
Third-Party Assurance/Vendor Risk Management

Our Approach

Outsourcers and their vendors are under increasing scrutiny for control weaknesses that can enable fraud and cyberattacks. Clients want assurance that their vendors are protecting their data and assets with effective, secure third-party controls and risk management. Armanino is a leading provider of third-party assurance and vendor risk management services.

Armanino's approach is collaborative and coordinated. We synchronize the third-party assurance services for our clients with their ongoing SOC, SOX and external audit programs. This helps to create a clear line of sight for all parties and relevant controls, and to ensure that issues or industry trends are addressed quickly and resolved collaboratively.

Additionally, Armanino views continuous improvement as vital for all aspects of third-party assurance and vendor risk management programs. We review our clients’ people, processes and technology to make sure that best practices are in place to ensure efficiency and effectiveness of their controls.


Armanino’s risk advisory and assurance services meet the stringent requirements of The Santa Fe Group’s industry-leading Shared Assessments program. By working with member organizations, Armanino provides best practices and uses efficient, effective tools such as the following:

  • Standardized Information Gathering (SIG) questionnaire. This tool allows Armanino to assess and collect the information necessary to conduct an initial assessment of a service provider’s controls. The information is collected once and used to meet the requirements for the hundreds of vendor security questionnaires that are issued annually to our clients.
  • Shared Assessments Agreed-Upon Procedures (AUP). We leverage the Shared Assessments model based upon the SIG to perform an AUP engagement that our clients can share with their current and prospective customers.
  • Standardized Control Assessment (SCA). These procedures are used by Armanino to conduct onsite and additional validation assessments, verifying clients’ responses to the SIG.
  • Vendor Risk Management Maturity Model (VRMMM). Armanino provides benchmarking data to clients using this model, providing them with a report on the maturity of their third-party risk management programs in comparison to industry best practices.