Hi Nicole,

Generally, on-site visits serve two purposes. The first is to observe specific controls, such as physical security, information protection, or worker safety. Vendor site visits are also useful for reviewing documentation that the vendor was unwilling to send you during due diligence, such as business continuity plans and testing results. They also provide an actual view of the work environment, technology, culture, and even how management and leadership interact with and manage their employees. And site visits can also help you determine the quality, expertise, and working relationships of the individuals delivering the proposed services.
As for what controls you should be evaluating, that all depends on the product or service type that the vendor is providing and the risks identified as part of your inherent risk questionnaire.
So, suppose a vendor has access to sensitive or confidential information. In that case, your on-site visit should evaluate their physical and information security controls, access management, and whether employees are removing sensitive data from their desks when unattended. Or suppose you are visiting a call center; you might also observe whether agents are permitted to have cell phones or whether they are restricted from printing sensitive data.
As another example, if you visit a manufacturing environment, you may have different considerations like worker safety, storage and management of raw materials, waste, and theft prevention.
The visit must focus on information that cannot be collected via document-based research. And your checklists should be based on where observations will be sufficient and where you will need to dive in and ask further questions. One important consideration for all on-site visits is that if there are controls that only subject matter experts can assess, it is important to include them in the visit.
I hope that helps, but I would love to hear from our other members.