How Often Should You Do A Third-Party Risk Audit With Your Vendors?

Vendor Risk Management

Written by Melissa Stevens August 06, 2015

When you think of an audit, what comes to mind? If you’re at all familiar with the traditional auditing process, I’d imagine your answer would look something like this:

An audit is a thorough analysis and comprehensive review of a third-party program. It goes through the nuts and bolts of it all, parsing through governance issues, policies and procedures, documentation, assessment results, certifications, other third-party assessments, and more. It can also entertain on-site inspections to observe what people are doing, and see the day-to-day interactions inside an organization.

Am I close? Essentially, traditional audits are extremely thorough “vendor check-ins” to find out how things are going and what has changed since your last vendor check-in.

Comprehensive Third-Party Risk Audit Solutions

Now, what if I asked you this important question:

What are you missing after a traditional audit?

This is a frequently asked question by many organizations who are worried about the overall security of their data—and it’s certainly worth discussing. At the end of the day, audits are still very important. But the fact remains that most organizations will pass an audit. The real issue comes when auditors are no longer on-site. You have to think of an audit like a one-day exam—it tests the “knowledge” and “competency” of the third party on that one specific day. But wouldn’t you agree that a better test of intelligence comes on day three? Or day 257? Because as long as that third party has a great deal of access to your sensitive information, you’re going to want to know what goes on during the times you aren’t around—which is probably most of the time.

5 Ways your Vendor Risk Management Program Leaves You In The Dark

And what you can do about it

Document placeholder

5 Ways your Vendor Risk Management Program Leaves You In The Dark

And what you can do about it

Relationships with vendors are important (or even vital) for many organizations, but unfortunately, there’s a trade-off—the more data you share, the more risk you acquire.

Download Whitepaper
Button Arrow
So one of the most important things you can do is take a multi-pronged approach and look at all aspects of the risk of a vendor. The process of performing a third-party risk cybersecurity audit is incredibly important for understanding the true cyber security posture of your vendor. This is typically done via a continuous monitoring solution that provides up-to-date information on the health of your vendor on any given day, instead of only once a year.

Steps For Determining Third Party Risk Audit Timing

Now that you better understand why risk assessment is such an important step of the process, you now need to know when you should perform an audit. An answer to this question would probably vary, but it’d most likely be based off of time and budgetary considerations for the first party. If you told me that your last organization performed third-party cybersecurity audits annually, would that be because none of your organization’s vendors posed any kind of risk? Probably not. There just simply aren’t enough hours in the day or dollars in the budget to do more audits.

Take the first step toward a better VRM program today by downloading this free guide.

But as more attention is drawn to vendor risk management and cyber security issues—particularly due to recent highly publicized data breaches from the likes of Target, J.P. Morgan Chase, and Home Depot—more regulators and organizations are interested in specialized third-party risk audits. Following these highly publicized breaches, more companies want to know what they should be doing in addition to standard audits to keep their data safe. The following steps will help you determine how often you should perform regular audits so you can keep your data safe and secure:

  1. Figure out the industry standards for audits. Ideally, this would be somewhere around the one-year mark.
  2. Weigh industry standards against your information and intuition. There is usually a time that feels natural and appropriate for sending folks on-site for assessments, gathering information, and more. In other words, don’t just trust that the industry standard is right for your organization and your particular vendors without doing your homework.
  3. Make it clear to your vendors that security is a priority and that it will be taken very seriously.
  4. Establish a strong working relationship with the vendor. This will help when you need to request information from them in the future.

Once you’ve taken these steps, and before you set up an auditing schedule, you’ll want to:

  • Decide which assessments are most valuable so you can arrange your budget as necessary. This will help you ask and look for the right information when you begin the auditing process, so you don’t waste time or money.
  • Determine what information is most valuable in an audit and what you’ll glean from it. This will help you determine what information is critical for an audit, and what information is critical for more regular monitoring. (Which leads me to my next point.)
  • Select a continuous monitoring solution. Without this, you’ll only gain insight into the vendor you’re assessing on the day of the assessment. If you have vendors with access to your sensitive data, you’re going to want to know what goes on (and how secure the third party is) on the other 364 days of the year

In Summary

So, as we’ve explained, you can’t just rely on traditional auditing methods. These methods, while very important in the security assessment process, won’t tell you what goes on during the days that you aren’t performing an audit. But if you supplement this program with continuous cyber security monitoring in real-time, you’ll be far more prepared for any potential problems.

Download Guide: 5 Ways Vendor Risk Management Programs Leave You In The Dark (& What You Can Do About It)

Related InSights