Do You Know What Your Third Parties Are Up To?

Richard Chambers, CIA, CGAP, CCSA, CRMA, shares his personal reflections and insights on the internal audit profession. 


Internal auditors are right to be concerned about third-party risks. The days of a company’s suppliers or partners being well-known and trusted businesses on the same street or town are a distant memory.

In the interconnected, global economy of the 21st century, you are apt to be purchasing raw materials, components, or services from business entities halfway around the world. In turn, these unfamiliar partners may be acquiring subcomponents from other businesses whose very existence may be unknown to you. Third parties can create extraordinary risks for an enterprise, as we have seen played out repeatedly on the global stage.

Hiring practices, working conditions, conflict minerals, carbon footprint, political conflict, data security, financial stability, intellectual property — the list goes on. No brand is immune; no partner too pure. Third-party relationships can reside in any part of an organization, with one contract often having little bearing on another.

But internal auditors, with their broad understanding of internal controls, risk management, and their organization’s operations, are in an excellent position to weigh these risks in aggregate and recommend policies and mitigation strategies.

The need is clear. More than three-quarters (78 percent) of the 164 chief audit executives who responded to a 2013 survey by The IIA Research Foundation and Crowe Horwath LLP expressed “some concern” or “high concern” about the difficulty of monitoring the risk management practices of third parties engaged by their organization. Yet, by their own admission, they’re doing little about it.

The survey report, Closing the Gaps in Third-Party Risk Management: Defining a Larger Role for Internal Audit (free PDF download for IIA members) notes that 82 percent of respondents allocate less than 20 percent of their internal audit resources toward assessing third-party risks (see an article on this topic in the February 2014 issue of Ia magazine for more on the survey report). 

With so many critical functions — up to and including customer financial data processing and storage — being outsourced, internal auditors should be ensuring closer scrutiny and helping managers develop risk management programs. The challenge is making sure there are adequate resources and executive-level support.

A big part of the problem is that there seems to be significant disagreement over who owns third-party risks. This conflict in itself is a risk.

The study recommends nine ways internal audit can help clarify roles and provide assurance that the right questions are being asked:

  1. Assist management in identifying the third-party risk universe and risk ranking.
  2. Identify, quantify, and evaluate risks to an organization that arise from third-party relationships.
  3. Identify or evaluate management’s understanding of how third parties comply with regulations or policies that should be in place.
  4. Evaluate third-party risk management activities that are in place, and the relative maturity of the risk management program related to the risk exposures of the organization.
  5. Compare third-party risk management approaches with those used in the organization’s enterprise risk management program.
  6. Determine the adequacy and effectiveness of assurance activities.
  7. Perform testing for compliance with agreements and regulations or policies.
  8. Confirm that service-level agreements are being met.
  9. Identify process improvements for third-party interactions.

These opportunities will vary by organization and the relative maturity of risk management capabilities. I mention them here to spark discussion.

Do you know what your third parties are up to? How did you make the case for audit resources? Please share your struggles and successes in the comments section below.

Posted on Feb 4, 2014 by Richard Chambers


  1. The article is very clear and its concepts are true. In my understanding, and related to third parties, there is another big risk behind that must be disclosed: lack of compliance with FCPA and OFAC. If we fail in keeping these topics in mind, we may put the whole company at risk.

  1. Businesses cannot do it alone. The extended scale of operation demands that specialised services are contracted. Having business relationships with others indeed exposes the elements to risk. Internal Auditors should have a seat at the point of selection, to evaluate the risks that might arise when businesses are outsourced. However, as a practitioner, I think the greatest challenge is in evaluating the indication or possibility of bribery and the element of corruption likely to creep in while the business is being negotiated or during the service delivery. Having a potential vendor sign the ethics and anti-bribery and anti-corruption form as part of the pre-qualification exercise is a good practice, but ensuring these curtail the possibility of occurrence is food for thought.
