We use 5 factors to determine inherent risk and criticality:
1. Information Sharing (Confidential, Private, Public data)
2. Operational Reliance
3. Operational Replacement
4. Regulatory Compliance
5. Annual Spend
Each factor can be assessed as High, Moderate, or Low risk, with 3, 2, and 1 points assigned respectively.
Once the criticality assessment is completed, total points are tallied and a criticality rating is assigned. Highest number = critical vendor, lowest = minor vendor.
It's all risk based.
Original Message:
Sent: 04-20-2022 01:12 PM
From: Anonymous Member
Subject: Consulting and audit firm due diligence
This message was posted by a user wishing to remain anonymous
Hi Mirella. Would you mind sharing how you determine "vendor criticality"? This is something we are struggling with.
Original Message:
Sent: 04-20-2022 12:01 PM
From: Mirella Coleman
Subject: Consulting and audit firm due diligence
- Consulting and Audit firms are treated as any other vendor, meaning we determine vendor rating using a criticality assessment. The depth of New Vendor Due Diligence and Performance Review is based on the vendor criticality.
We normally do a financial review on all vendors, regardless of rating. An IT Security Assessment is done on any vendor providing technology solutions. Business Continuity and Disaster Recovery Plans and Testing results are required for vendors that rate high on Operational Reliance.
We do evaluate whether a vendor is in scope for SOC 1 and/or SOC 2 review as well and request the SOC reports.
- For Audit firms engaged by the Audit Committee/Board, we do conduct a limited review that is focused on the vendor performance. If a technology solution is used, then an IT Security Assessment will be conducted; SOC 2 Type 2 reports are requested along with any other IT Security documentation needed by the IT Security dept.
Best regards
Mirella Coleman
Vendor Risk Manager, CRVPM IV, CBCP
Original Message:
Sent: 4/15/2022 1:39:00 PM
From: Anonymous Member
Subject: Consulting and audit firm due diligence
This message was posted by a user wishing to remain anonymous
Our Bank engages with many consulting and external auditors. What type of due diligence should we conduct?
What if they have access to NPPI? What type of due diligence documents should we request from them?
Currently, if they are approved by the board or a committee designated by the board we do not perform any due diligence.