Vendor Risk Management
but to truly protect themselves, they must audit and continuously monitor their
vendors. Organizations not only audit their vendors; standards and regulations
often also require audits of the company's own vendor management program.
Organizations therefore need an efficient vendor risk management audit process
that lets auditors review the vendor management program without friction.
What are the steps in a vendor management audit?
Internal audit managers know that a successful audit begins with an established
audit trail. The first part of that trail is the operating model: the living
documents that guide the process, including vendor categorization and
concentration analysis based on a risk assessment that uses an approved
methodology. The second part is the set of vendor report reviews that prove
ongoing governance throughout the vendor lifecycle.
QUALIFYING
__ Process for obtaining and verifying insurance, bonding, and business license
documentation
ENGAGEMENT
MANAGING DELIVERY
__ Scheduling deliverables
__ Scheduling receivables
MANAGING FINANCES
TERMINATING RELATIONSHIP
__ Contract size
__ IT security ratings
The term "operating model" primarily means the policies, procedures, and
processes that guide vendor management. These documents act as the skeleton for
any third-party management program, and for the audit of that program.
RISK ASSESSMENT
PROCEDURES
__ Does the organization designate a stakeholder who delivers and collects surveys
and risk assessments?
__ Does the organization outline a process for coordinating with legal, procurement,
compliance, and other departments when hiring and managing a vendor?
__ Does the organization outline metrics and reports needed to review vendors?
Vendor report reviews are one part of ongoing vendor management governance.
Proving continuous monitoring means showing that the organization reviews the
reports and questionnaires in which vendors attest to their security posture.
VENDOR REPORT DOCUMENTATION
__ Audit Reports (SOC audits, ISO audits)
__ Security questionnaires
__ Financial reports