TPRM Fundamentals
Lifecycle & Controls
Risk Oversight & Governance
CAS Strategy & Approach
Continuous Monitoring & Risk Owner Responsibilities
100

What does TPRM stand for?

Third Party Risk Management

100

Which of the following lists the correct stages of the Third Party Relationship Lifecycle?

A) Planning, Due Diligence, Risk Assessment, Final Approval, Contracting, BL Ongoing Monitoring, Reassessment, Termination
B) Initiation, Execution, Closure
C) Identification, Contract Signing, Renewal
D) Proposal, Approval, Delivery

Correct Answer: A) Planning, Due Diligence, Risk Assessment, Final Approval, Contracting, BL Ongoing Monitoring, Reassessment, Termination 


100

Who owns the TPRM Policy?

Corporate TPRM, a second line of defense governance and oversight group that provides independent risk management over third party risk.

100

How does CAS integrate TPRM into its risk-based audit plan?

A) Each audit engagement evaluates third-party risk as part of its scope
B) ECMs are deployed when significant changes or emerging risks require targeted oversight
C) Routine continuous monitoring identifies trends and risk indicators, feeding into audit planning and triggering ECMs or plan adjustments when heightened risk is detected
D) All of the above

Correct Answer: D) All of the above

100

Which of the following is NOT part of CAS continuous monitoring of TPRM?

A) Quarterly formal meetings with TPRM leadership to review program changes and emerging risks
B) Monthly and ad-hoc touchpoints to address new risk items or material changes
C) Review of TPRM’s monthly management reports and issuing credible challenges when needed
D) Participation in governance committees like ORC and TPRC
E) Monitoring emerging risks and events, including complaints, security incidents, and regulatory changes
F) Documentation of all continuous monitoring activities in Archer for traceability
G) Outsourcing continuous monitoring activities to external audit firms



Correct Answer: G) Outsourcing continuous monitoring activities to external audit firms

CAS performs these activities internally and documents them in Archer; outsourcing is not part of the process.

200

True or False: The primary objective of the TPRM Policy is to establish the Company’s expectations for managing Third Party risks and consistent Third Party contracting practices across the Company.

TRUE: Establish the Company’s expectations for managing Third Party risks and consistent Third Party contracting practices across the Company

200

True or False:
The purpose of initial due diligence is to confirm contract signatures after engaging a third party.

False: The purpose of initial due diligence is to assess risk before engaging a third party, not to confirm signatures afterward.

200

Which of the following is NOT an avenue to report or escalate third-party risk within the Company?

A) TPRM’s Monthly Management Report
B) Operational Risk Committee
C) TPRM’s Monthly Management Report
D) Posting concerns on public social media platforms



Correct Answer: D) Posting concerns on public social media platforms

200

Which of the following is NOT a tool used by Corporate Audit Services (CAS) to aid in oversight of third-party risk?

A) TeamMate+ Audit Shell – Guides auditors through standardized steps for evaluating third-party risk during engagements
B) CAS SharePoint Resources – Hosts microlearning videos and templates for federated teams performing third-party testing
C) Centralized Tracker Tool – Maintains real-time visibility of third-party risk activities across CAS engagements
D) Public Vendor Review Forum – Allows external vendors to post compliance updates directly to CAS 

Correct Answer: D) Public Vendor Review Forum

  • TeamMate+ Audit Shell – Guides auditors through standardized steps for evaluating third-party risk during engagements.
  • CAS SharePoint Resources – Hosts microlearning videos and templates for federated teams performing third-party testing.
  • Centralized Tracker Tool – Maintains real-time visibility of where and when third-party risk activities are tested across CAS engagements.
  • Critical Activity Reconciliation – Monthly reconciliation mapping critical third-party relationships to auditable entities, communicated to CAS managers and directors.
  • Issue Analysis & Statistical Files – Provide vendor attributes (risk tier, business line) and outstanding issue trends for deeper oversight.
200

How does CAS identify emerging risks in TPRM?

A) Continuous monitoring of management reports and risk indicators
B) Participation in governance committees
C) Industry and regulatory scanning
D) Analysis of audit issue trends and concentration metrics for critical activities
E) All of the above

Correct Answer: E) All of the above

CAS uses a combination of monitoring, governance participation, external scanning, and trend analysis to detect emerging risks and adjust audit plans accordingly.

300

Which regulatory bodies influence TPRM requirements?


  • Office of the Comptroller of the Currency (OCC)
    • Guidance such as OCC Bulletin 2013-29 on third-party relationships (rescinded in 2023 and replaced by the Interagency Guidance on Third-Party Relationships: Risk Management, issued jointly by the OCC, FRB and FDIC as OCC Bulletin 2023-17).
  • Federal Reserve (FRB)
    • Supervisory expectations for risk management of outsourced activities.
  • Consumer Financial Protection Bureau (CFPB)
    • Oversight for compliance with consumer protection laws.
  • Federal Deposit Insurance Corporation (FDIC)
    • Requirements for managing vendor risk in insured institutions.
  • European Regulators (for cross-border operations)
    • Includes compliance with frameworks like the EU’s Digital Operational Resilience Act (DORA), which sets requirements for managing ICT third-party and outsourcing risk.
300

True or False: All third party relationships are reassessed annually. 

