Vendor Management Review

If you are relying on vendors for the outsourcing of key services, then you should have a well-designed process for managing those vendors.

And, while you can outsource specific activities and functions, it’s important to remember that you can’t outsource responsibility for the risks associated with those activities or functions. Your customers rely on you to protect their critical data, such as account numbers, medical records and credit card information. At the same time, your employees rely on you to protect their non-public customer information, such as social security numbers and bank account information used for payroll purposes. It’s possible you might also be relying on vendors for data backup, data center services, managed network/security services, or other key services that support your business.

At PKM, our vendor management review is designed to take a holistic approach to auditing your vendor management process. Key steps of our audit procedures include:

  • Determining how you have identified key vendors and whether any vendors have been omitted from your risk assessment process.
  • Examining your vendor management risk assessment process to determine whether the various risks have been considered, including strategic risk, transactional/operational risks, legal/compliance risk, and reputational risks, based upon the nature of the transactions processed or data stored at a particular vendor.
  • Reviewing vendor management policies and procedures to determine whether key vendor management activities have been addressed, such as contract requirements, new vendor due diligence, and the ongoing monitoring of existing vendors.
  • Determining which vendors are using subservice providers, and whether management has identified such providers and determined how far your risk extends.
  • Inspecting your ongoing monitoring of key vendors, including obtaining and reviewing each critical vendor’s Service Organization Control (SOC) reports (as applicable), financial health, information security program, penetration tests, business continuity plans and testing results, Payment Card Industry (PCI) reports, and any other pertinent information, as applicable.
  • Reviewing your vendor management reporting process to ensure that your Board of Directors and key stakeholders are aware of the results of the process and have the ability to act upon any issues identified during the process.

Our deliverable is a formal report, which will include any findings and related recommendations identified during the audit. A strong vendor management program helps a company reduce its risk and liability and helps ensure a smooth continuation of its business activities.

For more information on the PKM vendor management review, or to schedule a consultation, please contact Systems Partner Mike Morris at mmorris@pkm.com or 404-420-5669.