When you get notice of an upcoming exam it can be a time of frantic scrambling – but it doesn’t necessarily have to be. There are specific items your examiner is going to care about. The best way to know what they’re looking for is to truly understand the scope of the audit. Once you understand the audit scope, you’ll already be off to a great start.
7 Key Items Your Examiners Will Care About
Let’s discuss seven vendor risk management items your examiner is almost always going to request:
- Your vendor risk management program and all associated documentation. Your examiner will want to see that the policy, program and procedures documentation are all current – meaning updated at least annually, or periodically as changes occur – and that any documentation referenced within those documents is available for review. Examiners will verify that your work product matches what is set out in your policy (e.g., SOC reviews, financial reviews, etc.).
- A vendor risk management/third party risk organization chart. This will help them better understand who is actively involved.
- A job description and bio for your key organizational members. Examiners will use these to verify that staff are adequately trained and to gauge their level of expertise.
- Your active vendor inventory. With this, be sure to identify every vendor and their correlated risk level – critical/non-critical and high, moderate or low risk. In addition, identify the vendors you’ve written out of scope and indicate why. Quick tip: Typically, you can request an updated vendor list from Accounts Payable. Comb through the list to make sure you didn’t accidentally leave out a vendor.
- Evidence of ongoing monitoring. You probably have relevant due diligence on file from when you vetted the vendor, and that’s fantastic. However, examiners want to see that you’re continuing to keep the due diligence up to date, even after you’ve contracted with the vendor. They’ll want to see the most current due diligence and any new analyses that have been performed by subject matter experts.
- Active involvement by senior management and the board. Regulatory guidance requires it. Provide the reports you typically share with them and any meeting minutes to prove their involvement.
- Documentation proving that prior exam findings have been resolved. This is a big one! Don’t fall victim to repeat findings.
Doing these seven things upon notice of an exam is a proactive approach. It’ll make the exam go much more smoothly if you’ve organized these items beforehand and are prepared.
Be as prepared as possible for your examination.