Due Diligence and Ongoing Monitoring

  • 1.  Consulting and audit firm due diligence

    This message was posted by a user wishing to remain anonymous
    Posted 04-18-2022 09:28 AM

    Our Bank engages with many consulting and external auditors. What type of due diligence should we conduct? 
    What if they have access to NPPI? What type of due diligence documents should we request from them?

    Currently, if they are approved by the board or a committee designated by the board we do not perform any due diligence.


  • 2.  RE: Consulting and audit firm due diligence

    Posted 04-20-2022 12:09 PM
    1. Consulting and audit firms are treated as any other vendor, meaning we determine the vendor rating using a criticality assessment. The depth of New Vendor Due Diligence and Performance Review is based on the vendor criticality.

    We normally do a financial review on all vendors, regardless of rating. An IT Security Assessment is done on any vendor providing technology solutions. Business Continuity and Disaster Recovery Plans and testing results are required for vendors that rate high on Operational Reliance.

    We also evaluate whether a vendor is in scope for SOC 1 and/or SOC 2 review and request the SOC reports.

    2. For audit firms engaged by the Audit Committee/Board, we do conduct a limited review that is focused on the vendor performance. If a technology solution is used, then an IT Security Assessment will be conducted; SOC 2 Type 2 reports are requested along with any other IT Security documentation needed by the IT Security dept.

    Best regards

    Mirella Coleman

    Vendor Risk Manager, CRVPM IV, CBCP


  • 3.  RE: Consulting and audit firm due diligence

    This message was posted by a user wishing to remain anonymous
    Posted 04-20-2022 01:16 PM

    Hi Mirella. Would you mind sharing how you determine "vendor criticality"? This is something we are struggling with.


  • 4.  RE: Consulting and audit firm due diligence

    Posted 04-20-2022 02:40 PM
    We use 5 factors to determine inherent risk and criticality:
    1. Information Sharing (Confidential, Private, Public data)
    2. Operational Reliance
    3. Operational Replacement
    4. Regulatory Compliance
    5. Annual Spend
    Each factor can be assessed as High, Moderate, or Low risk, with 3, 2, and 1 points assigned respectively.
    Once the criticality assessment is completed, total points are tallied and a criticality rating is assigned. Highest number = critical vendor, lowest = minor vendor.
    It's all risk based.


  • 5.  RE: Consulting and audit firm due diligence

    This message was posted by a user wishing to remain anonymous
    Posted 04-20-2022 05:19 PM

    You can separate out inherent risk and criticality. A vendor that is considered to be "critical" to ongoing operations could conceivably be on the lower risk side. Criticality can be determined by asking if the vendor is necessary for business, if losing the vendor would cause a disruption in services, and whether there are any replacements if it goes out of business. Risk is going to focus more on the types of information they deal with, regulations, your spend amount, etc.