Third-Party Risk Management
Audit or Regulatory Exam Checklist
The time has come to prepare for an audit or a regulatory exam. The process can be a little tedious and nerve-racking, even
for experienced professionals. However, if you stick to a simple game plan, an audit of any type will be much easier to manage.
Use this checklist as a basic guide of what to do when the auditors are coming for a visit:
Confirm if your third-party risk management audit is part of
a broader compliance or risk management audit and whether
your organization has staff dedicated to coordinating and
managing audits
Ensure senior management and the board have been notified of
the upcoming audit
Confirm with the auditors that you’ve received the notice and
will greet them upon arrival
Decide where the auditors will work and whom they should
consult for questions and updates
Review the audit notification carefully
Set aside adequate time to prepare
Don’t rush your preparation
Review your prior audit report and any related internal audit
documents to verify you’ve been responsive to any open items
or recommendations
Study the prior exam vs. the new notification for any potential
changes in scope or particular focus
Assign roles and responsibilities for gathering data and
documentation
Organize your vendor management governance documents
(e.g., policy and program)
Read through the document request lists and make sure you
understand precisely which documents the auditors need. A big
potential pitfall is providing the wrong documents or guessing
at what they’re requesting.
Re-read – with assistance preferably – all your program
documentation and be sure you’re confident explaining the
accompanying work product and process
If you’ve made any exceptions to your processes, make sure
there is an adequate rationale for doing so and appropriate
accompanying documentation
Prepare responses and documents for any pre-audit requests or
initial document requests
After preparing responses and documents, get a second review
for content and accuracy and do one more review yourself
PRO TIP: Many larger organizations have specific procedures
and communication protocols for dealing with audits or regulatory
exams. If this is the case, make sure you follow any internal
instructions regarding the audit.
Copyright © 2022 by Venminder, Inc.
Discuss expectations with your team, such as the need to clarify
questions before responding if they don’t fully understand, etc.
Communicate with your staff regarding general professionalism
and courtesy with auditors
Create a plan that outlines details on the opening meeting,
periodic updates and closing meeting, considering the times and
attendees
Establish a spokesperson and a separate notetaker to meet with
the auditors
Carefully review your vendor list and be prepared to discuss the
different vendor types, especially your critical vendors
Prepare talking points to summarize the general risk
management practices currently in place
Be ready to discuss the scope of vendor monitoring practices
(e.g., how the scope varies based on vendor and product type)
Consider how you’ll prove that your third-party risk
management practices are in sync with your policy
Take thorough notes and don’t be afraid to clarify any potential
concerns
Don’t hide any unfinished tasks and be sure to take
responsibility and explain the reason and how you’ll finalize it
Have a professional and respectful conversation when you
disagree with a conclusion – don’t be afraid to clarify the
auditor’s position against yours
Be responsive to feedback
Stay organized and keep records of what you’ve provided
Stay confident in your program – an audit or regulatory exam
is generally only once a year, but remember to take pride in the
work you do all year
It’s as simple as that! By taking these steps, you’ll be well
on your way to putting your best foot forward during your
next audit.
SAVE CHECKLIST PRINT CHECKLIST
Download free sample assessments
of vendor controls and see how Venminder
can help you reduce your third-party risk
management workload.