IT Examiner School

Results of On-Site Discussions with Management

Meeting with NA Fossil

Examiner: I’ve reviewed your Vendor Management Program and found that it is overall satisfactory; however, I didn’t see where the Program discussed obtaining information from your primary vendors regarding third party relationships. Could you provide me information about what your FI does in this regard?

NA Fossil: I have assisted EVP Anita Jones regarding establishing and administering the Program, but she is the better person to ask this question.

Examiner: Ok. But, you handle the IT service provider relationships where this may occur. Could you explain what you do?

NA Fossil: Yes, when there is a new IT service provider or a contract is up for renewal, I discuss this topic with the vendors to gain assurances that there is no 3rd party or subcontracting of services.

Examiner: Does this include ensuring that all FI and customer data is at the vendor and that it is maintained in the U.S.?

NA Fossil: Yes, I make sure that all that is in the contract before EVP Jones approves and signs any IT contracts.

Examiner: I didn’t see anything in the last audit report, but have the auditors reviewed your Program and made any comments?

NA Fossil: Oh yes, they have reviewed it and they made an observation regarding this topic, but said it would not be in their audit report.

Examiner: So, what is happening regarding updating your Program to include this observation?

NA Fossil: You will need to discuss that with EVP Jones.

Examiner: Thanks. When it comes to reviewing your vendors’ information, how is this performed?

NA Fossil: I review all the high and medium risk IT vendors based on the Program’s guidelines and then provide information up to EVP Jones so she can include this information for her reports to the Executive Committee. I let her know if there have been any priority changes.
