IT Examiner School - Oct 2025

CONTROLLED//FDIC INTERNAL ONLY

Procedure 5 – Development and Acquisition (D&A) Core Module Procedures 2 – 5

Assessment of the effectiveness of vendor management and service provider oversight programs. Determine whether the bank:

• Exercises appropriate due diligence in selecting its service providers.
• Requires its service providers by contract to implement appropriate measures designed to meet the objectives of these Guidelines.
• Monitors its service providers to confirm that they have satisfied their contractual obligations. As part of this monitoring, an institution should review audits; summaries of test results; or other equivalent evaluations of its service providers.

Reference InTREx Core Procedures – D&A Core Module Procedures 2 – 5 as prescribed below:

D&A Core Module Procedure 2 – Third-Party Risk Management (TPRM)

Evaluate whether a risk-based vendor management program has been implemented to monitor third party relationships, including supply chain risk, as applicable. Consider the following:

• Coverage of service providers and vendors, including affiliates, in the risk assessment process
• Foreign-based risks, as applicable


InTREx Abbreviated Core Examination Procedures Module July 29, 2025
