Vendor Management from an Auditor s Perspective


1 Vendor Management from an Auditor's Perspective
Mike Morris, Partner, mmorris@pkm.com, (404)
Mary Beth Marchione, Systems Manager, mmarchione@pkm.com, (404)
April 25, 2017

2 Session Agenda
- Understand the elements of a complete vendor management program
- Understand how to clearly document your vendor management program activities
- Learn of prevalent vendor management issues that we are seeing

3 Why Vendor Management?
- Your risk might extend past your vendor to subservice providers
- You must have a mechanism to evaluate and monitor your key vendor's providers
- You cannot outsource your risk!
- The use of vendors to outsource critical processes!

4 Where to Begin?
Every good vendor management program starts with a complete list of vendors.

5 Documentation
- Formal Vendor Management Program (policy and procedures)
- Vendor Risk Assessment (all vendors)
- Individual vendor due diligence (for high-risk vendors)
- Appendix J elements
- Board reporting

6 Vendor Management Program
- Directive control
- Policy document to guide program
- Define risk-based methodology
- Tools for management
- Process to report and track issues
- Update annually

7 Vendor Risk Assessment
- Identify all critical vendors
- Risk buckets: Strategic; Operational/Transactional; Legal/Regulatory; Compliance; Security
- Risk factors: Type of information accessed; Controlled or ongoing access to systems; Type of access (read only or change/edit); Criticality of vendor service; Financial impact

8 Individual Vendor Reviews
- Financial statements
- SOC report review: SOC 1 versus SOC 2; Complementary User Entity Controls
- Key contract provisions / Service Level Agreements (SLAs)
- Penetration testing results (cyber resilience)
- Breaches
- Incident response responsibilities

9 Poll Question: As part of your vendor management review, do you review business continuity planning and/or testing?

10 Individual Vendor Reviews
- Business continuity planning
- Business continuity testing
- Secure coding
- Issue resolution/remediation
- Insurance coverage

11 Individual Vendor Review: How to Document
- Narrative summary
- Checklist
- Supporting documentation

12 New Vendor Due Diligence
- Risk-based procedures
- Reputation
- Insurance coverage
- Audit reports
- Penetration testing results
- Business continuity planning
- Business continuity testing
- Technology used/integration

13 Board Reporting!
- Program
- Risk assessment
- Ongoing monitoring
- Reportable issues
- SLAs

14 Poll Question: Have you had an audit or exam review finding related to vendor management in the past year?

15 Prevalent Issues
Vendors with access to non-public customer information have not been identified.

16 Prevalent Issues
For new vendors, vendor risks are not being evaluated (or are not documented) before signing the contract.

17 Prevalent Issues
Subservice organizations have not been identified or appropriately evaluated.

18 Prevalent Issues
The institution has not mapped the complementary user entity controls listed in key SOC reports to specific controls maintained and tested by the institution.

19 Prevalent Issues
Management has not obtained third-party service provider business continuity plans or testing documentation to determine that the vendor can appropriately recover and continue service in a disaster situation.

20 Prevalent Issues
Management has not participated in third-party service provider business continuity testing to ensure operating capabilities in a disaster situation.

21 Conclusion
- A complete vendor management program includes policy, risk assessment, vendor review (monitoring), due diligence, and reporting
- Activities should be clearly documented
- To avoid the pitfalls of prevalent issues, it is important to: review all vendors; consider business continuity; document due diligence efforts; document compliance with end user control considerations

22 Questions & Answers

23 Vendor Risk Assessment Workshop
Presented by Branan Cooper, Chief Risk Officer at Venminder, (502)
April 25, 2017

24 Session Agenda
- General webinar instructions
- How to ask questions
- What to do if technical problems occur

25 Poll Question: Do you have a documented Risk Assessment process as part of your vendor management protocol?

26 Regulatory Guidance
What the guidance says: regulatory guidance mandates that any well-managed program includes a risk assessment of third parties.
- OCC Bulletin
- FDIC FIL
- OCC Bulletin

27 Categories of Risk
- Business Impact: Critical vs Non-Critical; the 3 threshold questions you should ask
- Regulatory Risk: High, Moderate, Low; what categories you should consider

28 Why a Risk Assessment Needs to be Done
- Fundamental pillar that informs all other areas of risk management
- What to do in follow-up

29 High Risk
- High risk does not always mean Critical, or vice versa
- High risk is not at all a bad thing

30 Quick Definitions
- Inherent
- Residual
- Mitigating Control

31 And now let's create a risk assessment
Disclaimer: This is not our actual risk assessment template; this is a very scaled-down version. For more information, please contact us for a demo of our robust risk assessment tool and other features.

32 Questions & Answers

33 Thank You

34 Follow us on: