Coming Soon

VEND-CHECK

AI tool and vendor risk checks for UK accountancy firms with 75-100 staff.

Staff are using AI tools you haven't approved. Copilot add-ins, transcript apps, cloud AI services - all processing client data without formal vetting. Under ISQM 1 and UK GDPR, that risk sits with your firm.

VEND-CHECK is a self-service documentation kit that gives you a simple approval process, vendor registers, and risk criteria for AI tools and third-party vendors. When QAD, PI or clients ask "Which AI tools do you use and how do you govern them?" - you have an answer.

WHY

Shadow AI is already in your firm

Triggers that bring managing partners to VEND-CHECK:

  • Partners discover staff using unapproved AI tools on client data
  • Confusion about whether cloud providers and AI plug-ins are "approved"
  • QAD and PI insurers starting to ask about third-party and AI tool risk
  • No central register of what tools are in use across the firm
  • No record of who approved what, when, or on what basis

ISQM 1 requires firms to manage "resources obtained from service providers" including technology. UK GDPR requires documented due diligence on processors handling personal data. Without a vetting process, your firm carries vendor risk without evidence of controls.

WHAT YOU GET

Vetting documents, not vendor management software

Shadow IT Risk Calculator

10-12 question HTML assessment revealing current AI tool exposure. Generates a "Data Leakage Risk" score with Red/Amber/Green rating.

Vendor Vetting Checklist

15-point "must-pass" criteria covering data residency, sub-processors, training data use, certifications, and breach notification. Flagged for ICAEW/ACCA requirements.

Approved Tools Register

Excel template with columns for tool name, purpose, owner, risk rating, approval status, DPA status, and next review date. Ready for QAD inspection.

New Tool Decision Flow

Simple yes/no/conditional approval process. Staff submit request, IT Partner scores against checklist, decision recorded. Takes minutes, not meetings.

Vendor Enquiry Templates

Email templates for requesting data protection details from vendors. GDPR addendum wording included. Copy, paste, send.

Staff Communication Pack

Email templates for announcing approved, restricted, and banned tools. Clear wording staff can understand. Reduces "I didn't know" excuses.

These are editable documents and spreadsheets you control. No software subscriptions. No vendor management platforms. No consultants.

TRANSFORMATION

Before and after VEND-CHECK

Before VEND-CHECK

  • "We hope staff aren't pasting client data into random tools"
  • No central list of AI tools in use
  • No record of who approved what
  • Vendor questions handled ad hoc by whoever gets asked
  • QAD or PI asks about third-party risk and you scramble

After VEND-CHECK

  • "We know exactly which tools we use and how they were assessed"
  • Approved tools register filed and maintained
  • Clear decision trail for every tool
  • Standard process for new tool requests
  • Evidence ready for QAD, PI and client questions

SEQUENCE

How VEND-CHECK fits in the stack

FlowBox AI Governance Stack showing VEND-CHECK as the Vendors layer - policy, people, vendors, clients, audit and monitoring

VEND-CHECK is the Vendors layer of the FlowBox AI Governance Stack

1. GUV-KIT: Policy first

Board-approved AI governance documentation. Defines what's allowed and who's responsible.

2. COMP-KIT: Train staff

Staff training and competency evidence. People know the rules and can prove it.

3. VEND-CHECK: Control tools

Vendor vetting and tool governance. You know what's in use and who approved it.

4. Future kits

TRUST-PACK (client communication), AUDIT-GUARD (audit workpapers), MONITOR-BOX (annual review).

See how VEND-CHECK fits into the full FlowBox AI governance stack.

FAQs

Common questions

Does this replace our existing IT security questionnaires?

No. VEND-CHECK complements your existing IT security processes. It focuses specifically on AI governance - data use, training data exposure, and regulatory alignment. Your standard IT security vetting continues alongside.

Is this legal advice?

No. VEND-CHECK provides documentation templates and process support for AI tool governance. It does not constitute legal, regulatory or compliance advice. Your firm retains responsibility for compliance decisions.

Do we need GUV-KIT first?

Recommended but not required. VEND-CHECK works best when your firm has an AI Acceptable Use Policy in place (GUV-KIT provides this). The policy defines what tools staff can use; VEND-CHECK helps you vet and approve those tools.

When will VEND-CHECK be available?

VEND-CHECK is currently in development. Join the notification list to be first to know when it launches.

STAY UPDATED

Get notified when VEND-CHECK launches

Be first to know when VEND-CHECK is available. No spam - just a single email when we launch.

Register Your Interest

Or get GUV-KIT now and we'll contact you when VEND-CHECK is ready.