Confirm if your third-party risk management audit is part of a broader compliance or risk management audit and whether your organization has staff dedicated to coordinating and managing audits
Ensure senior management and the board have been notified of the upcoming audit
Confirm with the auditors that you’ve received the notice and will greet them upon arrival
Decide where the auditors will work and whom they should consult for questions and updates
Review the audit notification carefully
Don’t rush your preparation
Review your prior audit report and any related internal audit documents to verify you’ve been responsive to any open items or recommendations
Study the prior exam vs. the new notification for any potential changes in scope or particular focus
Assign roles and responsibilities for gathering data and documentation
Organize your vendor management governance documents (e.g., policy and program)
Read through the document request lists and make sure you understand precisely which documents the auditors need. A big potential pitfall is providing the wrong documents or guessing at what they’re requesting.
Re-read – with assistance preferably – all your program documentation and be sure you’re confident explaining the accompanying work product and process

Discuss expectations with your team, such as the need to clarify questions before responding if they don’t fully understand, etc.
Communicate with your staff regarding general professionalism and courtesy with auditors
Create a plan that outlines details on the opening meeting, periodic updates and closing meeting, considering the times and attendees
Establish a spokesperson and a separate notetaker to meet with the auditors
Carefully review your vendor list and be prepared to discuss the different vendor types, especially your critical vendors
Be ready to discuss the scope of vendor monitoring practices (e.g., how the scope varies based on vendor and product type)
Consider how you’ll prove that your third-party risk management practices are in sync with your policy
Take thorough notes and don’t be afraid to clarify any potential concerns
Don’t hide any unfinished tasks and be sure to take responsibility and explain the reason and how you’ll finalize it
Have a professional and respectful conversation when you disagree with a conclusion – don’t be afraid to clarify the auditor’s position against yours
Be responsive to feedback
Stay organized and keep records of what you’ve provided
Stay confident in your program – an audit or regulatory exam is generally only once a year, but remember to take pride in the work you do all year