Review the information collected about each supplier for the supply chain due diligence report.


CONTROL ID
08856
CONTROL TYPE
Business Processes
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Conduct all parts of the supply chain due diligence process., CC ID: 08854

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The due diligence should involve an evaluation of all relevant information about the service provider. Information to be evaluated includes the service provider's: (5.4.3, Guidelines on Outsourcing)
  • Due diligence undertaken during the assessment process should be documented and re-performed periodically as part of the monitoring and control processes of outsourcing arrangements. The due diligence process may vary depending on the nature, and extent of risk of the arrangement and impact to the i… (5.4.5, Guidelines on Outsourcing)
  • Reports on the monitoring and control activities of the institution should be reviewed by its senior management and provided to the board for information. The institution should ensure that monitoring metrics and performance data are not aggregated with those belonging to other customers of the serv… (5.8.2 (e), Guidelines on Outsourcing)
  • where those institutions and payment institutions within the group, institutions affiliated to a central body or institutions that are part of an institutional protection scheme rely on a central pre-outsourcing assessment of outsourcing arrangements, as referred to in Section 12, each institution a… (4.2 23(c), Final Report on EBA Guidelines on outsourcing arrangements)
  • Institutions and payment institutions should assess the potential impact of outsourcing arrangements on their operational risk, should take into account the assessment results when deciding if the function should be outsourced to a service provider and should take appropriate steps to avoid undue ad… (4.12.2 64, Final Report on EBA Guidelines on outsourcing arrangements)
  • The downstream company should review information the assessment team generated when assessing the due diligence processes of the smelters or refiners. (Supplement on Tin, Tantalum, and Tungsten Step 2: II.C.2, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The downstream company should review information the assessment team generated when assessing the due diligence processes of the refiners. (Supplement on Gold Step 2: § III.C.2, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The auditor must confirm the name of the refinery. (§ C(1), EICC and GeSI Gold Supply Chain Transparency: Smelter Audit, July 12, 2012)
  • The auditor must confirm the location of the refinery. (§ C(1), EICC and GeSI Gold Supply Chain Transparency: Smelter Audit, July 12, 2012)
  • The auditor must confirm the types of gold-bearing materials the refinery received. (§ C(1), EICC and GeSI Gold Supply Chain Transparency: Smelter Audit, July 12, 2012)
  • The auditor must confirm the complete list of suppliers for each type of gold-bearing material received. (§ C(1), EICC and GeSI Gold Supply Chain Transparency: Smelter Audit, July 12, 2012)
  • The auditor must confirm the types of gold products the refinery produces. (§ C(1), EICC and GeSI Gold Supply Chain Transparency: Smelter Audit, July 12, 2012)
  • The auditor must confirm the types of gold-bearing materials that are transferred to other refineries and other company locations. (§ C(1), EICC and GeSI Gold Supply Chain Transparency: Smelter Audit, July 12, 2012)
  • Review of independent third-party assessments and regulatory reports; (TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:4 Bullet 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Regular review of MIS reporting (e.g., adherence to RTOs); (TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:4 Bullet 3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Regulatory, audit, and information security reports from service providers. (App A Tier 1 Objectives and Procedures Objective 2:1 Bullet 5, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Quality of management information systems (MIS) and reports needed to monitor the technology service provider's performance appropriately. (App A Tier 1 Objectives and Procedures Objective 3:2 Bullet 5, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Credit approval and monitoring procedures for all new and established merchant accounts. Consider use of Dun & Bradstreet reports, bank statements and credit reports. (App A Tier 1 Objectives and Procedures Objective 6:9 Bullet 5, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Whether MIS received from the technology service provider is adequate. (App A Tier 1 Objectives and Procedures Objective 11:2 Bullet 6, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • For retail EFT/POS and bankcard transaction processing activities contracted to third-party service providers, assess the adequacy of the review process performed by management regarding annual financial statements, audit reports, and Payment Card Industry (PCI) Data Security Standard assessment. (App A Tier 2 Objectives and Procedures A.3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Ensure that the financial institution obtains and analyzes all audits conducted by the ACH service provider, pursuant to the NACHA rule compliance audit requirement. (App A Tier 2 Objectives and Procedures J.10, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Minimum acceptable service provider characteristics; (App A Tier 2 Objectives and Procedures O.1 Bullet 3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Analyzes the service provider's audited financial statements and annual reports; (App A Tier 2 Objectives and Procedures O.2 Bullet 2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The cost for additional system and data conversions or interfaces presented by the various technology service providers; (App A Tier 2 Objectives and Procedures O.3 Bullet 4, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Oversight and monitoring of cloud service provider-managed controls. Management should evaluate and monitor the cloud service provider's technical, administrative, and physical security controls that support the financial institution's systems and information assets that reside in the cloud environm… (Risk Management Audit and Controls Assessment Bullet 2, FFIEC Security in a Cloud Computing Environment)