Many IT audits focus on how to choose IT vendors, what to include in contracts and the need for oversight of these vendors after the contract is signed. Make sure that your organization avoids these common worst practices. Not asking for, reviewing or properly using a 3rd party report is more popular than what many organizations would like to admit. Not knowing who your vendors are involved in higher risks, such as processing or maintaining protected information, should raise red flags in the oversight program. Not knowing vendor incident response and business continuity plans is a question of when rather than if.”]