VM-01 Third-Party / Vendor Management
Vendor / Third-Party Risk Assessment
Third-party risk is assessed before and during reliance.
- Domain: Third-Party / Vendor Management
- Control type: Detective
- Automated / manual: Manual
- Frequency: Onboarding + periodic
- Framework reference: MAS Outsourcing; MAS TRM – Third Party
What good looks like
Material vendors risk-assessed at onboarding and periodically.
Risk if it fails
Inherited third-party risk unmanaged.
How Tess tests it
3 tests — each concludes only on cited evidence.
Vendor-risk process (onboard + periodic) defined
Test type: Design
- Procedure: Inspect the process.
- Expected: Defined.
- Sample: 1 (design inspection)
- Evidence: Vendor risk assessments, due-diligence records.
Onboarding due diligence performed
Test type: Operating
- Procedure: Sample vendors.
- Expected: Assessed at onboarding.
- Sample: Judgmental, by population (e.g. 10–25)
- Evidence: Vendor risk assessments, due-diligence records.
Periodic re-assessment performed
Test type: Operating
- Procedure: Inspect re-assessments.
- Expected: Current.
- Sample: Judgmental, by population (e.g. 10–25)
- Evidence: Vendor risk assessments, due-diligence records.
Evidence Tess looks for
Vendor risk assessments, due-diligence records.