IT Examiner School - Oct 2025
Internal Use Only
Risk Management Considerations
• Perform risk assessments early & update each phase.
• Include security, compliance, vendor, operational risks.
• Track mitigation actions & approvals.
• Feed results into testing & go/no-go decisions.
Acquisition & Vendor Tie-In
A proper due diligence process should focus on the prospective third party's:
• Ability to provide the services needed
• Knowledge & experience of applicable laws and regulations
• Reputation (check references, public information, litigation)
• Scope of operations and deliverables (can they provide adequate service and support?)
• Effectiveness of controls (will they make audit reports available?)
• Use of subcontractors and other parties
• Escrow Agreements
• Financial condition
• Industry expertise