Follow-up questionnaires

If controls are unvalidated or questions are unanswered after assessment review, you have the power to initiate a follow-up to gather more information directly from the vendor.

How to Automate Follow-up

If there are any unvalidated controls or unanswered questions after we review your assessment, you can follow up with the vendor.

• Always ask before following up: You'll have the option to review the results of the AI assessment and choose to follow up or close the assessment.
• Conditional based on residual risk: set a threshold based on residual risk to automatically follow up. For example, follow up with the vendor if residual risk is greater than or equal to Medium. For all other assessments, you’ll have the option to review the results of the AI assessment and choose to follow up or close the assessment.

There are three options for configuring these settings.

• Set for a single assessment by starting a collection request. On a vendor relationship, click Add Artifacts > Request Artifacts > Advanced settings.
• Set for a single relationship by navigating to the Relationship > Assessments > Assessment settings (gear icon).
• Set for the entire organization by navigating to Settings > Assessments > Collection. Learn more

Reviewing Follow-Up

If you selected Always ask before following up, once the initial artifact upload has been processed, you’ll have the option to review remaining controls.

1. Review Follow-Up
   1. Go to the Assessments tab on the Relationship Details Page.
   2. Click the Review Follow-Up button on the assessment report.
2. Review residual risk and missing controls
   1. View the current inherent and residual risk, any unvalidated controls, and unanswered supplemental questions.
3. Send follow up questionnaire
   1. If you choose to follow up, the assessment status will change to Collecting Information, and the vendor will receive a short questionnaire targeting the identified gaps.
   2. The vendor will have 7 days to respond to the follow-up questionnaire request.
   3. VISO TRUST auditors will validate the response to the follow-up questionnaire and complete the assessment. Then, you will have the choice to proceed with Remediation or Risk Acceptance.
4. Or choose to proceed without following up
   1. If follow-up is not needed, you may complete the assessment and proceed with Remediation or Risk Acceptance.

Frequently Asked Questions (FAQs)

What questions are included in a follow-up questionnaire?

• Only questions that could not be answered with the provided artifacts are included, keeping questionnaires concise.

Can I change my follow-up configuration after starting an assessment?

• Yes, until the auditor review is complete and the follow up is sent, you are able to change your follow-up configuration. Above the assessment timeline, click Edit follow-up to see configuration options.

How long does the vendor have to respond to a follow-up questionnaire request?

• You can set how long the vendor has to respond in the assessment settings. By default, the vendor has 7 days to respond. You can adjust this timeline in the assessment settings. Learn more.

What if my vendor does not respond to a follow-up questionnaire request?

• If the vendor doesn’t respond within the seven-day period, the assessment will be marked complete. You can request remediation if necessary.

Are supplemental questions included in follow-up questionnaires?

• Yes, any unanswered supplemental questions will automatically be included in the follow-up questionnaire. Learn more about supplemental questionnaires.

What is the difference between follow-up questionnaires and remediation?

• Follow-Up Questionnaires: Short questionnaires focused on collecting information about specific controls; the vendor has seven days to respond to potentially reduce residual risk.
• Remediation Requests: Allows the vendor more time (duration specified by you) to gather additional artifacts or address security gaps. Learn more about remediation and risk review.