An organization may rely on third-party vendors to provide some of its IT systems, applications, or
services, such as cloud computing, software development, or data processing. The organization
should evaluate the control environment of the third-party vendors, which is the set of policies,
procedures, and practices that establish the tone and culture of the vendor’s risk management and
control activities. The best way to evaluate the control environment of severalthird-party vendors is
to obtain independent control reports from high-risk vendors. Independent control reports are the
documents that attest to the design, implementation, and effectiveness of the vendor’s controls,
based on the standards or frameworks that are relevant and applicable for the vendor’s services,
such as the ISAE 3402 or the SOC 2. Independent control reports are prepared by independent and
qualified auditors, who provide an objective and reliable assessment of the vendor’s controls. High-
risk vendors are the vendors that pose the highest level of risk to the organization, such as by having
access to sensitive or confidential data, or by providing critical or complex services. By obtaining
independent control reports from high-risk vendors, the organization can verify that the vendor’s
controls are adequate and appropriate for the organization’s needs, and that the vendor complies
with the contractual and regulatory requirements. The other options are not as good as obtaining
independent control reports from high-risk vendors, as they may not provide sufficient or consistent
information or evidence on the vendor’s control environment:
Review vendors’ internal risk assessments covering key risks and controls means that the organization
examines the vendor’s own evaluation of its risks and controls, such as by reviewing the vendor’s risk
register, risk matrix, or risk report. This may provide some information or insight on the vendor’s
control environment, but it may not be as reliable or objective as obtaining independent control
reports, as the vendor’s internal risk assessments may have biases, conflicts, or gaps in their
methodology, scope, or quality.
Review vendors’ performance metrics on quality and delivery of processes means that the
organization measures and monitors the vendor’s performance and outcomes, such as by using key
performance indicators (KPIs), service level agreements (SLAs), or customer satisfaction surveys. This
may provide some information or feedback on the vendor’s control environment, but it may not be
as comprehensive or relevant as obtaining independent control reports, as the vendor’s performance
metrics may not cover all the aspects or components of the vendor’s controls, or may not reflect the
latest or updated status or results of the vendor’s controls.
Obtain vendor