Organizations outsource processes and services for a variety of reasons:
to cut costs,
preserve resources,
make room for growth, and
remain competitive in their industries.
But ultimately, it is the enterprise, not the vendor/supplier, that is legally and contractually responsible for protecting its information.
To maintain information security, data privacy, business continuity, and service delivery, organizations should regularly monitor, review and audit their vendors.
Thus, it is worth examining best practices for preparing a first vendor audit plan.
Establishing the Criteria for Performing Vendor Audits
It may be challenging (or nearly impossible) to audit all vendors, particularly for large organizations that utilize many services.
Therefore, it is vital to establish criteria that aid in selecting which vendors to audit. Criteria may include the type of information processed by the vendor, the vendor's level of access to information, the importance of the outsourced process or of the services being provided, vendor risk, and customer contractual obligations.
Understanding Audit Requirements
The vendor auditor must understand that there are unique requirements for vendor audits.
For example, there may be local legal and regulatory requirements with which they must comply (e.g., the EU General Data Protection Regulation [GDPR], the US State of California Consumer Privacy Act [CCPA]).
Requirements may also arise from a contract, a master services agreement, or an annexure to an agreement with the customer (e.g., a customer requirement that the organization audit the organization's vendor with a focus on service provisioning, information security, business continuity, privacy, or a combination of these focus areas).
In addition, if an organization is certified or planning to become certified in the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) information security management system standard 27001:2013, then its requirements apply (e.g., Control A.15.2.1—Monitoring and review of supplier services).
An organization may also have its own policy describing requirements for conducting vendor audits. Further, an organization may have agreed with the vendor on including a right to audit clause, which is generally a prerequisite for conducting a vendor audit.
Vendor audits interpret risk by identifying the applicable requirements and ensuring communication with the vendor’s management to determine risk thresholds and implement required controls.
Planning for a Vendor Audit
It is recommended to follow a risk-based approach to vendor audits, which should account for the established vendor audit methodology.
Risk-based vendor audits address the likelihood of incidents occurring due to vulnerabilities such as deficient safeguards, technologies, policies and procedures.
Adding a risk statement to an audit finding adds value to the vendor audit process. An audit plan should be created that addresses the audit purpose, scope and criteria.
Audit Purpose
The audit purpose may be to determine the extent of conformity to the vendor agreement or to evaluate the vendor’s ability to meet the organization’s requirements.
An audit also may be conducted for more specific purposes, such as:
To determine whether information security incidents and problems are managed properly.
To determine whether changes in vendor services or business status have affected service delivery.
To review the vendor's audit trails and records of information security events, operational problems, failures, fault tracing, and disruptions related to the service delivered.
To determine the degree of compliance with data privacy requirements.
To evaluate the vendor's business continuity capabilities.
Audit Scope
The audit scope should include the physical location(s) of the organization as applicable and its business functions, activities and processes. The scope should be consistent with the vendor audit program and vendor audit objectives.
Audit Criteria
The audit criteria are used as a reference by which conformity is determined.
The criteria may include one or more of the following:
Applicable policies, processes and procedures
Performance criteria, including objectives and statutory and regulatory requirements
Vendor agreements or schedules
An audit may focus on areas such as information security, cybersecurity, data privacy or business continuity.
Further, the audit plan should contain details such as:
Which auditor audits what areas or processes and in which location
The day and time of each portion of the audit
The duration of the audit as a whole and the duration of each individual area or function assessment
The auditee from the vendor organization
The mode of audit (i.e., onsite, remote, hybrid)
The audit plan should factor in time for briefing (i.e., setting the context and tone), debriefing (i.e., disclosing the audit findings) and breaks during the workday so that time is effectively managed.
In some cases, an audit plan may include the use of official interpreters or translators, a technical expert (e.g., a representative from the organization’s business or an external resource) and/or an audit guide (i.e., a representative from the vendor organization who facilitates the audit).
Care should be taken that the schedule does not double-book an auditor or an auditee across more than one process at the same time.
Sufficient time must be allotted for the vendor auditors to review and discuss the audit findings before formally disclosing the audit findings as part of the debriefing session. The audit plan should be flexible and account for annual leaves, holidays, local regulations and restrictions (e.g., lockdown due to the COVID-19 pandemic), and the availability of personnel.
The vendor should review and sign off on the audit plan well in advance so that there are no surprises.
Preparing a Vendor Audit Checklist
An auditor conducting their first independent vendor audit may benefit from preparing a list of items they wish to review in each process area.
Possible items to review during the audit include:
How is the vendor tracking conformity to the agreed vendor contract?
What actions are taken if a particular service level agreement (SLA) is not met?
How is the vendor tracking compliance with applicable and relevant legal and regulatory requirements?
What actions are taken if there is a legal noncompliance issue identified by the vendor?
What is the vendor’s approach to managing information security and privacy risk?
How is the vendor ensuring that all staff are trained on information security and privacy?
The checklist should not be biased; instead, it should aid in rapid and accurate assessment of all pertinent areas and inspire confidence in the new auditor. Inputs to the list can come from the following:
Vendor agreements
Specific information security, data privacy, and business continuity schedules
Security incidents
Customer organization’s contractual information security, business continuity, and data privacy requirements
Applicable legal and regulatory requirements, organizational policies, processes, and procedures
It may be helpful to study the vendor organization’s website to gain an understanding of its overall operations, service offerings, and management. Auditors can also obtain feedback from the organization’s stakeholders about their vendor as another source of input.
The list of items to be audited can be discussed and reviewed with the vendor several days before the audit. Auditors should plan to verify the vendor’s responses with objective evidence during the audit.
Conclusion
The success of a vendor audit lies in the vendor audit plan. It is important for the vendor auditor to plan thoroughly and in advance.
The audit plan should clearly state the audit’s purpose, scope, criteria, available resources, and schedule of activities.
The vendor organization should review and approve the audit plan before the audit takes place. Learnings from the first vendor audit should form the input for subsequent audits as this helps in the continual improvement of the vendor audit planning process.
Thanks for reading...