Planning for a Supplier Audit

Author: Wendy     Publish Time: 2023-04-28     Origin: Site

It is recommended to follow a risk-based approach to supplier audits, consistent with the organization’s established supplier audit methodology. A supplier audit interprets risk by identifying the applicable requirements and communicating with the supplier’s management to determine risk thresholds and implement the required controls. Risk-based supplier audits address the likelihood of incidents arising from vulnerabilities such as deficient safeguards, technologies, policies and procedures. Adding a risk statement to each audit finding adds value to the supplier audit process. An audit plan should be created that addresses the audit purpose, scope and criteria.

Audit Purpose

The audit purpose may be to determine the extent of conformity to the supplier agreement or to evaluate the supplier’s ability to meet the organization’s requirements. An audit may also be conducted for more specific purposes, such as:

To determine whether information security incidents and problems are managed properly

To determine whether changes in supplier services or business status have affected service delivery

To review supplier audit trails and records of information security events, operational problems and failures; tracing of faults; and disruptions related to the service delivered

To determine the degree of compliance with data privacy requirements

To evaluate the supplier's business continuity capabilities

Audit Scope

The audit scope should include the supplier’s physical location(s), as applicable, and the business functions, activities and processes being audited. The scope should be consistent with the supplier audit program and the supplier audit objectives.

Audit Criteria

The audit criteria are the reference against which conformity is determined. The criteria may include one or more of the following:

Applicable policies, processes and procedures

Performance criteria, including objectives and statutory and regulatory requirements

Supplier agreements or schedules

An audit may focus on areas such as information security, cybersecurity, data privacy or business continuity.

Further, the audit plan should contain details such as:

Which auditor audits what areas or processes and in which location

The day and time of each portion of the audit

The duration of the audit as a whole and the duration of each individual area or function assessment

The auditee from the supplier organization

The mode of audit (i.e., onsite, remote, hybrid)

The audit plan should factor in time for briefing (i.e., setting the context and tone), debriefing (i.e., disclosing the audit findings) and breaks during the workday so that time is effectively managed. In some instances, an audit plan may include the use of official interpreters or translators, a technical expert (e.g., a representative from the organization’s business or an external resource) and/or an audit guide (i.e., a representative from the supplier organization who facilitates the audit).

Care should be taken that the auditor’s and the auditee’s schedules do not overlap during a particular process. Sufficient time must be allotted for the supplier auditors to review and discuss the audit findings among themselves before formally disclosing them in the debriefing session. The audit plan must be flexible and account for holidays, local regulations and restrictions (e.g., lockdown due to the COVID-19 pandemic), and the availability of personnel. The supplier should review and sign off on the audit plan well in advance so that there are no surprises.