2ndly
At our last technology exam we were criticized because we did not include our outsourced Internal Audit firm as a critical vendor. Our thought process was: although they do have access to consumer information ... it is only what we provide; they do not actually have access to our system; and while it would be inconvenient, there are others we could contract if this one could not provide the service. Our feeling is significant vendor at best. What do others do? If it matters, we are under $250 in asset size.
Neither my internal nor external audit provider is a "critical" vendor. We are OCC, $455 million in assets.
My logic for excluding them includes:
* The bank can easily function without them tomorrow should they have a disaster and take a week to be back up and running. External audit is two visits a year, internal is 6; they can be rearranged. If they go out of business, there are half a dozen other firms in town I can have in place in no time.
* The confidential information we share with them is only done through secure portals and monitored while on site.
The OCC has not questioned this logic/argument...yet. Hope that helps.