Vendor/Customer Audit
Vendor Audit Process
Vendor audits are quickly becoming a best practice across industries given significant third-party risks in data privacy, cybersecurity, corruption and other areas. OM Dhruv Management Systems assists with this process by helping organizations build greater internal understanding of the information that they are sharing with their third-party vendors through the Data Risk Intelligence scans.
What is a vendor audit?
A vendor audit is used by organizations to evaluate a third party hired by the organization. An audit can look at a number of different issues, such as the organization’s quality control, its costs vs. benefits, its cybersecurity protection, or other aspects.
In the privacy context, third-party vendor risk management is an area that businesses are strengthening. The Cambridge Analytica scandal has put third-party data sharing front and center in the eyes of regulators and the media. Organizations that are only looking at their own practices and are not evaluating their vendors' data practices are missing a key area of concern.
What are the Benefits and Costs of a Vendor Audit?
An organization’s efforts to oversee vendors can be expensive, time-consuming and difficult. At the highest levels, it would require site visits, internal document review and interviews of key vendor stakeholders.
However, vendor management can occur at a number of levels, and organizations may decide that their concerns can be satisfied with a lower level of scrutiny. Some organizations may decide that the risk with a vendor is minimal based on the vendor's activities within the organization, and a questionnaire sent to the third-party vendor for response may be sufficient to gain the clarity that they need to continue the relationship.
Notwithstanding the efforts that can be required to undertake vendor management, organizations may not be able to avoid enhanced efforts in this area. Facebook may have avoided significant regulatory and media scrutiny over the past year if it had engaged in more substantial efforts in vendor risk management. As vendors are asked to do more for organizations, or third parties are provided with significant data, the oversight of them needs to correlate to the risks. Yet, as Cambridge Analytica shows, even small organizations can cause significant problems for a large organization.
What may occur as part of the vendor audit process?
In general, vendor audits may include some or all of the following:
– Review of the third-party’s books and records.
– Data analysis on transactions and records.
– Sampling of high-risk transactions.
– Phone or in-person interviews with third-party personnel.
– Vendor questionnaires.
– Site visits.
– Review of contracts, policies and other documents.
– Documentation of findings and any correction plans.
Effective Vendor Management Process Balancing
The amount of time and resources that should be put into a vendor audit depends in large part on the risks that a third-party may pose within the organization. If a service provider has minimal access to data (in the privacy context), then it may warrant a lower level of scrutiny.
How Does OM Dhruv Management Systems Help with Vendor Audits?
Many organizations do not have sufficient insight into their data sharing with their third-party vendors. OM Dhruv Management Systems helps with the identification of service providers for an organization. Additionally, information from the Data Risk Intelligence scans can be used to identify the level of data sharing that is happening with an organization so that an internal decision can be made about the appropriate level of vendor scrutiny.