Skip to main content
Image coming soon

Third Party Risk Assessment as Audit Evidence

$199.00
Adding to cart… The item has been added

A focused course, tailored for you

Third Party Risk Assessment as Audit Evidence

Build the end-to-end TPRM workflow that turns vendor assessments into regulator-ready documentation.

Your vendor register has hundreds of completed assessments. When a regulator asks what changed between this quarter and last for your top-tier critical vendors, the answer requires pulling three spreadsheets, two email threads, and a meeting with IT. That is not audit evidence. This course fixes the documentation chain.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

Third-party risk assessments at financial institutions collapse at the evidence layer. The questionnaire gets completed. The inherent risk score gets logged. The residual risk gets signed off. Then the cycle closes and nothing ties it to the next review. When APRA or FCA examiners arrive, they ask questions the register cannot answer: What drove the risk-rating change in Q3? Where is the board's visibility on concentration exposure to this vendor? What triggered the last escalation? The answers exist somewhere in emails and meeting notes, but they are not part of the documented assessment record. CPS 230 operational resilience requirements specifically demand that critical vendor arrangements have board-level accountability and documented exit assumptions. That standard cannot be met with a questionnaire workflow that treats each assessment as a standalone event.

What you walk away with

  • Build a vendor tiering model that drives review frequency decisions and can be demonstrated to regulators as methodology-based, not arbitrary.
  • Design the ongoing-monitoring artefact set that satisfies both APRA CPS 230 and FCA SYSC requirements within a single review cycle.
  • Construct a concentration-risk report that uses existing register data and presents to board level without requiring a separate analytical exercise each quarter.
  • Document fourth-party exposure for critical vendors using a register structure that does not depend on vendor cooperation to keep current.
  • Build the exit-assumption record that CPS 230 requires without treating it as a separate project from the ongoing assessment programme.
  • Write escalation-path documentation that ties a specific monitoring trigger to a specific response and leaves an auditable trail of what happened and when.

The 12 modules

Module 1. The Assessment-Evidence Gap
Maps the difference between a completed assessment and audit-ready documentation. Covers the five questions APRA and FCA examiners routinely ask that a standard questionnaire workflow cannot answer, and introduces the documentation chain this course builds across the remaining modules. Uses the CPS 230 operational resilience standard as the primary frame, with FCA SYSC 8 and MAS TRM as secondary requirements.
Module 2. Vendor Tiering That Holds Under Examination
Builds the tiering methodology from first principles: critical, material, standard, and low-risk tiers with defensible criteria for each. Covers how to document the tiering decision itself, not just the outcome, so that the methodology is reproducible and can be explained to an examiner who asks why Vendor X is in tier two and Vendor Y is in tier one. Includes a worked example of a reclassification event and the documentation it requires.
Module 3. Review Frequency and the Monitoring Calendar
Translates tier assignments into a documented monitoring schedule. Covers how to build a calendar that ties vendor tier to review type, interval, and responsible owner, and how to maintain the schedule as vendors move between tiers. Addresses the practical challenge of high-volume tier-three registers where full annual reviews are not feasible, and documents the risk-based rationale for a lighter-touch cycle.
Module 4. The Ongoing-Monitoring Artefact Set
Defines the specific documents that constitute ongoing monitoring evidence: the between-cycle event log, the control-performance attestation, the financial-health indicator record, and the operational-incident register for the vendor relationship. Covers how to collect each artefact in a way that attaches to the vendor record rather than living in a separate file or email thread. Worked example uses a cloud infrastructure vendor with both APRA and FCA regulatory exposure.
Module 5. Risk-Rating Change Documentation
Builds the protocol for documenting a risk-rating change mid-cycle: what triggered the review, what evidence was gathered, who made the rating decision, and what the next monitoring action is. Covers both upgrades and downgrades, and includes the specific documentation required when a rating change triggers a board escalation under CPS 230. This module produces the change-event record that closes the gap examiners most frequently find.
Module 6. Concentration Risk: From Register Data to Board Report
Translates a standard vendor register into a concentration-risk view that names the services, geographies, and technology dependencies that are concentrated in a small number of vendors. Covers the calculation methodology, the threshold-setting process, and the board-report format that presents findings without requiring a separate analytical project. Addresses the specific CPS 230 requirement for board-level visibility on material operational risks arising from third-party arrangements.
Module 7. Fourth-Party Exposure Without Vendor Cooperation
Designs a fourth-party register that uses contract terms, public filings, industry-standard sub-processor lists, and regulatory disclosures rather than vendor questionnaires as the primary source. Covers which critical vendors require active fourth-party management versus passive monitoring, and builds the update protocol that keeps the register current without triggering a full re-engagement each quarter. Addresses MAS TRM and FCA SYSC requirements for sub-outsourcing visibility.
Module 8. Exit Assumptions: The CPS 230 Requirement
Builds the exit-assumption record for each critical vendor: the substitutability assessment, the migration-complexity estimate, the data-portability position, and the minimum-notice requirement. Covers how to document assumptions without creating a full exit plan for every vendor, and how to present the record to the board and to APRA in a way that demonstrates the programme has genuinely assessed exit feasibility rather than noting that a plan exists.
Module 9. The Escalation Path as an Audit Trail
Designs escalation triggers and the documentation that ties each trigger to a specific response action and a responsible owner. Covers how to build the escalation record so that an examiner can reconstruct the timeline of a specific event: what was observed, when it was escalated, to whom, what action was taken, and how the vendor record was updated. Addresses the practical challenge of escalations that get resolved informally and never make it into the documented record.
Module 10. Multi-Jurisdictional Alignment Without Duplication
Builds the mapping between APRA CPS 230, FCA SYSC 8, and MAS TRM requirements so that a single assessment cycle produces evidence that satisfies all three. Covers the points of divergence, particularly around board escalation thresholds and exit-plan depth, and designs the assessment record structure so that jurisdiction-specific evidence sits in identifiable sections rather than requiring a separate review per regulator.
Module 11. Integrating TPRM Evidence into the GRC Platform
Addresses how to structure the documentation chain described in this course within a GRC or vendor management platform, including how to handle the gap between what most platforms capture natively (questionnaire responses, risk scores) and what the audit-evidence standard requires (change events, monitoring artefacts, escalation records). Covers the minimum viable field structure and the attachment protocol that keeps evidence linked to the vendor record without requiring custom development.
Module 12. The Examiner-Ready TPRM File
Assembles the complete documentation set for a single critical vendor: tiering record, monitoring calendar, artefact set, change-event log, concentration-risk position, fourth-party register entry, exit assumption, and escalation history. Reviews what an APRA or FCA examiner looks for in the first 20 minutes of a TPRM review, and maps each file component to the specific question it answers. This module produces the template you take back to your existing vendor records.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

