Whether you’re in insurance, healthcare, government, consulting, or a wide range of other fields, chances are that your company outsources products or projects to vendors. And outsourcing means added risk to your company. This is why many companies have a dedicated vendor risk management team to handle these risks.

Internal audit is positioned to help evaluate risk that arises from working with vendors. Below are steps for determining which vendors to audit and what to focus on during the audit.

Determine Which Vendors to Audit

In most cases you can’t audit ALL vendors. For one, your audit team doesn’t have the resources. And two, there’s a law of diminishing returns: auditing small vendors that carry little risk is probably an ineffective use of your time and the company’s money.

You have to choose the most important vendors to audit, but how do you choose, and where do you start? Here are a few ideas to narrow down the vendors in your risk assessment.


  • Catalog your vendors. Some companies already have a plan that outlines high-risk vendors. “This may seem like a given,” writes Sean Cronin, President of Process Unity, “but you’d be surprised how many companies have a disorganized approach when it comes to hiring third parties.” Cronin suggests that audit create a comprehensive catalog of suppliers, what they offer, and even which groups within the business could leverage vendors’ services.

  • Profile your vendors internally to gauge inherent risk. Inherent risk is the risk a vendor relationship carries before any of the vendor’s controls are considered: what data the vendor handles, what access it has into your systems, and how critical its service is to the business. Interviewing the business unit that uses the vendor’s services helps audit pinpoint certain areas to investigate with the vendor. Once you catalog the vendors and determine how they are used in the company, you can begin to categorize them.
  • Categorize your vendors into “buckets” for further action. Cronin outlines how to do this: “Hospitals, for example, would have an insurance company bucket, a lab services bucket, a medical equipment supplier bucket, and so on.” This way, “vendors in any given bucket can be assessed in a similar fashion because they should have common risk factors.”
  • Use a questionnaire for self-assessment. Vendors with a high or medium inherent risk rating are accustomed to these self-assessment questionnaires. But you might want to consider using the questionnaire beyond the vendors that require it, because it helps to define potential risk to investigate. Keep the questionnaire concise and specific. Too many questions invite wandering answers, or the questionnaire may not be returned at all.
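The four steps above (catalog, profile for inherent risk, bucket, then decide who gets a questionnaire and an audit) are easy to describe and easy to apply inconsistently. The following script is an added example, not code from the article or from Process Unity; it tiers a small constructed vendor catalog with an assumed scoring rule (data access or system access alone is at least medium risk; both together, or one plus a critical service and high spend, is high risk), groups vendors into buckets, and picks which vendors fit a fixed audit capacity. The vendor names, the spend threshold and the scoring weights are all assumptions made for illustration.

```python
"""Added example (not from the article): tier a vendor catalog by inherent risk,
group it into buckets, and pick which vendors get a questionnaire and an audit.
The scoring weights, thresholds and sample vendors are assumptions for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Vendor:
    name: str
    bucket: str              # service category, e.g. "lab services"
    handles_npi: bool        # processes non-public customer information
    system_access: bool      # holds credentials or network access into our systems
    critical_service: bool   # an outage halts a business process
    annual_spend_usd: int


def inherent_risk(v: Vendor) -> Tier:
    """Inherent risk: the risk before any vendor controls are considered.
    Assumed rule: NPI or system access alone is at least MEDIUM; both together,
    or either one plus a critical service and high spend, is HIGH."""
    score = 0
    if v.handles_npi:
        score += 2
    if v.system_access:
        score += 2
    if v.critical_service:
        score += 1
    if v.annual_spend_usd >= 250_000:   # assumed spend threshold
        score += 1
    if score >= 4:
        return Tier.HIGH
    if score >= 2:
        return Tier.MEDIUM
    return Tier.LOW


def needs_questionnaire(v: Vendor) -> bool:
    """Self-assessment questionnaires go to medium- and high-risk vendors."""
    return inherent_risk(v) >= Tier.MEDIUM


def group_by_bucket(catalog):
    """Vendors in one bucket share risk factors and can be assessed the same way."""
    buckets = defaultdict(list)
    for v in catalog:
        buckets[v.bucket].append(v.name)
    return dict(buckets)


def audit_plan(catalog, capacity: int):
    """Audit hours are finite: rank by tier, then by spend, and take the top N."""
    ranked = sorted(catalog, key=lambda v: (inherent_risk(v), v.annual_spend_usd), reverse=True)
    return [v.name for v in ranked[:capacity]]


# Constructed hospital-style catalog, following the buckets Cronin describes.
CATALOG = [
    Vendor("Acme Health Insurance", "insurance", True, False, False, 400_000),
    Vendor("Reference Lab Services", "lab services", True, True, True, 900_000),
    Vendor("MedEquip Supply", "medical equipment", False, False, True, 1_200_000),
    Vendor("Cloud EHR Hosting", "IT services", True, True, True, 2_000_000),
    Vendor("Cafeteria Catering", "facilities", False, False, False, 30_000),
]

if __name__ == "__main__":
    for v in CATALOG:
        print(f"{v.name:25} {inherent_risk(v).name:7} questionnaire={needs_questionnaire(v)}")
    print("buckets:", group_by_bucket(CATALOG))
    print("audit this cycle:", audit_plan(CATALOG, capacity=2))
```

With a capacity of two audits, the plan selects the two high-risk vendors (EHR hosting and the reference lab); the medium-risk equipment supplier and insurer still receive a questionnaire, and the caterer receives neither. The point of encoding the rule is that the same vendor attributes always produce the same tier, so the selection can be defended when the audit committee asks why a vendor was skipped.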

Now that you’ve identified all vendors and determined which vendors present the greatest risk, it’s time to focus on areas to assess for each vendor.

Review Individual Vendors

Vendor risks can quickly become your company’s risks too. As such, there are some common areas to review for each vendor that will keep your own company safe.

Some common areas to review for individual vendors include the following:

  • Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP). Are BCPs and DRPs in place and fully tested?
  • Secure coding and IT controls. If the vendor has access into your systems, what controls does it have in place to protect your sensitive data, and how is the software it delivers or operates developed and maintained?
  • Issue resolution/remediation. Does the vendor audit itself? What is the company culture toward solving problems? How has the vendor resolved issues in the past?
  • Insurance coverage. Does the vendor have the correct type and amount of insurance to ensure consistency in maintenance and delivery?

Although these items may seem routine for vendor risk management, the vendor’s company will probably have a different culture and different expectations. As such, the way it tests for disaster could be vastly different from the way your company tests for disaster. Take time to step outside the audit box and look at how the vendor actually operates. How organized is IT? How responsive is HR? You don’t have to join them in the trenches, but it’s helpful to get a flavor for the tone and structure of their company.

Perform Due Diligence

Closely related to reviewing the vendor is basic due diligence, such as reviewing the risk-based procedures the vendor has in place and looking at its long-term reputation.

Working with the wrong vendor could not only tarnish your company’s reputation but also result in fines. For instance, a non-profit may be required to check that none of its vendors are affiliated with terrorist networks; otherwise, it could face government penalties.

For new vendors, the due diligence checklist might assess additional information such as audit reports, business continuity plans (BCP), insurance coverage, and technology usage and integration with your company.

Write Up Common Vendor Issues

Inevitably, the vendor risk management process isn’t perfect, and audit will report the findings to the company. Below are example sentences for reporting these common vendor issues.

  • Vendor privacy. The company does not have a comprehensive list of all vendors with access to non-public customer information.
  • New vendor process. For new vendors, the company does not evaluate or document vendor risks before signing the contract.
  • Vendor BCP/DRP. Management has not reviewed vendor BCPs or DRPs to discern whether the vendor can recover and continue service in a disaster situation.


In the end, all companies function a little differently from one another. Many of us can note distinctive differences (culture, risk appetite, and more) between the companies we’ve worked for. What is a normal process at your company might not be normal at the vendor, opening up risks that could leave your own company more vulnerable than expected.

Interested in learning more about this topic and other similar ones? Mark your calendars for our upcoming ITAC Conference in San Diego and the highly-anticipated SuperStrategies in Las Vegas.