A (data) controller is and remains responsible for the data, even if it is processed by another party (a processor). A controller is obliged to investigate and verify, by means of an annual audit, that the processor complies with the agreed technical and organizational measures to protect the data.
A processor must ensure compliance with the technical and organizational measures that the controller imposes. Measures must be agreed in a processing agreement. The processor is obliged to participate in an annual audit.
As the controller, you are obliged from the AVG to ensure that your processors adhere to the agreements agreed with you. The AVG says the following about this in Article 28, paragraphs 3 and 3h:
GDPR article 28 paragraph 3: Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor:
...(h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
It is important that you include that there will be annual audits in your processing agreements. It is also recommended to include in the processor agreement that in the event of data breaches, or strong suspicion of non-compliance with this agreement, an additional audit will take place. If it turns out that the processor has his affairs in order, the costs for the audit are for the controller. However, should it appear that the processor does not comply with the agreed requirements as stated in the processing agreement and its appendices, the processor must bear the costs for the additional audit.
Please contact me for questions and quotes regarding Vendor Assessments and Auditing.