Preparing Your First Supplier Audit Plan

Author: Chetan Anand, CDPSE, Agile Scrum Master, CCIO, CPISI, OneTrust Fellow of Privacy Technology, IRAM2, ISO 27001 LA, ISO 22301 LA, ISO 27701, ISO 31000, ISO 9001 LA, Lean Six Sigma Green Belt, NLSIU Privacy and Data Protection Laws, SQAM
Date Published: 7 July 2022

Organizations outsource processes and services for a variety of reasons: to cut costs, preserve resources, make room for growth and remain competitive in their industries. But, ultimately, it is the enterprise, not the supplier, that is legally and contractually responsible for protecting its information. To maintain information security, data privacy, business continuity, and service delivery, organizations should regularly monitor, review and audit their suppliers. Thus, it is worth examining best practices for preparing a first supplier audit plan.

Establishing the Criteria for Performing Supplier Audits

It may be challenging (or nearly impossible) to audit all suppliers, particularly for large organizations that utilize many services. Therefore, it is vital to establish criteria that aid in selecting which suppliers to audit. Criteria may include the type of information being processed by the supplier, the supplier’s level of access to information, the importance of the process being outsourced or the services being provided, supplier risk and/or customer contractual obligations.

Understanding Audit Requirements

The supplier auditor must understand that supplier audits carry their own requirements. For example, there may be local legal and regulatory requirements that apply (e.g., the EU General Data Protection Regulation [GDPR], India’s Information Technology Act, the California Consumer Privacy Act [CCPA] in the United States). Requirements may also arise from a contract, master services agreement or annexure agreed with the customer (e.g., a customer requirement that the organization audit its supplier with a focus on service provisioning, information security, business continuity, privacy or a combination of these focus areas). In addition, if an organization is certified or planning to become certified against the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) information security management system standard ISO/IEC 27001:2013, then its requirements apply (e.g., Control A.15.2.1—Monitoring and review of supplier services). An organization may also have its own policy describing requirements for conducting supplier audits. Further, an organization may have agreed with the supplier on including a right-to-audit clause in the contract, which is generally a prerequisite for conducting a supplier audit.

Planning for a Supplier Audit

A risk-based approach to supplier audits is recommended, following the organization’s established supplier audit methodology. Supplier audits interpret risk by identifying the applicable requirements and communicating with the supplier’s management to determine risk thresholds and implement the required controls. Risk-based supplier audits address the likelihood of incidents occurring because of vulnerabilities such as deficient safeguards, technologies, policies and procedures. Adding a risk statement to each audit finding adds value to the supplier audit process. An audit plan should be created that addresses the audit purpose, scope and criteria.

Audit Purpose
The audit purpose may be to determine the extent of conformity to the supplier agreement or to evaluate the supplier’s ability to meet the organization’s requirements. An audit also may be conducted for more specific purposes, such as:

  • To determine whether information security incidents and problems are managed properly
  • To determine whether changes in supplier services or business status have affected service delivery
  • To review supplier audit trails and records of information security events, operational problems and failures; tracing of faults; and disruptions related to the service delivered
  • To determine the degree of compliance with data privacy requirements
  • To evaluate the supplier’s business continuity capabilities

Audit Scope
The audit scope should include the physical location(s) of the organization as applicable and its business functions, activities and processes. The scope should be consistent with the supplier audit program and supplier audit objectives.

Audit Criteria
The audit criteria are used as a reference by which conformity is determined. The criteria may include one or more of the following:

  • Applicable policies, processes and procedures
  • Performance criteria including objectives, statutory and regulatory requirements
  • Supplier agreements or schedules

An audit may focus on areas such as information security, cybersecurity, data privacy or business continuity.

Further, the audit plan should contain details such as:

  • Which auditor audits what areas or processes and in which location
  • The day and time of each portion of the audit
  • The duration of the audit as a whole and the duration of each individual area or function assessment
  • The auditee from the supplier organization
  • The mode of audit (i.e., onsite, remote, hybrid)

The audit plan should factor in time for briefing (i.e., setting the context and tone), debriefing (i.e., disclosing the audit findings) and breaks during the workday so that time is effectively managed. In some instances, an audit plan may include the use of official interpreters or translators, a technical expert (e.g., a representative from the organization’s business or an external resource) and/or an audit guide (i.e., a representative from the supplier organization who facilitates the audit).

Care should be taken that an auditor or auditee is not scheduled for more than one process at the same time. Sufficient time must be allotted for the supplier auditors to review and discuss the audit findings before formally disclosing them in the debriefing session. The audit plan must be flexible and account for holidays, local regulations and restrictions (e.g., lockdowns due to the COVID-19 pandemic) and the availability of personnel. The supplier should review and sign off on the audit plan well in advance so that there are no surprises.

Preparing a Supplier Audit Checklist

An auditor conducting their first independent supplier audit may benefit from preparing a list of items they wish to review in each process area.

Possible items to review during the audit include:

  • How is the supplier tracking conformity to the agreed supplier contract?
  • What actions are taken if a particular service level agreement (SLA) is not met?
  • How is the supplier tracking compliance with applicable and relevant legal and regulatory requirements?
  • What actions are taken if there is a legal noncompliance issue identified by the supplier?
  • What is the supplier’s approach to managing information security and privacy risk?
  • How is the supplier ensuring that all staff are trained on information security and privacy?

The checklist should not introduce bias; rather, it should help the auditor assess the relevant areas adequately and in a timely manner, and give a new auditor a sense of confidence. Inputs to the list can come from the following:

  • Supplier agreements
  • Specific information security, data privacy and business continuity schedules
  • Security incidents
  • Customer organization’s contractual information security, business continuity and data privacy requirements
  • Applicable legal and regulatory requirements, organizational policies, processes and procedures

It may be helpful to study the supplier organization’s website to gain an understanding of its overall operations, service offerings and management. Auditors can also obtain feedback from the organization’s stakeholders about their suppliers as another source of input. The list of items to be audited can be discussed and reviewed with the supplier several days before the audit. Auditors should plan to verify the supplier’s responses with objective evidence during the audit.

Conclusion

The success of a supplier audit lies in the supplier audit plan. It is important for the supplier auditor to plan thoroughly and in advance. The audit plan should clearly state the audit’s purpose, scope, criteria, available resources and schedule of activities. The supplier organization should review and approve the audit plan before the audit takes place. Lessons learned from the first supplier audit should form the input for subsequent audits, as this supports continual improvement of the supplier audit planning process.

Chetan Anand, CDPSE, Agile Scrum Master, CCIO, CPISI, OneTrust Fellow of Privacy Technology, IRAM2, ISO 27001 LA, ISO 22301 LA, ISO 27701, ISO 31000, ISO 9001 LA, Lean Six Sigma Green Belt, NLSIU Privacy and Data Protection Laws, SQAM, is the associate vice president of information security and chief information security officer (CISO) at Profinch Solutions, where he oversees all strategic and operational aspects of information security. He has 19 years of professional experience in information and cybersecurity, business continuity, privacy, risk and quality. He has worked in various industries such as IT, IT-enabled services (ITES), fintech, healthcare, pharmaceuticals, manufacturing, research and development, and in various capacities including technical, managerial and leadership roles. He has contributed to Information Security Forum (ISF) research on continuous supply chain assurance and assisted with report reviews and functionality testing of ISF tools. He also volunteers with the Bureau of Indian Standards by participating in International Organization for Standardization (ISO) standards formulation and technical committee work.