CPS 230 board accountability for critical vendors: Modules 2, 6, 8 build the three artefacts the standard specifically requires.
FCA and APRA dual-jurisdiction review cycle: Module 10 designs the alignment so one cycle satisfies both.
Auditor asks 'what changed between Q2 and Q3 for this vendor': Module 5 is the specific answer.
Fourth-party visibility without quarterly vendor questionnaires: Module 7 builds the alternative method.

What you get with this course

  • 12 written modules covering the full TPRM documentation chain from tiering to examiner-ready file
  • Downloadable tiering methodology template with defensible criteria and worked reclassification example
  • Ongoing-monitoring artefact set: event log, control-performance attestation, financial-health indicator record, operational-incident register
  • Concentration-risk board-report template that uses existing register data
  • Fourth-party register template with update protocol
  • Exit-assumption record template for CPS 230 compliance
  • Escalation-path documentation template with audit-trail structure
  • Multi-jurisdictional alignment map: APRA CPS 230, FCA SYSC 8, MAS TRM
  • Hand-built implementation playbook delivered alongside course access, scoped to your register structure and jurisdictional mix

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

Before and after

Before

Completed questionnaires in the register, ongoing-monitoring evidence scattered across emails and spreadsheets, concentration risk calculated ad hoc before board meetings, exit assumptions documented as a note rather than a structured record. When an APRA or FCA examiner asks what changed for a critical vendor between reviews, the answer requires reconstructing a timeline from three sources under time pressure.

After

A documented chain from tiering decision through ongoing monitoring through change events through board escalation. Each critical vendor has a file that answers the five questions examiners ask in the first 20 minutes. Concentration risk surfaces from existing register data without a separate project. Exit assumptions are documented at the vendor level, not as a programme-level aspiration. The next examination review is a file retrieval, not a reconstruction exercise.

What happens if you do not address this

CPS 230 operational resilience requirements are in effect. The documentation standard they set for third-party risk is higher than most existing programmes meet. The gap is not in assessments performed but in evidence retained. The next APRA examination cycle will surface that gap specifically.

Who it is for

You run or own third-party risk at a financial services firm operating across multiple jurisdictions. You have a register, a questionnaire workflow, and probably a GRC platform. The gap is not tooling. It is the connective tissue between each assessment cycle: how risk-rating changes get documented, how ongoing monitoring evidence gets attached to the vendor record, how concentration and fourth-party exposure surface in a format the board and regulators can interrogate. You are accountable for a programme that has to satisfy APRA, FCA, and potentially MAS or SEC simultaneously, and the audit-evidence standard for each is different.

Who this is NOT for. Procurement teams doing supplier due diligence for commercial terms. Information security teams managing vendor access reviews. Risk teams at non-financial firms where APRA and FCA requirements do not apply. Anyone looking for a GRC platform implementation guide rather than a documentation methodology.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Approximately 8-10 hours across the 12 modules, structured so each module produces a usable artefact or template rather than notes to act on later.

Why $199 is the right number

A TPRM consulting engagement scoped to documentation remediation runs $40,000-$80,000 and produces artefacts you cannot easily adapt for the next cycle. GRC platform vendors offer TPRM modules but address the tooling layer, not the documentation methodology. This course builds the methodology you take into whatever tooling environment you already have, for $199.

FAQ

Does this course cover a specific GRC platform?
No. Module 11 covers how to structure the documentation chain within a GRC platform generically, including the field structure and attachment protocol that most platforms support. The methodology applies to any platform or to a well-structured spreadsheet-based programme.
Is this relevant if we already have a vendor register with hundreds of entries?
Yes. The course is designed for programmes that already have an established register and assessment workflow. The focus is on the documentation layer that sits on top of the existing register, not on building a register from scratch.
Does the course cover APRA CPS 234 as well as CPS 230?
The course focuses on CPS 230 operational resilience and third-party risk. CPS 234 information security obligations for service providers are addressed where they intersect with the TPRM documentation chain, specifically in the monitoring-artefact and fourth-party modules.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.