Author: Wendy | Publish Time: 2023-04-28
It is recommended to follow a risk-based approach to supplier audits, which should account for the established supplier audit methodology. Supplier audits interpret risk by identifying the applicable requirements and ensuring communication with the supplier’s management to determine risk thresholds and implement required controls. Risk-based supplier audits address the likelihood of incidents occurring due to vulnerabilities such as deficient safeguards, technologies, policies and procedures. Adding a risk statement to an audit finding adds value to the supplier audit process. An audit plan should be created that addresses the audit purpose, scope and criteria.
The audit purpose may be to determine the extent of conformity to the supplier agreement or to evaluate the supplier’s ability to meet the organization’s requirements. An audit also may be conducted for more specific purposes, such as:
To determine whether information security incidents and problems are managed properly
To determine whether changes in supplier services or business status have affected service delivery
To review supplier audit trails and records of information security events, operational problems and failures; tracing of faults; and disruptions related to the service delivered
To determine the degree of compliance with data privacy requirements
To evaluate the supplier's business continuity capabilities
The audit scope should include the physical location(s) of the organization as applicable and its business functions, activities and processes. The scope should be consistent with the supplier audit program and supplier audit objectives.
The audit criteria are used as a reference by which conformity is determined. The criteria may include one or more of the following:
Applicable policies, processes and procedures
Performance criteria including objectives, statutory and regulatory requirements
Supplier agreements or schedules
An audit may focus on areas such as information security, cybersecurity, data privacy or business continuity. The audit plan should also specify:
Which auditor audits what areas or processes and in which location
The day and time of each portion of the audit
The duration of the audit as a whole and the duration of each individual area or function assessment
The auditee from the supplier organization
The mode of audit (i.e., onsite, remote, hybrid)
The audit plan should factor in time for briefing (i.e., setting the context and tone), debriefing (i.e., disclosing the audit findings) and breaks during the workday so that time is effectively managed. In some instances, an audit plan may include the use of official interpreters or translators, a technical expert (e.g., a representative from the organization’s business or an external resource) and/or an audit guide (i.e., a representative from the supplier organization who facilitates the audit).
Care should be taken so that the auditors' and auditees' time does not overlap during a particular process. Sufficient time must be allotted for the supplier auditors to review and discuss the audit findings before formally disclosing them as part of the debriefing session. The audit plan must be flexible and account for holidays, local regulations and restrictions (e.g., lockdown due to the COVID-19 pandemic), and the availability of personnel. The supplier should review and sign off on the audit plan well in advance so that there are no surprises.