Due Diligence and Ongoing Monitoring

    Vendor Site Visits Q&A

    Posted 09-24-2019 02:46 PM

    Hi everyone, check out the below questions on vendor site visits. These were asked during a Third Party Risk Management Bootcamp that Venminder had last week. A lot of information was shared. It was three days, 6 sessions and 11 presentations long, covered by nine experts. There were also a lot of great questions that came in during those live sessions. The team thought it would be helpful to share what those questions were and provide answers as well. Chime in if you have further answers for any of these or any further comments or questions. And, if you're interested in viewing the recordings, you'll find the link on the Program Improvement library page.

    Q: If you can attain all the due diligence information remotely - why do an on-site visit?
    A: Perhaps it's not necessary, but sometimes there is value in validating that what they have asserted in writing is actually occurring in practice – much like the OCC and FDIC do in visiting their member institutions to validate in practice rather than accepting all documents at face value.


    Q: What is your threshold for performing on-site vendor audits? Primarily critical activity vendors?
    A: It depends on your methodology and vendor management policy. Usually, it's high and critical vendors. If a vendor is medium risk but you've identified a lot of risk, then you may still need an on-site visit just depending on your policy.


    Q: How do you determine if a site visit is required? After a risk assessment and review of documents provided?
    A: We always start with a risk assessment to understand the vendor and what's critical. If we don't do a risk assessment, we'll be more prone to look at more than we need to. So, it's important to be risk-minded when doing these.


    Q: We have had issues conducting site visits when the vendor is not in the country due to budget limitations. What can we do?
    A: You can try to find a local resource there such as a CPA firm. You have to drive the scope and project to make sure you're going to get what you want and need, but you can use a third party to get the audit accomplished.


    Q: Regulators are telling us site visits are required on a certain schedule for the highest risk. Are you aware of any rules or regulations regarding this?
    A: No, I haven't seen any firm guidance that requires site visits. Site visits aren't required; they're suggested. However, if a regulator is suggesting it, then in some cases, we should abide by that.

    Q: Do you test cyber resilience with a tabletop? Are you conducting the tabletop or are you looking for documentation only?
    A: We're looking for documentation only. Management needs to have a process to do that. We're only looking at the process they have, understanding their methodology, how they've documented their conclusions and determining if that's sufficient.


    Q: In regard to fourth parties, what contract language do you recommend? What do you do with them for the on-site visit?
    A: That gets tricky because it's going to be difficult to get that in a contract with your key vendor. Even if you don't have a contractual relationship, you can still ask the fourth party, and from time to time, they may let you in. That comes back to vendor management performed by your vendors. Do their contracts have a right to audit to go on-site and do a site visit? It gets a little complex, but there are options around that. I'd start with your vendors' vendor management programs and make sure they're sufficient.


    Brittany Padgett
    Community Manager
    Third Party ThinkTank