Third-Party Risk Management (TPRM)
Domain 5 — Protection of Information Assets
Definition
Third-Party Risk Management is the process of identifying, assessing, and monitoring risks arising from relationships with vendors, service providers, business partners, and other external parties. It includes due diligence before engagement, ongoing monitoring of provider security posture, contract clauses for audit rights and data protection, and termination procedures. IS auditors evaluate TPRM by reviewing vendor assessment documentation, contract terms, and incident notification provisions.
Real-World Audit Scenario
A financial client suffered a data breach because their cloud-based payroll provider had weak access controls. The client had never performed a security assessment of the payroll provider before signing the contract. When I asked to see the vendor due diligence documentation, there was none — they had chosen the provider based on a recommendation from another company in their network. We recommended a vendor risk assessment program with tiered due diligence requirements based on the sensitivity of data shared with each vendor.
Common Exam Trap
The exam often tests whether an auditor may rely on a third party's SOC 2 report. The answer is "yes, but only after reviewing the report type, scope, testing period, and any exceptions." A SOC 2 report is not a blanket endorsement: a Type I report covers control design as of a single date, while a Type II report covers operating effectiveness over a stated period, and any gap between the end of that period and the end of your own audit period must be covered by a bridge letter or a newer report. The opinion extends only to the trust services criteria and systems named in the scope (subservice organizations are often carved out), reported exceptions must be mapped against the vendor controls your organization actually relies on, and the complementary user entity controls (CUECs) listed in the report remain the client's responsibility to implement.
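The reliance decision above reduces to a handful of checks that an auditor can work through mechanically. The following Python example is added here and is not part of the original page; the vendor, dates, control identifiers and the 90-day bridge-letter threshold are constructed illustrations, not real report data or a prescribed policy value.

```python
"""Added example: deciding whether a SOC 2 report supports reliance.

Checks the report type, the testing period against the period we need
covered, the criteria and systems in scope, exceptions on controls we
rely on, and complementary user entity controls (CUECs) we have not
implemented. Sample data below is constructed for illustration.
"""
from dataclasses import dataclass, field, replace
from datetime import date

# Assumed policy threshold (not from the page): a gap longer than this
# between the report's period end and our reliance period end cannot be
# closed with a bridge letter; a current report is required instead.
MAX_BRIDGE_GAP_DAYS = 90


@dataclass
class Soc2Report:
    vendor: str
    report_type: int        # 1 = design as of a date; 2 = operating effectiveness over a period
    period_start: date      # for Type I, the as-of date
    period_end: date        # for Type I, the same as-of date
    criteria: set           # trust services categories the opinion covers
    systems: set            # systems/services in scope (carve-outs excluded)
    exceptions: dict        # control id -> description of a testing exception
    cuecs: set              # complementary user entity controls the customer must operate


@dataclass
class RelianceNeed:
    criteria: set
    systems: set
    controls: set           # vendor controls our own risk treatment depends on
    period_start: date
    period_end: date
    cuecs_implemented: set = field(default_factory=set)


def assess_reliance(report: Soc2Report, need: RelianceNeed) -> dict:
    """Return {'rely': bool, 'blocking': [...], 'follow_ups': [...]}."""
    blocking, follow_ups = [], []

    if report.report_type == 1:
        blocking.append("Type I report covers control design only, not operating effectiveness")
    else:
        if report.period_start > need.period_start:
            blocking.append(f"testing period starts {report.period_start}, after our reliance period start")
        gap = (need.period_end - report.period_end).days
        if gap > MAX_BRIDGE_GAP_DAYS:
            blocking.append(f"testing period ended {gap} days before reliance period end; obtain a current report")
        elif gap > 0:
            follow_ups.append(f"obtain a bridge letter covering the {gap} days after {report.period_end}")

    for c in sorted(need.criteria - report.criteria):
        blocking.append(f"criteria not opined on: {c}")
    for s in sorted(need.systems - report.systems):
        blocking.append(f"system not in scope: {s}")
    for ctl in sorted(set(report.exceptions) & need.controls):
        blocking.append(f"exception on relied-upon control {ctl}: {report.exceptions[ctl]}")
    for cuec in sorted(report.cuecs - need.cuecs_implemented):
        blocking.append(f"CUEC not implemented on our side: {cuec}")

    return {"rely": not blocking, "blocking": blocking, "follow_ups": follow_ups}


# Constructed sample: a hypothetical payroll SaaS vendor's Type II report.
SAMPLE_REPORT = Soc2Report(
    vendor="ExamplePay (hypothetical)",
    report_type=2,
    period_start=date(2024, 1, 1),
    period_end=date(2024, 10, 31),
    criteria={"Security", "Availability"},
    systems={"Payroll Platform"},
    exceptions={"CC6.1": "3 of 25 sampled terminated users retained access beyond 30 days"},
    cuecs={"CUEC-1: customer reviews its own user list quarterly"},
)
SAMPLE_NEED = RelianceNeed(
    criteria={"Security", "Confidentiality"},
    systems={"Payroll Platform"},
    controls={"CC6.1", "CC6.2", "CC7.2"},
    period_start=date(2024, 1, 1),
    period_end=date(2024, 12, 31),
)


def sample_assessment() -> dict:
    """Report with a scope gap, a relevant exception and an unimplemented CUEC."""
    return assess_reliance(SAMPLE_REPORT, SAMPLE_NEED)


def clean_assessment() -> dict:
    """Same vendor after a current report covering everything we need."""
    clean_report = replace(SAMPLE_REPORT, period_end=date(2024, 12, 31),
                           criteria={"Security", "Availability", "Confidentiality"},
                           exceptions={})
    clean_need = replace(SAMPLE_NEED, cuecs_implemented=set(SAMPLE_REPORT.cuecs))
    return assess_reliance(clean_report, clean_need)


if __name__ == "__main__":
    for label, result in (("sample", sample_assessment()), ("clean", clean_assessment())):
        print(label, result)
```

Run it to see the three blocking findings and the bridge-letter follow-up for the constructed sample, then the clean case. The key design choice is that a period gap within the threshold is a follow-up rather than a blocker, while a missing criterion, an out-of-scope system, an exception on a control you depend on, or an unimplemented CUEC each prevent reliance on its own.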
Test Your Understanding
Try a free practice question on this topic — see our 4-layer explanations and find out where you stand.