Due Diligence and Ongoing Monitoring

 View Only

  • 1.  Testing of 3rd party monitoring of their critical/high risk vendors

    This message was posted by a user wishing to remain anonymous
    Posted 07-11-2025 10:14 AM
    This message was posted by a user wishing to remain anonymous

    I am looking for any best practices of how anyone tests that their 3rd parties are actively monitoring their critical/high inherent risk 3rd parties?  What do you request and have success receiving from your 3rd parties to ensure they are doing this?  Any feedback is appreciated.



  • 2.  RE: Testing of 3rd party monitoring of their critical/high risk vendors

    Posted 07-11-2025 12:24 PM

    Hi,

    To be clear, your vendors' third parties' contractors / vendors are fourth parties to you.  Fourth parties are also known as subservice organizations.

     

    One best practice is to obtain the SOC 2 reports of your vendors.  These reports should include discussions of the vendor management program covering the subservice organizations.  The discussion should disclose how your vendors assess and manage risks associated with their vendors and business partners, that is, subservice organizations.  The information in the SOC 2 reports can give you sufficient background to have discussions with your vendors on who they consider to be their key subservice organizations.

     



  • 3.  RE: Testing of 3rd party monitoring of their critical/high risk vendors

    This message was posted by a user wishing to remain anonymous
    Posted 07-11-2025 12:25 PM
    This message was posted by a user wishing to remain anonymous

    I find that any quality conducted SOC 2 Type 2 report has some information regarding TPRM available within the body report and also within the scope of control testing, even if it's just the auditors confirming a policy is in place for managing third parties and that annual reviews are conducted of high risk/critical vendors. Additionally, larger companies sometimes have available a Standard Information Gathering (SIG) Questionnaire. These SIGs can have a lot useful information, even beyond TPRM.

    Lastly, I outright request documentation of a Third Party Risk Management policy or program from all of my organization's critical high risk vendors. I have yet to encounter significant push back. A company not having a policy or statement regarding their TPRM is a red flag.