During the initial scoping phases of an organization’s audit engagement, your auditor will partner with you to help you narrow down the third-party vendors to be included in your engagement. In order to ensure that your organization’s security posture is and remains strong, you need to consider the impact that the third-party vendors you’ve entrusted sensitive data with could have on your organization.
This means that you’ll need to be able to list who your third-party vendors are, what services they provide to you, and whether they’ve gone through audits themselves. Knowing this information will help you determine whether or not you need to carve them out of your audit or include them. What’s the difference between carving out or including third-party vendors in an audit? Let’s take a look.