AUDIT OVERSIGHT FOR ONBOARDING VENDORS
CONTENTS
4 Introduction
4 Resource and Program Management
5 / How Audit Increases Accuracy and Efficiency
5 Onboarding Requests
6 / Vendor Assessment Management
7 / Baselining Vendor Risk Management Essentials
8 / The Collection Process and Vendor Risk
10 Remediation Process
11 Technology and Assessment Services
12 Vendor Reporting
13 Conclusion
14 Acknowledgments
ABSTRACT

It’s a reality of modern business that certain business activities will be outsourced to vendors. Without vendors, organizations would be left to fill gaps created by the need for specialized knowledge or the desire to increase revenue or lower costs. This approach isn’t financially feasible or sustainable in the long term. So, organizations (regardless of size and industry) trust vendors to meet these business needs. In a recent poll, Deloitte Development LLC noted that 71 percent of respondents stated a moderate to high level of reliance on vendors.[1]

Businesses know that each new vendor adds an element of risk. Regulators also recognize vendor risk and have been a catalyst to drive businesses toward a standardized process for vetting new partners. Standardization includes a solid onboarding process that is part of a mature effort to establish, refine and improve vendor oversight controls. But having the process isn’t enough. Businesses must rely on audit to confirm they’re engaging with the right vendors in the right ways. This white paper provides actionable takeaways for auditors to provide oversight over vendor risk management and vendor onboarding.

[1] Deloitte, “Extending the Risk Management Ecosystem Poll,” December 2019, https://www.slideshare.net/DeloitteUS
Introduction

Across an enterprise, functional groups play different roles in vendor risk management (VRM) and the executive team and board of directors have ultimate responsibility for oversight. However, there are many touchpoints in VRM and the oversight process where audit can lend its expertise. Those areas are:
• Resource and program management
• Onboarding requests
• Remediation process
• Technology and assessment services
• Vendor reporting

The audit function delivers a lot of value to risk managers, IT and the C-suite when it comes to VRM and vendor onboarding. Audit has expertise in assessing operational practices and analyzing regulatory expectations with current practices. For example, in the due-diligence phase of vendor selection, audit can discover risks in the relationship with a potential service provider. Likewise, during the onboarding process, audit can help the business mitigate vendor compliance risk with various regulations like the Bank Secrecy Act (BSA)/Anti-Money Laundering (AML), Gramm-Leach-Bliley Act and Health Insurance Portability and Accountability Act (HIPAA).

Audit also offers the benefit of its experience collaborating with other groups that have roles in vendor risk management. Through these pre-existing enterprise-wide relationships, audit can provide the extra layer of assurance that identified risks are being managed according to the enterprise’s risk strategy and appetite.

This white paper gives actionable takeaways on how audit can provide oversight of an established vendor risk program, particularly the five areas listed previously. Assumptions are that the appropriate governance is in place (i.e., the board and executive leadership support the program) and a technical solution (software) has already been implemented.
Resource and Program Management

resource and program management. Audit must identify and assess who is managing the overall VRM program. While there is centralized responsibility for program oversight, the program is an enterprise-wide effort. Here are examples of the groups who participate in this effort and common roles they play:

risk—inherent or residual. Risk managers cannot be an afterthought, and they must have access to senior management to escalate issues if necessary.
• Business unit leaders have the primary relationship with vendors. During the information gathering process, business unit leads will be very involved. They are the go-between
How Audit Increases Accuracy and Efficiency

Since the VRM program is an enterprise-wide effort, the audit function can add value in several areas, like ensuring standardized processes. It’s possible that business units within the same enterprise may manage vendors using different processes. Failure to standardize these processes can lead to missing information and redundancies. These inefficiencies and inconsistencies can make it difficult to onboard vendors. But audit can document processes around vendor selection, due diligence, onboarding, and monitoring to keep everyone working to the same set of standards. By assessing the process, audit can also determine if the right stakeholders are involved at each step. Without this oversight, onboarding can become chaotic.

built software and automation. With this technology, the onboarding steps are less manual. So, the process becomes

assess technology solutions to ensure that the solutions:
• Demonstrate third-party risk posture through interactive storyboards.
• Track and remediate audit findings from onsite visits.
• Contain automated workflows, notifications and escalations.

Automation is no longer a “nice to have.” Not only does it streamline processes by automating repeatable steps, it frees up staff to focus on more strategic initiatives. This is especially vital as the number of tasks in the vendor management process continues to increase. Plus, accuracy is enhanced since there is less chance of human error. Once the people and the process are in place, technology solutions are not far behind.

