Due Diligence and Ongoing Monitoring

  • 1.  Consulting and audit firm due diligence

    This message was posted by a user wishing to remain anonymous
    Posted 08-09-2022 10:15 PM

    Good Morning,

    Just wanted to verify with everybody what type of documentation you request for your due diligence on the vendors below:

    Title Agents
    External Auditors

    Thank you for the input.

  • 2.  RE: Consulting and audit firm due diligence

    Posted 08-18-2022 01:34 PM

    Completing your standard inherent risk assessment is a great way to determine what due diligence should be required. Your risk assessment should help you identify the types and amounts of risks present in the engagement. For example, suppose your attorneys will be handling sensitive information. In that case, you will need to validate that they have the proper controls to do so effectively. In most cases, you don't need to try and figure out due diligence by service provider type but rather scope your due diligence based on the risks identified. Using a standardized and consistent approach for all your vendors is the best way to ensure your due diligence scope is correct.

    There is, however, an exception, and that is related to external auditors or other firms that are evaluating your company (auditors, rating agencies, certification bodies). In these situations, the third parties must have an "arm's length" relationship with your organization. That means they must remain completely neutral to perform their jobs. These specific organizations should be out of scope for your TPRM program because they cannot remain neutral if engaged with your processes directly. I would be very clear about defining what types of organizations or third-party types qualify for this exception, and I would document it in the TPRM policy. I hope this information is helpful. I would love to hear what others think.

  • 3.  RE: Consulting and audit firm due diligence

    Posted 08-19-2022 03:12 PM
    This is where having an Intake process that lives above your risk assessment becomes handy. 
    And you can use Categories to cycle certain Third Parties down a separate path... Not all things need Enhanced Due Diligence... and in some cases you want to pre-screen to determine if other processes need to be invoked.  

    For instance, Attorneys can be vetted differently, depending on how they are going to be used. We don't need to do a full-blown Inherent Risk Assessment if we're using an Attorney to help us write up one customer deal (prep of loan docs, for instance). So I'd not drop them in the Venminder process as the starting point, but prescreen to determine if there's evidence we need to do a deeper assessment.

    And we should have other pre-screening activities prior to a Venminder scrub... Is the business unit attempting to bring in Technology? If we do a quick assessment with IT and InfoSec, we can determine if we should be spending any time at all on on-boarding or risk assessments... If IT says "no, that's not going to work in our environment" or InfoSec says "that's not going to be safe in our environment," we can put a stop to wasted expenses...

    Further, is this an activity that needs to go through Venminder at all? Take donations we give to community groups for our CRA program. We just need to know who is getting the money; do a quick OFAC screen... don't need a PO, don't need a contract... just need A/P to cut a check... so minimum review only...

    The vendors used under the legacy Reg Q program; vendors paid from a commercial customer's account analysis credits; part of the Bank's Treasury Management Services (TMS) program. You still need to vet the Third Party, but the risk assessment is unnecessary. Basic Due Diligence and Know Your Vendor (KYV) process. Your form Tri-Party Agreement...

    And Affiliates... you have Reg W requirements... and there needs to be a clearly defined accounting for expenses. But you're not going to do a risk assessment on an Affiliate... 

    Pre-screening also allows you to help the business determine if they need to run through a formal program management process, or if they need to run through a Sourcing process (formal RFP) because the expected spend is going to trip other oversight and approval processes. And you may want to use pre-screening to determine if you'll trip over Exclusivity clauses with other vendors (and avoid a potential breach).

    So, I do recommend using Categories and assigning specific due diligence activities that are appropriate for the risk related to that specific category; and the pre-screen process is a better way of managing resources and only spending time on those Third Parties that need your extra attention... 

    For me, I only really care about 300-400 of the 3000+ third parties in my inventory... and then only 80 to 120 of those I care about get a lot more attention...   It allows me to focus resources on those third parties that need deeper Due Diligence reviews, better contracting efforts and On-going monitoring and reporting... 

    Good luck

    Bradley Martin

  • 4.  RE: Consulting and audit firm due diligence

    This message was posted by a user wishing to remain anonymous
    Posted 08-22-2022 10:04 AM

    Thank you.
    So glad we have such good resources.