Is TPRM integrated into procurement workflow as a hard gate (cannot sign without TPRM sign-off)?
Description
What this control does
This control mandates that Third-Party Risk Management (TPRM) approval acts as a blocking requirement in the procurement workflow, preventing contract execution or purchase order issuance until a formal TPRM assessment is completed and approved. Implementation typically involves workflow automation in procurement systems (e.g., ERP, CLM, or procurement portals) that enforces status checks and prevents signature authority from advancing until TPRM clearance is recorded. This hard gate ensures no third-party vendor relationships commence without due diligence on cybersecurity, privacy, compliance, and operational risks.
Control objective
What auditing this proves
Demonstrate that the organization has enforced automated or procedural controls that prevent contract signature and vendor onboarding without documented TPRM approval.
Associated risks
Risks this control addresses
- Procurement teams bypass TPRM reviews to expedite vendor onboarding, exposing the organization to unvetted supply chain threats
- Vendors with inadequate security controls gain access to sensitive data or critical systems without risk assessment
- Legal agreements are executed without security addenda or vendor obligations for breach notification and security standards
- Shadow IT and unapproved third-party integrations proliferate due to lack of enforced governance at contract stage
- Regulatory non-compliance occurs when high-risk vendors (e.g., those handling PII or payment data) are onboarded without proper due diligence
- Incident response and liability attribution become unclear when vendor security posture and contractual obligations are undocumented
- Post-breach forensic analysis reveals the attack vector originated from a vendor that was never subjected to TPRM evaluation
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's procurement policy and procedure documentation to confirm TPRM sign-off is defined as a mandatory gate before contract execution.
- Identify all procurement workflow systems (ERP modules, contract lifecycle management platforms, procurement portals) used to process vendor contracts and purchase orders.
- Request system configuration exports or screenshots demonstrating workflow states, approval routing rules, and signature authority controls that reference TPRM status.
- Select a representative sample of 15–20 vendor contracts executed within the past 12 months, stratified by risk tier (high, medium, low) and procurement type (IT services, SaaS, consulting, hardware).
- For each sampled contract, trace the approval workflow in the procurement system to verify that TPRM assessment records exist and were approved prior to the contract's signature timestamp.
- Attempt to identify any override mechanisms, emergency procurement processes, or exception workflows that permit contract execution without TPRM approval, and review associated governance and logging.
- Interview procurement and TPRM team members to confirm operational enforcement and inquire about any instances where contracts were signed before TPRM completion, including documented exceptions.
- Cross-reference the sampled contracts against the TPRM assessment repository to confirm that all vendors have corresponding risk assessments completed before contract effective dates.
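One way to perform the timestamp cross-reference in the last two steps above, as an added example that is not part of this control catalogue: a small Python check over constructed contract and assessment exports (the record fields, vendor ids and ticket numbers are assumptions) that flags contracts whose signature predates an approved TPRM decision, and reports documented exceptions separately so the override governance can be reviewed rather than counted as a silent bypass.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class Contract:                      # one row of a CLM/ERP contract export (assumed shape)
    contract_id: str
    vendor_id: str
    signed_at: datetime
    exception_ticket: Optional[str] = None  # documented emergency/override, if any

@dataclass
class Assessment:                    # one row of the TPRM repository export (assumed shape)
    vendor_id: str
    status: str                      # "approved", "pending" or "rejected"
    decided_at: Optional[datetime]   # None while still pending

def check_tprm_gate(contracts, assessments):
    """Return (contract_id, finding) for each contract that did not clear the gate:
    pass = an approved assessment for the vendor decided on or before signature."""
    findings = []
    for c in contracts:
        vendor_records = [a for a in assessments if a.vendor_id == c.vendor_id]
        prior = [a for a in vendor_records if a.status == "approved"
                 and a.decided_at is not None and a.decided_at <= c.signed_at]
        if prior:
            continue                                   # gate respected
        if c.exception_ticket:                         # review exception governance/logging
            findings.append((c.contract_id, f"documented exception {c.exception_ticket}"))
        elif not vendor_records:                       # vendor never entered TPRM at all
            findings.append((c.contract_id, "no TPRM assessment on record"))
        else:                                          # assessed, but not approved in time
            findings.append((c.contract_id, "no approval dated on or before signature"))
    return findings

# Constructed sample export (not real data): four contracts and the TPRM records.
SAMPLE_CONTRACTS = [
    Contract("C-001", "V-A", datetime(2024, 3, 10)),
    Contract("C-002", "V-B", datetime(2024, 4, 5)),             # approved only after signing
    Contract("C-003", "V-C", datetime(2024, 5, 1)),             # never assessed
    Contract("C-004", "V-D", datetime(2024, 6, 15), "EXC-17"),  # emergency procurement
]
SAMPLE_ASSESSMENTS = [
    Assessment("V-A", "approved", datetime(2024, 3, 1)),
    Assessment("V-B", "approved", datetime(2024, 4, 20)),
    Assessment("V-D", "pending", None),
]
```

Running `check_tprm_gate(SAMPLE_CONTRACTS, SAMPLE_ASSESSMENTS)` returns findings for C-002, C-003 and C-004 only; the same comparison can be run over the full 15–20 contract sample once the two exports are loaded.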