In your toolkit, the "Operating Procedures for information and communication technology", point number 4 (Managing records), states:
"Reports and records related to monitoring and auditing suppliers/ partners - electronic and paper form"
I'm confused as to who we are supposed to audit and how we are supposed to audit them?
The procedure for auditing of suppliers and outsourcing partners is outlined in section 3.2 of "Operating procedures for information and communication technology" - basically, this auditing should be performed only if those suppliers or outsourcing partners create great risks for your company. E.g. if you are a bank, and a software company develops your core transaction application, then certainly you want to make sure they safeguard the security of your information.
To be able to perform the audits, you have to include such a clause in the contract with the supplier/partner - you have an example of such a clause in a document called "Security clauses for suppliers and partners". So, once you are authorized to perform an audit, you can do it either on-site (by visiting them) or off-site (they send you the documentation and other evidence by email).
You can perform the audit yourself, or you can hire a professional auditor to perform the job - in any case, the goal of such an audit is to determine whether the supplier/partner complies with all the security requirements you have stated in your contract.
The audit is normally performed once a year, or once in three years.