This message was posted by a user wishing to remain anonymous
Our Policy dictates that we report to our Enterprise Risk Management Committee quarterly, and that committee reports up to the Risk Committee of the Board quarterly. We are required to report on oversight status of all Critical vendors that are considered high risk and any vendors that are implicated by Sarbanes-Oxley. We are also required to report on any new relationships that have been entered into that are considered Critical.
We have a dashboard view that shows whether those oversight monitoring duties occurred and what the results were. If we have any that were less than satisfactory, we have to report on remediation and/or contingency plans.
Original Message:
Sent: 02-27-2020 10:44 AM
From: Anonymous Member
Subject: Annual Report - overall condition and performance of mission critical service provider arrangements
This message was posted by a user wishing to remain anonymous
A recent audit is asking us to ensure the annual report to the board sufficiently addresses the scope and detail regarding vendor oversight activities, including overall condition and performance of mission critical service provider arrangements and any exceptions identified through monitoring, etc. Do you do this today, and how do you approach it in your program?