A lot would depend upon the type of service the vendor is providing for you. I know that we conduct annual onsite inspections of the company that does our shred/disposal for us. We show up pretty much unannounced. A well-run organization should not be hesitant to provide a tour of their facilities. We ask questions about the handling of our documentation from the time it leaves the bank until it reaches its final destination. You want to make sure the facility is secured. Ours has barbed wire around the facility and has an electronic gate that you must go through to reach the building. Ask about how they dispose of the documents, what procedures they have in place for ensuring there is no breach of information during transit, whether they have privacy agreements that their employees have to sign when they are hired, whether they do background checks on their employees, etc.
This is the same type of process you would do for each vendor that provides a critical function as it relates to information security. Does the operation appear sound? Do you like the way they answer your questions regarding the privacy of your information? Do they appear hesitant to allow you to do a walk-through? Is the facility neat (no documents piled in corners in boxes that are 15 years old)? If they have your customers' information in an electronic form, then how are they ensuring that it is not compromised? What types of internal controls do they have to make sure that only employees with a business need have access to that information? What about their contingency plans? Are there backup tapes? If so, how are those handled/secured?
Basically, you want to hear the same responses from your vendors as you would give to an examiner. For as long as this law has been out, vendors are getting used to us asking these questions, and for most it won't come as a surprise.