False: In-scope third parties are reassessed at a risk-based frequency determined by their inherent risk tier. High risk third parties, including Concentration and Critical Activity relationships, are reassessed annually (12 months); medium risk biennially (24 months); low risk triennially (36 months); and minimal risk quadrennially (48 months), measured from the date the last assessment received final approval.

300

True or False:
Risk and Compliance Specialists are responsible for conducting domain-specific risk assessments, credibly challenging risks, and recommending mitigation measures during the Third Party Risk Management lifecycle.

True: A Risk and Compliance Specialist (RCS) provides independent challenge and subject matter expertise within the TPRM program by reviewing third-party risk assessments, validating control effectiveness, and ensuring compliance with policy and regulatory requirements throughout the vendor lifecycle. They also document decisions in Archer and collaborate with business lines and Corporate TPRM to mitigate high-risk exposures.

300

How does CAS obtain TPRM audit coverage?

  • CAS audits the governance structure and oversight activities performed by TPRM, ensuring alignment with policy and regulatory expectations. This includes reviewing how the second line monitors the first line’s execution of TPRM programs.
  • CAS performs detailed testing of TPRM processes such as risk assessments, ongoing management, and reassessments for critical third-party relationships. These tests validate whether controls mitigate risks like inadequate oversight or flawed execution.
  • CAS conducts routine continuous monitoring of TPRM metrics, management reports, and emerging risks. It issues credible challenges when policies or practices require clarification or improvement, ensuring accountability and timely remediation.
  • Each audit engagement considers third-party risk where relevant, using standardized templates and SME support. CAS tracks coverage across engagements and deploys ECMs for high-risk or changing environments.
300

True or False:
A CAS Third Party Risk Owner provides strategic oversight for a specific risk domain, develops the risk approach, ensures audit coverage aligns with enterprise methodology, serves as a subject matter expert during planning and execution, monitors emerging risks, reviews related findings, collaborates with Audit Engagement Owners, and escalates significant issues to CAS leadership when necessary.


Correct Answer: True

These responsibilities define the CAS Risk Owner’s role in maintaining comprehensive third-party risk coverage.



400

Which of the following best describes the risk tiers used by Corporate TPRM for third-party relationships?

A) Tier A to Tier D
B) Tier 1 to Tier 4
C) Low, Medium, High
D) Level 0 to Level 3

B) Tier 1 to Tier 4

Tier 1 – High Risk

Tier 2 – Medium Risk

Tier 3 – Low Risk

Tier 4 – Minimal Risk

Further, a relationship may be designated a Critical Activity, meaning its disruption could cause significant risk or impact, as determined by high Compliance, Cyber, or Resiliency risk. A relationship may also carry Concentration Risk, which occurs when a Third Party provides five or more high risk products/services or has been so designated through expert judgement.

400

Which of the following is NOT a purpose of ongoing management in Third Party Risk Management?

A) Ensuring consistent satisfaction of the Company’s business objectives and performance expectations
B) Confirming third-party adherence to contract terms and Company policies
C) Confirming compliance with applicable laws, regulations, and standards
D) Finalizing initial due diligence before engagement




Correct Answer: D) Finalizing initial due diligence before engagement

Ongoing management occurs after engagement and focuses on monitoring and compliance, not initial due diligence.

400

What other policies/procedures have third party impact/relevancy?

  • Anti-Bribery and Anti-Corruption Policy
  • Elder and Vulnerable Adult Financial Exploitation Prevention Policy
  • Guidelines for Conducting Business with Customers and Insiders
  • Brand Policy
  • Electronic Mail External Domestic Communication Policy
  • Guidelines for Outside Counsel
  • Third Parties Performing Debt Collection Foreclosure Activities 
  • Enterprise Compliance Program Policy
  • Identity Theft Red Flags (ID Theft RF) Compliance Policy
  • Business Line Control Environment Policy
  • Enterprise Data Protection and Privacy Policy
  • Integration Procedures
  • Business Line Quality Assurance Policy
  • Enterprise Financial Crimes Compliance AML Program Policy
  • Interactions with U.S. Public Officials and Public Employees Policy
  • Canada Branch Outsourcing Policy
  • Enterprise Financial Crimes Compliance Economic Sanctions Policy
  • Mergers and Acquisitions ("M&A") Committee Policy
  • Compliance Material Review and Approval (CMRA) Policy
  • Enterprise Fraud Risk Management Framework
  • Mortgage Servicing Vendor Management Procedures
  • Concentration Risk Management Policy
  • Enterprise Fraud Risk Management Prevention and Detection Policy
  • PCI Compliance – Managing Third-Party Service Providers
  • Confidential Supervisory Information (CSI) Policy
  • Enterprise Fraud Risk Management Response and Administration Policy
  • Product and Service Delivery Risk Management Policy
  • Corporate Communications Policy
  • Enterprise Information Security Policy
  • Product Risk Management Policy
  • Corporate Third Party Risk Management (TPRM) First Line of Defense Procedures
  • Enterprise Payments Policy
  • RCS Procedures
  • Corporate TPRM internal procedures
  • Enterprise Resiliency Policy
  • Regulatory Change Management Policy
  • Credit Management – Third Party Risk Management Credit Review and Monitoring Policy 603-1
  • Equity Investment Policy
  • Requirements for Third Parties in Moderate or High Risk Locations
  • Customer Complaint Policy and related procedures
  • External Risk Request Management Policy
  • Risk and Control Self Assessment (RCSA) Policy
  • Customer Complaint Standard
  • Fair and Responsible Banking Program Policy
  • Sales Practices Oversight Policy
  • Customer Dispute Data Oversight Policy
  • Gifts and Entertainment Policy
  • Social Media Advertising Policy
  • Customer Remediation Policy
  • Global Fund Services (Guernsey) Limited Outsourcing Policy
  • Third Party Code of Conduct
  • USBE Third Party Risk Management Standard
  • Global Fund Services (Ireland) Limited Third Party Risk Management Standard
  • U.S. Bancorp Environmental and Social Risk Policy
  • Adverse Event Management Policy
  • Issue Management Policy
  • Internal Operational Data Loss Policy
400

