Do you use a TPRM/GRC platform (or fit-for-purpose system) rather than spreadsheets?
Demonstrate that the organization utilizes a dedicated TPRM or GRC platform with defined workflows, centralized vendor records, and audit capabilities to manage third-party risk rather than relying on spreadsheets or manual documentation methods.
Description
What this control does
This control requires organizations to manage third-party risk using a dedicated TPRM (Third-Party Risk Management) or GRC (Governance, Risk, and Compliance) platform rather than relying on spreadsheets or ad-hoc tools. Dedicated platforms provide centralized vendor inventories, automated risk scoring, workflow management, audit trail capabilities, and standardized assessment templates that spreadsheets cannot reliably deliver at scale. The control addresses the operational and security risks inherent in spreadsheet-based processes that are decentralized, lack version control, and have ambiguous permissions. Implementing a fit-for-purpose system ensures consistent application of risk criteria, reduces manual errors, and provides auditable records of third-party evaluations and ongoing monitoring.
Control objective
What auditing this proves
Demonstrate that the organization utilizes a dedicated TPRM or GRC platform with defined workflows, centralized vendor records, and audit capabilities to manage third-party risk rather than relying on spreadsheets or manual documentation methods.
Associated risks
Risks this control addresses
- Loss of vendor risk data due to spreadsheet file corruption, accidental deletion, or lack of version control leading to uninformed access decisions
- Inconsistent application of risk assessment criteria across vendors when multiple spreadsheets exist without standardized templates or validation rules
- Unauthorized modification of vendor risk ratings or assessment outcomes without audit trails in uncontrolled spreadsheet environments
- Failure to identify overdue vendor reassessments or expiring contracts when relying on manual tracking in static spreadsheets
- Incomplete vendor inventories resulting from decentralized spreadsheet ownership across departments with no single source of truth
- Data breach or unauthorized disclosure of sensitive vendor information stored in unsecured spreadsheets transmitted via email or shared drives
- Inability to aggregate risk metrics or generate executive reports on third-party exposure when data exists in fragmented spreadsheets
Testing procedure
How an auditor verifies this control
- Request documentation of the current third-party risk management process including tool or platform specifications and access credentials for audit review
- Verify the organization maintains a centralized TPRM or GRC platform by logging into the system and confirming it contains an active vendor inventory with risk assessment records
- Inspect the platform configuration to confirm presence of standardized risk assessment workflows, questionnaire templates, approval chains, and automated reminders for reassessment
- Review audit log capabilities within the platform by generating activity reports showing user actions, timestamp records, and field-level change tracking for vendor risk data
- Select a sample of 10-15 third-party vendors and trace their risk assessment lifecycle from initial onboarding through current status within the platform to verify completeness
- Interview TPRM personnel to confirm spreadsheets are not used as the primary system of record and verify any spreadsheet exports are for reporting purposes only with source data maintained in the platform
- Examine access control configurations to verify role-based permissions restrict who can create, modify, or approve vendor risk assessments within the platform
- Validate integration capabilities by reviewing evidence of platform connections to contract management, security questionnaire tools, or continuous monitoring services that address the limitations of spreadsheet-based tracking