Monitoring supply chain compliance takes skills and experience

The GDPR (General Data Protection Regulation) requires organisations to monitor their third parties’ compliance with their legal and contractual obligations. The EDPB (European Data Protection Board) makes it clear that it is not sufficient to simply place contractual obligations on third parties – organisations must also document how they ensure compliance.

DQM GRC can operate your audit programme and give you confidence that risks that arise through your supply chain are identified and minimised. We can design an audit programme around your risks and controls and seek answers from your suppliers and processors about their practices. You will receive a report that identifies areas of good practice and highlights deficiencies, supported by recommendations to resolve or mitigate them.


How does this service work?

DQM GRC consultants are experienced in working with third parties to ensure they comply with their obligations. Here are some examples of supply chain audit services we have provided:

  • Ensured that third parties are handling data in line with contractual requirements.
  • Created and reviewed a risk-based approach for monitoring supply chains. This may involve tiered questionnaires depending on the service provided.
  • Conducted an independent review of third parties and provided a report supported by recommendations for improvement.

Our specialist auditors will work with you to create a bespoke audit plan to meet your needs and requirements:

1. Audit templates

We will create one or more bespoke audit templates and/or questionnaires, based on the terms of your contracts and data sharing agreements, for your approval. This includes establishing the audit framework and criteria so that the audit is properly sensitive to the areas where non-compliance is most likely.

2. Test audit

We will carry out a test audit to confirm that the audit template works as intended and that the report meets your requirements. Any amendments to the standard template will be completed after the test audit. The DQM GRC audit team will liaise with the agreed test subject and handle the scheduling details.

3. Audit plan

We will work with you to design a suitable audit plan and schedule. This includes defining the scope and frequency of audits, which are normally based on the level of risk associated with each third party.

An annual audit is commonly recommended for high-risk suppliers. In some circumstances, additional audits may be required: for example, at the end of a contract, following a cyber security or data protection incident, or to confirm that remediation actions from a previous audit have been completed.

4. The audits

We will carry out the audits according to the agreed plan. In our experience, scheduling is more efficient when handled by the DQM GRC team. Contact information for the identified audit subjects will be provided in the planning stage of the programme. The team will then work with the agreed contact to schedule each audit within the agreed time frame and to gather any necessary pre-audit information.

5. Periodic review

We will work with you to monitor the ongoing effectiveness of the audit programme. The review cycle will be agreed in advance and will take place at least annually; a review will also be triggered by changes to contracts or data sharing agreements, or by known breaches and incidents.

What to expect

Your auditor will typically take two days to complete an audit. This will involve a combination of interviews with key individuals, reviews of documentation and sample checking.

We aim to provide written reports to you within ten working days of the audit.

For lower-risk contracts, you may prefer to send questionnaires that third parties can complete themselves and return to us for review.

We typically allow three weeks for the third party to complete and return the questionnaire and aim to provide written reports to you within ten working days of receiving the completed questionnaire.

If you wish, our consultants can work with your audit subjects to help them address areas of non-compliance. We maintain strict independence between our audit and consultancy teams.


Service benefits

  • Assure stakeholders and customers that your supply chain adheres to its contractual and legal obligations.
  • Get value for money from your suppliers by ensuring you receive the service you are paying for.
  • Let us deal with the difficulties associated with supplier contracts.
  • Use the expertise of the DQM GRC Audit team to conduct audits and provide an independent, risk-based view of the organisation you work with.

Speak to us about Supply Chain Audits today

Contact us and our team will respond within one working day to discuss your requirements.