During our recent three day Vendor Management Bootcamp we had a lot of GREAT questions come in. It was simply impossible to get to them all during the live sessions, so we have worked with the various speakers to compile the answers and make them available for all here.
Below you will find the questions and the speaker responses from Day 1, Session 1.
Day 1 - Session 1
An Auditor’s Perspective on Third Party Risk
This session was led by experts Mike Morris, Partner at PKM, and Mary Beth Marchione, Systems Manager at PKM, where they discussed common mistakes as well as practical tips for solid vendor management practices from an auditor's perspective.
The following answers were kindly provided by:
Mary Beth Marchione
Q1: What if we have a tier one vendor who will not provide any policies and procedures, SOC or SSAE 16 reports or financials due to personal policy and procedure. Do you recommend we do not engage unless they do, if critical? Or do you feel it’s safe to evaluate the vendor and service they are providing?
Answer: "I would be wary of any company that refuses to provide information required to support the highly-regulated financial services industry. A SOC report is the best option for vendor management; however, there are other activities that you can perform, including on-site assessments, control environment questionnaires, periodic meetings with the vendor and inspecting documents on-site. You can also review output reports related to service levels/processing accuracy, etc. There is no one answer whether it is save or not to continue your relationship with the vendor. The best way to determine that is through the procedures noted as well as gaining more information as to why they are not currently engaging in a SOC audit. In addition, it's imperative to ensure that vendor management information is available contractually prior to signing (or renewing) any critical vendor contracts."
Q2: How often should the board be notified? Annually?
Answer: "The Board should be notified/review the vendor management program at least annually or anytime a major change or issue arises. This should occur once all of the reviews for the previous year have been performed (typically first quarter of the subsequent year)."
Q3: If a vendor has access to non-public information should they automatically be considered high risk?
Answer: "Having access to non-public information does increase the risk related to the vendor relationship. It will be important to assess how often (the frequency) they access the information, whether the access is controlled and monitored, whether the access is unfettered and the type of non-public information accessed to make that determination."
Q4: Examples of mapped CUEC controls. Name policies and procedures?
Answer: "When mapping CUEC controls, consider a table with three columns. The first column is the CUEC itself, the second column is the individual(s) in your organization responsible for the control and the third column would be the mapping of the control to your internal control structure (including SOX and FDICIA testing, as applicable). Once you have set up the table for a given vendor, it should not change much from year to year, but the CUECs must be formally reviewed and updated at least annually."
Q5: What level of due diligence is required for medium risk vendors?
Answer: "This will depend on the financial institution's overall risk appetite as well as the methodology defined within your vendor management program. Generally, medium risk vendors are still under scrutiny as it relates to their financials and third party audit reports. You must determine the reputational, strategic, transactional/operational, legal/compliance risks that these vendors pose and review them accordingly. Also, make sure you clearly define the requirements for reviewing medium risk vendors in your vendor management policy and follow those requirements for each medium risk vendor reviewed."
Answer: "A solution may be to go onsite and view the documents or obtain summary documents for these areas. You should ensure that when you go into the contract renewal phase for each vendor that you try to get these items as a contractual requirement."
Q7: How can participation happen in a test if the only way to test is in a live environment and it effects our customers real time? We have not found a way to test when testing can only be done in real time.
Answer: "Participation could mean that assigned testers in your organization access the vendor's test environment to determine whether it mirrors your live environment. This could be achieved through a test subnet or a temporary virtual environment. If it's not feasible for you to participate, you can obtain a copy of the vendor's testing to determine if they successfully recovered. Remember, it's recommended that you participate, but not specifically required to allow for some flexibility in these instances."
Q8: Is the statement from the vendor that they are responsible for the subservice providers enough?
Answer: "No. It's a start and can be noted as a review point within your vendor management program, however, without documentation, we can not accept it. With the SSAE18 changes, there will be more transparency as it relates to subservice organization being used by your vendors, the functions those subservice organizations perform and the vendor management your direct vendor is performing."
To learn more about subservice providers or fourth parties, download this infographic.
Q9: When should your legal team be brought in during the vendor management process?
Answer: "The legal team should be brought in during the due diligence phase before signing a contract with a vendor, during contract renewal and at the discretion of management as it relates to matters of vendor non-compliance/issues."
Q10: Who do you see as the risk owner for third party risk? Vendor Management, Contract Owner or Operational Risk?
Answer: "The Board of Directors and senior management are responsible for due diligence/due care. They should formally name an assigned individual or group that is responsible for owning the third party risk management function and reporting status updates periodically (at least annually)."
Q11: Do we allow the vendors to assess which "subservicers" they use are "critical" or do we rate the critical "subservicers" ourselves?
Answer: "It will be important for you to understand the nature of the service provided by the subservice organization and from there you can apply your vendor management methodology to understand if they are critical. This may require inquiry of your vendor and a strong understanding of the nature of the services your vendor/subservice providers are providing."
Q12: How do you monitor SLA?
Answer: "You can monitor SLAs through output reports, help desk tickets and error and issue monitoring. You should be monitoring for down time, errors and customer complaints for a given vendor and comparing that to your contractual SLAs. Some vendors will provide specific SLA reports for your review. SOC 2 reports should address the controls at the vendor related to SLAs, so review the SOC reports as well."
Q13: If your A/P list of vendors reaches several thousand vendors, can we use a risk based approach to conducting vendor due diligence?
Answer: "Yes, you should always use a risk based approach. You can quickly discard low risk vendors, such as newspaper delivery, lawn maintenance, professional services fees (i.e. NACHA payment fees) that don't have a direct impact on your internal controls. You do need to be careful of vendors that have physical access, such as the cleaning crew and printer/copier maintenance companies. While you won't have to get SOC reports or financials on these companies, you will want to document your information security controls, such as clean desk policies, requirements for emptying shred bin containers under desks into locked shred bins periodically throughout the day and before employees leave for the night, etc."
Q14: What is the best way to get documents for vendors that don’t like releasing documents?
Answer: "You should always ensure that your contract has provisions to obtain these documents. If you've already signed a contract, you should ensure that the contract renewal includes these provisions. In the meantime, perform onsite visits to review the documentation and summarize your reviews."
Q15: Do you anticipate any special considerations or deviation from the points you've made here if the vendor is a large service provider that is being used as an aggregator?
Answer: "No, but it will be important to understand the nature of the service provided/the data they are aggregating, have access to and/or maintain. Your specific review procedures should be customized based upon the risk and the nature of the services provided."
Q16: Should an MSA be required for all SLAs that are not part of a contract?
Answer: "Yes, that would be the most prudent approach. "
Learn Venminder can help you lower your vendor management workload. Download our samples.