According to a 2020 Ponemon survey [1], the number of third parties organisations deal with is growing by 15 percent each year. With so many third parties, organisations often end up focusing their attention on a small number of vendors (usually the largest) and ignore smaller ones that may actually pose the greatest risk.
On-the-ground gaps are also evident [2]. Most organisations rely on legal clauses specifying security and privacy practices, or on self-assessments, without ever checking whether they are actually followed. Despite a clear understanding that third-party cyber security incidents are increasing, a vendor’s reputation or subjective confidence in it is still a deciding factor in whether to conduct an audit.
The introduction of AI has complicated the picture, especially when it comes to third parties that provide safety products or AI-integrated products. Deployers of such systems potentially have obligations under the law (such as the EU AI Act) or under other AI governance standards they adhere to. Without in-house subject matter expertise, audits are likely to be cost prohibitive.
Every digital cloud has a silver lining, though! At ComplyMe.AI, we believe the power of AI can help ease, not increase, your compliance burden. See below for how easy an AI, privacy or information security audit can be.
1. Create an Audit
Figure out who you’d like to audit, the objectives for the audit, the due date and the contact email for the third party to be audited.
2. Select Controls
Next, decide what type of controls you want to audit against, then search for the most relevant ones. ComplyMe.AI comes with thousands of controls already built in. These are drawn from leading industry standards for privacy and information security (NIST SP 800-53 Rev. 5, NIST CSF 2.0, ISO/IEC 27001:2022, HIPAA) as well as AI (NIST AI RMF, ISO/IEC 42001:2023). We also provide questions and suggested required evidence for each control, which you can customise to your specific needs.
3. Add Audit
Once you’ve decided on a list of suitable controls, add them to the audit and launch it.
4. Undertake Audit
Audited third parties simply reply to each question they are asked. They also have the option of uploading files to support their answers. When ready, they can ask ComplyMe.AI to assess the response.
5. View Audit Assessment
Once all questions have been answered and assessed, you can view a conformance report. For each control, the report assesses the responses against:
- How relevant the responses are;
- Their accuracy, sufficiency, appropriateness and objectivity;
- Their support for the control in question, and
- Their strengths and weaknesses.
An actionable conclusion you can use to determine your next steps is also provided.