
AUDIT AND ASSURANCE

AUDIT OVERSIGHT FOR ONBOARDING VENDORS
2 AUDIT OVERSIGHT FOR ONBOARDING VENDORS

CONTENTS

4 Introduction
4 Resource and Program Management
5 / How Audit Increases Accuracy and Efficiency
5 Onboarding Requests
6 / Vendor Assessment Management
7 / Baselining Vendor Risk Management Essentials
8 / The Collection Process and Vendor Risk
10 Remediation Process
11 Technology and Assessment Services
12 Vendor Reporting
13 Conclusion
14 Acknowledgments

© 2020 ISACA. All Rights Reserved.



ABSTRACT

It’s a reality of modern business that certain business activities will be outsourced to vendors. Without vendors, organizations would be left to fill gaps created by the need for specialized knowledge or the desire to increase revenue or lower costs. This approach isn’t financially feasible or sustainable in the long term. So, organizations (regardless of size and industry) trust vendors to meet these business needs. In a recent poll, Deloitte Development LLC noted that 71 percent of respondents stated a moderate to high level of reliance on vendors.¹

Businesses know that each new vendor adds an element of risk. Regulators also recognize vendor risk and have been a catalyst to drive businesses toward a standardized process for vetting new partners. Standardization includes a solid onboarding process that is part of a mature effort to establish, refine and improve vendor oversight controls. But having the process isn’t enough. Businesses must rely on audit to confirm they’re engaging with the right vendors in the right ways. This white paper provides actionable takeaways for auditors to provide oversight over vendor risk management and vendor onboarding.

¹ Deloitte, “Extending the Risk Management Ecosystem Poll,” December 2019, https://www.slideshare.net/DeloitteUS


Introduction

Across an enterprise, functional groups play different roles in vendor risk management (VRM) and the executive team and board of directors have ultimate responsibility for oversight. However, there are many touchpoints in VRM and the oversight process where audit can lend its expertise. Those areas are:
• Resource and program management
• Onboarding requests
• Remediation process
• Technology and assessment services
• Vendor reporting

The audit function delivers a lot of value to risk managers, IT and the C-suite when it comes to VRM and vendor onboarding. Audit has expertise in assessing operational practices and analyzing regulatory expectations with current practices. For example, in the due-diligence phase of vendor selection, audit can discover risks in the relationship with a potential service provider. Likewise, during the onboarding process, audit can help the business mitigate vendor compliance risk with various regulations like the Bank Secrecy Act (BSA)/Anti-Money Laundering (AML), Gramm-Leach-Bliley Act and Health Insurance Portability and Accountability Act (HIPAA).

Audit also offers the benefit of its experience collaborating with other groups that have roles in vendor risk management. Through these pre-existing enterprise-wide relationships, audit can provide the extra layer of assurance that identified risks are being managed according to the enterprise’s risk strategy and appetite.

This white paper gives actionable takeaways on how audit can provide oversight of an established vendor risk program, particularly the five areas listed previously. Assumptions are that the appropriate governance is in place (i.e., the board and executive leadership support the program) and a technical solution (software) has already been implemented.

Resource and Program Management

The first key area where audit can provide oversight is resource and program management. Audit must identify and assess who is managing the overall VRM program. While there is centralized responsibility for program oversight, the program is an enterprise-wide effort. Here are examples of the groups who participate in this effort and common roles they play:
• Executive leadership is essential to obtain buy-in and support. Without that, there is little holding the program together. Hierarchy, separation of duties and policies bind the program under executive sponsorship.
• Risk managers help manage the program. They are often a team of individuals who (like auditors) have unobstructed visibility across the enterprise. Based on the information they have, risk managers can make decisions about the level of risk—inherent or residual. Risk managers cannot be an afterthought, and they must have access to senior management to escalate issues if necessary.
• Business unit leaders have the primary relationship with vendors. During the information gathering process, business unit leads will be very involved. They are the go-between with the risk management team and the vendor as nondisclosure agreements (NDAs), contracts and other documents are received and added to the collection of resources.
• Procurement is heavily involved in coordination and onboarding. Often, they are intertwined with business unit leaders, finance, compliance and legal.


How Audit Increases Accuracy and Efficiency

Since the VRM program is an enterprise-wide effort, the audit function can add value in several areas, like ensuring standardized processes. It’s possible that business units within the same enterprise may manage vendors using different processes. Failure to standardize these processes can lead to missing information and redundancies. These inefficiencies and inconsistencies can make it difficult to onboard vendors. But audit can document processes around vendor selection, due diligence, onboarding, and monitoring to keep everyone working to the same set of standards. By assessing the process, audit can also determine if the right stakeholders are involved at each step. Without this oversight, onboarding can become chaotic.

The key to managing VRM programs at scale is purpose-built software and automation. With this technology, the onboarding steps are less manual. So, the process becomes more organized, accurate and efficient. Auditors should assess technology solutions to ensure that the solutions:
• Have out-of-the-box content but also allow for customization.
• Integrate with independent security ratings services to categorize vendors.
• Demonstrate third-party risk posture through interactive storyboards.
• Track and remediate audit findings from onsite visits.
• Contain automated workflows, notifications and escalations.

Automation is no longer a “nice to have.” Not only does it streamline processes by automating repeatable steps, it frees up staff to focus on more strategic initiatives. This is especially vital as the number of tasks in the vendor management process continues to increase. Plus, accuracy is enhanced since there is less chance of human error. Once the people and the process are in place, technology solutions are not far behind.

Audit Oversight: Resource and Program Management
• Are there steps where automation can be applied to create efficiencies and streamline the process?
• Are the right stakeholders involved and is there support for process owners?
• Is there a technology solution in place with ready-to-use standard content and workflows, with customization options if needed?
• Is there clear visibility and reporting for each step of the vendor onboarding process?
• Are the right stakeholders notified at the right times when issues arise or resolutions are complete?

Onboarding Requests

Onboarding begins when a vendor is invited to complete a request for information (RFI) or a request for proposal (RFP). This can be managed through efficient processes and technology.

To create efficiencies in the procurement and risk management process, auditors must ensure RFP templates align with vendor assessment activities. This way, information from a potential vendor is provided early in the procurement process, which can then be used by the risk management team in later stages. This also enhances collaboration between procurement and risk management.

Technology can kick off an automated onboarding workflow when a new vendor is requested, and vendor evaluation, approvals and requirements can all be centrally managed. This is particularly important as the approval process pulls information from multiple sources (e.g., due-diligence forms, the practicality of the vendor and validation criteria). Housing this documentation in a central spot supports the decision-making process and also helps streamline the audit process later on.

Much of the information collected during onboarding may be consistent regardless of vendor. Common documents collected may include NDAs, terms of service, insurance verification and policies. While consistency is still key, not all vendors are the same. So, it may be necessary to make judgments about the information requested. In providing oversight, audit must be aware when these types of decisions are made. The goal is to strike a balance between accommodating the process and not reducing the effectiveness of controls.

One way auditors can find more efficiencies and reduce duplication during onboarding is to ensure that data from historical requests is centrally located and accessible in the vendor portal. This supports cross-referencing with new onboarding requests, which eliminates duplicate requests and creates a more focused scope. Another way to gain efficiency is to have a common solution that makes onboarding accessible. This should include at-a-glance status, especially for ongoing assessments. If a vendor deviates from the norm, it should be easy to see and remediate the deviation by quickly alerting the appropriate people.

Vendor Assessment Management

The sooner an organization can act on its plans, the sooner it can gain a competitive advantage. The vendor wants the business just as much as the enterprise requesting its services. The vendor is eager to finalize the deal and will allocate any needed resources to help meet the request.

As materials are obtained, there may be gaps between what was requested and what is actually received. The vendor should be able to log in to a central software system and provide missing documents or address documents that need additional attention. It is a simple capability that, when offered through centralized solutions, helps everyone and eliminates back-and-forth email-chasing.

Questionnaires offer baseline insights into the vendor. The questionnaires can be segmented by a few categories:
• Technologies in use
• Operating systems
• Databases
• Cloud services
• Virtualization and containerization
• Applications
• Host and network security
• Security program and controls
• Least privilege and role-based access control
• Encryption
• Vulnerability management
• Penetration testing
• Logging and monitoring
• Incident response
• Disaster recovery and business continuity plans
• Governance
• Security policies
• Training and education
• Organizational structure
• Skills and competencies
• Processes
• Internal and external dependencies
• Organizational support and hierarchy
• Leadership responsibility for security
• Reporting structure
• Board oversight
• Separation of duties

Responses to the questionnaires provide a general idea about the level of risk. They also highlight areas of concern that can then be investigated more thoroughly during onboarding. Having a comprehensive view of the enterprise (and its risk appetite), auditors can evaluate completed questionnaires to identify any responses that present critical risk (operational or regulatory) to the enterprise. Also, auditors can increase vendor assessment efficiency by ensuring that information requested on the questionnaires complements the information provided in the Statement of Control (SOC) report. In its Trust Services Criteria document, the American Institute of Certified Public Accountants (AICPA) provides SOC criteria related to system operations, processing integrity, privacy, and availability.² The AICPA criteria around availability consider whether systems have controls to support accessibility, but the criteria don’t speak to what functions the system performs or what the minimum acceptable performance is for the system.³ The auditors can pick up where the SOC ends and ensure that questionnaires request the additional information on system function and performance.

A few words of caution when questionnaires are used:
• Completed questionnaires don’t provide validation of controls. So, enterprises shouldn’t presume assurance about controls based solely on the use of questionnaires.
• To scale and mature a vendor risk management program, the program will have to grow beyond questionnaires and involve continuous assessments using technology.

Baselining Vendor Risk Management Essentials

Baselining is usually done by the second line of defense and consists of assessing expectations of a vendor and how/if they can deliver. Some resources that are part of this baselining process—which should be reviewed by audit—include:
• Risk assessment templates—Standardized templates for new vendors should be used in most vendor onboarding instances. However, in cases where a vendor is unique, it’s acceptable to modify the risk assessment template. Since stakeholders will have access to the risk templates, these minor modifications should be made easily. Eventually, the templates will grow and match the diversity of vendors. Audit can provide oversight here by reassessing the templates periodically or whenever there is a significant change in the risk environment. This will help prevent the templates from becoming outdated or containing unacceptable gaps. See figure 1 for some elements of a risk assessment template.
• Centralized documentation—All VRM programs should allow for centralized access, maintenance and documentation sharing. If documentation isn’t kept in one location, information can be easily lost or become disorganized. Business owners won’t know where to start, and overall management of the onboarding process can become a serious challenge. Purpose-built software solves this problem and ultimately makes baselining more efficient. The pitfalls of lost or unorganized information are why many enterprises look for a solution that will grow with the organization and support more efficient processes. Figure 2 details what a technology solution should include.

FIGURE 1: Reference Risk Assessment Template Elements
• Risk assessment type
• Category of risk (critical, high, medium, low)
• Controls
• Processes
• Testing

² American Institute of Certified Public Accountants (AICPA) Assurance Services Executive Committee, Trust Services Criteria, USA, 2017, pp. 10–52, https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/trust-services-criteria.pdf
³ Ibid., p. 4


FIGURE 2: Aligning Technology and Centralized Vendor Risk Solutions
• Automation of business-unit request-form workflow
• Vendor import capability
• Workflows that support classification of criticality, assessment and remediation
• Vendor collection and assessment distribution support
• Standardized control framework content (such as NIST, ISO®, COBIT®, HITRUST®)
• Vendor portal for self-service and tracking
• Flexibility, customization to accommodate different categories and prioritization
• Continuous monitoring and integration with external scoring entities
• Detailed executive reporting

When a centralized technology solution is introduced, audit can use its expertise during the system implementation to make sure that no new risk is introduced. For those enterprises with a technology solution already in place, audit can perform a post-implementation review.

In looking at adequacy of the technology, audit may ask:
• Does the technology continue to meet strategic objectives and end user needs?
• Does access remain appropriate for end users and administrators?
• Has corrective action been taken to address deficiencies?
• Was the corrective action completed within a time period commensurate with the risk level?
• Was the action taken aligned with the severity of the deficiency’s risk?⁴

When an existing solution is updated, audit can provide assurance that:
• Changes are prioritized to align with business objectives.
• Emergency changes require approval.
• Changes are formally documented, and documentation is centrally stored and managed.
• Analysis is performed to make sure that changes are implemented with minimal disruption to operations.

Audit Oversight: Vendor Assessment and Evaluation
• Are there standards in questionnaires to include the right documentation, like NDAs, terms of service and verification of insurance?
• Can the vendor easily provide materials through a centralized portal?
• Is there a process to verify the presence of controls?
• Beyond the contract, is the vendor compliant with a security framework and applicable privacy regulations?
• Do the vendor’s audit report types (internal versus external), frequency, and scope provide the enterprise with assurance on relevant deficiencies and their resolution?

The Collection Process and Vendor Risk

Audit may want to focus more attention on the higher-risk vendors when auditing the onboarding process. The riskiness of a vendor often comes down to the data and systems with which they interact. Let’s examine a few scenarios in financial services:
• A statement processing vendor requires access to every customer’s record in order to process monthly statements. Based on its service, the vendor has access to a lot of personally identifiable information.
• A loan processing company obtains information when customers apply for a loan. The loan processor doesn’t have every customer record, only records of those customers who apply.
• A marketing firm receives customer contact information. Physical and electronic addresses will be used in an external mailing for a checking account promotion.

Assessed just on data volume, the first and last vendors present the greatest risk due to the information to which they have access. One mishap and every single customer is impacted by the vendor’s breach. On the other hand, the loan processing vendor collects a lot of information, but is getting only a percentage of the entire customer base. Whatever the percentage of data collected may be, it’s less than 100 percent. So, the risk to the business is less.

The services provided by a vendor and their “replaceability” are another factor when assessing risk. The statement and marketing vendors hold the most customer information, but these vendors could easily be replaced. The loan processor doesn’t have the same volume of data but is a big contributor when it comes to helping the enterprise make money. So, it’s more difficult to replace this vendor.

In addition to criticality, assessing vendors in this manner will help to establish a vendor score during the collection process analysis. A vendor score can be placed on the inherent risk, control risk, and the overall summary of the company.

The audit team has a great opportunity during the vendor assessment and collection processes. Here, audit can lend expertise as the collected data are evaluated. For example, if a SOC 2 (Type 2) report is required as part of assessing the vendor’s control environment, audit can identify the SOC 2–relevant controls in the enterprise’s environment. If a vendor doesn’t have a SOC 2 report, audit should look at alternate reporting (e.g., an external IT audit report) and compare that report to the vendor’s information security plan to assess the vendor’s control environment. When possible, audit can confirm some of the data collected. For example, auditors shouldn’t just ask if there is a disaster recovery/business continuity program in place; they should verify the existence of process and controls. How are systems restored, who restores them, and where do systems reside? A similar process can be performed for the vendor’s security incident management program.

Audit’s involvement with other groups is important too. It’s one of the ways experienced auditors can find outliers that may not have been discovered by the business line. Checks and balances happen when the audit team reviews assessments that have been through risk and vendor management teams.

What risk does the vendor present? The secondary review process is greatly supported when central platforms are in place.

Audit Oversight: The Collection Process and Vendor Risk
• Are there criteria to differentiate vendor risk and criticality, and are they being applied to all vendors?
• Has the adequacy of the vendor’s business continuity and disaster recovery plans been assessed?
• Do the vendor’s plans for continuation of services align with the enterprise’s strategy and operational needs?
• Is the vendor assessment effort commensurate with the vendor’s risk level?

⁴ ISACA, CISA Review Manual, 27th Edition, USA, 2019, p. 139, https://www.isaca.org/bookstore/cisa-exam-resources/crm27ed


Remediation Process

There will likely be findings from the collection process and vendor assessment that require remediation. There is no better time than during onboarding to call attention to deficiencies and put in place an action plan. If issues come up, management can choose any of the following options:
• Accept the risk. Based on the data obtained and the service provided by the vendor, the risk may be accepted as-is. The risk rating from similar data already within the enterprise can help businesses make educated decisions about acceptance.
• Implement compensating controls. There are times when full remediation can’t be achieved due to legitimate business limitations (cost or availability of resources), but with compensating controls, the risk becomes acceptable.
• Design a remediation plan. The vendor and risk management can work on a remediation plan. The time to execute the plan should be part of contract language and may be a determining factor when selecting the vendor.

By not taking corrective action, management has decided to accept the risk identified. In its oversight role, audit should discuss possible outcomes with management. What are the possible outcomes of accepting the risk? If it’s possible to quantify the outcomes, audit can better frame that discussion with management. Is the deficiency significant or could its residual risk jeopardize enterprise goals? If so, internal audit should formally document management’s final decision to accept the risk. Also, internal audit should inform the board or other governing body of management’s decision.⁵

Cost or a lack of human resources may prevent an enterprise from implementing a control the way it was originally designed. Management may then devise a compensating control that should address the deficiency, just in a different way. While a compensating control can help manage costs or use human resources better, it’s not a short-cut. Prior to implementation, audit can assess the compensating control to make certain that it addresses the deficiency adequately.

For deficiencies that are remediated, auditors can work with management to confirm that proposed actions truly correct deficiencies. Also, based on the severity of the deficiency, audit can ensure that the time allotted for corrective action is appropriate: the higher the risk, the shorter the time that the deficiency should remain unaddressed. These discussions come together in a remediation plan that describes the deficiency, the corrective action to be taken, a target date for completion, and a responsible party.

The remediation plan and all the associated documents should be centralized where audit can access and review the decision-making criteria. All key stakeholders should also have visibility into the remediation plan and its current status.

Audit’s oversight helps to provide proof that the remediation steps taken (and the end result) are aligned with the enterprise’s risk profile. This oversight is needed to ensure that unilateral decisions aren’t made, introducing undue risk. The remediation phase is the ideal time for auditors, risk managers, and business owners to work with the vendor on a remediation plan consisting of agreed-upon actions and a suitable time frame. While the plan is being drafted, audit can confirm that the plan is adequate. Once the vendor is onboarded and the remediation process has been completed, audit can validate by making sure that the remediation action aligns with the plan.

Remediation requirements identified during the initial assessment phase can be managed in the following ways:
• Carry the remediation requirements over into contract language. Issues remediated may not come up again. But if they do, adding the issues into the contract language ensures future resolution of those items. Audit will be able to verify issues that have been addressed based on agreed-upon language. Audit will also want to verify that timelines have been included when issues were added into the contract language. Without timelines, the vendor won’t have an incentive to remediate in a time frame that is commensurate with the identified risk.
• Conduct periodic program evaluations. During these evaluations, enterprises will be able to determine if a previously remediated risk (not included in the contract language) has resurfaced or if a new risk has come up that needs remediation. There should be service level agreements in place leading up to risk findings and certainly as findings are being resolved. For example, during a program evaluation, auditors can check the accounts payable system to verify that vendors being paid have been validated and documented. Mapping payments to vendors is a simple way to make sure no vendor has slipped through the process. Likewise, if a payment hasn’t been sent in months, follow-up may be necessary to determine if the vendor is still performing services. If not, offboarding may need to occur.
• If the vendor contract has a right-to-audit clause, the enterprise should engage its auditors to exercise that right. Getting a SOC report provides a point-in-time view into the vendor’s practices. But auditing provides a more current view of the vendor’s operations. The terms of a right-to-audit clause may provide the enterprise with the ability to review procedures and records related to the vendor’s agreed-upon activities. Some clauses allow the enterprise to conduct an audit at any time (provided the vendor is given the notice required in the clause). Audit can leverage the right-to-audit clause to gain assurance around the vendor’s ongoing compliance with the agreement. Audit can also confirm the vendor’s compliance with regulatory requirements. Lastly, the right to audit may be triggered if there is a potential irregularity like fraud.

Audit Oversight: Remediation Process
• Is there a process among audit, risk management, and vendors to remediate issues?
• When risk is accepted, is it well documented for audit to review?
• Is there a central solution capturing risk acceptance and documentation for audit visibility?
• What is the time frame to revisit accepted risk and determine if it’s still acceptable?
• Are compensating controls verified with audit and subject matter experts?

⁵ ISACA, ITAF: A Professional Practices Framework for IS Audit/Assurance, 3rd Edition, USA, 2014, p. 142, https://www.isaca.org/bookstore/audit-control-and-security-essentials/itaf

Technology and Assessment Services

Robotic process automation (RPA) and purpose-built software centralize disparately managed tasks, increase data accuracy, and reduce human error. Data entry is sped up as automation pulls in data from predefined sources. Data becomes consistent and up to date, and inputting the data requires little or no manual intervention. This means the data are already cleaned, normalized and ready for audit. So, auditors can focus on higher-value work like partnering with management on process improvement and reducing risk when it comes to vendor onboarding.

Vendor management programs should be data-driven. Decisions around vendor risk should never be subjective or based on opinion alone. Data help to point out inherent risk, which can then be remediated, leaving residual risk. (For example, a web server connected to a database holding sensitive information may have a vulnerability. But after patching the vulnerability, the risk of the database being compromised is significantly reduced.)

Technology provides efficiencies that enterprises seek, and audit complements automated technology assessment services. While technology needs to be trusted, audit provides the verification to ensure data and decisions align.

Audit Oversight: Technology and Assessment Services
• Does audit have visibility into automation capabilities and manual processes?
• Is there a sufficient escalation process when vendor risk changes?
• Are weak vendors quickly eliminated after automated assessments?
• What scoring system is used to accept or reject vendors?
• Is there validation after issues are addressed?


Vendor Reporting
Reporting is two-pronged. The first prong is the reporting that the enterprise must provide to meet regulatory requirements. For example, in the United States, financial institutions subject to the Federal Deposit Insurance Corporation (FDIC) must disclose banking services that are provided by a third party. Management or the enterprise's compliance team designs controls to prevent reporting that does not align with external requirements. In its oversight role, audit evaluates the reporting process to identify any deficiencies or risk in it.

The second prong is the internal reporting that the enterprise creates as part of ongoing vendor management. The objective of internal reporting is primarily to manage risk, but the reporting also gives executive management and the board a view of the vendor program. Given this, best practices for vendor reporting identify a couple of areas that should involve audit:

• Changes in vendor's operations—Vendor management is a huge concern, given all the high-profile breaches in the news. Business leaders and boards look to audit for reassurance and independent validation that a vendor is performing as expected. In providing oversight of ongoing monitoring, auditors can confirm that the vendor relationship continues to support achievement of strategic goals. If the vendor's effectiveness has deteriorated since onboarding, audit can identify the gaps between that performance shortfall and the strategic goals. Where has a crisis been averted as a result of a solid audit program? Communicating up and highlighting how risk has been managed is an opportunity for auditors.

• Gaps in due diligence—Risk management or the compliance function may be closely involved with monitoring due diligence. However, audit can provide the high-level view of gaps in due diligence and the resulting risk. Where do the unbiased data come from when determining how well a vendor is performing? How do you know if a vendor is truthful on the questionnaires? Continuous assessments provide great insight into the state of a vendor, not only its security posture but its financial health, too. The audit team can work with business units on the continuous assessments to ensure that vendor data are accurate and unbiased. If a potential vendor submits a proposal, audit can partner with risk managers to assess whether the vendor carries an unacceptable amount of financial, geographic, security or other risk. This reporting allows the enterprise to take immediate action and eliminate a vendor from the candidate pool. It saves time, and it is a great way to reduce complexity in vendor selection when volumes are high.

Prequalifying vendors is a good way to manage a shortlist rather than a large pool of vendors. Choice is nice, but too many potential vendors make selection harder than it needs to be. Quickly assess, eliminate those who do not meet the criteria, and prequalify the strong performers.

Once a vendor has been onboarded, what is the risk profile, and does audit agree with it? Audit should continue to review the risk profile regularly; an annual assessment in today's dynamic environment is often not enough. Audit should be able to access standard vendor reports at any time, in addition to ad hoc reports that can be extracted. If a vendor is trending in the wrong direction, this needs to be identified quickly, before it becomes a significant issue. Pulling these data and scores into a central system can then trigger notifications to audit, stakeholders and risk management. Audit can then assess vendors' action plans to ensure they are adequate.

Vendor reporting provides auditors with information that allows them to interject quickly as needed, based on the information assessed. This is why continuous assessment solutions (possible through reporting) have emerged to provide an "always-on" assessment against the data collected.
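The prequalification screen and the "trending in the wrong direction" trigger described above are easier to reason about when the mechanics are written down. The following is an added illustration, not code from the ISACA paper or from any vendor risk management product: assessments from several sources are pulled into one register, a vendor is prequalified only if every risk domain clears a floor and at least one data point is not the vendor's own questionnaire, and a composite-score drop across recent assessments produces a notification record for audit and risk management. The score scale, the thresholds, the source labels and the three sample vendors are all constructed assumptions.

```python
"""Continuous vendor-assessment monitoring (added illustration, not ISACA's tool).

Assumptions, all constructed for this example:
- scores are 0-100 per risk domain, higher is better;
- a vendor's composite score is its weakest domain, so one weak domain
  cannot hide behind a strong average;
- an assessment is independent when it does not come from the vendor's
  own questionnaire answers.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Tuple

MIN_ACCEPTABLE_SCORE = 70   # hypothetical prequalification floor per domain
TREND_WINDOW = 3            # most recent assessments examined for a trend
TREND_DROP_THRESHOLD = 10   # composite points lost across the window that raise an alert
SELF_ATTESTED = "vendor_questionnaire"


@dataclass(frozen=True)
class Assessment:
    vendor: str
    assessed_on: date
    source: str                 # "vendor_questionnaire", "external_rating", "onsite_audit", ...
    scores: Dict[str, int]      # domain -> score, e.g. {"security": 82, "financial": 75}

    @property
    def composite(self) -> int:
        return min(self.scores.values())


@dataclass
class VendorRegister:
    """The central system that every reporting line feeds into."""
    history: Dict[str, List[Assessment]] = field(default_factory=dict)

    def record(self, assessment: Assessment) -> None:
        entries = self.history.setdefault(assessment.vendor, [])
        entries.append(assessment)
        entries.sort(key=lambda a: a.assessed_on)   # keep chronological order

    def prequalify(self, vendor: str) -> Tuple[bool, List[str]]:
        """Decide whether a vendor stays in the candidate pool, with the reasons if not."""
        reasons: List[str] = []
        entries = self.history.get(vendor, [])
        if not entries:
            return False, ["no assessment on file"]
        current = entries[-1]
        for domain, score in current.scores.items():
            if score < MIN_ACCEPTABLE_SCORE:
                reasons.append(f"{domain} score {score} below floor {MIN_ACCEPTABLE_SCORE}")
        # A questionnaire alone is the vendor's own word; require at least one
        # independent data point before prequalifying.
        if all(a.source == SELF_ATTESTED for a in entries):
            reasons.append("only self-attested data on file")
        return not reasons, reasons

    def trend_alerts(self) -> List[dict]:
        """Flag vendors whose composite score fell across the recent window."""
        alerts: List[dict] = []
        for vendor, entries in self.history.items():
            window = entries[-TREND_WINDOW:]
            if len(window) < TREND_WINDOW:
                continue   # not enough history to call a trend
            drop = window[0].composite - window[-1].composite
            if drop >= TREND_DROP_THRESHOLD:
                alerts.append({
                    "vendor": vendor,
                    "from": window[0].assessed_on.isoformat(),
                    "to": window[-1].assessed_on.isoformat(),
                    "drop": drop,
                    "notify": ["audit", "risk_management", "business_unit"],
                })
        return alerts


def build_sample_register() -> VendorRegister:
    """Constructed sample data: three hypothetical vendors, quarterly assessments."""
    reg = VendorRegister()
    rows = [
        # vendor,     date,               source,                 security, financial
        ("AcmeCloud", date(2020, 1, 15), "external_rating",      88, 90),
        ("AcmeCloud", date(2020, 4, 15), "onsite_audit",         86, 89),
        ("AcmeCloud", date(2020, 7, 15), "external_rating",      87, 91),
        ("DataHaul",  date(2020, 1, 20), "external_rating",      84, 80),
        ("DataHaul",  date(2020, 4, 20), "vendor_questionnaire", 80, 78),
        ("DataHaul",  date(2020, 7, 20), "external_rating",      72, 68),
        ("QuickPay",  date(2020, 6, 1),  "vendor_questionnaire", 95, 65),
    ]
    for vendor, day, source, sec, fin in rows:
        reg.record(Assessment(vendor, day, source, {"security": sec, "financial": fin}))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    for name in reg.history:
        print(name, reg.prequalify(name))
    for alert in reg.trend_alerts():
        print("ALERT", alert)
```

In the sample data AcmeCloud passes prequalification and raises no alert, DataHaul fails the financial floor and its composite drop of 12 points over three quarters raises an alert, and QuickPay fails twice: one domain is below the floor and the only evidence on file is its own questionnaire, which is exactly the "is the vendor truthful" gap the text raises.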


Conclusion
Vendor onboarding is most useful when there is accessibility and transparency in the process. Each request coming through needs to be dealt with proficiently. At all times, vendors going through due diligence need to be accessible to auditors, stakeholders and risk managers. The ability to quickly prequalify or exclude candidates from the pool makes the process easier to manage. Likewise, the ability to do side-by-side vendor comparisons gives enterprises insight on where to focus attention. Comparative assessments minimize effort, which is helpful to all involved.

The growth of, and dependency on, vendors won't slow down anytime soon. Neither will the regulations that govern VRM. Of course, technology aside, skilled people and effective processes are required for the program to be successful. Without them, technology just automates a broken process that won't get better on its own.

Audit plays an important role in vendor onboarding because it has the requisite skills to add value throughout this process. It can oversee standardization of documentation for vendor selection, identify unvetted vendors, and create and execute remediation plans. By relying on the audit function, using data to drive decisions and working within a centralized system, organizations can effectively and efficiently onboard and maintain vendor relationships with far less risk.


Acknowledgments
ISACA would like to recognize:

Expert Reviewers

Yusuf Hashmi, CISA, CRISC, CGEIT, India
Kanupriy Parab, CISA, CRISC, CISM, India
Larry L. Llirán, CISA, CISM, Puerto Rico
Darren O'Brien, United Kingdom
Dapo Ogunkola, CISA, CRISC, United Kingdom

Board of Directors

Brennan P. Baybeck, Chair, CISA, CRISC, CISM, CISSP, Vice President and Chief Information Security Officer for Customer Services, Oracle Corporation, USA
Rolf von Roessing, Vice-Chair, CISA, CISM, CGEIT, CISSP, FBCI, FORFA Consulting AG, Switzerland
Tracey Dedrick, Former Chief Risk Officer with Hudson City Bancorp, USA
Pam Nigro, CISA, CRISC, CGEIT, CRMA, Health Care Service Corporation, USA
R.V. Raghu, CISA, CRISC, Versatilist Consulting India Pvt. Ltd., India
Gabriela Reynaga, CISA, CRISC, COBIT 5 Foundation, GRCP, Holistics GRC, Mexico
Gregory Touhill, CISM, CISSP, Cyxtera Federal Group, USA
Asaf Weisberg, CISA, CRISC, CISM, CGEIT, introSight Ltd., Israel
Rob Clyde, ISACA Board Chair, 2018-2019, CISM, Board Director, Titus and Executive Chair, White Cloud Security, USA
Chris K. Dimitriadis, Ph.D., ISACA Board Chair, 2015-2017, CISA, CRISC, CISM, INTRALOT, Greece
Greg Grocholski, ISACA Board Chair, 2012-2013, CISA, Saudi Basic Industries Corporation, USA
David Samuelson, Chief Executive Officer, ISACA, USA


About ISACA
For more than 50 years, ISACA® (www.isaca.org) has advanced the best talent, expertise and learning in technology. ISACA equips individuals with knowledge, credentials, education and community to progress their careers and transform their organizations, and enables enterprises to train and build quality teams. ISACA is a global professional association and learning organization that leverages the expertise of its 145,000 members who work in information security, governance, assurance, risk and privacy to drive innovation through technology. It has a presence in 188 countries, including more than 220 chapters worldwide.

1700 E. Golf Road, Suite 400
Schaumburg, IL 60173, USA
Phone: +1.847.660.5505
Fax: +1.847.253.1755
Support: support.isaca.org
Website: www.isaca.org

About Galvanize
Galvanize builds award-winning, cloud-based security, risk management, compliance, and audit software to drive change in some of the world's largest organizations. We're on a mission to unite and strengthen individuals and entire organizations through the integrated HighBond software platform. With more than 6,300 customer organizations in 130 countries, Galvanize is connecting teams in many Fortune 1,000 and S&P 500 companies, and hundreds of government organizations, banks, manufacturers, and healthcare organizations. Whether these professionals are managing threats, assessing risk, measuring controls, monitoring compliance, or expanding assurance coverage, HighBond automates manual tasks, blends organization-wide data, and broadcasts it in easy-to-share dashboards and reports. Learn more at wegalvanize.com.

Provide Feedback: www.isaca.org/audit-oversight-for-onboarding-vendors
Participate in the ISACA Online Forums: https://engage.isaca.org/onlineforums
Twitter: www.twitter.com/ISACANews
LinkedIn: www.linkedin.com/company/isaca
Facebook: www.facebook.com/ISACAGlobal
Instagram: www.instagram.com/isacanews/

DISCLAIMER
ISACA has designed and created Audit Oversight for Onboarding Vendors (the "Work") primarily as an educational resource for professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.

RESERVATION OF RIGHTS

© 2020 ISACA. All rights reserved.



Audit serves up an extra layer of assurance for vendor risk.

The HighBond platform by Galvanize is the only cloud-based platform to unite the objectives of audit, risk, and compliance professionals through data.

We provide software for your entire audit workflow, from planning, risk assessments,
and fieldwork to analytics, issue management, and reporting.

See how HighBond can work for you.

wegalvanize.com/highbond
