Much goes into the planning and coordination of a vendor site visit. The planning leading up to the site visit will determine the success of the time you invest with the vendor while on-site.
9 Steps to Planning an On-Site Vendor Visit
Here are nine steps to take in helping you plan the visit.
- Begin the planning process early. While you may think you have up to a full calendar year in which to perform your annual assessments, it’s important to realize that holidays, vacations and other unforeseen events impact the availability of key executives with whom you may wish to speak. It’s also very unlikely that you’re the only organization requesting an on-site visit with the vendor.
- Review previous assessments. This is a great way to identify any past findings and determine whether the vendor has improved, worsened or remained the same.
- Send a formal notification. Work with your vendor contact to obtain the contact information of the person to whom you need to submit a formal request for an on-site visit. This won’t be a surprise to your vendor since they deal with many requests per year. Be prepared to be flexible regarding the timeframe, since this is when coordination and cooperation between both parties set the tone. Planning an on-site vendor visit should be approached as a collaborative effort.
- Set proper expectations – the audit scope. For the vendor to plan resources adequately, set the scope of the visit. This is where you can list each area of your visit and the due diligence that you’d like to review. Request any relevant documentation prior to the visit and review it. This allows you to be as informed as possible on the basics so that you can focus your attention on the most important areas while on-site.
- Partner or Adversary? Adversary may be too harsh a term, but if there are areas where you need an honest discussion about service level agreements or product/service quality, add these to the agenda as on-site discussion points. Careful consideration should be given to the timing of this conversation.
- Provide an agenda. Involve your vendor in developing the agenda. The last thing you should do is appear on-site without an established plan. Create a list of topics to be discussed and the people with whom you will be meeting.
- Perform the assessment. Meet with the key leaders of each business line you will be assessing. If some documentation can only be reviewed while you’re physically on-site, request that the vendor allocate adequate time for you to review those documents during the visit.
- A physical security test. While on-site, it’s a great time to test physical security policies and procedures. If the vendor has a visitor policy, document your experience of signing in and the name badge protocol, and walk by work areas to verify that employees are following clean desk/clear screen policies, etc.
  Ask yourself these 5 security questions:
  - Were you able to piggyback behind an employee to get into secure areas?
  - Are shred bins locked?
  - Are security cameras in place?
  - Is there evidence that staff are following the policy?
  - How does management monitor and enforce policies?
- Perform an on-site exit interview. Prepare and provide a summary or general feedback for the vendor. Set the expectation of next steps. After the joint effort invested in the on-site visit, it’s good business practice to partner with the vendor and share the areas that require attention, have caused concern or need further clarification. If additional information is required to close out the assessment, set deadlines for the vendor so that you can work toward a timeline to close out the review.
Building these steps into your annual on-site visits should streamline the process tremendously. Good luck!