I sent a PM to ene0712, perhaps he will forward to you. IMHO, you cannot use a canned template when preparing to audit a vendor. What you will be reviewing will be largely determined by the regs governing the outsourced function, your contract with the vendor, and/or any service level agreements with the vendor or downstream processes. This should be your starting point and should be done before you set foot in the vendors door. You should also examine the vendors financial statement, and pull a D&B at minimum. You don't want to risk a critical function to a vendor that may not exist a year from now. Once that is done, you should audit the vendor as if the function were still in-house.