Notion from Starch's integration catalog so Starch can read your existing policy documents — your data-privacy policy, vendor code of conduct, expenditure-responsibility checklist — and use them as the baseline criteria for risk scoring.
4 Tell Starch to build the vendor registry app: describe your fields (contract expiration, addendum status, W-9 on file, risk tier, last payment, program area) and Starch assembles the surface from your connected data.
5 For any vendor whose contracts or signed addenda live in DocuSign or a vendor portal, Starch automates the status check through your browser — no API needed — and writes the result back to the registry.
6 Set a risk-scoring rule in plain language: 'Mark a vendor high-risk if their contract expired more than 30 days ago, their W-9 is not on file, or they've had a payment dispute in the last 12 months.' Starch applies it across every record.
7 Build the Monday-morning automation: Starch pulls all vendors with contracts expiring in the next 60 days, formats the list, and sends it to your email or Slack so nothing surprises you at board time.
8 For the annual re-assessment cycle, tell Starch to draft outreach emails for each vendor in your high- or medium-risk tiers — the drafts reference the specific grant program, the compliance deadline, and what documents you need returned.
9 Log responses back into the vendor registry as they come in — Starch can watch your Gmail for replies from known vendor domains and update the record, or you can log them manually through the app's input form.
10 Before each board meeting, run the vendor risk summary view: how many vendors reviewed this cycle, how many outstanding items, any approved exceptions with justification. Export it as a clean table for your audit file.
11 When your 990 preparer asks for expenditure-responsibility documentation, pull the vendor registry filtered to international grantees or pass-through payments — the QuickBooks payment history and signed-addendum status are already in one place.
12 Contract Lifecycle Management — coming soon — will handle the full contract drafting, redlining, and e-signature workflow natively inside Starch, replacing the current DocuSign-plus-Google-Drive patchwork for new vendor agreements.
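Steps 6 and 7 expressed as code, as an added example (not Starch's own code or one of the prompts above): the high-risk rule and the 60-day expiry digest applied to constructed vendor records. The "medium" tier for an unsigned addendum and the handling of a vendor with no contract on file are assumptions, since the page defines neither.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Vendor:
    name: str
    contract_end: Optional[date]   # None = no signed contract on file
    addendum_signed: bool          # data-privacy addendum countersigned?
    w9_on_file: bool
    last_dispute: Optional[date]   # most recent payment dispute, if any
    fy_payments: float             # total paid this fiscal year (from QuickBooks)

def high_risk_reasons(v: Vendor, today: date) -> list[str]:
    """Step 6 rule: expired >30 days ago, no W-9, or a dispute in the last 12 months."""
    reasons = []
    if v.contract_end is None:
        reasons.append("no contract on file")  # assumption: treated like an expired contract
    elif (today - v.contract_end).days > 30:
        reasons.append("contract expired more than 30 days ago")
    if not v.w9_on_file:
        reasons.append("W-9 not on file")
    if v.last_dispute is not None and (today - v.last_dispute).days <= 365:
        reasons.append("payment dispute in the last 12 months")
    return reasons

def risk_tier(v: Vendor, today: date) -> str:
    if high_risk_reasons(v, today):
        return "high"
    # Assumption (not stated on the page): an unsigned addendum is medium risk.
    return "medium" if not v.addendum_signed else "low"

def expiring_soon(vendors: list[Vendor], today: date, window_days: int = 60) -> list[Vendor]:
    """Step 7 Monday digest: contracts ending within window_days that have not yet expired."""
    due = [v for v in vendors if v.contract_end and 0 <= (v.contract_end - today).days <= window_days]
    return sorted(due, key=lambda v: v.contract_end)

# Constructed sample records, loosely modelled on the worked example (not real data).
TODAY = date(2026, 2, 2)
SAMPLE = [
    Vendor("Evaluation consultant A", date(2025, 12, 15), True, True, None, 29_000.0),
    Vendor("Fiscal sponsor", date(2027, 6, 30), False, True, None, 420_000.0),
    Vendor("Background screening vendor", date(2026, 3, 15), True, False, None, 8_400.0),
    Vendor("IT managed services contractor", date(2026, 3, 31), True, True, None, 54_000.0),
    Vendor("Translation services", date(2026, 9, 1), True, True, date(2025, 11, 10), 31_500.0),
]

if __name__ == "__main__":
    for v in SAMPLE:
        print(f"{v.name:32} {risk_tier(v, TODAY):6} {'; '.join(high_risk_reasons(v, TODAY))}")
    print("Expiring within 60 days:", [v.name for v in expiring_soon(SAMPLE, TODAY)])
```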

See this running on Starch

Connect your tools, describe what you want, and the agent builds it. Closed beta is free.

Try it on Starch →
Worked example

Q1 2026 Vendor Risk Review — Riverside Community Foundation

Sample numbers from a real run (vendor payments by category, in dollars)

Category                                    Payments
Evaluation consultants (3 vendors)            87,000
Fiscal sponsor — West Coast grantmaking      420,000
Translation and interpretation services       31,500
Background screening vendor                    8,400
IT managed services contractor                54,000
Total                                        600,900

Riverside Community Foundation's ops director ran their Q1 2026 vendor risk review with 38 vendors in scope. Starch synced QuickBooks and surfaced $600,900 in vendor payments across five categories. The registry flagged 6 vendors immediately: two evaluation consultants whose master service agreements had lapsed in December 2025, the fiscal sponsor whose updated data-privacy addendum was never countersigned after a 2024 policy revision, and three smaller contractors with no W-9 on file despite payments over $600. The Monday-morning automation had been sending contract-expiry warnings since November, but those had gone to an inbox nobody owned — a process problem the registry made visible. Starch drafted outreach emails to all 6 flagged vendors in under 10 minutes, referencing the specific grant program and the foundation's March 31 compliance deadline. Within two weeks, 5 of 6 had returned updated documents; the sixth (a translation vendor) was replaced. The board packet for April included a one-page vendor risk summary: 38 vendors reviewed, 6 exceptions identified, 5 resolved, 1 vendor offboarded. The 990 preparer got a clean export of the expenditure-responsibility documentation for the fiscal sponsor relationship — the first time that file didn't require a week of manual assembly.

Measurement

How you'll know it's working

Percentage of active vendors with a current, countersigned contract on file
Average days from contract expiration to renewal or termination (the gap is where risk lives)
Number of vendors flagged high-risk at the start of the annual review cycle vs. cleared by board meeting
Time from audit information request to document delivery (target: under 48 hours, not a week of digging)
Expenditure-responsibility documentation completeness rate for international or pass-through payments
Comparison

What this replaces

The other ways teams handle this today, and how the Starch version compares.

Fluxx or Foundant
Built for grants management, not vendor risk — and the licensing cost assumes a dedicated grants team, not a 4-person ops shop.
DocuSign + shared Google Drive folder
You know where signed contracts are (sometimes), but you have no view across all vendors, no expiry alerts, and no connection to what you actually paid them in QuickBooks.
Salesforce with a custom vendor object
Your Salesforce instance can technically store vendor data, but someone has to build and maintain the custom object, and it still won't pull QuickBooks payment history without a separate integration project.
Airtable vendor tracker
A well-built Airtable base gets you 70% of the way there, but it's a manual data entry problem — nothing syncs from QuickBooks automatically, and there's no browser automation for checking vendor portal statuses.
Spreadsheet (Excel or Google Sheets)
Free and flexible, but the data is only as current as the last time someone updated it, and 'the spreadsheet' is usually three versions behind by the time anyone asks a question.
On Starch (recommended)

One platform — CRM, knowledge management, and contract lifecycle management all running on connected data. Setup in plain English; numbers stay current via scheduled syncs and live agent queries.

Try it on Starch →
FAQ

Frequently asked questions

We track most of our vendor contracts in DocuSign and some older ones are just PDFs in Google Drive. Can Starch work with that?
Yes, with some nuance. For DocuSign, Starch can automate the status check through your browser — it logs in, checks envelope status, and writes the result back to your vendor registry — no DocuSign API setup required. For PDF contracts in Google Drive, you can connect Google Drive from Starch's integration catalog and have the agent query documents live. What Starch can't do today is automatically extract and parse every clause from an arbitrary PDF — you'd be logging the key fields (expiration date, addendum signed, scope) into the registry yourself, or having the agent help you work through them one at a time.
Our QuickBooks data is the source of truth for what we paid vendors. How current is that data in Starch?
Starch syncs your QuickBooks data on a schedule — vendor records, bills, and payments. For a vendor risk review that runs quarterly or annually, scheduled sync is exactly the right model: you're looking at payment history over a fiscal year, not real-time transaction feeds. One honest note: QuickBooks report views (P&L, Transaction List) are temporarily unavailable pending a fix, but entity-level data — vendor records, invoices, bills, payments — syncs normally and is what the vendor registry uses.
We're not a tech-forward team. How hard is it to actually build the vendor registry in Starch?
You describe what you want in plain language and Starch builds it. A typical prompt looks like: 'Build me a vendor registry with columns for vendor name, contract expiration date, whether their data-privacy addendum is signed, W-9 status, total payments this fiscal year from QuickBooks, and a risk tier I can set manually. Flag anyone with an expired contract or missing W-9.' That's the actual authoring experience — no drag and drop, no configuration panels, no code. If the first version isn't quite right, you describe the change and Starch updates it.
Is this secure enough for vendor data that includes payment amounts and contract terms?
Starch is not SOC 2 Type II certified today — that's worth knowing upfront. If your foundation's data-security policy or a funder requirement mandates SOC 2 Type II, you should evaluate that against your risk tolerance before storing sensitive vendor data in Starch. For many small foundations, the operational risk of having no vendor risk system at all is more pressing than the SOC 2 gap, but that's a judgment call for your team.
What happens when we need to re-assess vendors every year? Do we have to rebuild this every time?
No. Once the registry and the automation are set up, the annual cycle runs on top of the same structure. You reset the 'last assessed' date fields, the automation picks up vendors due for re-assessment, Starch drafts the outreach emails, and you log responses as they come in. The registry accumulates a history of each review cycle, so by year three you have a clean longitudinal record of every vendor's compliance status — which is exactly what auditors and 990 preparers want to see.
Can Starch replace our grants-management system like Fluxx or Foundant?
No, and we're not trying to. Starch doesn't have a native grants-management database with application intake, review workflows, and payment scheduling. What it does is connect to the systems you already use — Salesforce, QuickBooks, Google Drive — and build the surfaces in between that purpose-built grants tools either don't cover (vendor risk) or charge six figures to provide. If you're using Salesforce to track grantees, Starch sits alongside it, not instead of it.

Ready to run a vendor risk assessment on Starch?

Request closed-beta access. Everything is free during beta.
