
NEW! Practice Guide: Auditing Third-party Risk Management
Recommended Guidance 

This practice guide is a useful tool for becoming better informed about risks related to third-party provider management. Risks across the full vendor life cycle are considered, including the appropriate sourcing, ongoing management, and termination of vendors.

The guide also explores risks resulting from the types of services being provided and the sensitivity of the data being shared. Sample audit guidance is offered, making this a robust resource with tangible tools.

Topics include:

  • Outlining key roles, responsibilities, and risks in managing third-party providers.
  • Defining a third-party risk audit coverage approach.
  • Developing a structure for scoping, planning, and executing third-party risk audits.
  • Appropriately engaging and assessing third-party risk management activities across the business, oversight, and control functions.
  • Determining whether the organization has a third-party risk management structure that results in a “patchwork” approach, and, if so, how to bring it together into an enterprisewide framework.

Downloads and Links

Practice Guides are restricted to IIA members only.

Non-members may purchase this Practice Guide from the IIA Bookstore.


An updated edition of the International Professional Practices Framework (IPPF) guide, more commonly known as the Red Book, is now available. Visit the IIA Bookstore for more information.