How Often Should You Do A Third-Party Risk Audit With Your Vendors?
Melissa Stevens | August 6, 2015
When you think of an audit, what comes to mind? If you’re at all familiar with the traditional auditing process, I’d imagine your answer would look something like this:
An audit is a thorough analysis and comprehensive review of a third-party program. It goes through the nuts and bolts of it all, parsing through governance issues, policies and procedures, documentation, assessment results, certifications, other third-party assessments, and more. It can also include on-site inspections to observe what people are doing and to see the day-to-day interactions inside an organization.
Am I close? Essentially, traditional audits are extremely thorough “vendor check-ins” to find out how things are going and what has changed since your last vendor check-in.
Comprehensive Third-Party Risk Audit Solutions
Now, what if I asked you this important question:
“What are you missing after a traditional audit?”
Many organizations worried about the overall security of their data ask this question, and it is certainly worth discussing. At the end of the day, audits are still very important. But the fact remains that most organizations will pass an audit. The real issue comes when the auditors are no longer on-site. Think of an audit as a one-day exam: it tests the “knowledge” and “competency” of the third party on that one specific day. But wouldn’t you agree that a better test comes on day three? Or day 257? As long as that third party has a great deal of access to your sensitive information, you’re going to want to know what goes on during the times you aren’t around, which is most of the time.
So one of the most important things you can do is take a multi-pronged approach and look at all aspects of a vendor’s risk. A third-party risk audit is incredibly important for understanding the true cyber security posture of your vendor, but it gives you a snapshot. To fill in the gaps between audits, supplement it with a continuous monitoring solution that provides up-to-date information on the health of your vendor on any given day, instead of only once a year.
Steps For Determining Third Party Risk Audit Timing
Now that you better understand why risk assessment is such an important step of the process, you need to know when you should perform an audit. The answer varies, but it is most likely based on time and budgetary considerations for the first party. If you told me that your last organization performed third-party audits annually, would that be because none of your organization’s vendors posed any kind of risk? Probably not. There simply aren’t enough hours in the day or dollars in the budget to do more audits.
Figure out the industry standards for audits. For most industries this lands somewhere around the one-year mark.
Weigh industry standards against your own information and intuition. There is usually a cadence that feels natural and appropriate for sending folks on-site for assessments, gathering information, and more. In other words, don’t just trust that the industry standard is right for your organization and your particular vendors without doing your homework.
Make it clear to your vendors that security is a priority and that it will be taken very seriously.
Establish a strong working relationship with the vendor. This will help when you need to request information from them in the future.
Once you’ve taken these steps, and before you set up an auditing schedule, you’ll want to:
Decide which assessments are most valuable so you can arrange your budget as necessary. This will help you ask and look for the right information when you begin the auditing process, so you don’t waste time or money.
Determine what information is most valuable in an audit and what you’ll glean from it. This will help you determine what information is critical for an audit, and what information is critical for more regular monitoring. (Which leads me to my next point.)
Select a continuous monitoring solution. Without this, you’ll only gain insight into the vendor you’re assessing on the day of the assessment. If you have vendors with access to your sensitive data, you’re going to want to know what goes on (and how secure the third party is) on the other 364 days of the year.
So, as we’ve explained, you can’t rely on traditional auditing methods alone. These methods, while very important in the security assessment process, won’t tell you what goes on during the days that you aren’t performing an audit. But if you supplement this program with continuous cyber security monitoring, you’ll be far better prepared for any potential problems.