6 pros for auditing your supplier


There are many benefits to auditing your supplier. In an earlier blog I wrote about why you should have a right to audit. In this blog we discuss six pros of conducting an audit on your supplier.

1. Know your dependencies

When using a service organization, there are usually some common criteria for operating the service securely. Take logging in: if users do not log out of active sessions and/or share their passwords, how can a service provider guarantee that no unauthorized people use the service? When a supplier provides a third-party assurance report such as ISAE 3402 or SOC 2, such common criteria are usually incorporated in the report; however, these criteria are based on the supplier's own risk and control framework. In an audit where the objectives are defined by the customer, the aspects the customer expects the service provider to cover are often common controls that are partly the responsibility of the third party and partly of its client. Auditing your supplier provides transparency and makes sure the risks you see are covered.

2. Investigate on incidents

Did your supplier have a cyber security incident, and did you wonder how that was possible at a supplier you trusted? You can hope for the best and assume your supplier followed up on that incident appropriately, but you can also check to be sure that incidents are handled with care. The main reason for outsourcing is usually to be unburdened. Exercising a right to audit is a very good way to regain that trust.

3. Ensure privacy is incorporated

Privacy is a hot topic, and more and more rules and regulations are defined to ensure that the privacy of individuals is protected at every company. Of course, every company must ensure it meets the laws and regulations that apply to it, but what if a company doesn't? If (personal) data is not properly secured and processed, not only will the third party be disadvantaged with a fine; when your clients discover that the third party is one of your service organizations, your brand is damaged too. By auditing this aspect of your suppliers you make sure your third parties have implemented the controls you agreed on to ensure privacy is properly protected.

4. Trace the chain

Do you know whether or not your service organization uses other third parties? Are those parties in the scope of the third-party assurance report, or are they carved out? You can partly trace the chain of suppliers that directly influence the service by reading the third-party assurance report, but what about third parties they use that can indirectly influence the service (such as a third-party support system)? If this can be a risk for your organization, you want to know what the impact would be and what has been agreed about those services. For example: you host your data at a service provider, and the support and monitoring tool they use comes from a third party of your supplier. What is the impact if that tool is unavailable for some time? The hosting service continues, but you lose monitoring options that can be crucial when you are in the middle of a project. If you have a proper overview of the risks, tracing the chain makes sure the right aspects are audited.

5. Trust your SLA

Do you sometimes have trouble with your supplier, or do you not trust the SLA reports? It may be useful to audit these reports. Perhaps the hosted website seems unreachable 10% of the time, yet the service provider shows a report every month saying the website was online 99.98% of the time. By auditing the way SLA reports are created you gain confidence in the honesty of your service provider. It may be that an improper way of monitoring is used, such as measuring the uptime of the web server without measuring the uptime of the server's connectivity. It may also be that your office connection is unreliable or that there are issues at your internet provider. An audit of the SLA gives you clarity on whether or not your SLA reports can be trusted.
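The mismatch described above, between a web server that reports itself as healthy and a site that is unreachable from outside, is easiest to check on the raw monitoring data rather than on the monthly percentage. The following Python script is an added example (not code from the original post or from Contrisity): it builds a constructed probe log with a `local` health-check stream and an `external` end-to-end stream covering the same period, recomputes availability from each, and lists the outage windows as evidence. The log line format, the probe names, the one-minute probe interval, the outage timing and the 99.98% target are all assumptions made for the example.

```python
"""Recompute SLA availability from raw probe logs.

Added example, not from the original post. It contrasts two constructed
probe streams covering the same period:
  - "local":    the web server's own health check, the kind of figure a
                hosting provider's monthly SLA report is often built on
  - "external": an end-to-end HTTP check from outside the provider's network
The same period yields a very different uptime depending on which stream
the report is built from; that gap is what an SLA audit should surface.
"""
from datetime import datetime, timedelta

STEP = timedelta(minutes=1)  # probe interval assumed for both streams


def build_sample_log(start: datetime = datetime(2024, 3, 1),
                     minutes: int = 1000) -> list[str]:
    """Constructed sample log: one line per minute per source.

    The local check never fails. The external check sees a connectivity
    outage from minute 20 up to (not including) minute 120, i.e. 100 minutes
    during which the server process is fine but nobody can reach it.
    """
    lines = []
    for i in range(minutes):
        ts = (start + i * STEP).isoformat()
        lines.append(f"{ts} local up")
        lines.append(f"{ts} external {'down' if 20 <= i < 120 else 'up'}")
    return lines


def parse_line(line: str) -> tuple[datetime, str, bool]:
    """Parse '<iso-timestamp> <source> <up|down>' into (ts, source, is_up)."""
    ts, source, state = line.split()
    if state not in ("up", "down"):
        raise ValueError(f"unexpected probe state: {state!r}")
    return datetime.fromisoformat(ts), source, state == "up"


def availability(lines: list[str], source: str) -> float:
    """Fraction of probes from `source` that reported up."""
    states = [up for _, src, up in map(parse_line, lines) if src == source]
    if not states:
        raise ValueError(f"no probes from source {source!r}")
    return sum(states) / len(states)


def downtime_windows(lines: list[str], source: str,
                     step: timedelta = STEP) -> list[tuple[datetime, datetime]]:
    """Contiguous down periods as (start, end) pairs: the evidence to put
    next to the provider's report rather than a single percentage."""
    downs = sorted(ts for ts, src, up in map(parse_line, lines)
                   if src == source and not up)
    windows: list[list[datetime]] = []
    for ts in downs:
        if windows and ts - windows[-1][1] <= step:
            windows[-1][1] = ts + step       # extend the current window
        else:
            windows.append([ts, ts + step])  # start a new window
    return [(s, e) for s, e in windows]


def sla_gap(lines: list[str], target: float = 0.9998) -> dict:
    """Compare both measurements against the contractual target (assumed)."""
    local = availability(lines, "local")
    external = availability(lines, "external")
    return {
        "local": local,
        "external": external,
        "local_meets_target": local >= target,
        "external_meets_target": external >= target,
    }


if __name__ == "__main__":
    log = build_sample_log()
    result = sla_gap(log)
    print(f"local availability:    {result['local']:.2%}")
    print(f"external availability: {result['external']:.2%}")
    for start, end in downtime_windows(log, "external"):
        print(f"external outage {start} -> {end} ({end - start})")
```

Run as a script it reports 100.00% for the local stream and 90.00% for the external one, with a single 100-minute outage window: the provider's number and the customer's experience can both be "correct" while measuring different things, which is why the audit has to establish what the SLA report is computed from. Ask for the probe interval as well: a probe that runs every five minutes cannot see a two-minute outage, so a coarse interval silently flatters the figure.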

6. Trust your supplier

Does your supplier invoice your company based on specific usage, or are you having a dispute about specific technical details? An auditor can help by performing tests on the accuracy, completeness, and timeliness of data, and can audit an environment against common and/or legal standards. When you are in a dispute this helps clarify the issues you experience and gives you clarity on whether or not assumptions and/or accusations are correct.

Above all, it is important to understand and define the risks and objectives you see in the services your supplier provides and in the cooperation between your organization and your supplier. Contrisity can support you in defining proper risks and objectives as the basis of a supplier audit. We can also perform the supplier audit itself.