One of my jobs is internal auditor, and I compile vendor management docs on our vendors, so our vendor management is audited during the external IT audit since I can't audit myself. Wish I had an audit sample for you. The external auditor reviews our Vendor Management Policy for adequacy with regulatory requirements and verifies that our policy requirements for a vendor are followed and supporting docs are in file. We (policy) require additional review on vendors that we spend $5000 or more with annually and are rated high/moderate risk. A file is developed that includes a Vendor and Service Provider Risk Rating Form we complete and the contract; depending on the type of vendor, the file includes SSAE16/SOC 1, insurance, financials, business continuity plan, FFIEC Report of Examination. They verify that all of the items required by policy are current, reviewed, and in file.
_________________________
In God we trust, all others pay cash. . . Jean Shepherd