Article written by:
Brooke Hauser, CPA
Senior, Information Technology Services
Deciding where to start when analyzing existing vendors can be very cumbersome. Do you send a questionnaire? Do you go on site for a visit or audit? Or, do you accept the risk and perform no review? Here’s a step-by-step guide for how to begin your vendor review process:
- Determine how critical the vendor is
  - You should maintain a vendor listing with all of your current vendors. This listing should include information such as the vendor name, what they do, whether they have access to sensitive customer or company data, whether they have access to your network, and how critical the vendor is. View “How To Identify Your Critical Vendors” for help on how to determine if a vendor is critical.
  - You will typically have different procedures depending on whether the vendor is critical or non-critical to your business.
- Choose the review procedures and frequency
  - There are a lot of options when it comes to performing vendor reviews. What you choose depends on the criticality of the vendor and how much assurance you want to obtain. You will receive a higher level of assurance by obtaining a vendor’s SOC report than you will by having them complete a questionnaire without requiring any supporting documentation.
  - Here are a few procedures you can perform:
    - Obtaining the vendor’s SOC report that was completed by an independent party: this gives you a great deal of assurance because not only were the controls audited, they were audited by someone with experience and expertise in that area. This saves you time and money because you won’t need to complete the audit on your own.
    - Completing an audit on your own: you still obtain a great deal of assurance by doing this yourself; however, it requires you to either find someone within the company or hire an individual to conduct audits. You will also need to determine what you want to audit and go back and forth with the vendor to obtain the support needed to complete the audit.
    - Having your vendor complete a questionnaire: the level of assurance you obtain from this procedure depends on how much you rely on the vendor’s responses, or whether you obtain supporting documentation with each response. For example, as part of a questionnaire, you may ask whether users are terminated in a timely manner and rely on the vendor responding “yes, user access is removed within two business days.” You may also require them to provide a termination ticket demonstrating this control. To reduce the time and effort you put into this review process, there are sites that will provide questionnaire templates or help facilitate the entire process.
    - Setting up news alerts for a vendor: on its own this is not sufficient for reviewing critical vendors, but it can be used to monitor them outside of the review period. For non-critical vendors, however, it is an appropriate procedure.
  - Frequency goes back to how critical the vendor is and your company’s risk tolerance. Typically, a critical vendor is reviewed on an annual basis, while vendors deemed non-critical are typically reviewed every other year (that is, every two years).
For more information about how to handle vendor management, please see our CyberTrends webinar, “Successfully Managing Third-Party Vendors.”
To discuss how to manage vendor relationships in more detail, contact us today.