Practice Guide: Auditing Third-party Risk Management

This practice guide helps internal auditors become better informed and educated on risks related to third-party providers and how the organization manages them. Risks across the full vendor life cycle are considered, including the appropriate sourcing, ongoing management, and termination of vendors.

Further exploration into risks resulting from the types of services being provided and the sensitivity of data being shared is covered. The guide provides structure for planning and executing third-party risk audits appropriate to the size, scale, and risks facing an organization. Example audit guidance is provided, making this a robust resource with tangible tools.

Topics include:

• Outlining key roles, responsibilities, and risks involved in managing third-party providers.
• Defining a third-party risk audit coverage approach.
• Developing a structure for scoping, planning, and executing third-party risk audits.
• Appropriately engaging and assessing third-party risk management activities across the business, oversight, and control functions.
• Determining whether the organization has a third-party risk management structure that results in a “patchwork” approach and, if so, how to bring it together into an enterprisewide framework.

Item number 10.1303.dl