
7 Key Vendor Risk Management Items Your Examiner Will Care About

May 7, 2019 by Branan Cooper

When you get notice of an upcoming exam it can be a time of frantic scrambling – but it doesn’t necessarily have to be. There are specific items your examiner is going to care about. The best way to know what they’re looking for is to truly understand the scope of the audit. Once you understand the audit scope, you’ll already be off to a great start.

7 Key Items Your Examiners Will Care About

Let’s discuss seven vendor risk management items your examiner is almost always going to request:

  1. Your vendor risk management program and all associated documentation. Your examiner will want to see that the policy, program and procedures documentation are all current – meaning updated at least annually, or periodically as changes occur – and that any documentation referenced within those documents is available to review. Examiners will verify that your work product matches what is set out in your policy (e.g., SOC reviews, financial reviews, etc.).

  2. A vendor risk management/third party risk organization chart. This will help them better understand who is actively involved.

  3. A job description and bio for your key organizational members. Examiners will use this to verify adequate training and their level of expertise.

  4. Your active vendor inventory. With this, be sure to identify every vendor and their correlated risk level – critical/non-critical and high, moderate or low risk. In addition, identify the vendors you’ve written out of scope and indicate why. Quick tip: Typically, you can request an updated vendor list from Accounts Payable. Comb through the list to make sure you didn’t accidentally leave out a vendor.

  5. Evidence of ongoing monitoring. You probably have relevant due diligence on file from when you vetted the vendor, and that’s fantastic. However, examiners want to see that you’re continuing to keep the due diligence up-to-date, even after you’ve contracted with the vendor. They’ll want to see the most current due diligence and new analyses that have been performed by subject matter experts.

  6. Active involvement by senior management and the board. Regulatory guidance requires it. Provide the reports you typically share with them and any meeting minutes to prove their involvement.

  7. Documentation proving that prior exam findings have been resolved. This is a big one! Don’t fall victim to repeat findings.

Doing these seven things upon notice of an exam is a proactive approach. It’ll make the exam go much more smoothly if you’ve organized these items beforehand and are prepared.

Be as prepared as possible for your examination. Download this eBook for further information.

Written by Branan Cooper

Branan Cooper is the Chief Risk Officer at Venminder. Branan has nearly 30 years of experience in the financial services industry with a focus on the management of operational and regulatory processes and controls—most notably in the area of third party risk and operational compliance. Branan leads the Venminder delivery team as the third party risk management subject matter expert in residence. Branan also serves as an industry thought leader. He's a member of InfraGard and the Professional Risk Management Industry Association (PRMIA). And, he was selected in 2018 as an advisor to the Center for Financial Professionals (CEFPro) and board member for the Global Sourcing Resource Network (GSRN).