Managing external risk assessments — Legacy process

  • Release version: Australia
  • Updated 12 March 2026
  • 1 minute read

  Before the TPR manager closes an assessment, stakeholders create issues and tasks, usually during the Generating observations state. The TPR assessor assigns third parties as needed and communicates using comment streams to achieve closure on non-compliance. The third-party primary contact uses the Third-party portal to view all assessments.

    External assessment workflow

    1. The TPR admin creates questionnaire and document request templates.
    2. The TPR manager creates internal assessment and external assessment templates, and also creates the notifications associated with the workflow.
    3. The TPR manager prepares and sends the IRQ to internal stakeholders.
    4. Internal stakeholders complete and submit the assessment.
    5. After receiving the completed risk tiering assessments, the TPR assessor updates and closes the tiering assessment.
    6. The TPR manager sends the assessments to the third party's primary contact. External risk assessments can be sent automatically based on changes to a risk score or risk tier.
    7. The third-party contact signs into the Third-party portal to complete the risk assessment.

      The Third-party portal displays a list of assessments and the status of each. From the portal, the primary contact can invite other third-party collaborators to complete portions of the assessments. After other collaborators are identified, the primary contact submits the assessment.

    8. The TPR assessor reviews the results of the assessments and closes each third-party assessment, creating issues for remediation as necessary. When an issue is created for a particular question, a visual indicator appears in the Third-party portal for the question.
    • Remediating: Remediating an issue means that the underlying issue causing the control failure or risk exposure will be fixed.
    • Accepting: Accepting an issue means you create an exception for a known control failure or risk. Controls that are Accepted remain in a non-compliant state until the control is reassessed. In this way, the issue can be used to document observations during audits.