Vendor Management Program Audit

The goal of a Vendor Management Program audit is to ensure the institution has appropriate controls in place to mitigate the risks present in the vendor management program structure, the outsourcing process, the services provided, and the management of third-party relationships.

CEI Professional Services audits the thirteen (13) key controls of a vendor management program throughout the five (5) phases of the third-party risk management lifecycle to ensure that the institution has implemented risk mitigation controls that are commensurate with its size and complexity, as well as with the types of vendors with whom it conducts business.

Utilizing the eAuditManager module of our Enterprise Program Manager suite of automated risk and audit management tools, we document the Control Objectives, Control Activity, Test Steps, and Work Performed along with evidence and artifacts collected. This drives the Observations, Findings, Risk Ratings, Results and Recommendations.

Activities conducted include:

  • Program Framework review including:
    • Governance
    • Operating Model
    • Vendor Lifecycle Management
  • Staff interviews
  • Contract Reviews
  • Documentation Reviews
  • Risk Assessment framework and methodology
  • Vendor categorization and concentration review
  • Vendor Report reviews


  • Executive Report
  • Observations
  • Findings with Risk Ratings
  • Recommendations