Audit Oversight: Resource and Program Management
• Are there steps where automation can be applied to create efficiencies and streamline the process?
• Are the right stakeholders involved and is there support for
• Is there a technology solution in place with ready-to-use standard content and workflows, with customization options
• Is there clear visibility and reporting for each step of the
Onboarding Requests

Onboarding begins when a vendor is invited to complete a request for information (RFI) or a request for proposal (RFP). This can be managed through efficient processes and technology.

To create efficiencies in the procurement and risk management process, auditors must ensure RFP templates align with vendor assessment activities. This way, information from a potential vendor is provided early in the procurement process, which can then be used by the risk management team in later stages. This also enhances collaboration between procurement and risk management.

Technology can kick off an automated onboarding workflow when a new vendor is requested, and vendor evaluation, approvals and requirements can all be centrally managed. This is particularly important as the approval process pulls information from multiple sources (e.g., due-diligence forms, the practicality of the vendor and validation criteria). Housing this documentation in a central spot supports the decision-making process and also helps streamline the audit process later on.

Much of the information collected during onboarding may be consistent regardless of vendor. Common documents collected may include NDAs, terms of service, insurance

all vendors are the same. So, it may be necessary to make

decisions are made. The goal is to strike a balance between accommodating the process and not reducing

One way auditors can find more efficiencies and reduce duplication during onboarding is to ensure that data from historical requests is centrally located and accessible in the vendor portal. This supports cross-referencing with new onboarding requests, which eliminates duplicate requests and creates a more focused scope. Another way to gain efficiency is to have a common solution that makes onboarding accessible. This should include at-a-glance status, especially for ongoing assessments. If a vendor deviates from the norm, it should be easy to see and remediate the deviation by quickly alerting the appropriate people.

The sooner an organization can act on its plans, the sooner it can gain a competitive advantage. The vendor wants the business just as much as the enterprise requesting its services. The vendor is eager to finalize the deal and will allocate any needed resources to help meet the request.

As materials are obtained, there may be gaps between what was requested and what is actually received. The vendor should be able to log in to a central software system and provide missing documents or address documents that need additional attention. It is a simple capability that, when offered through centralized solutions, helps everyone and eliminates back-and-forth email-chasing.

Questionnaires offer baseline insights into the vendor. The questionnaires can be segmented by a few categories:
• Technologies in use
• Cloud services
• Host and network security
• Security program and controls
• Encryption
• Vulnerability management
• Penetration testing
• Logging and monitoring
• Incident response
• Disaster recovery and business continuity plans
• Governance
• Security policies
• Training and education
• Organizational structure
• Skills and competencies
• Processes
• Internal and external dependencies
• Board oversight
• Separation of duties

Responses to the questionnaires provide a general idea about the level of risk. They also highlight areas of concern that can then be investigated more thoroughly during onboarding. Having a comprehensive view of the enterprise (and its risk appetite), auditors can evaluate completed questionnaires to identify any responses that present critical risk (operational or regulatory) to the enterprise. Also, auditors can increase vendor assessment efficiency by ensuring that information requested on the questionnaires complements the information provided in the Statement of Control (SOC) report. In its Trust Services Criteria document, the American Institute of Certified Public Accountants (AICPA) provides SOC criteria related to system operations, processing integrity, privacy, and availability.[2] The AICPA criteria around availability

[2] American Institute of Certified Public Accountants (AICPA) Assurance Services Executive Committee, Trust Services Criteria, USA, 2017, pp. 10–52, https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/trust-services-criteria.pdf
accessibility, but the criteria don’t speak to what functions the system performs or what the minimum acceptable performance is for the system.[3] The auditors can pick up where the SOC ends and ensure that

Baselining Vendor Risk Management Essentials

Baselining is usually done by the second line of defense and consists of assessing expectations of a vendor and how/if they can deliver. Some resources that are part of this baselining process—which should be reviewed by audit—include:
• Risk assessment templates—Standardized templates for new vendors should be used in most vendor onboarding instances. However, in cases where a vendor is unique, it’s acceptable to modify the risk assessment template. Since stakeholders will have access to the risk templates, these minor modifications should be made easily. Eventually, the templates will grow and match the diversity of vendors. Audit can provide oversight here by reassessing the templates periodically or whenever there is a significant change in the risk environment. This will help prevent the templates from becoming outdated or containing unacceptable gaps. See figure 1 for some elements of a risk assessment template.

