I’m a weirdo who builds compliance and auditing software for this very use case. Getting functioning hardware or software from a vendor is one thing. You can QA whether it’s up to spec.
Vetting compliance with operational best practices is a different can of worms. You have to check compliance with random audits and investigations, and people that want to hide shit will try to work around that random checking.
All in all, it’s one of those things that probably seems simple when you’re looking at it from afar, but if you’re actually trying to do the job, you know it’s way more complicated than outsiders realize.