Risk Assessments

Vendor Risk Assessment Questionnaire

  • 1.  Vendor Risk Assessment Questionnaire

    Posted 09-22-2020 11:04 AM
    Good afternoon,
    I am reviewing our current risk assessment questionnaire and looking for input.  Our current questionnaire includes the following question:
    "The vendor deploys adequate accounting controls which have been deemed Sarbanes–Oxley (SOX) compliant."
    Since SOX documentation is not currently part of the standard due diligence, this question is difficult to answer accurately.  Does anyone else have similar questions related to SOX, or is this something that we can safely remove from our questionnaire?
    The question was added by a former employee, so we are unable to determine why it was included.

    Thank you.

  • 2.  RE: Vendor Risk Assessment Questionnaire

    Posted 09-22-2020 03:02 PM

    A follow-up question I would ask is: does your entity actually require a vendor to maintain SOX compliance?  For example, would you expect a vendor to provide annual proof of SOX compliance?  I have seen due diligence questionnaires reference specific standards (like SOX) because if a vendor is compliant, then it also indicates that they have internal controls, data security policies, reporting standards, etc., in place as an organization.  Some ways I have observed to make the questionnaire a little more flexible to different vendors' terminology/understanding are either to break down the standard into specific questions or to make a reference such as, "the vendor deploys adequate controls reasonably similar to XYZ Industry Standard.  If yes, please identify the applicable standard."

  • 3.  RE: Vendor Risk Assessment Questionnaire

    Posted 10-21-2020 09:42 AM
    Yes, as part of the annual review, our vendors/suppliers are asked for their latest SOC 2 and ISO 27001 report (3-year cycle). By maintaining these certifications through a reputable auditor, we are good to go. This avoids having to send the obligatory questionnaire, which grows with every passing year. The certification covers enough of the questionnaire to satisfy this part of the Supplier Review process.

    Hope this helps,

  • 4.  RE: Vendor Risk Assessment Questionnaire

    Posted 10-21-2020 11:01 AM
    Edited by Brittany Padgett 10-21-2020 01:27 PM
    Hi Mark,

    We also do an annual review of SOC and ISO certifications by obtaining this information from the vendors we require it from.  I am curious about a couple of things noted in your post, as I am looking for a better way, other than paying a service, to collect these on an annual basis.  We continuously have issues collecting them from our vendors, almost as if they are reluctant to supply them.

    - You mention a 3-year cycle in parentheses after "...SOC2 and ISO27001 report..."  What do you mean by a 3-year cycle?  Is the ISO 27001 only supplied on a 3-year cycle?
    - You also mention "By maintaining these certs through a reputable auditor, we are good to go"; are you referring to a paid service that does this, such as Venminder?  If so, would you be able to share who you are using for this function and what your experience is with them?  If not, can you please expand on what this entails?

    Thanks so much in advance, I know this takes time out of your day.


    Charlotte Pennella
    シャーロット ペネラ
    Contracts Manager
    4 Manhattanville Road
    Purchase, NY 10577

  • 5.  RE: Vendor Risk Assessment Questionnaire

    Posted 10-21-2020 03:00 PM
    The ISO 27001 cert is good for a 3-year period though applicability should be reviewed annually. It is part of our checklist. "Is it still valid? Do we think the supplier can meet the requirements?"

    Reputable auditor - KPMG, Deloitte, Coalfire, etc. Venminder is a service supplier and should be treated as a supplier but not an auditor. Unless I am missing something in their service portfolio, they are not an audit body. Our procurement department is responsible for gathering information from the supplier as they are responsible and accountable for the supplier relationship. My only exposure to Venminder is as a supplier who is periodically reviewed.

    Internally, we will use any one of the auditors listed above and others. It really depends on what is being audited.  

    Hope this helps. 

  • 6.  RE: Vendor Risk Assessment Questionnaire

    Posted 10-21-2020 04:33 PM
    We also request these items via a Vendor Risk program that performs Due Diligence and an Annual Audit based on a vendor risk score or, if applicable, during contract negotiations if it is a vendor we need to ensure is protecting data or networks appropriately.  Similar was done in my previous company as well.  All of the work is done internally, though, and only for vendors we consider Critical or High Risk.

    I agree with the auditors mentioned; PwC is another one.

    Jamie Sumter
    Vendor Risk Lead