Figure 1—Elements of a risk assessment template: Processes; Testing

• Centralized documentation—All VRM programs should allow for centralized access, maintenance and documentation sharing. If documentation isn’t kept in one location, information can be easily lost or become disorganized. Business owners won’t know where to start, and overall management of the onboarding process can become a serious challenge. Purpose-built software solves this problem and ultimately makes baselining more efficient. The pitfalls of lost or unorganized information are why many enterprises look for a solution that will grow with the organization and support more efficient processes. Figure 2 details what a technology solution should include.

[3] Ibid., p. 4
When a centralized technology solution is introduced, audit can use its expertise during the system

In looking at the adequacy of the technology, audit may ask:
• Does the technology continue to meet strategic objectives and end user needs?
• Does access remain appropriate for end users and administrators?
• Has corrective action been taken to address deficiencies?
• Was the corrective action completed within a time period commensurate with the risk level?
• Was the action taken aligned with the severity of the deficiency’s risk?[4]

When an existing solution is updated, audit can provide assurance that:
• Changes are prioritized to align with business objectives.
• Emergency changes require approval.
• Changes are formally documented, and documentation is centrally stored and managed.
• Analysis is performed to make sure that changes are implemented with minimal disruption to operations.

of insurance?
• Can the vendor easily provide materials through a centralized portal?
• Is there a process to verify the presence of controls?
• Beyond the contract, is the vendor compliant with a security framework and applicable privacy regulations?
• Do the vendor’s audit report types (internal versus external), frequency, and scope provide the enterprise with assurance on relevant deficiencies and their resolution?

The Collection Process and Vendor Risk

Audit may want to focus more attention on the higher-risk vendors when auditing the onboarding process. The riskiness of a vendor often comes down to the data and systems with which they interact. Let’s examine a few scenarios in financial services:

[4] ISACA, CISA Review Manual, 27th Edition, USA, 2019, p. 139, https://www.isaca.org/bookstore/cisa-exam-resources/crm27ed
• A statement processing vendor requires access to every customer’s record in order to process monthly statements. Based on its service, the vendor has access to a lot of personally identifiable information.
• A loan processing company obtains information when customers apply for a loan. The loan processor doesn’t have every customer record, only records of those customers who apply.
• A marketing firm receives customer contact information. Physical and electronic addresses will be used in an external mailing for a checking account promotion.

Assessed just on data volume, the first and last vendors present the greatest risk due to the information to which they have access. One mishap and every single customer is impacted by the vendor’s breach. On the other hand, the loan processing vendor collects a lot of information, but is getting only a percentage of the entire customer base. Whatever the percentage of data collected may be, it’s less than 100 percent. So, the risk to the business is less.

The services provided by a vendor and their “replaceability” are another factor when assessing risk. The statement and marketing vendors hold the most customer information, but these vendors could easily be replaced. The loan processor doesn’t have the same volume of data but is a big contributor when it comes to helping the enterprise make money. So, it’s more difficult to replace this vendor.

In addition to criticality, assessing vendors in this manner will help to establish a vendor score during the collection process analysis. A vendor score can be placed on the inherent risk, control risk, and the overall summary of the company.

The audit team has a great opportunity during the vendor assessment and collection processes. Here, audit can

example, if a SOC 2 (Type 2) report is required as part of assessing the vendor’s control environment, audit can identify the SOC 2–relevant controls in the enterprise’s environment. If a vendor doesn’t have a SOC 2 report, audit should look at alternate reporting (e.g., an external IT audit report) and compare that report to the vendor’s information security plan to assess the vendor’s control environment. When possible, audit can confirm some of the data collected. For example, auditors shouldn’t just ask if there is a disaster recovery/business continuity program in place; they should verify the existence of process and controls. How are systems restored, who restores them, and where do systems reside? A similar process can be performed for the vendor’s security incident management program.

Audit’s involvement with other groups is important too. It’s one of the ways experienced auditors can find outliers that may not have been discovered by the business line. Checks and balances happen when the audit team reviews assessments that have been through risk and vendor management teams.

What risk does the vendor present? The secondary review process is greatly supported when central platforms are in place.

