
Auto-fill SIG/CAIQ vendor diligence with Claude

  • Difficulty: intermediate
  • Setup time: 30 min
  • For: legal-ops · contract-manager · Legal Ops

A Claude Skill that takes a vendor due diligence questionnaire (SIG, SIG-Lite, CAIQ, or a custom format) and your product/service documentation, then auto-fills as many responses as possible while flagging the ones that need human input. Cuts the typical 4-8 hours of vendor-side questionnaire response time down to 30-45 minutes.

What you’ll need

  • Claude Code or Claude.ai with custom Skills enabled
  • The diligence questionnaire as .xlsx (most common) or .docx
  • Your firm’s documentation: security policies, SOC 2 report, privacy policy, business continuity plan, data handling docs
  • Optional: previously-completed questionnaires (the Skill can pattern-match against prior responses)

Setup

  1. Drop the Skill. Place vendor-dd-questionnaire.skill into your Claude Code skills directory (~/.claude/skills/) or upload it to a Claude.ai project. The Skill exposes one callable function: complete_questionnaire.
  2. Index your documentation. The Skill expects your security/compliance docs in a documentation/ subfolder — SOC 2, privacy policy, security policy, data flow diagrams, incident response plan, BCP, vendor-management policy.
  3. Optionally add prior questionnaires. Place completed questionnaires in prior_responses/ for pattern-matching. The Skill identifies questions answered before and reuses the response (with attribution).
  4. Test on a known questionnaire. Run on a SIG-Lite you’ve completed manually. Compare auto-filled responses to your manual responses. Tune the documentation index if responses miss obvious sources.

How it works

The Skill processes the questionnaire in three passes:

  1. Question classification. For each question, identifies the response type expected (yes/no, descriptive, document upload, certification reference) and the topic (access control, encryption, BCP, etc.).
  2. Response generation. Searches the indexed documentation for the relevant content, drafts a response in the format expected, and cites the source document.
  3. Confidence scoring + flagging. Each response gets a confidence score; responses below threshold are flagged for human review with the question text, candidate answer, and the source documents the Skill considered.
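A stripped-down model of the three passes, added here as an illustration and not the Skill's actual code: the documentation snippets, topic vocabulary, term-overlap scoring and the 0.6 threshold are all constructed assumptions, but the shape of the output (audit log plus review queue of low-confidence items with candidate answer and source) matches what the page describes.

```python
import re

# Constructed documentation index (doc name -> text); stands in for the documentation/ folder.
DOCS = {
    "security_policy.md": ("All data at rest is encrypted with AES-256. Production access requires MFA "
                           "and role-based access control. Access reviews are performed quarterly."),
    "bcp.md": "The business continuity plan is tested annually. The recovery time objective is 4 hours.",
    "privacy_policy.md": "Customer data is retained for 90 days after contract termination, then deleted.",
}
# Hypothetical topic vocabulary for pass 1 (question classification).
TOPICS = {
    "encryption": {"encrypt", "encrypted", "aes", "tls", "rest", "transit"},
    "access_control": {"access", "mfa", "role", "authentication", "reviews"},
    "bcp": {"continuity", "recovery", "rto", "disaster", "tested"},
    "data_handling": {"retained", "retention", "delete", "deleted", "privacy"},
}
STOP = {"do", "does", "is", "are", "the", "a", "an", "of", "to", "for", "your", "how", "what", "and",
        "in", "at", "with", "on", "you", "often"}
THRESHOLD = 0.6  # responses scoring below this go to the human review queue

def tokens(text):
    return {t for t in re.findall(r"[a-z0-9]+", text.lower()) if t not in STOP}

def classify(question):  # pass 1: expected response type plus topic from vocabulary overlap
    q = tokens(question)
    rtype = "yes/no" if question.lower().startswith(("do ", "does ", "is ", "are ")) else "descriptive"
    topic = max(TOPICS, key=lambda t: len(q & TOPICS[t]))
    return rtype, (topic if q & TOPICS[topic] else "unknown")

def best_source(question):  # pass 2: documentation sentence covering the most question terms
    q = tokens(question)
    best = ("", None, 0.0)  # (candidate sentence, source doc, confidence)
    for doc, text in DOCS.items():
        for sent in re.split(r"(?<=\.)\s+", text):
            score = len(q & tokens(sent)) / len(q) if q else 0.0
            if score > best[2]:
                best = (sent, doc, score)
    return best

def complete_questionnaire(questions):  # pass 3: score every answer; return (audit log, review queue)
    audit, review = [], []
    for question in questions:
        rtype, topic = classify(question)
        candidate, source, confidence = best_source(question)
        record = {"question": question, "type": rtype, "topic": topic, "candidate": candidate,
                  "source": source, "confidence": round(confidence, 2)}
        audit.append(record)
        if confidence < THRESHOLD:  # flagged: a human supplies or confirms the response
            review.append(record)
    return audit, review
```

A question with no documentation coverage lands in the review queue with an empty candidate and no source, while a partially covered one keeps its best candidate and citation so the reviewer can confirm or correct it.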

Output

  • Auto-filled questionnaire in the original format (preserves the customer’s .xlsx structure)
  • Review summary — list of low-confidence responses requiring human input, with the question, candidate response, and source citations
  • Audit log — for each auto-filled question, the source document(s) and confidence score, defensible if a customer asks how a response was derived

Where it fits

This Skill is for the vendor side — your team responding to customer security questionnaires. Pair with intake-side workflows for the inbound diligence on your own vendors.

For high-volume questionnaire response (multiple per week), consider also:

  • Whistic, OneTrust, or SecurityScorecard for a shared-questionnaire repository (customers can self-serve)
  • HyperComply or Conveyor for AI-native questionnaire automation as a service

Watch-outs

  • Documentation freshness. The Skill is only as accurate as your documentation. Stale SOC 2 references or outdated security policies produce wrong responses. Annual documentation audit matters.
  • Marketing vs technical responses. Some questionnaire questions invite marketing-style answers; others require technical specificity. Verify the Skill is producing the right tone for the audience.
  • Don’t skip human review on flagged items. Auto-fill the easy 70-80%; a human reviews and finalizes the rest. Skipping human review produces customer-facing inaccuracies.
  • Track which customers got which responses. Questionnaire responses are contractual representations; record which responses went to which customer agreement so there is an audit trail.