Hi there,
I assume that the questionnaires you refer to are your vendor risk questionnaires, which you utilize during your due diligence process. These questionnaires are typically accompanied by due diligence documentation to provide evidence of your vendor's risk management practices and controls.
I think the important factor to consider is not only the answers in the questionnaire but also the documented evidence they provide to support their answers. If issues are identified because the evidence doesn't support the answers provided in the questionnaire, there isn't much of a need to go back and forth. Issues must be identified so they can be remediated. This isn't something that should be up for negotiation, as your organization will be held accountable for any problems that arise. Ultimately, the third party must meet your organizational standards, and if qualified subject matter experts are reviewing the questionnaire and accompanying documentation and they find an issue, the vendor must remediate it.
On the other hand, if the vendor is asking to revise because they didn't understand a question(s), that might indicate that the questionnaire should be revised to avoid any future confusion. While it's always important to operate in good faith, your processes are there to protect your organization and its customers, and exceptions should be limited. I hope that helps, but I would be interested in what other members have to say.
Original Message:
Sent: 09-24-2024 01:28 PM
From: Anonymous Member
Subject: Third-Party Validation Process
This message was posted by a user wishing to remain anonymous
Hi Think Tank,
We are up and running with our TPRM process and are in the early phases of distributing reports to our vendors. Third parties are now coming back to counteract issues we've identified through the third-party questionnaire. However, how much validation opportunity do you give your providers? It's becoming a never-ending cycle of back-and-forth and allowing third parties to revise their responses that they initially provided.
Any insights would be appreciated. Thank you.