Answer:
Have we inventoried the third-party relationships that exist in our organization today?
How are we identifying and tracking new or changing relationships?
Have we assessed and prioritized the risks related to those relationships?
When evaluating new relationships, do our selection criteria address risks to the organization?
Where applicable, do our agreements and contracts include adequate terms and conditions to require third parties to provide independent assurance to mitigate potential risks, convey trust and confidence, and demonstrate compliance with laws and regulations?
Are responsibilities to manage these risks clearly defined individually for each third party and as a whole?
Are we monitoring the various risks and contract requirements associated with each existing relationship, and at what interval?
Are these relationships dependent on subservice organizations?
How do we gain comfort that information provided by third parties is valid, accurate, and complete?
Does our risk assessment process identify potential negative events resulting from third-party relationships and include procedures to respond to them?