ID.SC-1 / ID.GV-2 NIST Cybersecurity Framework v1.1

Does TPRM report to the board (or audit committee) at least annually with material risk findings?

Description

What this control does

This control requires the Third-Party Risk Management (TPRM) function to provide formal reporting to the board of directors or its audit committee at minimum annually, specifically addressing material risks identified through vendor assessments, ongoing monitoring, and incidents. The report typically includes high-risk vendor findings, critical vulnerabilities in third-party systems, vendor security incidents, concentration risks, and changes to the third-party risk landscape. Board-level oversight ensures executive accountability for supply chain and vendor-related cyber risks that could materially impact the organization's security posture, operations, or regulatory compliance.

Control objective

What auditing this proves

Demonstrate that the TPRM function delivers structured annual reporting to the board or audit committee containing material third-party cybersecurity risk findings, and that governance bodies receive sufficient information to exercise oversight.

Associated risks

Risks this control addresses

  • Board remains unaware of critical vendor security weaknesses until a supply chain breach occurs, preventing proactive risk treatment decisions
  • Vendor concentration risks go unreported, creating single points of failure that could disrupt critical business operations
  • Material third-party data breaches or security incidents affecting customer data are not escalated to governance level, resulting in regulatory penalties for inadequate oversight
  • High-risk vendors with access to sensitive systems continue operations without executive-level risk acceptance or mitigation mandates
  • Executive leadership allocates insufficient resources to TPRM programs due to lack of visibility into third-party threat landscape
  • Audit committees cannot fulfill fiduciary duties regarding supply chain risk oversight without documented evidence of material risk reporting
  • Regulatory examinations identify governance gaps when board meeting minutes lack evidence of third-party cybersecurity risk discussions

Testing procedure

How an auditor verifies this control

  1. Request and review the board of directors and audit committee meeting calendar for the most recent 12-month period to identify scheduled governance meetings
  2. Obtain copies of board or audit committee meeting minutes and materials packages for the past 12 months to identify TPRM reporting instances
  3. Retrieve all formal TPRM reports presented to the board or audit committee within the audit period, including slide decks, executive summaries, and supporting documentation
  4. Verify the TPRM report content includes material risk findings such as high-risk vendor assessments, critical vulnerabilities, security incidents, concentration risks, and remediation status
  5. Confirm the report identifies specific vendors by name or category when presenting material risks, rather than only aggregate statistics
  6. Review board or audit committee minutes to verify acknowledgment, discussion, or action items resulting from TPRM risk presentations
  7. Interview the Chief Information Security Officer, Chief Risk Officer, or TPRM program owner to confirm the reporting cadence, escalation thresholds for materiality, and board feedback mechanisms
  8. Cross-reference material risks reported to the board against internal TPRM risk registers and vendor assessment results to validate completeness and accuracy of escalated findings

Evidence required

Board or audit committee meeting minutes from the past 12 months with documented TPRM agenda items and attendance records. Formal TPRM reports, presentations, or executive briefings delivered to governance bodies, including content showing material vendor risk findings, risk ratings, remediation timelines, and concentration analysis. Email confirmations or distribution records proving report delivery to board members or audit committee members.

Pass criteria

The TPRM function delivered at least one formal report to the board of directors or audit committee within the past 12 months, the report contains specific material third-party cybersecurity risk findings with sufficient detail for governance oversight, and board or audit committee meeting minutes document receipt and consideration of the TPRM report.