IT Examiner School - Oct 2025
CONTROLLED//FDIC INTERNAL ONLY
D&A Core Module Procedure 3 – TPRM Due Diligence Process and Selection Process

Evaluate the due diligence process in selecting key vendors and third-party relationships (including supply chain as applicable). Reviews should focus on an entity’s financial condition, relevant experience, knowledge of applicable laws and regulations (e.g., transactions with affiliates), reputation, scope of operations, and effectiveness of controls.

Consider management’s review of the following:

- Business background, reputation, and strategy
  - Business reputation, corporate history, and status in the industry
  - Qualifications and competencies to perform the service
  - Strategies and goals, including service philosophies
- Financial performance and condition
  - The service provider’s most recent financial statements regarding capital strength, liquidity, and sustainability
  - Insurance coverage
  - Ability to perform proposed functions using current systems or the need to make additional investments
  - Identification of potential conflicts of interest
- Operations and internal controls
  - Business resumption strategies and contingency plans
  - Knowledge of relevant consumer protection regulations
  - Management information systems
  - Record retention and maintenance practices
  - Information security and physical security controls
  - Established third-party relationships (i.e., subcontractors, supply chain relationships, etc.) evaluation, selection criteria, and appropriate authority for approval
  - Communication with key stakeholders (e.g., board of directors, senior managers, business line management, users) and existing customers
InTREx Abbreviated Core Examination Procedures Module July 29, 2025