DQM GRC consultants are experienced in working with third parties to minimise supply chain compliance issues and risks. Here are some examples of supply chain audit services we have provided:
- Ensured that third parties were handling data in line with contractual requirements.
- Created and reviewed a risk-based approach for monitoring supply chains. This may involve tiered questionnaires depending on the service provided.
- Conducted an independent review of third parties and provided a report supported by recommendations for improvement.
Our specialist auditors will work with you to create a bespoke audit plan to meet your needs and requirements:
We will create one or more bespoke audit templates and/or questionnaires based on the terms of your contracts and data sharing agreements for your approval.
This process includes establishing the audit framework and criteria to ensure that our audit is appropriately sensitised to areas of non-compliance.
We will conduct a test audit to ensure that the audit template works as intended and that the report meets your requirements. The DQM GRC audit team will liaise with the agreed test subject and handle scheduling details for completion. Any amendments to the standard template will be completed post-audit.
We will work with you to design a suitable audit plan and schedule. This includes defining the scope and frequency of audits (generally based on the level of risk associated with the third party).
An annual audit is commonly recommended for high-risk organisations in the supply chain. In some circumstances, multiple audits may be required – for example, at the end of a contract, following a cyber incident, or to ensure that remediation actions have been completed following a previous audit.
We will carry out the audits according to the agreed plan. In our experience, the scheduling is more efficient when completed by the DQM GRC team. Contact information for the identified audit targets will be provided in the planning stage for the programme. The team will then work with the agreed contact to schedule the audit within the agreed time frames and gather any necessary pre-audit information.
We will work with you to monitor the ongoing effectiveness of the audits. The frequency of this review cycle will be agreed upon in advance but will also be triggered by changes to contracts or data-sharing agreements or by known breaches and incidents and will take place at least annually.