Hi Mark,
We also do an annual review of SOC and ISO certifications by obtaining this information from the vendors we require it from. I am curious about a couple of things noted in your post, as I am looking for a better way, other than paying a service, to collect these on an annual basis. We continuously have issues collecting them from our vendors, almost as if they are reluctant to supply them.
- You mention a 3-year cycle in parentheses after "...SOC2 and ISO27001 report..." What do you mean by a 3-year cycle? Is the ISO27001 only supplied on a 3-year cycle?
- You also mention "By maintaining these certs through a reputable auditor, we are good to go", are you referring to a paid service that does this such as Venminder? If so, would you be able to share who you are using for this function and what your experience is with them? If not, can you please expand on what this entails?
Thanks so much in advance, I know this takes time out of your day.
Best,
Charlotte
------------------------------
Charlotte Pennella
シャーロット ペネラ
Contracts Manager
4 Manhattanville Road
Purchase, NY 10577
------------------------------
Original Message:
Sent: 10-21-2020 09:41 AM
From: Mark Eden
Subject: Vendor Risk Assessment Questionnaire
Yes, as part of the annual review, our vendor/suppliers are asked for their latest SOC2 and ISO 27001 report (3-year cycle). By maintaining these certifications through a reputable auditor, we are good to go. This avoids having to send the obligatory questionnaire which grows with every passing year. The certification covers enough of the questionnaire to satisfy this part of the Supplier Review process.
Hope this helps,
Original Message:
Sent: 09-22-2020 03:02 PM
From: Aaron Sparks
Subject: Vendor Risk Assessment Questionnaire
A follow-up question I would ask is: does your entity actually require a vendor to maintain SOX compliance? For example, would you expect a vendor to provide annual proof of SOX compliance? I have seen due diligence questionnaires reference specific standards (like SOX) because if a vendor is compliant, then it also indicates that they have internal controls, data security policies, reporting standards, etc., in place as an organization. Some ways I have observed to make the questionnaire a little more flexible to different vendors' terminology/understanding are either to break down the standard into specific questions or to make a reference such as, "the vendor deploys adequate controls reasonably similar to XYZ Industry Standard. If yes, please identify the applicable standard."
Original Message:
Sent: 09-22-2020 11:04 AM
From: Melissa Madigan
Subject: Vendor Risk Assessment Questionnaire
Good afternoon,
I am reviewing our current risk assessment questionnaire and looking for input. Our current questionnaire includes the following question:
"The vendor deploys adequate accounting controls which have been deemed Sarbanes–Oxley (SOX) compliant."
Since SOX documentation is not currently part of the standard due diligence, this question is difficult to answer accurately. Does anyone else have similar questions related to SOX, or is this something that we can safely remove from our questionnaire?
The question was added by a former employee, so we are unable to determine why it was included.
Thank you.