Establish, implement, and maintain supply chain onsite investigation procedures.
CONTROL ID
08919
CONTROL TYPE
Business Processes
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain., CC ID: 08878

This Control has the following implementation support Control(s):
  • Assist with local logistics in support of supply chain onsite investigations., CC ID: 08920
  • Create an on-site mine visit report., CC ID: 08921
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • In addition, if evaluation and verification of the appropriateness of outsourced work can not be sufficiently performed only with the submitted information, it is necessary to verify it on site by auditing/monitoring the outsourcees' offices or data centers. Furthermore, when the specified system is… (A1.5. ¶ 2, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Before a planned on-site visit, institutions, payment institutions, competent authorities and auditors or third parties acting on behalf of the institution, payment institution or competent authorities should provide reasonable notice to the service provider, unless this is not possible due to an em… (4.13.3 95, Final Report on EBA Guidelines on outsourcing arrangements)
  • Onsite investigations should include the smelter or refiner facilities and the sites where they conduct due diligence for responsible supply chains of minerals from conflict-affected and high-risk areas. (Supplement on Tin, Tantalum, and Tungsten Step 4: A.4(c)(i), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Onsite investigations should include a sample of the smelter's or refiner's suppliers. (Supplement on Tin, Tantalum, and Tungsten Step 4: A.4(c)(ii), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Onsite investigations should include meeting with the assessment team to review the standards and methods they used to generate information. (Supplement on Tin, Tantalum, and Tungsten Step 4: A.4(c)(iii), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Onsite investigations should include consultations with central government authorities, local government authorities, United Nations expert groups, local civil societies, and United Nations peacekeeping missions. (Supplement on Tin, Tantalum, and Tungsten Step 4: A.4(c)(iv), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Onsite investigations should include the refiner facilities and the sites where they conduct due diligence for responsible supply chains of gold from conflict-affected and high-risk areas. (Supplement on Gold Step 4: A.4(b)(i), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Onsite investigations should include a sample of the refiner's suppliers. (Supplement on Gold Step 4: A.4(b)(ii), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Onsite investigations should include consulting with the assessment team to review the standards and methods they used to generate information. (Supplement on Gold Step 4: A.4(b)(iii), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Onsite investigations should include consultations with central government authorities, local government authorities, United Nations expert groups, local civil societies, and United Nations peacekeeping missions. (Supplement on Gold Step 4: A.4(b)(iv), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Making site visits to the subservice organization (¶ 2.53 Bullet 4, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Making site visits to the third party (¶ 2.61 Bullet 4, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The Agencies' supervisory approach to cross-border outsourcing emphasizes the responsibility of the serviced financial institution to conduct adequate due diligence, manage risks appropriately, comply with applicable U.S. and foreign laws and regulations, and ensure access to critical information wi… (Supervision of Foreign-Based TSP Program ¶ 2, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, October 2012)