Vendor Risk from the Internal Audit Lens — What Auditors Consistently Find (and What Boards Should Know)
Regulators are no longer satisfied with process documentation. They want proof that controls operated — and the gap between "we have a policy" and "here is the evidence" is where most vendor risk programmes quietly fail.
Anyone who has spent years inside Big4 audit practices reviewing vendor risk programmes at banks, insurers, and regulated corporates will recognise an unmistakable pattern: organisations routinely invest in vendor risk policies, governance charters, and third-party assessment templates — and then fail the one test that matters. When an auditor asks for evidence that the policy actually ran, the room goes quiet.
The era of process-first vendor risk is ending. The Institute of Internal Auditors' Global Internal Audit Standards increasingly frame third-party risk as a first-class audit universe — not a peripheral compliance checkbox. Simultaneously, regulators from the RBI to the SEC are shifting their inspection methodology: they arrive with data requests, not just questionnaire forms. The question is no longer "do you have a vendor risk programme?" It is "show us the last 12 months of monitoring evidence, and show us it is complete."
This article is written for those who either conduct these audits or live in fear of them — internal auditors, chief audit executives, CROs, and compliance directors who need to understand exactly what the audit lens reveals, and how to close the gaps before an inspector arrives.
A practical framework for building complete, regulator-defensible evidence trails across your vendor programme — templates, checklists, and gap diagnostics included.
Why Vendor Risk Is Now a Board-Level Audit Priority
The shift has been structural, not incremental. Three converging pressures have moved vendor risk from a compliance team concern to a standing agenda item in audit committees and board risk forums.
First, regulatory inspection methodology has evolved. Historically, RBI inspections of outsourcing governance involved reviewing board-approved policies and spot-checking a sample of vendor contracts. Today, inspectors request the full outsourcing register, concentration risk analyses, evidence of periodic review cycles, and monitoring logs — and they compare what the policy says should happen against documented proof that it did. The SEBI circular on operational risk governance and the RBI Master Direction on Outsourcing both contain explicit documentation requirements that translate directly into audit evidence obligations.
Second, third-party breaches have become the dominant vector for enterprise risk events. When a payment processor suffers a data compromise, the liability — regulatory, reputational, and operational — lands on the contracting organisation. Boards have learned, often painfully, that outsourcing a function does not outsource the accountability.
Third, the supply chain has deepened. The vendor your organisation contracted may itself depend on three or four sub-processors, each carrying its own concentration risk, data handling obligations, and operational vulnerabilities. Internal audit now needs to assess not just direct vendors, but the architecture of dependency beneath them.
In a representative internal audit review of a mid-tier financial institution, 34% of critical-tier vendor contracts reviewed had no right-to-audit clause. The vendor contracts had been executed, renewed, and in some cases renegotiated — without the omission ever surfacing in a formal review cycle. This is not an outlier. It is among the most common findings in vendor risk audits across sectors.
The implication for audit committees is direct: vendor risk governance requires the same audit rigour as financial controls. The question the Chief Audit Executive needs to ask is not whether a third-party risk function exists, but whether it is producing verifiable, documented evidence of its operation — evidence that will stand up to external scrutiny.
The 5 Gaps Internal Auditors Consistently Find in Vendor Programmes
Across industries and geographies, the internal audit findings in vendor risk programmes cluster around the same five structural weaknesses. Each represents not a failure of intention — most organisations have written policies addressing all five — but a failure of execution and documentation.
Gap 1 — No Complete Vendor Inventory
The audit typically begins with a simple request: provide the current vendor register. What organisations produce is usually a procurement list, a contracting log, or an IT asset register — none of which is a vendor risk inventory. A risk-complete vendor inventory captures not just who the organisation contracts with, but the nature of data access, the criticality tier, the regulatory classification, the sub-processor chain, and the last review date for each relationship.
In practice, auditors find shadow vendors — suppliers engaged by individual business units without procurement involvement, SaaS tools licensed on a corporate card, and consulting relationships that quietly became operational dependencies. Each represents a risk exposure that the organisation cannot manage because it does not know it exists. According to NIST SP 800-161r1, a foundational control for supply chain risk management is the maintenance of a comprehensive, current inventory of all supplier relationships and the systems they touch. Most organisations fail this baseline.
Gap 2 — Onboarding Without Risk Classification
Organisations often have risk tiering frameworks — critical, high, medium, low — but the classification is applied inconsistently, or not applied at all at the point of onboarding. Auditors regularly encounter critical vendors that went through the same abbreviated onboarding questionnaire as a low-risk stationery supplier. The consequence is that due diligence depth, contract requirements, and ongoing monitoring intensity are not calibrated to actual risk — they are uniform and therefore inadequate for the vendors that matter most.
The tiering failure also propagates forward: if a vendor was not classified as critical at onboarding, it will not trigger enhanced monitoring alerts, and it will not receive enhanced contractual protections, regardless of what the policy requires.
Gap 3 — Questionnaires Sent, Never Followed Up
This is perhaps the most operationally damaging pattern auditors encounter. An organisation dispatches a due diligence questionnaire — on information security, financial health, business continuity, or data handling — and records the dispatch as a control activity. The vendor's response, if it arrives at all, is filed without substantive review. Remediation of exceptions is not tracked. The control, in audit terms, has not operated effectively; it has simply created paperwork.
When auditors pull a sample of vendor questionnaire files and ask for evidence of review, remediation tracking, and closure, the typical finding is an unreviewed response document, a partially completed template, and no record of the risk team having assessed what the vendor reported. The questionnaire became a ritual, not a control.
Gap 4 — No Continuous Monitoring Between Reviews
Annual vendor reviews are still the dominant rhythm in most third-party risk management (TPRM) programmes. The audit finding that accompanies this model is predictable: the organisation knows the state of its vendors once a year, on a date of its choosing, using information that the vendor itself provides. Everything that happens between reviews — a leadership change, a regulatory sanction, a financial deterioration, a breach at a sub-processor — is invisible until the next scheduled assessment cycle.
Regulators have begun specifically challenging this model. The RBI's guidance on operational risk management for financial institutions expects near-continuous visibility into the operational health of critical outsourced service providers. An annual review against that expectation is not a compliant posture — it is a documented gap.
Gap 5 — Vendor Exit Without Documented Control
Vendor offboarding is the least mature control in most programmes. When an organisation ends a vendor relationship — whether due to contract expiry, performance failure, or strategic change — the risk event that must be managed is the continuation of access. Data held by the vendor must be retrieved or destroyed. System access must be revoked, confirmed, and logged. The offboarding process must be documented end-to-end.
Auditors routinely find former vendors with active API credentials, data that was never formally returned or certified as destroyed, and no evidence of a structured exit process. For regulated industries, this is not a minor finding — it represents an ongoing data governance and access control failure that may need to be reported to a regulator.
Key Controls Auditors Test in TPRM
When internal and regulatory auditors engage a vendor risk programme for substantive testing, they are evaluating a defined set of controls. Understanding what auditors look for — and what evidence satisfies each test — allows risk and compliance teams to build programmes that are defensible by design rather than scrambled in response to an audit request.
Right-to-Audit Clauses. Auditors review a representative sample of vendor contracts to confirm that the right-to-audit provision is present, specific, and enforceable. "Specific" means the clause identifies who may conduct the audit, under what notice conditions, what records and systems are within scope, and the vendor's obligation to cooperate and provide access. A generic reference to "information security rights" does not satisfy this test. For RBI-regulated entities, the RBI's Master Direction on Outsourcing of Financial Services explicitly mandates this provision for material outsourcing arrangements — its absence is a reportable finding.
Evidence Repository Completeness. The auditor will request access to the vendor risk evidence repository and test for completeness: does every active vendor have a current risk tier assignment, a completed due diligence record, an executed contract with required clauses, and a monitoring activity log? Evidence repositories that rely on email folders, shared drives, or manually updated spreadsheets almost always fail the completeness test — not because evidence does not exist, but because it cannot be reliably retrieved and cross-referenced.
Incident Notification Trails. Material outsourcing arrangements require vendors to notify the contracting organisation within defined timeframes when incidents — operational, information security, regulatory — occur. Auditors test whether notification obligations are contractually specified, whether vendors have actually notified when relevant incidents occurred, and whether the organisation's response to such notifications is documented. Silent incident history is a red flag, not a clean record.
Access Termination Logs. For vendors with system access, auditors pull access termination logs and test two things: that access was revoked promptly upon contract termination or personnel change, and that the revocation was confirmed and logged. Privileged access left open after a vendor relationship has ended is among the highest-severity findings in an IT audit of vendor controls.
Data Handling Obligation Tracking. As data privacy frameworks — DPDP Act, GDPR, and sector-specific regulations — impose specific obligations on how vendors process and protect personal and sensitive data, auditors now test whether data handling clauses in vendor agreements are tracked, enforced, and evidenced. This includes data processing agreements, data localisation confirmations, and evidence that the vendor's sub-processors are themselves covered by equivalent obligations.
Crest's Intelligence Platform creates a timestamped, searchable evidence repository across every vendor — continuously updated, audit-ready on demand, without manual effort.
What Audit-Ready Vendor Documentation Looks Like
The distinction that separates organisations that pass vendor risk audits from those that struggle is not the sophistication of their policies — it is the completeness of their execution record. Regulators and internal auditors have become fluent in the gap between process documentation and operational evidence. A policy document is a statement of intent; an audit is a test of whether that intent was executed.
Audit-ready vendor documentation has four defining characteristics:
Completeness across the vendor lifecycle. Documentation covers onboarding (risk classification decision, due diligence record, contract execution confirmation), ongoing operation (periodic review records, monitoring activity logs, incident notifications and responses), and exit (access termination confirmation, data handling disposition, offboarding sign-off). Gaps in any phase create audit exposure regardless of how strong the other phases are.
Timestamping and immutability. Evidence that can be backdated or amended after the fact has low probative value in an audit. Auditors look for system-generated timestamps, workflow audit trails, and evidence that the record of an activity was created contemporaneously with the activity itself — not assembled in preparation for the audit visit.
Traceability to individual decisions. When a vendor was classified as "medium risk" rather than "high risk," the record should show who made that determination, on what basis, and whether it was reviewed and approved. Risk ratings without decision rationale create audit findings because there is no way to assess whether the judgement was defensible.
Exception tracking through to closure. Where due diligence or ongoing monitoring identified a gap or concern — a vendor's InfoSec controls rated below required standard, a sub-processor without an executed data processing agreement — the documentation should show the gap, the remediation requirement, the agreed timeline, follow-up activity, and closure confirmation. Open exceptions without documented resolution are a consistent source of audit findings.
Crest customers report completing vendor due diligence 70% faster using the platform's automated questionnaire workflows, evidence collection, and AI-powered risk scoring — without trading completeness for speed.
How to Prepare Your Vendor Programme for Audit
Audit preparation is not a sprint activity that begins when an audit is announced. Programmes that consistently perform well in internal and regulatory reviews treat audit-readiness as an operational state, not an event. The following six steps represent the foundational actions required to move from a reactive to a continuously audit-ready posture.
Build and Validate a Complete Vendor Inventory
Cross-reference procurement records, IT asset registers, AP systems, and business unit inputs to construct a unified vendor register. Assign a risk tier to every entry. Schedule quarterly reconciliation to capture new relationships and retired contracts.
Audit Your Contract Library for Required Clauses
Systematically review all active vendor contracts — prioritising critical and high-tier vendors — for the presence of right-to-audit, incident notification, data handling, and sub-processor transparency clauses. Track missing clauses as open exceptions with remediation timelines.
Close the Questionnaire Loop
Implement a workflow that requires documented review of every vendor questionnaire response, not just dispatch confirmation. Track exceptions through to remediation, with documented follow-up at defined intervals. Record the review in a retrievable, timestamped format.
Implement Continuous Monitoring for Critical Vendors
Move beyond annual assessment cycles for critical and high-risk vendors. Deploy monitoring across news, regulatory, financial, and operational intelligence sources. Ensure that alerts are triaged, responses documented, and escalation paths clear and tested.
Establish Formal Offboarding Controls
Document a structured exit checklist covering access revocation, data disposition, final invoice and dispute resolution, and relationship closure confirmation. Retain completed offboarding records for the duration required by applicable regulation.
Produce an On-Demand Audit Pack
Create — and test — the ability to generate a complete vendor audit pack within 24 hours of a request: vendor inventory, risk tier assignments, due diligence evidence, monitoring logs, contract clause confirmation, and open exception status. Test this capability before an auditor requests it.
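The six steps above reduce to a set of checks that can be run mechanically against the organisation's own records, which is what makes a 24-hour audit pack achievable. The following Python script is an added example, not part of this article or of any Crest product: it reconciles constructed procurement, IT asset and accounts-payable extracts against a constructed vendor register to surface shadow vendors (step one), tests each contract against a clause set required by tier (step two; the tier-to-clause mapping is an assumption for illustration, not a regulatory list), flags questionnaires dispatched but never reviewed (step three), detects accounts still enabled for terminated vendors (step five, and the access termination test described under "Key Controls Auditors Test"), and assembles the results into an on-demand audit pack (step six). All vendor names, accounts and dates are constructed.

```python
"""Vendor register reconciliation and evidence-completeness checks (added example).

Reconciles constructed procurement, IT asset and accounts-payable extracts
against a vendor risk register, then runs the completeness tests an auditor
applies and emits an audit pack. All names, tiers and dates are constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Clause set required per risk tier. This mapping is an assumption for the
# example: critical/high tiers need all four clauses, lower tiers only data handling.
FULL_CLAUSES = {"right_to_audit", "incident_notification", "data_handling", "sub_processor_transparency"}
REQUIRED_CLAUSES = {
    "critical": FULL_CLAUSES,
    "high": FULL_CLAUSES,
    "medium": {"data_handling"},
    "low": {"data_handling"},
}

AS_OF = date(2024, 6, 30)  # constructed reporting date for the audit pack


@dataclass
class Vendor:
    name: str
    tier: str                                   # critical / high / medium / low
    status: str                                 # "active" or "terminated"
    clauses: set = field(default_factory=set)   # clauses present in the executed contract
    questionnaire_sent: Optional[date] = None
    questionnaire_reviewed: Optional[date] = None
    exceptions_open: int = 0                    # remediation items without documented closure


# Constructed vendor risk register (the "official" inventory).
REGISTER = [
    Vendor("PayCore Ltd", "critical", "active",
           {"incident_notification", "data_handling"},   # no right-to-audit clause
           date(2024, 3, 1), None),                      # questionnaire sent, never reviewed
    Vendor("CloudHost Inc", "high", "active", set(FULL_CLAUSES),
           date(2024, 2, 10), date(2024, 3, 5), exceptions_open=1),
    Vendor("OfficeSupplies Co", "low", "active", {"data_handling"},
           date(2024, 1, 5), date(2024, 1, 20)),
    Vendor("OldAnalytics GmbH", "medium", "terminated", {"data_handling"},
           date(2023, 5, 1), date(2023, 5, 15)),
]

# Constructed extracts from other systems; each source knows about vendors the others do not.
PROCUREMENT = {"PayCore Ltd", "CloudHost Inc", "OfficeSupplies Co"}
IT_ASSETS = {"PayCore Ltd", "CloudHost Inc", "QuickSurvey SaaS"}                    # SaaS tool never onboarded
AP_PAYMENTS = {"PayCore Ltd", "CloudHost Inc", "OfficeSupplies Co", "Consultancy Partners LLP"}

# Constructed access log: vendor service accounts and whether they are still enabled.
ACCESS_LOG = [
    {"vendor": "PayCore Ltd", "account": "svc_paycore", "enabled": True},
    {"vendor": "OldAnalytics GmbH", "account": "svc_oldanalytics_api", "enabled": True},  # left open after exit
    {"vendor": "CloudHost Inc", "account": "svc_cloudhost", "enabled": True},
]


def shadow_vendors(register, *sources):
    """Names present in any operational source but absent from the risk register."""
    known = {v.name for v in register}
    return sorted(set().union(*sources) - known)


def missing_clauses(vendor):
    """Required clauses (by tier) that the executed contract does not contain."""
    return sorted(REQUIRED_CLAUSES[vendor.tier] - vendor.clauses)


def questionnaire_loop_open(vendor):
    """Dispatch recorded but no documented review: the control did not operate."""
    return vendor.questionnaire_sent is not None and vendor.questionnaire_reviewed is None


def stale_access(register, access_log):
    """Accounts still enabled for vendors whose relationship has been terminated."""
    terminated = {v.name for v in register if v.status == "terminated"}
    return sorted(e["account"] for e in access_log if e["vendor"] in terminated and e["enabled"])


def build_audit_pack(register, access_log, as_of):
    """Assemble the on-demand audit pack: inventory, exceptions and offboarding gaps."""
    return {
        "as_of": as_of.isoformat(),
        "inventory": [{"name": v.name, "tier": v.tier, "status": v.status} for v in register],
        "shadow_vendors": shadow_vendors(register, PROCUREMENT, IT_ASSETS, AP_PAYMENTS),
        "contract_exceptions": {v.name: missing_clauses(v) for v in register if missing_clauses(v)},
        "questionnaires_unreviewed": [v.name for v in register if questionnaire_loop_open(v)],
        "open_remediation_items": {v.name: v.exceptions_open for v in register if v.exceptions_open},
        "stale_access": stale_access(register, access_log),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_audit_pack(REGISTER, ACCESS_LOG, AS_OF), indent=2))
```

Each check maps to one of the evidence tests described earlier, and each output list is an exception that should carry an owner, a remediation timeline and a closure record. In a real programme the constructed sets would be replaced by exports from procurement, CMDB, AP and identity systems, and the pack would be generated on a schedule rather than on request, so that the record already exists when an auditor asks for it.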
Organisations that have implemented a platform-based approach to TPRM — using tools like Crest's Intelligence Platform, which continuously aggregates data from over 3,300 sources — find that steps four and six become structural outputs of the system rather than manual assembly tasks. The audit pack already exists, updated daily, ready to export.
India-Specific Audit Considerations
For organisations operating under Indian regulatory frameworks, the audit obligations for vendor risk management carry specific evidentiary requirements that go beyond general international standards. Three regulatory domains are most directly relevant.
RBI Outsourcing Governance. The RBI's Master Direction on Outsourcing of Information Technology Services and the broader outsourcing framework applicable to banks and NBFCs require board-approved outsourcing policies, a documented risk assessment for each material outsourcing arrangement, concentration risk analysis across the vendor portfolio, and specific contractual provisions including right-to-audit and incident reporting obligations. RBI inspection findings have consistently flagged the absence of formal vendor risk registers, gaps in sub-contractor visibility, and the failure to conduct and document periodic reviews with the frequency that board-approved policies require. Regulators have made clear that the policy document and the operational record are two different things, and they expect both.
SEBI Audit Trail Requirements. For market infrastructure institutions, brokers, and regulated intermediaries, SEBI has introduced requirements for complete and immutable audit trails across technology and operational systems — requirements that extend to technology vendors providing services to these entities. Audit trail completeness for vendor-provided systems is now a standing item in SEBI technology audits. Organisations that cannot demonstrate continuous, unbroken audit logs for critical vendor-hosted systems face material compliance findings.
Digital Personal Data Protection Act, 2023. The DPDP Act introduces obligations that directly affect vendor risk documentation. Where a vendor acts as a data processor — handling personal data on behalf of the contracting organisation — there must be a valid data processing agreement specifying the purposes of processing, the security obligations of the processor, and the data principal's rights. The contracting organisation, as data fiduciary, remains liable for the processor's compliance. Audit evidence required under this framework includes executed data processing agreements with each applicable vendor, records of data localisation compliance where required, and evidence that sub-processors engaged by the vendor are themselves covered by equivalent protections.
Taken together, these three frameworks create a layered documentation obligation that a mature TPRM programme must satisfy simultaneously. The measurable impact of a structured, platform-supported approach is most visible here: organisations that attempt to manage this documentation landscape through manual processes routinely find themselves unable to demonstrate compliance across all three frameworks simultaneously when an inspection team arrives.
Key Takeaways
- Vendor risk audits have shifted from process review to evidence testing. Regulators want proof that controls operated, not documentation that they were designed.
- The five gaps auditors find most consistently — incomplete inventory, missing risk classification, unreviewed questionnaires, absence of continuous monitoring, and undocumented offboarding — are all addressable through process and platform investment.
- Right-to-audit clauses, evidence repository completeness, incident notification trails, access termination logs, and data handling obligation tracking are the core controls auditors test. Each requires contemporaneous, retrievable documentation.
- Audit-ready documentation requires completeness across the vendor lifecycle, system-generated timestamps, traceable decision rationale, and exception tracking through to closure.
- India's regulatory landscape — RBI outsourcing directions, SEBI audit trail requirements, and DPDP Act obligations — creates layered documentation demands that require a structured, platform-supported approach to satisfy simultaneously.
- Audit-readiness is an operational state, not an event. Organisations that maintain continuous monitoring and documentation do not prepare for audits — they are already ready for them.
Frequently Asked Questions
Internal auditors evaluate whether an organisation has a complete vendor inventory, a risk-tiered classification system, documented due diligence records, evidence of ongoing monitoring, and formal offboarding controls. They look for documented evidence of execution — not just policies — including right-to-audit clauses in contracts, incident notification trails, access termination logs, and a centralised evidence repository that can be reviewed without notice.
Audit-ready vendor documentation is the complete, time-stamped evidence trail demonstrating that vendor risk controls have been designed and are operating effectively. It goes beyond having a TPRM policy — it includes completed and signed questionnaire responses, risk assessment records with rationale, remediation tracking logs, monitoring alerts with responses, contract clause evidence, and data handling obligation records. The distinction regulators make is between "we have a process" and "here is proof the process ran."
In India, RBI inspections require demonstration of board-approved outsourcing policies, risk-tiered vendor classification, concentration risk assessments, and documented right-to-audit provisions. SEBI mandates complete audit trails for market infrastructure institutions, and the DPDP Act 2023 introduces obligations around data processor agreements and evidencing data handling compliance across the vendor chain. Regulators increasingly request live access to monitoring systems, not just point-in-time reports.
A right-to-audit clause is a contractual provision giving your organisation — or a designated third party — the right to inspect and review a vendor's operations, controls, and records relevant to the services they provide. Without it, you have no enforceable mechanism to verify vendor claims or respond to regulator requests for third-party evidence. RBI Master Direction on Outsourcing explicitly requires this clause for regulated financial service providers. Its absence is one of the most common and consequential findings in vendor risk audits.
A well-implemented TPRM platform builds audit-readiness into the workflow rather than treating it as a periodic scramble. It maintains a real-time vendor inventory, automates risk classification and questionnaire dispatch, tracks evidence completeness, generates monitoring alerts with response logs, and produces exportable audit packs on demand. Platforms like Crest, built on 3,300+ data sources with 365-day continuous monitoring, mean that when an auditor requests evidence of ongoing oversight, the record already exists — timestamped and complete — rather than being reconstructed after the fact.
Built for Audit-Ready Vendor Risk Management
Modern vendor risk is not about periodic checks — it is about continuous intelligence. Crest's AI-driven Vendor Intelligence Platform helps you automate due diligence, monitor risks 365 days a year, and stay audit-ready by design. Built by ex-Big4 risk professionals. Powered by 3,300+ data sources.