IT Examiner School - Oct 2025

CONTROLLED//FDIC INTERNAL ONLY

D&A Core Module Procedure 5 – Ongoing Monitoring

Evaluate the ongoing monitoring process for managing key vendor and third-party relationships, including supply chain as applicable, in accordance with their criticality. Consider the following:

- Financial statements
- Authorization for the entity to monitor and periodically review vendor(s) for compliance with its agreement, i.e., permissibility/prohibition of the third party to subcontract or use another party to meet its obligations
- Controls assessments, such as SSAE 18 SOC Reports (Statement on Standards for Attestation Engagement Service Organization Control Reports) and audit reports
- Regulatory reports, including report of examination of any examined service provider(s) at the most recent examination; and the quality of the institution's vendor management relative to the rating
- Affiliate relationships (e.g., Federal Reserve Regulation W)
- Consumer compliance
- Onsite reviews
- Participation in user groups
- Potential changes due to the external environment (e.g., changes in subcontractors, shift in industry practices, changes in security, or compliance requirements)
- Business continuity program, including integrated testing with the entity's plan
- Compliance with service level agreements (SLAs) and contract provisions
- Vendor awareness of emerging technologies
- Communication with key stakeholders (e.g., board of directors, senior managers, business line management, users) and existing customers
- Information security program and audit
- Cybersecurity preparedness and resilience
- Incident response
- Internal and external audit reports

Assess the risk for outsourcing arrangements.

Report to the Board of Directors.

If applicable, and as needed based on the extent of the entity's involvement in the following areas, continue to the Expanded Analysis:

- Cloud computing
- User groups
- Vendor information security programs
- Managed security service providers
- Foreign-based technology service providers
- Vendor incentive agreements
- Credit card related merchant activities

InTREx Abbreviated Core Examination Procedures Module July 29, 2025

Page 16 of 17
