Scribd
Upload
611 views9 pages

Vendor Risk Management Guide

Organizations need efficient processes to audit their vendor risk management programs. This involves establishing an audit trail and reviewing documentation across the vendor lifecycle, including qualification, engagement, delivery, finances, and termination. It also requires assessing risks and having policies, procedures, and processes to govern vendor management. Ongoing governance is supported through ongoing review of vendor reports, questionnaires, and audits.

Uploaded by

Shashank Gautam
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
611 views9 pages

Vendor Risk Management Guide

Organizations need efficient processes to audit their vendor risk management programs. This involves establishing an audit trail and reviewing documentation across the vendor lifecycle, including qualification, engagement, delivery, finances, and termination. It also requires assessing risks and having policies, procedures, and processes to govern vendor management. Ongoing governance is supported through ongoing review of vendor reports, questionnaires, and audits.

Uploaded by

Shashank Gautam
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd

Organizations conduct due diligence into the third-party's ecosystem and security,

but to truly protect themselves, they must audit and continuously monitor their
vendors. Not only do organizations audit their vendors, but standards and
regulations often require audits of the company's vendor management program.
Organizations need efficient vendor risk management audit processes that allow for
smooth audits of their vendor management program.
What are the steps in a vendor management audit?

Internal audit managers know that successful audits begin by establishing an audit
trail. The operating model, or living documents that guide the process, includes
vendor categorization and concentration based on a risk assessment that uses an
approved methodology. Next, organizations must supply vendor report reviews
proving ongoing governance throughout the vendor lifecycle.

What is vendor lifecycle management?

Traditionally, vendor lifecycle management incorporates five primary categories:


qualifying, engagement, managing delivery, managing finances, and relationship
termination. However, as data breach risk increases, companies need to include
reviewing information security as a sixth category in the life cycle. Due diligence
during the qualification step incorporates information security management.
However, threats evolve continuously meaning that organizations need to review
information security over the entire lifecycle, not just at a single point.

Before documenting activities, companies need to plan their supplier relationship


management process from start to finish. As regards the audit, companies need to
ensure that their supplier relationship management policies, procedures, and
processes address each step in the life cycle.

QUALIFYING

__ Process for obtaining and determining insurance, bonding, and business license
documentation

__ Benchmarks for reviewing financial records and analyzing financial stability

__ Review process for staff training and licensing


__ Benchmarks for evaluating IT assets

ENGAGEMENT

__ Contracts include a statement of work, delivery date, payment schedule, and


information security requirements

INFORMATION SECURITY MANAGEMENT

__ Baseline identity access management within the vendor organization

__ Baseline privileged access management for the vendor

MANAGING DELIVERY

__ Scheduling deliverables

__ Scheduling receivables.

__ Organization defines stakeholders responsible for working with the vendor

__ Establishing physical access requirements

__ Defining system access requirements

MANAGING FINANCES

__ Establish invoice schedule

__ Establish payment mechanism

TERMINATING RELATIONSHIP

__ Revoking physical access

__ Revoking system access


__ Definitions of causes for contract/relationship termination

What should the risk assessment framework and methodology


documentation contain?

Before reviewing third-party vendors or establishing an operating model,


companies need to create a risk assessment framework and methodology for
categorizing their business partners. This process includes aligning business
objectives with vendor services and articulating the underlying logic to senior
management and the Board of Directors.
When auditors review risk assessments, they need documentation proving the
evaluative process as well as Board oversight. For example, organizations choosing
a software vendor for their quality management system need to establish risk
tolerances. As part of the risk assessment methodology, the auditor will review the
vendor categorization and concentration.

RISK ASSESSMENT QUALITATIVE DOCUMENTATION

__ Vendors are categorized by service type

__ Access needed to internal data

__ Nature of data categorized by risk (client confidential, private data, corporate


financial, identifiers, passwords)

__ Data and information security expectations

RISK ASSESSMENT QUANTITATIVE DOCUMENTATION

__ Financial solvency baselines

__ Contract size

__ Beneficial owners of third-party's business


__ Location of headquarters

__ IT Security Ratings

What does an organization need as part of its operating model


documentation?

The term "operating model" primary means policies, procedures, and processes that
guide vendor management. These documents act as the skeleton for any third-party
management program as well as the audit.

RISK ASSESSMENT

__ Does the organization risk rate its vendors?

__ Does the risk assessment discuss the methodology


(qualitative/quantitative/combination)

__ Are the vendors categorized by risk?

VENDOR RISK MANAGEMENT POLICY

__ Does it include human resources security?

__ Does it discuss physical and environmental security?

__ Does it establish baseline requirements for network and system security?

__ Does it establish baseline requirements for data security?

__ Does it establish baselines requirements for access control?

__ Does it establish baseline requirements for IT acquisition and maintenance?

__ Does it require vendors to document their vendor management program?


__ Does it define the vendor's incident response management responsibilities?

__ Does it define the vendor's business continuity and disaster recovery


responsibilities?

__ Does it outline the vendor compliance requirements?

PROCEDURES

__ Is there a workflow for engaging in vendor management review?

__ Does the organization designate a stakeholder to track vendors, relationships,


subsidiaries, documents, and contacts?

__ Does the organization designate a stakeholder responsible for vendor due


diligence?

__ Does the organization designate a stakeholder who delivers and collects surveys
and risk assessments?

__ Does the organization designate a stakeholder to manage contract review and


renewal?

__ Does the organization outline a process for coordinating with legal, procurement,
compliance, and other departments when hiring and managing a vendor?

__ Does the organization outline metrics and reports needed to review vendors?

What documentation supports vendor report reviews and ongoing


governance?

Vendor report reviews are one part of ongoing vendor management governance.
Proving continuous monitoring includes reviewing reports and
questionnaires attesting to security.
VENDOR REPORT DOCUMENTATION
__ Audit Reports (SOC audits, ISO audits)

__ Security questionnaires

__ Financial reports

__ Financial controls documentation

__ Operational controls documentation

__ Compliance controls documentation

__ Data breach reports

__ Access control management documentation

__ Control change management documentation

You might also like