AI Vendor Due Diligence Questionnaire
A 60-question due diligence questionnaire for evaluating AI vendors seeking to integrate with payroll systems. Covers model governance, data handling, audit trail, liability allocation, and SLA requirements. Procurement-ready — send directly to prospective AI vendors.
Official sources
Use NIST materials (the AI Risk Management Framework, NIST AI 100-1, and the SP 800-53 control catalog) and IRS materials (Publication 15, Circular E, which sets out employer withholding and deposit obligations) when evaluating AI vendors that touch payroll processes.
Does your organization have a written AI Risk Management Policy? If yes, provide a summary or the policy document.
What AI governance framework does your organization follow? (e.g., NIST AI RMF, ISO/IEC 42001, EU AI Act principles)
Who is the designated responsible owner for AI model outcomes that affect customer payroll data?
Describe the model development lifecycle for AI systems used in payroll processing — from training through deployment and retirement.
How are AI models validated before production deployment? Provide your validation methodology and success criteria.
How frequently are deployed AI models retrained or updated? What triggers a model update?
What human-in-the-loop controls exist to prevent autonomous AI execution of payroll-affecting decisions?
Describe your bias and fairness testing methodology. How do you test for disparate impact on protected demographic groups?
Has your AI system been independently audited or assessed? If yes, by whom and when was the most recent assessment?
How does your organization identify and manage AI model drift over time?
What is your process for communicating model changes to customers? What advance notice is provided?
Do you maintain a model card or factsheet for AI systems used in payroll? Provide a copy or describe the content.
What categories of payroll data does your AI system process? Specifically: does it process Social Security Numbers, bank account numbers, or full dates of birth?
Describe your PII masking or tokenization procedures for data input to AI/ML models. Are SSNs, bank account numbers, and dates of birth masked or tokenized before AI processing, and where is the mapping between tokens and original values held?
Are customer payroll records used to train or fine-tune your AI models? If yes, describe the process and how customer consent is obtained.
Where is customer payroll data stored and processed? List all geographic regions (including cloud provider regions).
Who are your sub-processors who may have access to customer payroll data? Provide a current list.
Are you willing to execute a Data Processing Agreement (DPA) meeting GDPR, CCPA, and applicable U.S. state privacy law requirements?
What encryption standards are applied to payroll data at rest and in transit? Specify algorithms and key lengths, the minimum TLS version accepted, and how encryption keys are managed and rotated.
What is your data retention and deletion policy for customer payroll data after contract termination?
How is customer payroll data isolated from other customers' data in your system architecture (logical tenant separation, per-tenant encryption keys, dedicated infrastructure)? Does the same isolation apply to data submitted to AI models?
Describe your access controls for personnel who may access customer payroll data — background checks, role-based access, least-privilege enforcement.
Have you experienced any data breaches involving payroll or HR data in the past 5 years? If yes, describe the incident, scope, and remediation.
What certifications has your data security program achieved? (e.g., SOC 2 Type II, ISO 27001, FedRAMP)
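The masking and tokenization questions above are easier to evaluate against a concrete reference. The following is an added illustration, not code from this questionnaire or from any vendor, of what "SSN and bank account tokenized before AI processing" should look like: the record that crosses the AI boundary carries only keyed tokens, a masked SSN and a generalized date of birth, while the token-to-value mapping stays in a vault on the payroll side. The sample records, the key, and the field names are constructed for the example.

```python
import hashlib
import hmac
import json
import re

# Constructed sample payroll records (made-up values) standing in for a payroll feed.
SAMPLE_RECORDS = [
    {"employee_id": "E-1001", "ssn": "123-45-6789", "bank_account": "000123456789",
     "dob": "1984-03-09", "gross_pay": 5400.00, "state": "CA"},
    {"employee_id": "E-1002", "ssn": "987654321", "bank_account": "000987654321",
     "dob": "1990-11-21", "gross_pay": 6100.00, "state": "NY"},
]

# Example-only key. In a real deployment this lives in an HSM or KMS, never in code.
EXAMPLE_KEY = b"example-only-key-not-for-production"

SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")


def normalize_ssn(ssn):
    """Reject malformed SSNs early; return the nine digits without separators."""
    if not SSN_RE.match(ssn):
        raise ValueError("not a well-formed SSN")
    return re.sub(r"\D", "", ssn)


def tokenize(value, key, label):
    """Deterministic keyed token (HMAC-SHA256, truncated). The same value always
    maps to the same token so records can still be joined, but without the key
    the token can be neither recomputed nor reversed."""
    digest = hmac.new(key, f"{label}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"tok_{label}_{digest[:16]}"


def mask_ssn(ssn):
    """Display form: only the last four digits survive."""
    return "***-**-" + normalize_ssn(ssn)[-4:]


def redact_for_model(record, key):
    """Return (model_input, vault_entry). model_input is what crosses the AI
    boundary; vault_entry stays in the payroll system of record."""
    ssn_digits = normalize_ssn(record["ssn"])
    ssn_token = tokenize(ssn_digits, key, "ssn")
    acct_token = tokenize(record["bank_account"], key, "acct")
    model_input = {
        "employee_ref": record["employee_id"],
        "ssn_token": ssn_token,
        "ssn_masked": mask_ssn(record["ssn"]),
        "bank_account_token": acct_token,
        "birth_year": record["dob"][:4],  # generalize DOB instead of sending the full date
        "gross_pay": record["gross_pay"],
        "state": record["state"],
    }
    vault_entry = {ssn_token: ssn_digits, acct_token: record["bank_account"]}
    return model_input, vault_entry


def leaks_raw_pii(model_input, record):
    """Pre-transmission check: raw SSN, account number or full DOB must not
    appear anywhere in the serialized payload (separators ignored)."""
    payload = json.dumps(model_input).replace("-", "")
    return (normalize_ssn(record["ssn"]) in payload
            or record["bank_account"] in payload
            or record["dob"].replace("-", "") in payload)


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        model_input, vault = redact_for_model(rec, EXAMPLE_KEY)
        print(json.dumps(model_input), "leaks:", leaks_raw_pii(model_input, rec))
```

When a vendor answers question 18, ask which of these properties their pipeline has: a keyed (not plain-hash) token, a vault that the model service cannot read, and a check on the outbound payload rather than trust in upstream field selection.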
Does your AI system generate an immutable audit log for every payroll-affecting decision or recommendation? Describe the log format and content.
What is retained in each audit log entry? Specifically: the inputs, the output, the model version, a timestamp, and the identity of the user who acted on the recommendation?
How long are audit logs retained? Can they be exported in a format suitable for IRS examination or legal discovery?
Can your system demonstrate why a specific AI recommendation was made (explainability)? For payroll tax calculations, is the calculation logic auditable?
Are AI-generated outputs distinguishable from human-entered data in the audit log? How?
How do you log human overrides of AI recommendations? Is the override reason captured?
Can you provide audit logs on demand to the customer for IRS examination purposes? What is the turnaround time and any associated cost?
Do you provide a customer-accessible dashboard or portal showing AI decision history for payroll outputs?
How are changes to the AI model version logged in relation to historical payroll decisions?
In the event of a disputed payroll calculation, can your system reconstruct exactly what the AI recommended on a specific date and why?
Are your audit logs written to append-only or WORM storage that is separate from your production systems, with integrity protection (such as hash chaining or signing) so that tampering is detectable?
Has your audit trail been tested in the context of an actual regulatory examination? Describe the outcome.
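Questions 29 through 39 describe the properties of the audit trail (immutability, model version per decision, AI output distinguishable from human entry, override reason captured, reconstruction by date). The block below is an added example of a log that has those properties, written for this page and not taken from any vendor product: a hash-chained append-only log where every entry commits to the previous one, AI recommendations and human decisions are separate entry types, overrides without a reason are refused, and the chain can be verified and replayed per employee and date. Timestamps, employee references, model version strings and dollar amounts are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64


def _canonical(obj):
    # Stable serialization so the hash does not depend on key order.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))


def _sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()


class AuditLog:
    """Append-only, hash-chained log. Each entry's hash covers its content and
    the previous entry's hash, so editing or deleting any past entry breaks
    verify(). In production the entries would be shipped to storage that the
    production service account can append to but not rewrite."""

    def __init__(self):
        self.entries = []

    def _append(self, fields):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = dict(fields, seq=len(self.entries), prev_hash=prev)
        entry["entry_hash"] = _sha256(_canonical(entry))
        self.entries.append(entry)
        return entry

    def record_ai_recommendation(self, ts, employee_ref, model_version, inputs, output, rationale):
        return self._append({
            "ts": ts, "event": "ai_recommendation",
            "actor_type": "ai", "actor": f"model:{model_version}",
            "model_version": model_version, "employee_ref": employee_ref,
            "input_hash": _sha256(_canonical(inputs)), "inputs": inputs,
            "output": output, "rationale": rationale,
        })

    def record_human_decision(self, ts, user, employee_ref, recommendation_seq,
                              decision, override_reason=None):
        if decision not in ("accept", "override"):
            raise ValueError("decision must be 'accept' or 'override'")
        if decision == "override" and not override_reason:
            raise ValueError("an override must carry a reason")
        rec = self.entries[recommendation_seq]
        return self._append({
            "ts": ts, "event": "human_decision",
            "actor_type": "human", "actor": user,
            "model_version": rec["model_version"],  # which model the human was overriding
            "employee_ref": employee_ref, "recommendation_seq": recommendation_seq,
            "decision": decision, "override_reason": override_reason,
        })

    def verify(self):
        """Recompute every hash and check the chain links."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i or e["prev_hash"] != prev or _sha256(_canonical(body)) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def reconstruct(self, employee_ref, date):
        """Everything the system recommended and a human did for one employee on one day."""
        return [e for e in self.entries
                if e["employee_ref"] == employee_ref and e["ts"].startswith(date)]


def demo_log():
    """Build a small constructed history: one accepted and one overridden recommendation."""
    log = AuditLog()
    r1 = log.record_ai_recommendation(
        "2024-06-14T09:00:00Z", "E-1001", "withholding-v3.2.0",
        {"gross_pay": 5400.0, "filing_status": "single", "state": "CA"},
        {"federal_withholding": 812.40}, "percentage-method table lookup (constructed)")
    log.record_human_decision("2024-06-14T09:05:00Z", "payroll.clerk@example.com",
                              "E-1001", r1["seq"], "accept")
    r2 = log.record_ai_recommendation(
        "2024-06-14T09:10:00Z", "E-1002", "withholding-v3.2.0",
        {"gross_pay": 6100.0, "filing_status": "married", "state": "NY", "exempt": True},
        {"federal_withholding": 0.0}, "exempt flag set on input (constructed)")
    log.record_human_decision("2024-06-14T09:12:00Z", "payroll.clerk@example.com",
                              "E-1002", r2["seq"], "override",
                              override_reason="W-4 on file does not claim exempt; flag was stale")
    return log


if __name__ == "__main__":
    log = demo_log()
    print("chain valid:", log.verify())
    for e in log.reconstruct("E-1002", "2024-06-14"):
        print(e["seq"], e["actor_type"], e.get("output") or e.get("decision"))
```

A vendor's real implementation will differ, but a useful test when reviewing their answer to question 38 is to ask for exactly this: the recommendation, the model version that produced it, and the human action on it, for one employee on one date, with evidence that the records have not been altered since.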
Does your contract acknowledge that the employer retains full legal liability to the IRS for payroll tax withholding and deposit obligations, regardless of AI outputs?
What indemnification does your organization provide if your AI system produces an incorrect payroll tax calculation that results in IRS penalties to the customer?
Does your liability cap cover IRS Failure to Deposit (FTD) penalties and associated interest? What is the cap amount?
Does your contract include a limitation of liability clause that caps your exposure at monthly SaaS fees? How is this reconciled with the potential magnitude of IRS penalties?
Will you indemnify the customer for third-party claims arising from discriminatory AI outputs in payroll decisions (e.g., EEOC claims)?
Does your contract require you to maintain professional liability (errors and omissions) insurance covering AI-related payroll errors? What is the policy limit?
Are your AI outputs covered under your E&O insurance, or is AI explicitly excluded?
How does your contract address liability when an AI model error was introduced by a model update you deployed without customer notification?
Do you carry cyber liability insurance covering payroll data breaches? What is the policy limit and carrier?
Will you provide your AI governance policy and model risk documentation to the customer's auditors or regulators upon request?
Does your contract include a right-to-audit clause allowing the customer to audit your AI governance practices?
How does your SLA define and address situations where your AI system produces outputs that are material errors (e.g., incorrect withholding affecting more than 1% of employees)?
What is your stated SLA for system availability? What is the historical uptime over the past 24 months?
What maintenance windows exist? Are payroll processing windows protected from scheduled maintenance?
Define your incident severity levels for AI-related errors. What constitutes a P1 incident in your framework?
What is your notification SLA to customers when a P1 AI incident is detected? 1 hour? 4 hours? Same business day?
Describe your incident response process from detection through customer notification and remediation.
In the event of an AI model failure during a payroll run, what is your procedure for restoring accurate calculation capability? What is the RTO (Recovery Time Objective)?
Do you maintain a fallback processing mode (non-AI) that can be activated when AI systems are unavailable or unreliable?
How do you communicate root cause analysis to customers following an AI incident?
What SLA credits are available when AI errors cause customer remediation costs (e.g., W-2c filing, penalty abatement efforts)?
Describe your business continuity and disaster recovery plan for AI-dependent payroll systems. What is your RPO (Recovery Point Objective)?
How long is customer data available following contract termination? In what format can it be exported?
Provide contact information for your dedicated payroll AI compliance contact — the person a customer's payroll director would call during an IRS examination related to your AI outputs.