Vendor audits are a nightmare. Here’s how to make them a little less time consuming.

By 
Jacob Høedt Larsen
July 8, 2024

Vendor audits are a nightmare. Doing one is manageable; managing them at scale is much harder. There is a lot of scrambling for vendor information and a lot of following up when vendors do not reply to e-mails, or answer only half the questions asked. You need a vendor audit program with structure, overview and control. Here are five things you can do to make it a little less time consuming.

1. Have a list of your vendors - including your data processors, of course

This sounds simple: a list of all your vendors, each labelled as a data processor or not.

That is probably THE single most important feature in a great vendor audit program.

If you do not know who your vendors are, there is no way to prioritise them and make sure you spend your audit resources where they give the most value. In our experience, however, such a list (let alone a database) often does not exist, or it is incomplete and out of date.

So, if you do not have such a list, your time is probably best spent compiling it.

2. Know who is critical to you

Second, you need an overview of which vendors (and systems) are most critical to you.

In data protection, those are the systems which pose the biggest risk to your data subjects.

Information security will probably need to address those posing the greatest risk to the company or to society at large.

The two perspectives do not always agree, so make sure your system is flexible enough to carry different criticality labels on the same systems and vendors.

3. Decide on the method and the timing in advance - task management at its best

Vendor audits come in many shapes and sizes. 

Some systems are critical, and you will need to follow up regularly with the vendor, combing through their ISAE 3000 assurance reports or ISO audit reports.

Others are less critical, so you might just need to send an e-mail every two years to confirm that the vendor still does things according to the contract you entered into.

And there is everything in between. You probably have a small handful of audit types, like:

  • Physical audit
  • External auditor’s report
  • Questionnaire
  • Statement from vendor
  • No audit

You can also carry out the audits at different intervals. Some will have to be every year, some every two years. Decide on the audit method and the timing every time a new vendor comes in, and put it in your system as a recurring task. Beware of over-committing, though: it is too easy to set high standards for yourself in advance, so be clear-minded and make an educated decision based on the resources you actually have.

Therefore, it is best practice to have objective criteria governing the timing and the method, so that the decision can be explained and repeated. Most programs use criteria like:

  • Number of data subjects in the system
  • Sensitivity of the information
  • Risks posed by the system

4. Have a systematic process with automatic reminders

Now, even with a great overview of systems and vendors, audit methods and timing, there is still a lot of heavy lifting to do.

Once you initiate your audits by sending out e-mails and questionnaires, everything becomes even more of a hassle:

Who answered?

Who completed the entire questionnaire?

Whom should I remind… and when?

Think your system through, so that sending, tracking and reminding are as automated as possible. You want a complete overview at all times: for every vendor, what was sent, when, and what came back.

5. Evaluate the information

Finally, please do not forget to actually evaluate the information you get back. Again, it sounds obvious, but you cannot imagine how many questionnaires go unevaluated and how many external audit reports just sit unread in the system. A report nobody has read gives you no assurance; it only proves that you asked. Record what you found, and what you decided to do about it.

Want to see how Wired Relations supports vendor audits? Book a demo.

Great vendor management depends on governance. In this webinar, we talk to TDC NET about how good governance can build a great privacy culture. You'll get plenty of inspiration on how to set up a governance structure for handling new vendors.