AuditLink Publishes Primer on Vendor Assessment Process

Jim Vilker, NCCO
AuditLink, the auditing and compliance division of CU*Answers, and Trust Exchange, a firm which helps financial institutions automate their vendor compliance monitoring, have recently published a white paper revolving around the components and process of determining the criticality of vendor relationships. “Assessing criticality is one of the most important components of a complete vendor management program,” said Jim Vilker, VP of Professional Services for AuditLink. The process described in the primer was based upon a year of field work with a number of credit unions including Frankenmuth CU, Diversified Members CU, and Parkside CU. The amount of research and application of FFIEC, NCUA, and other regulatory guidance has resulted in a working document that can be used to document their thought process using a risk-based approach that is practical and guides the credit union through the process. “Expectation going in was to develop a process that identifies the risk of the relationship and designs the ongoing due diligence to mitigate those risks identified throughout the vendor life cycle,” Vilker added. “Taking a cooperative approach to vendor management is the only way this industry is going to drive down the cost of this vital function and regulatory requirement. Developing whitepapers, facilitating seminars, and sharing knowledge has been our mantra from the beginning and it is beginning to pay off much faster than originally anticipated.” Vilker added that AuditLink is in the process of developing its next white paper and web conference on the components of monitoring function and thought process revolving around the evaluation of due diligence data. “What we have found interesting is how to address the instance in which a required piece of due diligence cannot be provided by the vendor. Do they fail as a trusted vendor? Is it acceptable business risk? Do they have other controls that do not meet the standard SOC 1 or 2 which achieve the same risk mitigating result?” These questions and others will be outlined in the CUSO’s next upcoming web conference on March 29th, and published in April. Click the link below to view the whitepaper. Tier-Levels-Primer.docx