Shared Assessments Third Party Risk Management CTPRP Question # 6 Topic 1 Discussion
Which statement is FALSE regarding analyzing results from a vendor risk assessment?
A. The frequency for conducting a vendor reassessment is defined by regulatory obligations
B. Findings from a vendor risk assessment may be defined at the entity level, and are based on a specific topic or control
C. Identifying findings from a vendor risk assessment can occur at any stage in the contract lifecycle
D. Risk assessment findings identified by controls testing or validation should map back to the information gathering questionnaire and agreed upon framework
Statement A is the false one. The frequency for conducting a vendor reassessment is not necessarily defined by regulatory obligations; it is driven by the risk rating and criticality of the vendor, as well as by changes in the vendor's environment, performance, and controls. Regulatory obligations may provide guidance or minimum requirements for vendor reassessment, but they are not the sole determinant of the reassessment frequency.

According to the Shared Assessments Program Tools User Guide, "The frequency of reassessment should be based on the risk rating and criticality of the vendor, as well as any changes in the vendor's environment, performance, or controls. Regulatory guidance may also influence the frequency of reassessment." [1] Similarly, the CTPRP Study Guide states, "The frequency of reassessment should be based on the risk rating and criticality of the vendor, as well as any changes in the vendor's environment, performance, or controls. Regulatory guidance may also influence the frequency of reassessment." [2]

References:
[1] Shared Assessments Program Tools User Guide
[2] CTPRP Study Guide