Why you should conduct the right to audit

Having a right-to-audit clause in your contracts with your suppliers is a pretty standard thing to include. Unfortunately, the right to audit is barely used. Nowadays we see large enterprises starting to regularly exercise the right to audit on their suppliers (besides receiving third-party assurance reports). The reason? To be more in control!

Disruptions in the supply chain

Research by the Business Continuity Institute shows that more than half of organizations (52%) experienced supply chain disruptions (BCI Supply Chain Resiliency Report 2019). Disruption within IT plays a significant role in these supply chain disruptions, for example unplanned IT or telecom outages (44%) and cyber-attacks and data breaches (26%). The financial impact of the disruptions is over one million euros for over 10 percent of the organizations. We conclude that a disruption among suppliers is not a risk with a low impact and probability. It is a risk to take seriously.

Monitoring custom/specific agreements

Most suppliers nowadays understand that third-party assurance reports are crucial when serving larger organizations. However, a third-party assurance report provides insight specifically into the controls a supplier chooses to report on. With the introduction of the SOC 2 standard, a comprehensive framework became available for such audits. Even so, the controls still cover generic subjects.

When using a supplier for specific services, risks that are part of your risk assessment may not be covered by the objectives and controls stated in the third-party assurance report. Likewise, when specific agreements are made, those agreements may not be covered by the supplied audit reports. Conducting your own audit of your supplier provides more insight into those specific agreements and addresses the risks defined in your risk assessment.

Compliance with laws and regulations (specifically privacy)

Of course, every organization must comply with the laws and legislation that apply to its business. However, if a supplier does not comply, it can affect your organization's brand. What if your data that is stored at a supplier gets stolen or distributed? Will your clients still trust your security?
To get a better understanding of, and to be in control of, data protection, conducting the right to audit on your supplier(s) helps. Besides providing more confidence in the confidentiality, integrity, and availability of the data and processes you outsource, the audit should also be recorded in your data processing register for GDPR compliance.

Whether or not you have specific agreements or SLAs with your suppliers, conducting the right to audit will be beneficial for your organization. An audit of the design and existence of your supplier's procedures will give you insight into the control environment of your critical assets. Based on the risks, you can opt for a more stringent audit and test the operational effectiveness of procedures and controls.

Contrisity supports you in performing supplier audits as part of your internal organization. We can also perform an audit and deliver a third-party assurance report based on the objectives your organization defines.