Audit Oversight: The Collection Process and Vendor Risk
• Are there criteria to differentiate vendor risk and criticality, and are they being applied to all vendors?
• Has the adequacy of the vendor’s business continuity and disaster recovery plans been assessed?
• Do the vendor’s plans for continuation of services align with the enterprise’s strategy and operational needs?
• Is the vendor assessment effort commensurate with the vendor’s risk level?
Remediation Process

There will likely be findings from the collection process and vendor assessment that require remediation. There is no better time than during onboarding to call attention to deficiencies and put in place an action plan. If issues come up, management can choose any of the following options:
• Accept the risk. Based on the data obtained and the service provided by the vendor, the risk may be accepted as-is. The risk rating from similar data already within the enterprise can help businesses make educated decisions about acceptance.
• Implement compensating controls. There are times when full remediation can’t be achieved due to legitimate business limitations (cost or availability of resources), but with compensating controls, the risk becomes acceptable.
• Design a remediation plan. The vendor and risk management can work on a remediation plan. The time to execute the plan should be part of contract language and may be a determining factor when selecting the vendor.

By not taking corrective action, management has decided to accept the risk identified. In its oversight role, audit should discuss possible outcomes with management. What are the possible outcomes of accepting the risk? If it’s possible to quantify the outcomes, audit can better frame that discussion with management. Is the deficiency significant or could its residual risk jeopardize enterprise goals? If so, internal audit should formally document management’s final decision to accept the risk. Also, internal audit should inform the board or other governing body of management’s decision.[5]

For deficiencies that are remediated, auditors can work with management to confirm that proposed actions truly correct deficiencies. Also, based on the severity of the deficiency, audit can ensure that the time allotted for corrective action is appropriate: the higher the risk, the shorter the time that the deficiency should remain unaddressed. These discussions come together in a remediation plan that describes the deficiency, the corrective action to be taken, a target date for completion, and a responsible party.

The remediation plan and all the associated documents should be centralized where audit can access and review the decision-making criteria. All key stakeholders should also have visibility into the remediation plan and its current status.

Audit’s oversight helps to provide proof that the remediation steps taken (and the end result) are aligned with the enterprise’s risk profile. This oversight is needed to ensure that unilateral decisions aren’t made, introducing undue risk. The remediation phase is the ideal time for auditors, risk managers, and business owners to work with the vendor on a remediation plan consisting of agreed-upon actions and a suitable time frame. While the plan is being drafted, audit can confirm that the plan is adequate. Once the vendor is onboarded and the remediation process has been completed, audit can validate by making sure that the

• Conduct periodic program evaluations. During these evaluations, enterprises will be able to determine if a previously remediated risk (not included in the contract language) has resurfaced or if a new risk has come up that needs remediation. There should be service level agreements in place leading up to risk findings and certainly as findings are being resolved. For example, during a program evaluation, auditors can check the

Some clauses allow the enterprise to conduct an audit at any time (provided the vendor is given the notice required in the clause). Audit can leverage the right to audit clause to gain assurance around the vendor’s ongoing compliance with the agreement. Audit can also confirm the vendor’s compliance with regulatory requirements. Lastly, the right to audit may be triggered if there is a potential irregularity like fraud.
Vendor Reporting

Reporting is two-pronged. The first prong is reporting that the enterprise must provide to meet regulatory requirements. For example, in the United States, financial institutions subject to the Federal Deposit Insurance Corporation (FDIC) must disclose banking services that are provided by a third party. Management or the enterprise’s compliance team designs controls around prevention of reporting that doesn’t align with external requirements. In its oversight role, audit evaluates the reporting process to identify any deficiencies or risk in the

The second prong is the internal reporting that the enterprise creates as part of ongoing vendor management. The objective of internal reporting is primarily to manage risk. But the reporting also provides executive management and the board with a view of the vendor program. Given this, best practices for vendor reporting identify a couple of areas that should involve audit:
• Changes in vendor’s operations—Vendor management is a huge concern, given all the high-profile breaches in the news. Business leaders and boards look to audit for reassurance and independent validation that a vendor is performing as expected. In providing oversight of ongoing monitoring, auditors can confirm that the vendor relationship continues to support achievement of strategic goals. But if the vendor’s effectiveness has deteriorated since onboarding, audit can identify any gaps between that performance shortfall and achieving strategic goals. Business leaders and boards look to audit for reassurance and independent validation. Where has a crisis been averted by leveraging a solid audit program? Communicating up and highlighting how risk has been managed is an opportunity for auditors.
• Gaps in due diligence—Risk management or the compliance function may be closely involved with monitoring due diligence. However, audit can provide the high-level view of gaps in due diligence and resulting risk. Where do the unbiased data come from when determining how well a vendor is performing? How do you know if a vendor is truthful on the questionnaires? Continuous assessments provide great insight on the state of an enterprise—not only on the vendor’s security posture, but its financial health, too. The audit team can work with business units on the continuous assessments to ensure that vendor data are accurate and unbiased. If a potential vendor enters a proposal, audit can partner with risk managers to assess whether the vendor has an unacceptable amount of financial, geographic, security or other risk. This reporting allows the

from the candidate pool. It saves time, and it’s a great way to reduce complexity in vendor selection when volumes are high. Prequalifying vendors is a good way to manage a shortlist versus a large pool of vendors. Choice is nice, but too many potential vendors make selection harder than it needs to be. Quickly assess, eliminate those who do not meet the criteria, and prequalify the strong performers.

