Wipfli logo
Back to Articles

Vendor management reviews: You can’t do without them

Mike Morris
Mike Morris
Apr 03, 2020
6 min read

Does your organization rely on vendors for critical functions, such as data storage or network security? Do they process financial transactions for your organization? Many companies outsource key services to vendors. But your customers, employees and stakeholders rely on you to protect their financial and personal information, as well as their financial transactions.

So long as you entrust a vendor with the safety and integrity of critical business or customer data, you must monitor that vendor to verify that the data will be both protected and available. You can outsource specific activities and functions, but you can’t outsource your responsibility for any risks associated with those actions. 

That means a periodic vendor management review should be an essential part of your vendor-management process. A thorough and holistic review is the only way to determine whether you can safely depend on your key vendors — whether they provide data backup, data center services, managed network security services or other key services that support your business. 

Vendor management requires a holistic approach

The first step in an effective vendor management review is to take a hard look at how you determine who your key vendors are. Much potential risk can be hidden in seemingly innocuous business services, so it’s important to turn an experienced eye to your vendor dependencies and vulnerabilities and to examine all your relationships. 

Your accounts payable list is a great place to start to ensure that you have a full population of vendors to analyze. While there will be many vendors on the accounts payable list that will not be deemed critical, it is important that each be evaluated to determine whether they have access to sensitive information and or are processing financial transactions on your behalf. 

Once you have identified your critical vendors, you should evaluate each vendor using the following categories of risk: 

  • Reputational
  • Cyber
  • Strategic
  • Transactional and operational
  • Legal and compliance

Let’s examine these categories in more detail.

Reputational risk

Reputational risk impacts the level of trust your customers and the marketplace have in your organization. Trust can be negatively impacted by a vendor. For example, the Target breach was caused by a vendor, Fazio Mechanical Services. While the vendor was at fault for the initial breach, Target’s name was in all of the headlines.

To the extent that they are associated with your organization in the public imagination, anything disreputable that a vendor does is liable to sully your firm’s good name. It’s critical to closely watch your vendors to ensure they have proper controls in place to protect their reputation and that they have the correct “tone at the top” to run a business with integrity. Finally, it’s important to monitor critical vendors in social media to see if there are emerging issues that could impact your reputation.

Cyber risk

Cyber risk is another area serious trouble can arise in from otherwise insignificant elements of your business ecosystem. Cybersecurity is only as strong as its weakest link. It’s critical to understand the cyber risk each critical vendor poses and identify controls to monitor that risk. For example, if a vendor is processing credit cards on your behalf, then you should be obtaining and reviewing a copy of their Payment Card Industry Data Security Standards (PCI DSS)report annually.  

Also, if a company is hosting transactional websites on your behalf, you should be reviewing their cyber resiliency program (e.g., information/cybersecurity program, incident response plan and annual testing documentation, employee cybersecurity training results, penetration testing overview and remediation efforts).   

With so many critical systems and services now based in the cloud and accessed remotely, the attack surface for cyber threats has never been broader. This is especially true if a vendor’s employees access systems remotely. 

Be sure to determine what access your vendors have to your systems and data, and for how long they have it. If they’re meaningfully connected to your company, review their cybersecurity practices — not just to learn which security services they use for their in-house systems but also to determine whether their employees are connecting in unsafe ways. 

Does the vendor have and enforce policies against using obsolete devices, operating systems or software? Do they insist on two-factor authentication or a remote-access virtual private network (VPN)? These are the types of questions to ask. 

Strategic risk

Keep an eye on large-scale, evolving risks that can arise when a vendor doesn’t fit into your overall strategy. Good day-to-day performance might lull you into letting serious problems develop. 

For example, suppose a vendor slowly builds out your data management system into a unique, proprietary operation. Such a system would be prohibitively expensive to transfer to another vendor that doesn’t know its quirks. In this scenario, the vendor is free to raise the price of its service far beyond what it could charge if your system were interoperable with standard systems.

Transactional and operational risk

Whatever product or service a vendor sells you, it simply must work. An up-to-date understanding of the likelihood of a significant interruption in service, and how exposed you are to adverse effects if the vendor fails, is crucial.   

If a vendor’s quality assurance is slipping, you need to know. With transactional risk, you want to understand the completeness and accuracy of their controls. This should be documented in a Service and Organization Controls (SOC) 1 report covering a period of time to show operating effectiveness of the controls (a Type II report). Operational risk extends to the risk of errors, outages or criminal activity. Again, a SOC 1 Type II report should be obtained and reviewed to identify areas of weakness in a vendor’s controls.

If a vendor is drifting toward bankruptcy or another sudden shutdown, you need to know. Reviewing the financial health of your vendors, ideally through audited financial statements, is critical. We have seen instances where a deteriorating financial condition had repercussions on internal controls, where layoffs impacted segregation of duties and, in the most drastic instances, where controls were abandoned altogether.

One of our clients was using a third party to print statements. One month, after an improper application change by the vendor, the vendor sent out statements on our client’s behalf that were grossly inaccurate. In this instance, it was both an operational and a reputational risk that impacted our client.  

If a vendor has high risks stemming from a likelihood of natural disasters, equipment failure or human threats, you need to know. Reviewing your vendor’s ability to maintain ongoing operations during a serious disruption, such as a tornado, fire, hacking attack, etc. is critical. Review a vendor’s business continuity plan and annual testing results annually. Additionally, if a vendor allows you to participate in their annual test, make sure that you choose to participate and document the results.

Legal and compliance risk

The government will not consider your responsibilities to have been outsourced if one of your vendors runs afoul of regulations or laws. It’s up to you to determine and manage the legal/compliance risks your vendors might pose. 

A vendor management review should examine vendors’ compliance with all the laws and regulations that govern both your business and the vendors’ businesses. Ask these questions:

  • Do they have compliance and risk management structures in place? 
  • Do they document everything that regulations require? 
  • Are they investing enough resources in protecting data that your company is responsible for? 
  • Do they keep abreast of legal changes that affect your business? 

Data privacy alone is guarded by a thicket of laws and regulations that are easy to break simply through carelessness, lack of attention or lack of resources. 

Make your review actionable

Each of the risks considered here should be assessed within the contexts of the functions that your vendors provide. Develop a comprehensive report of both findings and recommendations. Then, deliver your report to the board of directors and other key stakeholders, who should immediately begin to mitigate risk and otherwise act on any identified issues. 

By following the necessary procedures for a strong vendor risk management review, you can help your company reduce risk and liability. And that can help improve the continuation of business activities.

Author(s)

Mike Morris
Mike Morris
CISA, Partner
View Profile

See how we can help improve your risk operations and compliance: 

Securing your data
How we helped one organization undertake both HITRUST and SOC audits successfully.
See their story

TOP PICKS

Drew Baker
Drew Baker 03/13/2023
How the Cloud Controls Matrix helps protect your organization
Read full story
Torpey White
Torpey White 08/23/2021
SOC 1 vs SOC 2: What’s the difference?
Read full story
Artur Kuznetsov
Artur Kuznetsov 02/17/2021
Why information security policies and procedures are so important
Read full story