Reporting

This message was posted by a user wishing to remain anonymous

Hi everyone,

I recently joined thinktank. I have a question: what are the most import things to factor in your vendor assessment summary report that will be sent to the stakeholders after you have conducted your assessment? and if anyone has a sample of vendor assessment summary report that has a list of details to include, could you please share with me? 
Thank you

Hi there,

When it comes to a vendor risk assessment summary report, every organization is slightly different. However, there are some fundamentals that these reports should always include. Please pay attention to numbers 10-11, as Subject Matter Expert reviews should always be completed before contracts are executed.

 The risk area(s) being evaluated.

1. The name of the reviewer(s)
2. The date and time, and time of the review
3. The time period that the review covers
4. A list of and dates of all source material used for review; this includes any expiration dates, time frames, bridge letters, etc. Note: If formal interviews are used as source material, make sure to include the review date, the name of the individual interviewed, their position, and qualifications.
5. The specific controls that are being evaluated.
6. Confirmation that a suitable control(s) exists
7. Confirmation that the control(s) has been tested (if not, this should be noted in the report)
8. Any control gaps or deficiencies noted, and the risk experts' opinion regarding the severity of the gap or deficiency and the potential impacts of not remediating the failed control.
9. The Subject Matter Expert's recommendations for remediation. Include specifics when necessary
10. If remediations must be made before the contract is signed or if post-contract remediation is acceptable.
11. A summary statement from the Subject Matter Expert regarding the general sufficiency of the controls, quality of documentation, the expertise of key vendor staff, and general consideration of the risk environment posed by the vendor. The Subject Matter Expert should also provide a documented opinion recommending the organization move forward, pause or stop based on their review of the above.

 

Those are really the basics; your organization can expand on these or change them. But this list provides a great starting point for those new to vendor risk assessments. I would love to hear thoughts from other members too.

Original Message:
Sent: 04-25-2022 03:55 PM
From: Anonymous Member
Subject: Vendor Assessment Summary Report

This message was posted by a user wishing to remain anonymous

Hi everyone,

I recently joined thinktank. I have a question: what are the most import things to factor in your vendor assessment summary report that will be sent to the stakeholders after you have conducted your assessment? and if anyone has a sample of vendor assessment summary report that has a list of details to include, could you please share with me? 
Thank you

Perfect reply.

Just one more to add 

If you have any findings , observations or NC  which might be either Physical , logical or Operational, make sure you get a closing date & the confirmation of the same through email from the vendor, but you should also have a compensate control till the finding is closed.

Tx
Sri
Original Message:
Sent: 05-09-2022 11:29 AM
From: Hilary Jewhurst
Subject: Vendor Assessment Summary Report

Hi there,

When it comes to a vendor risk assessment summary report, every organization is slightly different. However, there are some fundamentals that these reports should always include. Please pay attention to numbers 10-11, as Subject Matter Expert reviews should always be completed before contracts are executed.

 The risk area(s) being evaluated.

1. The name of the reviewer(s)
2. The date and time, and time of the review
3. The time period that the review covers
4. A list of and dates of all source material used for review; this includes any expiration dates, time frames, bridge letters, etc. Note: If formal interviews are used as source material, make sure to include the review date, the name of the individual interviewed, their position, and qualifications.
5. The specific controls that are being evaluated.
6. Confirmation that a suitable control(s) exists
7. Confirmation that the control(s) has been tested (if not, this should be noted in the report)
8. Any control gaps or deficiencies noted, and the risk experts' opinion regarding the severity of the gap or deficiency and the potential impacts of not remediating the failed control.
9. The Subject Matter Expert's recommendations for remediation. Include specifics when necessary
10. If remediations must be made before the contract is signed or if post-contract remediation is acceptable.
11. A summary statement from the Subject Matter Expert regarding the general sufficiency of the controls, quality of documentation, the expertise of key vendor staff, and general consideration of the risk environment posed by the vendor. The Subject Matter Expert should also provide a documented opinion recommending the organization move forward, pause or stop based on their review of the above.

 

Those are really the basics; your organization can expand on these or change them. But this list provides a great starting point for those new to vendor risk assessments. I would love to hear thoughts from other members too.

Original Message:
Sent: 04-25-2022 03:55 PM
From: Anonymous Member
Subject: Vendor Assessment Summary Report

This message was posted by a user wishing to remain anonymous

Hi everyone,

I recently joined thinktank. I have a question: what are the most import things to factor in your vendor assessment summary report that will be sent to the stakeholders after you have conducted your assessment? and if anyone has a sample of vendor assessment summary report that has a list of details to include, could you please share with me? 
Thank you