How to define the regularity of internally auditing a third party arrangement based on its criticality rating or risk rating (high, medium, low)? Regulations are not prescriptive about how often these arrangements need to be audited.