DQM GRC consultants are experienced in working with third parties to ensure they comply with their obligations. Here are some examples of supply chain audit services we have provided:
- Ensured that third parties are handling data in line with contractual requirements.
- Created and reviewed a risk-based approach for monitoring supply chains. This may involve tiered questionnaires depending on the service provided.
- Conducted an independent review of third parties and provided a report supported by recommendations for improvement.
Our specialist auditors will work with you to create a bespoke audit plan to meet your needs and requirements:
We will create, for your approval, one or more bespoke audit templates and/or questionnaires based on the terms of your contracts and data sharing agreements.
This process includes establishing the audit framework and criteria to ensure that our audit is appropriately sensitised to areas of non-compliance.
We will carry out a test audit to ensure that the audit template works as intended and the report meets your requirements. Any amendments to the standard template will be completed post-audit. The DQM GRC audit team will liaise with the agreed test subject and handle scheduling details for completion.
We will work with you to design a suitable audit plan and schedule. This includes defining the scope and frequency of audits (which are normally based on the level of risk associated with the third party).
An annual audit is commonly recommended for high-risk organisations in the supply chain. In some circumstances, multiple audits may be required – for example, at the end of a contract, following a cyber security or data protection incident, or to ensure that remediation actions have been completed following a previous audit.
We will carry out the audits according to the agreed plan. In our experience, the scheduling is more efficient when completed by the DQM GRC team. Contact information for the identified audit targets will be provided in the planning stage for the programme. The team will then work with the agreed contact to schedule the audit within agreed time frames and gather any necessary pre-audit information.
We will work with you to monitor the ongoing effectiveness of the audits. The frequency of this review cycle will be agreed in advance. Reviews will take place at least annually, and will also be triggered by changes to contracts or data sharing agreements, or by known breaches and incidents.