Supplier Security and Privacy Assurance (Partner Vendor Audit)

Trust is built on the foundation of strong privacy and security procedures. Microsoft's Supplier Security and Privacy Assurance (SSPA) programme, which applies to all suppliers who handle Microsoft personal or confidential data on the company's behalf, aims to standardise and strengthen the handling of sensitive information on a global scale.
As a Microsoft Preferred Assessor, BDO can assist current and prospective Microsoft suppliers in meeting SSPA programme requirements as they seek to establish or renew contracts. Our team of professionals is equipped, and trusted by Microsoft, to guide clients at each stage of the process, having engaged with the Microsoft SSPA team on the latest programme updates.
Organisations perform due diligence on their third-party ecosystem and its security, but to be genuinely protected they must also audit and continuously monitor their providers. Not only do companies audit their vendors; standards and regulations frequently demand that the company's own vendor management programme be audited as well. Vendor risk management audit methods must be efficient for audits of vendor management programmes to go smoothly.
Enjoy a proper audit control from DigiAlert

Scheduling the audit by telephone allows the manufacturer to gauge the vendor's or supplier's reaction to the proposed audit. The manufacturer should be concerned if the vendor hesitates or refuses to schedule the audit; a supplier should welcome the manufacturer and have no trouble agreeing a date. Before ending the call, double-check that there are no misunderstandings and that the vendor or supplier understands why the audit is being conducted. Allow enough time for the vendor to prepare: the vendor or supplier will need to receive the audit schedule and ensure that all necessary documents are in place and accessible.

Professional audit of development

A development audit focuses on areas that require specialised attention and may be used to close out a CAPA (corrective and preventive action). It follows a new vendor/supplier audit or a scheduled audit, and is usually carried out when there are observations that need to be corrected. After receiving the audit report, the vendor should have submitted a CAPA plan to the manufacturer. Once on site, the manufacturer checks that the CAPA has been implemented and that the issues are being addressed.

The right verification audit

A verification or follow-up audit is conducted to confirm that a corrective action has been implemented and that regulatory compliance has been achieved. The manufacturer is on site during this type of audit to check that the corrective action has been taken and that the facility conforms to current Good Manufacturing Practices (CGMPs) or the relevant ISO standards. The manufacturer is there only to verify the corrective actions, not to review the general operation of the vendor or supplier.

The right observations for a better growth

Any non-conformance or non-compliance that, if permitted to continue, poses a low risk to product quality is a minor observation. It denotes small or isolated flaws in one or more quality systems.
Any non-conformance or non-compliance that, if permitted to persist, poses a moderate risk to product quality is a major observation. It indicates significant flaws in one or more quality systems.
Any non-conformance or non-compliance that has already affected product quality, or that, if permitted to continue, poses a high risk of compromising it, is a critical observation.

DigiAlert offers the best closing audit to the vendors

A closing meeting should be scheduled after the manufacturer has completed the audit to inform the vendor/supplier of all findings made during the audit. Any questions from the manufacturer to the vendor or supplier, and vice versa, should be clarified at this point. The manufacturer should discuss every finding, including all observations, with the vendor/supplier so that nothing in the written audit report comes as a surprise. The meeting is also an opportunity to tell the vendor what it is doing well. End the discussion on a positive note by acknowledging that, despite the observations raised, good work is being done.

What is our methodology?

  • Microsoft requires the supplier to complete an SSPA Data Protection Requirements (DPR) self-attestation.
  • The supplier completes and submits the self-attestation to Microsoft.
  • Microsoft reviews the supplier's self-attestation and, where required, requests an independent assessment.
  • BDO works with the supplier to define the scope, cost, and timeline of the Independent Assessment.
  • To prepare for the Independent Assessment, BDO provides the supplier with an artefact and inquiry request list.
  • BDO sets the dates for the Independent Assessment inquiries and artefact inspections.
  • BDO conducts the Independent Assessment inquiries and artefact inspections (these can typically be performed remotely).
  • BDO provides the supplier with a list of identified compliance gaps for remediation.

Solutions we serve you with

Does it cover human resources security?
Does it address physical and environmental security?
Does it set baseline security requirements for networks and systems?
Does it establish data security requirements?
Does it establish access control requirements?
Does it require vendors to document their own vendor management programme?
Does it spell out the vendor's duties for incident response management?
Does it spell out the vendor's responsibilities for business continuity and disaster recovery?
Is it clear about the vendor's compliance requirements?

Why choose us?

Before analysing third-party providers or building an operating model, companies must develop a risk assessment strategy and methodology for categorising their business partners. This process includes matching corporate goals to vendor services and explaining the rationale to senior management and the Board of Directors.

  • When auditors examine risk assessments, they need evidence of the evaluation process as well as oversight from the Board. This is where our professionals help.
  • Risk thresholds must be established for each category; for example, when selecting a software vendor for a quality management system.
  • The auditor will analyse vendor category and concentration as part of the risk assessment approach.

Today, information security affects many aspects of vendor management and therefore needs to be documented for audit. Vendors with weak information security programmes are exposed to data breaches that threaten their financial stability, which makes the strength of those programmes an important factor in risk assessment and qualification. A vendor's access and permission management also affects its upstream clients, because weak controls put them at risk of insiders gaining unauthorised access to systems and databases. Vendors must in turn monitor their own suppliers; supply-chain risk arises when upstream organisations trust without verifying. The DigiAlert platform can be used to generate an audit trail for a vendor management programme.