Third parties still present the highest risk around compliance. Indeed, in the area of third parties, the 2019 Guidance posed the following questions in a section entitled Management of Relationships: How has the company considered and analyzed the compensation and incentive structures for third parties against compliance risks? How does the company monitor its third parties? Does the company have audit rights to analyze the books and accounts of third parties, and has the company exercised those rights in the past?

It is therefore critical that you use monitoring and auditing to drive continuous improvement in this high-risk area. Next, we consider three aspects of a company’s audit program for its compliance function: the types and purpose of third-party audits, planning for third-party audits and interviewing third parties.

Three key takeaways: 

  1. Start planning your third-party audit 4-6 weeks in advance of the actual audit.
  2. Use your business sponsor to help facilitate the process with the third party.
  3. This is not a “gotcha” interview but an open Q&A process where you have a golden opportunity to educate as you ask questions.