Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.


Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 


Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.



Trends, best practices and insights to keep you current in your knowledge of third-party risk.


Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars



Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.



Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

State of Third-Party Risk Management 2023!

Venminder's seventh annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.


Third Party Risk Q&A: Auditor's Perspective and Best Practices

10 min read
Featured Image

During our recent three day Vendor Management Bootcamp we had a lot of GREAT questions come in. It was simply impossible to get to them all during the live sessions, so we have worked with the various speakers to compile the answers and make them available for all here.

Below you will find the questions and the speaker responses from Day 1, Session 1.

Day 1 - Session 1
An Auditor’s Perspective on Third Party Risk

This session was led by experts Mike Morris, Partner at PKM, and Mary Beth Marchione, Systems Manager at PKM, where they discussed common mistakes as well as practical tips for solid vendor management practices from an auditor's perspective. 

The following answers were kindly provided by:

MikeMorris-PKM.jpg Mary Beth Marchione PKM.jpg

Mike Morris
Porter Keadle Moore

Mary Beth Marchione
Systems Manager
Porter Keadle Moore

What if we have a tier one vendor who will not provide any policies and procedures, SOC or SSAE 16 reports or financials due to personal policy and procedure. Do you recommend we do not engage unless they do, if critical? Or do you feel it’s safe to evaluate the vendor and service they are providing?

Answer: "I would be wary of any company that refuses to provide information required to support the highly-regulated financial services industry. A SOC report is the best option for vendor management; however, there are other activities that you can perform, including on-site assessments, control environment questionnaires, periodic meetings with the vendor and inspecting documents on-site. You can also review output reports related to service levels/processing accuracy, etc. There is no one answer whether it is save or not to continue your relationship with the vendor. The best way to determine that is through the procedures noted as well as gaining more information as to why they are not currently engaging in a SOC audit. In addition, it's imperative to ensure that vendor management information is available contractually prior to signing (or renewing) any critical vendor contracts."

Q2: How often should the board be notified? Annually?

Answer: "The Board should be notified/review the vendor management program at least annually or anytime a major change or issue arises. This should occur once all of the reviews for the previous year have been performed (typically first quarter of the subsequent year)."

Q3: If a vendor has access to non-public information should they automatically be considered high risk?

Answer: "Having access to non-public information does increase the risk related to the vendor relationship. It will be important to assess how often (the frequency) they access the information, whether the access is controlled and monitored, whether the access is unfettered and the type of non-public information accessed to make that determination."

For more information related to creating an effective risk assessment process, download our whitepaper.

Q4: Examples of mapped CUEC controls. Name policies and procedures?

Answer: "When mapping CUEC controls, consider a table with three columns. The first column is the CUEC itself, the second column is the individual(s) in your organization responsible for the control and the third column would be the mapping of the control to your internal control structure (including SOX and FDICIA testing, as applicable). Once you have set up the table for a given vendor, it should not change much from year to year, but the CUECs must be formally reviewed and updated at least annually."

Q5: What level of due diligence is required for medium risk vendors?

Answer: "This will depend on the financial institution's overall risk appetite as well as the methodology defined within your vendor management program. Generally, medium risk vendors are still under scrutiny as it relates to their financials and third party audit reports. You must determine the reputational, strategic, transactional/operational, legal/compliance risks that these vendors pose and review them accordingly. Also, make sure you clearly define the requirements for reviewing medium risk vendors in your vendor management policy and follow those requirements for each medium risk vendor reviewed."

Q6: I have vendors that will not provide their BCP or disaster recovery plan and testing due to their wanting to keep it secure. What should I do?

Answer: "A solution may be to go onsite and view the documents or obtain summary documents for these areas. You should ensure that when you go into the contract renewal phase for each vendor that you try to get these items as a contractual requirement."

Q7: How can participation happen in a test if the only way to test is in a live environment and it effects our customers real time? We have not found a way to test when testing can only be done in real time.

Answer: "Participation could mean that assigned testers in your organization access the vendor's test environment to determine whether it mirrors your live environment. This could be achieved through a test subnet or a temporary virtual environment. If it's not feasible for you to participate, you can obtain a copy of the vendor's testing to determine if they successfully recovered. Remember, it's recommended that you participate, but not specifically required to allow for some flexibility in these instances."

Q8: Is the statement from the vendor that they are responsible for the subservice providers enough?

Answer: "No. It's a start and can be noted as a review point within your vendor management program, however, without documentation, we can not accept it. With the SSAE18 changes, there will be more transparency as it relates to subservice organization being used by your vendors, the functions those subservice organizations perform and the vendor management your direct vendor is performing."
To learn more about subservice providers or fourth parties, download this infographic.

Q9: When should your legal team be brought in during the vendor management process?

Answer: "The legal team should be brought in during the due diligence phase before signing a contract with a vendor, during contract renewal and at the discretion of management as it relates to matters of vendor non-compliance/issues."

Q10: Who do you see as the risk owner for third party risk? Vendor Management, Contract Owner or Operational Risk?

Answer: "The Board of Directors and senior management are responsible for due diligence/due care. They should formally name an assigned individual or group that is responsible for owning the third party risk management function and reporting status updates periodically (at least annually)."

Q11: Do we allow the vendors to assess which "subservicers" they use are "critical" or do we rate the critical "subservicers" ourselves?

Answer: "It will be important for you to understand the nature of the service provided by the subservice organization and from there you can apply your vendor management methodology to understand if they are critical. This may require inquiry of your vendor and a strong understanding of the nature of the services your vendor/subservice providers are providing."

Q12: How do you monitor SLA?

Answer: "You can monitor SLAs through output reports, help desk tickets and error and issue monitoring. You should be monitoring for down time, errors and customer complaints for a given vendor and comparing that to your contractual SLAs. Some vendors will provide specific SLA reports for your review. SOC 2 reports should address the controls at the vendor related to SLAs, so review the SOC reports as well."

Q13: If your A/P list of vendors reaches several thousand vendors, can we use a risk based approach to conducting vendor due diligence?

Answer: "Yes, you should always use a risk based approach. You can quickly discard low risk vendors, such as newspaper delivery, lawn maintenance, professional services fees (i.e. NACHA payment fees) that don't have a direct impact on your internal controls. You do need to be careful of vendors that have physical access, such as the cleaning crew and printer/copier maintenance companies. While you won't have to get SOC reports or financials on these companies, you will want to document your information security controls, such as clean desk policies, requirements for emptying shred bin containers under desks into locked shred bins periodically throughout the day and before employees leave for the night, etc."

Q14: What is the best way to get documents for vendors that don’t like releasing documents?

Answer: "You should always ensure that your contract has provisions to obtain these documents. If you've already signed a contract, you should ensure that the contract renewal includes these provisions. In the meantime, perform onsite visits to review the documentation and summarize your reviews."

Q15: Do you anticipate any special considerations or deviation from the points you've made here if the vendor is a large service provider that is being used as an aggregator?

Answer: "No, but it will be important to understand the nature of the service provided/the data they are aggregating, have access to and/or maintain. Your specific review procedures should be customized based upon the risk and the nature of the services provided."

Q16: Should an MSA be required for all SLAs that are not part of a contract?

Answer: "Yes, that would be the most prudent approach. "

 Learn Venminder can help you lower your vendor management workload. Download our samples.

Download Free Venminder Due Diligence Document Samples

Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo