Five Controls To Consider When Auditing a Vendor Management Program
Note: This article was originally published on ISACA.org.
As enterprises grow larger and become more reliant on external vendors, it becomes necessary to establish effective vendor management programs. Vendor management is a fundamentally critical function that impacts an organization’s operational success, efficiency, reputation and risk exposure. The internal audit department can promote an effective vendor management program by identifying and assessing risk, taking due diligence actions, periodically monitoring vendor performance, ensuring compliance and promoting continuous improvement. At minimum, critical vendors should be monitored and vetted with due diligence that includes inquiring about any recent security incidents. By implementing a functional vendor management program, internal auditors contribute to the overall success of the organization by safeguarding against potential risk and improving vendor relationships.
To put the importance of vendor management into perspective, investigative findings from the Target data breach of 2013—one of the most infamous data breaches in recent history—found that Target had “no controls limiting their [vendor] access to any system, including devices within stores such as point of sale (POS) registers and servers.”1 This means that the heating, ventilation and air conditioning (HVAC) vendor in question had uncontrolled access to every cash register in every Target store. Target’s network credentials were eventually compromised and stolen by malicious actors. If Target’s leadership could go back in time and perform an internal audit of the effectiveness of their vendor management program, these risk factors could have been exposed sooner, and controls could have been put into place to reduce the risk of a security incident stemming from the use of an authorized vendor.
There are several key controls that an organization should implement as part of its vendor management program. Performing an internal audit of these controls can aid in mitigating risk and enhancing the quality of reports on their efficacy.
Control 1: Enterprise Vendor Risk Assessment
An enterprise vendor risk assessment consists of cybersecurity and governance, risk and compliance (GRC) teams collaborating closely with business units to identify and assess potential risk associated with vendor relationships. All critical business units such as accounting, legal, human resources (HR), operations, IT, cybersecurity and vendor owners should be considered during an enterprise vendor risk assessment. Effective vendor risk assessments categorize vendors based on their degree of importance to the organization and determine who is considered a critical or high-risk vendor. An enterprise vendor risk assessment, which should be performed at least annually, serves as the foundation for developing a risk-based approach to a strong vendor management program. After the vendor risk assessment is performed, the internal audit department can use the deliverable to validate whether the assessment identified critical vendors through a risk-ranked approach that included careful vendor due diligence.
Control 2: Monitoring Vendor Performance Through Evaluations
Continuous evaluation and monitoring of vendor performance is essential for ensuring service quality, adherence to contractual requirements and compliance with regulations. Cybersecurity and GRC teams should establish performance metrics, in the form of key performance indicators (KPIs). KPIs offer a clear, objective and efficient way to continuously monitor vendors and determine the frequency of evaluations, thereby ensuring optimal vendor performance and risk management.
Periodic vendor evaluations are typically performed for higher-risk vendors based on the enterprise vendor risk assessment. Evaluations validate that the organization continues to maintain expected security controls by taking the following due diligence measures:
- Inclusion of a right to audit clause in the vendor agreement to reserve the right to audit, allowing the organization to review official documents reflecting the state of internal systems and controls
- Review of an independent assurance report (e.g., System and Organization Controls [SOC] 1 or SOC 2)
- Compliance attestations for cybersecurity standards such as the Payment Card Industry Data Security Standard (PCI-DSS) and the International Organization for Standardization (ISO) standard ISO 27001
- Vendor-completed cybersecurity questionnaires
- Agreed-upon procedures (AUP) attestations performed by an accounting firm
- Other industry certifications (e.g., HITRUST assessments)
Additional resources for executing due diligence may include vendor scorecards from third-party sourced data and reports or a tool to scan public-facing Internet vendor domains for discoverable vulnerabilities.
Periodic assessments should be conducted by management to measure vendor performance against established security benchmarks, identify any deviations or exceptions and perform corrective remediation as necessary. The internal audit department can obtain the vendor evaluation results and determine whether management sufficiently evaluated the vendor as part of the periodic monitoring of critical vendors. Available independent assurance reports should be carefully assessed and reviewed by management to identify whether critical exceptions or findings were noted in the reporting section. Internal audit can test that the results of independent assurance or attestations were converted to KPIs that identified the current risk level of critical vendors’ security controls and whether the vendor relationship puts the organization at a high cybersecurity risk.
Control 3: Performing Due Diligence for New Vendors
To mitigate risk, cybersecurity and GRC teams should ensure that thorough due diligence is conducted prior to new vendor onboarding. Vendor onboarding should include the signing of contracts to determine whether the vendor security program aligns with the expectations of the organization, specifically regarding cybersecurity and confidentiality. Effective due diligence of new vendors includes evaluating vendor qualifications, credentials, regulatory compliance, history of financial stability and assessing the vendor’s available independent assurance reports. A standardized due diligence process for vendor onboarding allows the internal audit department to test vendor security controls that were evaluated by the cybersecurity or GRC team. There are various IT and cybersecurity risk factors that must be considered, such as:
- Where a vendor-provided IT application is hosted (e.g., onsite, at a colocation data center chosen by the vendor, in the cloud by the vendor (such as via a Software-as-a-Service [SaaS] product)
- How users are authenticating on the system and verification of password requirements
- Application programming interface (API) configurations or other interfaces
Control 4: Contract and Agreement Management
Cybersecurity and GRC teams should review vendor contracts, statements of work (SOWs) or other agreements to determine whether they contain clauses for applicable service commitments, system requirements, data security, confidentiality, termination rights and dispute resolution mechanisms. Regular audits of vendor contracts help identify gaps, noncompliance issues or failure of a vendor to uphold service commitments, allowing for timely corrective actions to be taken. Internal audit may collaborate with internal counsel, cybersecurity or GRC teams to test whether the agreements and contracts address cybersecurity risk as it relates to the nature of the service being provided by the vendor.
Control 5: Continuous Improvement
Vendor management should receive ongoing improvements to adapt to changing business needs and emerging cybersecurity risk. Typically, a cybersecurity committee or similar group meets at an agreed-upon schedule to report on the ongoing vendor management program’s effectiveness, especially the monitoring of identified critical vendors in the enterprise vendor risk assessment. The internal audit department may perform periodic reviews and evaluations of the effectiveness of the vendor management program and consider annually reviewing the vendor management policy that governs the program. By conducting post-implementation reviews, internal auditors can assess the effectiveness of controls by monitoring vendor KPIs, identifying areas for improvement and proposing recommendations to enhance the overall vendor management program.
Cybersecurity incidents are constantly evolving as different attack vectors continue to be uncovered every day. It is critical for management teams to focus on the footprint that they can control as third-party risk grows and changes. The mentioned 5 example controls are actionable steps any internal audit department can take to help reduce risk and improve accountability through their vendor management program.
1 Krebs, B.; “Inside Target Corp., Days After 2013 Breach,” Krebs on Security, 21 September 2015
We're Looking for
At KSM, you’ll be encouraged to find your purpose, exercise your creativity, and drive innovation forward.