6 Steps to Developing a Successful Internal Vendor Management Audit Program

Internal audit programs are important as they can help identify gaps and areas that may have been overlooked. It’s important to understand the basic steps to a successful internal vendor management audit program. Let’s go through those steps now.

The 6 Steps to Developing an Internal Vendor Management Audit Program

  1. Establish the scope and objective of the audit. This is important so that you have a clear goal in mind and can properly carry out the audit.

  2. Review the documentation that governs and guides the organization’s program. This includes board-level policies, process documentation, vendor categorization criteria and risk assessment methodology.

    These policies should be approved, repeatable methodologies that are uniformly applied to the organization’s vendor population. Additionally, vendor reports showing ongoing reviews and governance of the vendors must be provided as evidence of compliance with this framework. All documentation should evidence that the processes outlined in the governance documents are being appropriately executed.

  3. Make sure ongoing monitoring has been established on a recurring schedule and is based on the associated risk of the vendor relationship. Keep in mind that it is not enough for organizations to perform the required due diligence only before contracting with the selected vendor. The ongoing review and monitoring of the relationship throughout the lifecycle of the vendor engagement must be demonstrated.

  4. Consider regulatory expectations. It’s imperative that you understand the regulatory bodies' expectations related to vendor management. While many of the regulations related to vendor management appear similar - FED, OCC, FDIC, FFIEC, NCUA, CFPB - each regulator has its own area of focus as it relates to the organizations under its supervisory authority.

Additionally, regulators expect that business leaders within the organization monitor and take responsibility for the actions of their vendors through various laws and standards. Some of the laws and standards they are verifying include:

  • BSA/AML Regulations
  • Regulatory Guidance from the applicable prudential regulator
  • The Sarbanes-Oxley Act
  • The Gramm-Leach-Bliley Act
  • The Foreign Corrupt Practices Act (FCPA)
  • The Health Insurance Portability and Accountability Act (HIPAA)
  • The Payment Card Industry Data Security Standard (PCI DSS) requirements
  • CFPB guidance

  5. Consider and clearly identify control activities. The following is a list of control activities that can be included as part of the audit of the vendor management program. Remember, the list is a starting point and can be modified based on the overall complexity and scope of your organization’s program. These include:
    • Vendor Management Program Framework reviews including:
      • Governance
        • Board
        • Executive/Management oversight
        • Committee
        • Structure
      • Operating Model
        • Policies
        • Procedures
        • Processes
      • Vendor Lifecycle Management
        • Planning
        • Vendor Selection
        • Due Diligence
        • Contracting
        • Ongoing Monitoring/Periodic Reviews
        • Termination/Renewal
      • Staff Interviews. You are looking for:
        • Expertise in vendor management including knowledge of applicable laws and regulations
        • A comprehensive understanding of the bank's relationships including contractual obligations and regulatory requirements
        • Verifying that the appropriate and adequate resources are allocated to vendor management
      • Contract Reviews which include:
        • Evaluating the contract management process
        • Determining if the contract language, specifically security language and right to audit, is adequate for the relationships being reviewed and managed
      • Documentation Reviews:
        • Does the documentation align with the vendor management operating model and associated processes established by your bank?
      • Risk Assessment framework and methodology
      • Vendor categorization
      • Vendor concentration
      • Foreign vendor reviews
  6. Identify and assess risks, and provide recommendations to mitigate control weaknesses. If there are weaknesses, this covers you and helps you fix them going forward.

We hope these steps help as you develop or improve your internal vendor management audit program. 
