u/Big-Razzmatazz3034

No clean report is allowed. Frustration MAX

I feel burnt out with my job, need to get some advice.

My audit shop has a strict, unwritten rule: We are never allowed to issue clean audit reports. We are forced to find at least 4-5 observations in every single engagement.

Still, there are lots of restrictions on what doesn't qualify as an audit point:

  • If it costs money (like implementing a data classification tool to stop data leaks), it’s banned for being too expensive.
  • If it’s an industry best practice (like sending security questionnaires to vendors), it’s banned for being "too academic" with no immediate, visible effect.

I’m currently halfway through an audit on Third-Party Risk Management. With these constraints, I am struggling to come up with any valid points. The deadline is looming, and my anxiety is through the roof. Please help.

reddit.com
u/Big-Razzmatazz3034 — 3 days ago

What security checks do you perform on third-party vendors before granting them privileged access through CyberArk?

My company uses CyberArk as our PAM solution and has an approval workflow in place before any third party gets access to our designated IT resources. However, I'm trying to understand what checks people are actually doing on the third party's own systems and environment before granting that access — not just the identity and approval side of things.

Would you be verifying things like whether their endpoint meets a minimum security baseline (patched OS, AV/EDR installed, etc.)? Are you requiring device certificates? Do you do any kind of pre-connect posture check before the PSM session is allowed to establish?

Thanks in advance!

u/Big-Razzmatazz3034 — 4 days ago

Small security team (just 2 of us) — what's the minimum you do for vendor risk assessments

Hey all, looking for some practical, real-world advice on vendor risk assessment. I work at a small company in a non-regulated industry and handle vendor risk assessment as part of my job.

We currently have quite a lot of vendors onboarded and are now starting to think about the risks we may have, but have no idea what we actually need to check before letting a vendor in. What's the stuff you'd feel genuinely uncomfortable skipping, versus the stuff that's just box-ticking that nobody actually uses?

Is there a short questionnaire you've settled on? A handful of contract clauses you always insist on? Specific red flags in vendor responses that make you walk away? Anything that has saved you in hindsight?

We're trying to set up a simple workflow — something where if something goes wrong, we can at least show we did the reasonable and sensible things given our size and constraints.

Appreciate any real-world experience you are willing to share. Thanks in advance!

u/Big-Razzmatazz3034 — 10 days ago