Overview
Third-party due diligence at a global enterprise was inconsistent. Vendor onboarding requests arrived in SAP Ariba with variable details, screening happened in email and spreadsheets, and sanctions or adverse media checks were performed late or not at all. Legal escalations appeared near purchase order cutoffs, forcing urgent holds and rework with Procurement. Intelligex integrated SAP Ariba with OneTrust for third-party risk management and Refinitiv World-Check for sanctions and adverse media screening, added a risk-scoring model with jurisdiction and service-category weights, and built remediation workflows with Legal sign-offs. Screening began at intake, risk ratings and holds were visible in Ariba, and remediation tasks moved in a governed flow. The team gained clear visibility and avoided late-stage surprises while Ariba, existing vendors, and approval paths stayed in place.
Client Profile
- Industry: Global enterprise with complex supply chain and regulated customers
- Company size (range): Multi-region operations with centralized Legal & Compliance and distributed Procurement
- Stage: SAP Ariba for supplier onboarding and purchasing; due diligence performed by email and spreadsheets; spot checks against sanctions lists; inconsistent escalation and remediation tracking
- Department owner: Legal & Compliance (Ethics & Compliance, Sanctions/AML, and Legal Operations)
- Other stakeholders: Procurement/Supplier Management, InfoSec/Privacy, Finance/AP, IT/Integrations, Internal Audit, Regional Compliance Officers, Business Owners
The Challenge
Supplier intake asked for basic information, but risk signals were not enforced. A vendor could be approved in Ariba before sanctions or adverse media results were available. Procurement analysts emailed questionnaires, pasted results into trackers, and asked Legal for reviews in chat. When a flagged hit appeared late, buyers paused requisitions and rebuilt timelines. Counterparty names were sometimes entered with abbreviations or translated spellings, which made manual screening unreliable.
Jurisdiction and service category mattered, yet they were not captured consistently. Marketing agencies in low-risk markets moved through the same process as data processors or customs brokers in higher-risk locations. Screening happened with varying depth based on the analyst rather than on an agreed model. Remediation steps (collecting certifications, requesting ownership attestations, or restricting scope) lived in long email threads. Leaders could not see which vendors were under review, what blocked approval, or whether holds were due to policy or data entry.
Audit evidence was difficult to assemble. Proof of screening dates, lists checked, approvals granted, and responses provided by vendors were stored across inboxes and shared folders. During reviews, the team traced decisions by searching messages and spreadsheets instead of pulling a single case record.
Why It Was Happening
Due diligence was not embedded in onboarding. SAP Ariba handled supplier records and approvals, but screening and questionnaires lived outside the system. There was no integration that pushed a vendor through a risk tiering model at intake, triggered the right questionnaires, and returned a disposition that Ariba could enforce. As a result, diligence happened on a best?effort basis subject to deadlines.
Risk rules and approvals were documented but not encoded. Country-level restrictions, service-category policies, and escalation thresholds were written in PDFs. Analysts interpreted them differently, and exceptions were granted by email without a system of record. Without a shared scoring model and gated workflows, inconsistent outcomes were predictable.
The Solution
Intelligex connected SAP Ariba supplier onboarding to OneTrust for third-party risk workflows and to Refinitiv World-Check for sanctions, politically exposed persons (PEPs), and adverse media screening. Vendor requests triggered automated screening and dynamic questionnaires based on jurisdiction, ownership, and service type. A governed scoring model returned risk tiers to Ariba, where approval steps, holds, and remediation tasks were enforced. Legal reviewed flagged results in OneTrust, documented dispositions with reason codes, and the final status wrote back to Ariba. Sanctions screening aligned to official lists and sources such as the OFAC sanctions list (OFAC Sanctions Search), with adverse media and PEP data from World-Check and third-party workflows in OneTrust Third-Party Risk. Privacy controls followed the NIST Privacy Framework.
- Integrations: SAP Ariba supplier requests into OneTrust; automated calls to World-Check for sanctions/PEP/adverse media; results and risk scores back to Ariba; collaboration tools for alerts; identity/SSO for role-based access.
- Risk model: Tiering by jurisdiction, service category, data handling, and ownership; effective-dated thresholds and weights; disposition codes that drive Ariba approval steps and holds.
- Dynamic questionnaires: Vendor questionnaires triggered by tier and service type (for example, anti-corruption, data protection, beneficial ownership); follow-ups and evidence requests tracked in OneTrust; due dates and reminders visible to Procurement and Legal.
- Screening and matching: Name normalization and alias handling; re-screening cadence; manual review queue for near matches; documented false-positive handling and escalation.
- Remediation workflows: Conditional requirements for certifications, contractual clauses, scope restrictions, or enhanced monitoring; Legal sign-offs with reason codes; status updates synced to Ariba.
- Controls and audit: Immutable logs for screenings, questionnaires, approvals, and holds; evidence packets attached to vendor records; dashboards for in-flight reviews and policy exceptions.
- Security and privacy: Role-based permissions; minimal PII shown in Ariba; sensitive match details stored in OneTrust; retention and legal hold aligned to policy.
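The "Screening and matching" bullet above describes name normalization, alias handling, a near-match review queue, and reuse of reason-coded false positives. The following is an added illustration of that logic, not code from Intelligex, OneTrust, or World-Check. The listed parties, the alias table, the prior false-positive record, the 0.75 review threshold, and the disposition labels are all constructed for the example; a real screening provider returns its own match scores, and the threshold would be tuned from shadow-mode results.

```python
import re
import unicodedata
from dataclasses import dataclass

# Legal-form tokens that add noise when comparing counterparty names.
LEGAL_SUFFIXES = {"llc", "ltd", "limited", "inc", "gmbh", "sa", "sarl", "plc",
                  "co", "corp", "corporation", "company", "ag"}

# Assumed threshold for routing near matches to manual review; tuned in practice.
REVIEW_THRESHOLD = 0.75


def normalize_name(name: str) -> str:
    """Strip diacritics, casefold, drop punctuation and legal suffixes, sort tokens.

    Token sorting makes 'Zhang Wei' and 'Wei Zhang' compare equal. Script
    transliteration (for example Cyrillic to Latin) is not attempted here;
    such spellings are captured in the alias table instead.
    """
    text = unicodedata.normalize("NFKD", name)
    text = "".join(ch for ch in text if not unicodedata.combining(ch)).casefold()
    text = re.sub(r"[^a-z0-9]+", " ", text)
    tokens = [t for t in text.split() if t not in LEGAL_SUFFIXES]
    return " ".join(sorted(tokens))


def similarity(a: str, b: str) -> float:
    """Normalized Levenshtein similarity in [0, 1] (1.0 means identical)."""
    if not a and not b:
        return 1.0
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return 1.0 - prev[-1] / max(len(a), len(b))


@dataclass(frozen=True)
class ListedParty:
    list_id: str
    name: str
    aliases: tuple = ()


# Constructed sample list; these are not real designations.
SAMPLE_LIST = (
    ListedParty("EX-0001", "Example Trading Company Ltd", ("Example Trading Co.",)),
    ListedParty("EX-0002", "Müller Logistik GmbH"),
    ListedParty("EX-0003", "Wei Zhang", ("Wei Chang",)),  # alias holds a transliteration variant
)

# Prior reason-coded reviewer outcomes, keyed by (normalized vendor name, list_id).
# Constructed example: Legal previously cleared this pair as a different entity.
PRIOR_FALSE_POSITIVES = {("logistik mueller", "EX-0002"): "FP-DIFFERENT-ENTITY"}


def screen(vendor_name: str, listed=SAMPLE_LIST, prior=PRIOR_FALSE_POSITIVES) -> dict:
    """Return a disposition for one counterparty name against the list."""
    query = normalize_name(vendor_name)
    best_score, best_party, best_label = 0.0, None, None
    for party in listed:
        for label in (party.name, *party.aliases):
            score = similarity(query, normalize_name(label))
            if score > best_score:
                best_score, best_party, best_label = score, party, label
    result = {"vendor": vendor_name, "score": round(best_score, 3),
              "list_id": best_party.list_id if best_party else None, "matched": best_label}
    if best_score == 1.0:
        result["disposition"] = "HARD_HOLD"          # exact normalized match: approval blocked
    elif best_score >= REVIEW_THRESHOLD:
        reason = prior.get((query, best_party.list_id))
        if reason:
            result["disposition"] = "CLEAR"          # already reviewed: reuse the reason code
            result["reason_code"] = reason
        else:
            result["disposition"] = "MANUAL_REVIEW"  # near match: Legal review queue
    else:
        result["disposition"] = "CLEAR"
    return result


if __name__ == "__main__":
    for name in ("Muller Logistik GmbH", "Mueller Logistics GmbH",
                 "Mueller Logistik GmbH", "Chang Wei", "Northwind Marketing Agency"):
        print(screen(name))
```

"Muller Logistik GmbH" hits EX-0002 exactly once diacritics and the legal suffix are stripped, "Mueller Logistics GmbH" lands in the review queue, and "Mueller Logistik GmbH" is cleared with the reason code recorded at the earlier review rather than being worked again. The false-positive record is keyed by the normalized name and the list entry, so a renewal under the same name does not repeat the review, while a new spelling still does.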
Implementation
- Discovery: Mapped current onboarding and approval paths in Ariba; inventoried sanctions, PEP, and adverse media sources; documented jurisdiction and service-category rules; reviewed existing questionnaires; sampled late-stage escalations to identify failure modes; gathered Legal, Privacy, and Audit requirements.
- Design: Authored the risk tiering model and ownership; defined integration points between Ariba, OneTrust, and World-Check; designed dynamic questionnaires and evidence types; mapped remediation actions to Ariba approval steps; planned dashboards, alerts, and evidence exports; set access tiers and change control.
- Build: Implemented Ariba triggers to create OneTrust assessments; configured World-Check screening with name normalization and alias rules; encoded tiering thresholds and escalation triggers; built remediation workflows with Legal sign-offs; wired status and scores back to Ariba; instrumented logs, masking, and retention.
- Testing/QA: Ran in shadow mode against recent vendor cohorts; validated matching and false-positive handling; exercised jurisdictional and service-category thresholds; piloted dynamic questionnaires and remediation steps with Procurement and regional counsel; tuned weights, labels, and notifications from feedback.
- Rollout: Enabled read-only risk scores in Ariba first; turned on holds and approval gates for a pilot region and vendor categories; expanded by region and category in waves; kept manual review as a controlled fallback; tightened thresholds after stable cycles.
- Training/hand-off: Delivered playbooks for Procurement on intake, questionnaires, and holds; trained Legal on match review, remediation, and dispositions; briefed regional compliance on jurisdiction rules; updated SOPs; transferred model and workflow ownership to Legal & Compliance under change control.
- Human-in-the-loop review: Established recurring reviews of match quality, false positives, and exception patterns; recorded decisions with rationale and effective dates; updated thresholds, questionnaires, and remediation rules accordingly.
Results
Screening started when vendors entered onboarding, not after the fact. Procurement saw risk scores and holds in Ariba, vendors received dynamic questionnaires early, and flagged matches moved to a Legal queue with context from World-Check and prior decisions. When remediation was required, tasks and approvals were visible to both Procurement and Legal, and the vendor's status reflected those outcomes.
Late-stage surprises declined. Jurisdiction and service-category thresholds drove consistent tiering, and exceptions carried a clear owner and rationale. Evidence packets (screening results, questionnaires, approvals, and remediation records) lived with the vendor record for audits. The organization kept SAP Ariba, OneTrust, and its screening vendors; the new layer stitched them together with risk scoring, workflow gates, and governance.
What Changed for the Team
- Before: Screening happened in spreadsheets and email after onboarding. After: Ariba triggered automated screening and OneTrust assessments at intake.
- Before: Analysts interpreted jurisdiction and service risk differently. After: A governed model tiered risk consistently with effective-dated rules.
- Before: Holds and escalations appeared near PO deadlines. After: Risk scores and holds surfaced early with remediation paths and owners.
- Before: Evidence lived across inboxes. After: Screening, questionnaires, and approvals attached to the vendor record with logs.
- Before: False positives consumed cycles. After: Name normalization, alias handling, and review queues reduced noise and documented decisions.
- Before: Visibility was limited to the analyst's tracker. After: Dashboards showed in-flight reviews, exceptions, and trends by region and category.
Key Takeaways
- Embed due diligence in onboarding; trigger screening and questionnaires when suppliers enter the system, not after approval.
- Govern the risk model; use jurisdiction and service-category weights with effective-dated thresholds and owners.
- Automate holds and remediation; drive approvals and tasks from scores and dispositions so Procurement and Legal see the same status.
- Reduce false positives; normalize names, capture aliases, and standardize review queues with documented outcomes.
- Prove the record; keep screening results, questionnaires, and sign?offs with the vendor for audits and renewals.
- Integrate, don't replace; keep Ariba, OneTrust, and screening sources, and add scoring, workflows, and evidence between them.
FAQ
What tools did this integrate with? SAP Ariba handled supplier intake and approval steps, OneTrust managed third-party assessments and remediation workflows (OneTrust Third-Party Risk), and Refinitiv World-Check provided sanctions, PEP, and adverse media data (World-Check). Sanctions alignment referenced official lists such as the OFAC Sanctions Search. Identity/SSO governed access, and dashboards ran on the existing analytics stack.
How did you handle quality control and governance? The risk model (weights, thresholds, and questionnaire logic) lived under Legal & Compliance change control with release notes and effective dates. Screening configurations included name normalization, alias capture, and false-positive handling rules. All screenings, questionnaires, dispositions, holds, and approvals wrote to immutable logs. Privacy controls aligned to the NIST Privacy Framework.
How did you roll this out without disruption? The team ran in shadow mode first, populating risk scores in Ariba without gating approvals. A pilot enabled holds and remediation for selected regions and categories while manual review remained as a fallback. After thresholds and workflows stabilized, coverage expanded in waves and email-based screening was retired.
How were false positives and near matches handled? Screening used normalized names, transliteration, and captured known aliases. Near matches entered a manual review queue in OneTrust with context and prior decisions. Reviewer outcomes updated the match logic, and reason-coded false positives prevented repeat work on renewals or re-screens.
What about renewals and ongoing monitoring? Vendors in active status re-screened on a cadence defined by risk tier, with changes generating alerts and, when needed, remediation tasks. Renewals reused prior evidence where policy allowed and required fresh attestations for higher-risk categories.
How did you handle regional differences and restricted parties? Jurisdiction rules and restricted-party lists were encoded in the model. When a vendor matched a restricted party or country, Ariba enforced hard holds. Regional counsel owned exceptions and could apply scope restrictions or require enhanced monitoring with recorded rationale.
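The risk model described in the Solution section and in the answers above combines jurisdiction, service-category, data-handling, and ownership weights, applies effective-dated thresholds kept under change control, triggers questionnaires by tier and service type, sets a re-screening cadence by tier, and enforces a hard hold for restricted countries. The following is an added example of how such a model can be encoded so that the version in force on the assessment date decides the tier; it is not the client's model or any vendor's product logic. Every weight, threshold, country code, category name, cadence, and disposition label here is constructed for illustration, and the code "XX" stands in for a hypothetical restricted jurisdiction.

```python
from dataclasses import dataclass
from datetime import date

# Constructed weights; real values sit under Legal & Compliance change control.
JURISDICTION_WEIGHT = {"DE": 1, "US": 1, "BR": 2, "AE": 3}
RESTRICTED_COUNTRIES = {"XX"}  # hypothetical code for a comprehensively restricted jurisdiction
SERVICE_WEIGHT = {"marketing": 1, "cloud_hosting": 3, "data_processor": 3, "customs_broker": 4}
DATA_HANDLING_WEIGHT = {"none": 0, "confidential": 2, "personal": 3}
OWNERSHIP_WEIGHT = {"disclosed": 0, "state_owned": 3, "undisclosed": 4}
RESCREEN_DAYS = {"LOW": 365, "MEDIUM": 180, "HIGH": 90}  # assumed re-screening cadence by tier


@dataclass(frozen=True)
class ThresholdVersion:
    effective_from: date
    low_max: int      # total score <= low_max is LOW
    medium_max: int   # total score <= medium_max is MEDIUM, above it HIGH
    release_note: str


# Effective-dated versions; the latest one dated on or before the assessment date applies.
THRESHOLD_HISTORY = (
    ThresholdVersion(date(2024, 1, 1), 4, 8, "v1 initial model"),
    ThresholdVersion(date(2024, 7, 1), 3, 7, "v2 tightened after pilot"),
)


def thresholds_in_force(on: date) -> ThresholdVersion:
    """Pick the threshold version effective on the assessment date."""
    applicable = [v for v in THRESHOLD_HISTORY if v.effective_from <= on]
    if not applicable:
        raise ValueError(f"no threshold version effective on {on}")
    return max(applicable, key=lambda v: v.effective_from)


def _weight(table: dict, key) -> int:
    # Unknown or missing intake values take the highest weight so incomplete records fail closed.
    return table.get(key, max(table.values()))


def assess(vendor: dict, on: date) -> dict:
    """Score one intake record and return tier, disposition, questionnaires, and cadence."""
    country, service = vendor.get("country"), vendor.get("service")
    score = (_weight(JURISDICTION_WEIGHT, country)
             + _weight(SERVICE_WEIGHT, service)
             + _weight(DATA_HANDLING_WEIGHT, vendor.get("data_handling"))
             + _weight(OWNERSHIP_WEIGHT, vendor.get("ownership")))
    version = thresholds_in_force(on)
    if country in RESTRICTED_COUNTRIES:
        tier, disposition = "HIGH", "HARD_HOLD"          # policy match overrides the score
    elif score <= version.low_max:
        tier, disposition = "LOW", "APPROVE"
    elif score <= version.medium_max:
        tier, disposition = "MEDIUM", "LEGAL_REVIEW"
    else:
        tier, disposition = "HIGH", "ENHANCED_DUE_DILIGENCE"

    # Dynamic questionnaires keyed off tier, jurisdiction, and service type.
    questionnaires = []
    if _weight(JURISDICTION_WEIGHT, country) >= 2 or service == "customs_broker":
        questionnaires.append("anti_corruption")
    if vendor.get("data_handling") in ("personal", "confidential"):
        questionnaires.append("data_protection")
    if vendor.get("ownership") != "disclosed" or tier == "HIGH":
        questionnaires.append("beneficial_ownership")

    return {"score": score, "tier": tier, "disposition": disposition,
            "questionnaires": questionnaires, "rescreen_days": RESCREEN_DAYS[tier],
            "model_version": version.release_note}


if __name__ == "__main__":
    # Constructed intake record: a data processor in BR handling personal data.
    vendor = {"country": "BR", "service": "data_processor",
              "data_handling": "personal", "ownership": "disclosed"}
    print(assess(vendor, date(2024, 3, 1)))  # scored under v1
    print(assess(vendor, date(2024, 9, 1)))  # same record, scored under v2
```

The same BR data processor scores 8 under both versions but is MEDIUM under v1 and HIGH under v2, which is exactly the audit question an effective-dated model answers: which thresholds were in force when the decision was made. Two edge cases are handled deliberately: a missing or unrecognized intake value takes the maximum weight rather than zero, so a half-filled request cannot slip into the LOW tier, and a restricted-country match produces a hard hold regardless of score.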
Can this extend to data protection and security assessments? Yes. The same intake triggered data protection and security questionnaires for vendors handling personal or confidential data, with Privacy and InfoSec reviews routed in OneTrust. Dispositions and required contractual clauses wrote back to Ariba approval steps.