Exams or Audits

  • 1.  Annual Report - overall condition and performance of mission critical service provider arrangements

    This message was posted by a user wishing to remain anonymous
    Posted 02-27-2020 10:51 AM

    Recent audit is asking us to ensure the annual report to the board sufficiently addresses the scope and detail regarding vendor oversight activities, including overall condition and performance of mission critical service provider arrangements and any exceptions identified through monitoring, etc. Do you do this today, and how do you approach it in your program?


  • 2.  RE: Annual Report - overall condition and performance of mission critical service provider arrangements

    Posted 02-28-2020 08:43 AM
    We present status of our Program to the Risk Management Committee of the Board at least annually. We also have a requirement to report to the Board any new vendors that may increase the overall inherent risk to the bank.


  • 3.  RE: Annual Report - overall condition and performance of mission critical service provider arrangements

    Posted 02-28-2020 10:23 AM
    We provide a report quarterly to the Risk Committee of the Board. We report on a number of things including new vendors and their associated risk level, any risk changes for existing vendors, updates on VRM scorecards of most critical vendors, and the risk mitigation strategies for our top vendor risks.


  • 4.  RE: Annual Report - overall condition and performance of mission critical service provider arrangements

    This message was posted by a user wishing to remain anonymous
    Posted 02-28-2020 09:44 AM

    Our Policy dictates that we report to our Enterprise Risk Management Committee quarterly, and that committee reports up to the Risk Committee of the Board quarterly. We are required to report on oversight status of all Critical vendors that are considered high risk and any vendors that are implicated by Sarbanes-Oxley. We are also required to report on any new relationships that have been entered into that are considered Critical.

    We have a dashboard view that shows whether those oversight monitoring duties occurred and what the results were. If we have any that were less than satisfactory, we have to report on remediation and/or contingency plans.