True or False:
The minimum risk rating for any auditable entity (AE) that has a critical activity mapped to it is High.

Correct Answer: True

The minimum risk rating for any auditable entity (AE) that has a critical activity mapped to it is High. This is because critical third-party relationships pose significant operational and compliance risks, and failure of these parties could result in major business disruption. If no critical activity is associated with an AE, the rating is based on the volume and collective risk profile of third parties engaged.

400

What is the CAS approach to monitoring critical activity vendors?

CAS monitors critical activity vendors through a risk-based approach that includes monthly reconciliations to map critical third parties to auditable entities and confirm coverage due dates, continuous monitoring of TPRM reports and governance discussions to identify emerging risks, and deployment of enhanced continuous monitoring (ECM) when material changes or heightened risks occur. These activities are supported by centralized tracking tools and periodic communications to ensure compliance with cycling requirements and maintain timely oversight.

500

True or False:
The Corporate Directed Program is a centralized process where Corporate TPRM individually manages third-party relationships, while the Business Directed Program delegates management of similar third-party relationships to Business Lines under Corporate TPRM oversight.





TRUE: 

  • The Corporate Directed process is the standard process for managing relationships.
  • The Business Directed process involves BL management of a group of like relationships (providing a common product, service, activity or function and sharing similar risk characteristics) within a Business Directed Program, allowing the relationships to be collectively managed to achieve efficiency while managing applicable risks.
500

True or False: The contracting system of record is Archer?

False. Archer is not the current contracting system of record for third-party contracts. It was previously used for contract lifecycle management and as a repository for third-party contracts, but it has been replaced by the Contract Lifecycle Management (CLM) tool (Agiloft) as the official system of record for contracting activities.

500

Which of the following is NOT a role of the Third Party Global Delivery Oversight team within Corporate TPRM?

A) Partner with the Data Protection Team to promote the protection of Confidential or Personal information provided to Third Parties
B) Minimize opportunities for the loss, compromise, or unauthorized access to Confidential or Personal information
C) Provide assurance of compliance with legal, regulatory and contractual data protection obligations by ensuring Third Parties are analyzed in a manner consistent with the Company’s risk appetite
D) Negotiating third-party contracts and pricing on behalf of Business Lines



Correct Answer: D) Negotiating third-party contracts and pricing on behalf of Business Lines

Contract negotiation is handled by Procurement and Business Lines, not the Global Delivery Oversight team. The team focuses on global delivery risk oversight and compliance activities.

500

Which of the following best describes how CAS tracks third-party coverage?

A) CAS uses a public vendor portal to collect compliance updates from external parties.
B) CAS maintains a tracking tool that consolidates coverage for relationship management and operational risk across all engagements.
C) CAS relies on quarterly audit reports where third party risk is in-scope.
D) CAS uses informal email updates from relationship managers to monitor coverage.

Correct Answer: B) CAS maintains a tracking tool that consolidates coverage for relationship management and operational risk across all engagements.

This tracker maps each critical activity to its corresponding auditable entity and records when coverage was last obtained.

500

How often are critical activity vendors audited according to CAS' strategy/approach?

A) Every 6 months after being identified as critical
B) Within 12 months of being identified as critical and at least every 24 months thereafter
C) Once every 36 months regardless of risk level
D) Only when a significant risk event occurs




Correct Answer: B) Within 12 months of being identified as critical and at least every 24 months thereafter

CAS monitors compliance through monthly reconciliation. The reconciliation is communicated to CAS Managers and Directors along with the relationship’s next coverage due date. The reconciliation also maps each critical activity to the corresponding Auditable Entity where coverage is expected to be obtained.