Once a vendor has been onboarded, what is the risk profile and does audit agree? Audit should continue to review the risk profile regularly. An annual assessment in today’s dynamic environment is often not enough. Audit should be able to access standard vendor reports at any time in addition to ad hoc reports that can be extracted. If a vendor is trending in the wrong direction, this needs to be identified quickly before it becomes a significant issue. Pulling these data and scores into a central system can then trigger notifications to audit, stakeholders, and risk management. Audit can then assess vendors’ action plans to ensure they are adequate.

Vendor reporting provides auditors with information that allows them to quickly interject as needed, based on the information assessed. This is why continuous assessment solutions (possible through reporting) have emerged to provide an ‘always-on’ assessment against data collected.
Conclusion

Vendor onboarding is most useful when there is accessibility and transparency in the process. Each request coming through needs to be dealt with proficiently. At all times, vendors going through due diligence need to be accessible to auditors, stakeholders and risk managers. The ability to quickly pre-qualify or exclude candidates from the pool makes the process less bulky to manage. Likewise, the ability to do side-by-side vendor comparisons gives enterprises insight on where to focus attention. Comparative assessments minimize effort, which is helpful to all involved.

The growth and dependency on vendors won’t slow down anytime soon. Neither will the regulations that govern VRM. Of course, technology aside, skilled people and effective processes are required for the program to be successful. Without them, technology just automates a broken process that won’t get better on its own.

Audit plays an important role in vendor onboarding because it has the requisite skills to add value throughout this process. It can oversee standardization of documentation for vendor selection, identify unvetted vendors, and create and execute remediation plans. By relying on the audit function, using data to drive decisions and working within a centralized system, organizations can effectively and efficiently onboard and maintain vendor relationships with far less risk.
Acknowledgments
ISACA would like to recognize:
R.V. Raghu
CISA, CRISC
Versatilist Consulting India Pvt. Ltd., India
Gabriela Reynaga
CISA, CRISC, COBIT 5 Foundation, GRCP
Holistics GRC, Mexico
Gregory Touhill
CISM, CISSP
Cyxtera Federal Group, USA
Asaf Weisberg
CISA, CRISC, CISM, CGEIT
introSight Ltd., Israel
Rob Clyde
ISACA Board Chair, 2018-2019
CISM
Board Director, Titus and Executive Chair,
White Cloud Security, USA
About ISACA

For more than 50 years, ISACA® (www.isaca.org) has advanced the best talent, expertise and learning in technology. ISACA equips individuals with knowledge, credentials, education and community to progress their careers and transform their organizations, and enables enterprises to train and build quality teams. ISACA is a global professional association and learning organization that leverages the expertise of its 145,000 members who work in information security, governance, assurance, risk and privacy to drive innovation through technology. It has a presence in 188 countries, including more than 220 chapters worldwide.

1700 E. Golf Road, Suite 400
Schaumburg, IL 60173, USA
Phone: +1.847.660.5505
Fax: +1.847.253.1755
Support: support.isaca.org
Website: www.isaca.org
Provide Feedback: www.isaca.org/audit-oversight-for-onboarding-vendors
LinkedIn: www.linkedin.com/company/isaca
Facebook: www.facebook.com/ISACAGlobal
Instagram: www.instagram.com/isacanews/

About Galvanize

Galvanize builds award-winning, cloud-based security, risk management, compliance, and audit software to drive change in some of the world’s largest organizations. We’re on a mission to unite and strengthen individuals and entire organizations through the integrated HighBond software platform. With

We provide software for your entire audit workflow, from planning, risk assessments, and fieldwork to analytics, issue management, and reporting.
wegalvanize.com/highbond

DISCLAIMER

ISACA has designed and created Audit Oversight for Onboarding Vendors (the “Work”) primarily as an educational resource for professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.

RESERVATION OF RIGHTS