2023 IT Examiner School

Vendor Due Diligence

A proper due diligence process should focus on the prospective third party's:
• Ability to provide the services needed
• Financial condition
• Industry expertise
• Knowledge & experience of applicable laws and regulations
• Reputation (check references, public information)
• Scope of operations and deliverables (can they provide adequate service and support?)
• Effectiveness of controls (will they make audit reports available?)

Software Contract Agreements

• Management should establish clear expectations in the contract.
• Insist on the right to audit.
• Agree on notification requirements for security incidents or changes in any subcontracting relationships.
• Exit provisions, data ownership, and data conversion all need to be considered in the contract.
• Include a regulatory requirements clause.
• For mission-critical software, clauses that limit vendor liability are a dangerous practice.
• Before management signs the contracts, it should submit them for legal counsel review.
