Exams or Audits

  • 1.  Auditing Regularity

    Posted 03-24-2025 03:36 PM

    What would be a reasonable regularity for auditing third party arrangements based on criticality or risk levels (High, Medium and low)? This is for internal auditors. How often should Internal Audit review/audit third party arrangements?



  • 2.  RE: Auditing Regularity

    Posted 18 days ago

    Can you please provide your inputs to the above question?




  • 3.  RE: Auditing Regularity

    Posted 18 days ago

    Hi. 

    Happy to provide my perspective based upon my experience. However, it really depends on your organization's risk framework. As a best practice based on the organization's risk management policy, Internal Audit should conduct reviews of third-party arrangements at a frequency aligned with the vendor's inherent risk (H, M, L) and criticality to the bank's operations. High-risk or critical vendors are those supporting core banking functions or handling sensitive data and should be reviewed annually or more frequently if conditions warrant. Medium-risk vendors are typically reviewed every 18 to 24 months, focusing on key risk areas such as access, performance issues, or regulatory compliance. Low-risk vendors may be reviewed on a three-year cycle or sooner if there are changes in the scope of services, vendor ownership, or the external risk landscape. In addition to risk-based cadences, a formal internal review should also be performed at the time of any contract renewal, regardless of risk tier, to ensure terms remain appropriate and that risks are still within tolerance. Trigger-based reviews may also be necessary when significant changes occur, such as ongoing performance issues, a vendor breach, a regulatory issue, or a merger. This approach helps ensure oversight remains consistent with the organization's overall risk appetite and regulatory expectations. Hope that is helpful.




  • 4.  RE: Auditing Regularity

    Posted 14 days ago

    For us, TPRM is subject to risk rating for audit frequency. Because our core banking platform is vendor hosted, some vendors house NPI, some vendors are critical to our IT infrastructure, we have joint ventures sharing customers subject to BSA screening, etc., our TPRM function is audited annually.