I'll chime in that I agree that quarterly reviews are overkill, unless they have earned a red flag because of a qualified SOC report, or financials that are failing, or some sort of OFAC violation perhaps?
For the usual course of events, you really aren't getting much new data after a quarter, unless it's a publicly traded company whose finances are getting troubled.
SOCs and/or an SSAE18 review don't get new information faster than annually, so it feels like a lot of effort for no new information.
We use the relatively standard
High – annual
Moderate – 2-year review
Low – 3-year review
Prior role, we had an extra layer –
Critical High – annual
High – 18 months
Moderate – 2 yrs
Low – 3 yrs
And I would make the case that at the very bottom, needing little to no review are things like association memberships, utilities, mandated relationships [think FDIC].
But that's in a different thread. Not trying to open new cans with new worms.
Thanks,
Dave
David Howe
Chief Information Officer