Curbing Outsourcing Risks
Internal audit should examine closely the oversight of the organization’s third-party relationships to enhance effective governance and decrease risk.
The outsourcing of certain business activities has been common for more than a decade across industries, organizations, and functions. But there are significant financial, legal, and compliance risks associated with these relationships. The ability to execute a solid audit plan for fieldwork at the third-party service provider will vary depending on the contractual terms, materiality, location, and type of service of the provider. However, as part of their reviews, auditors should identify internal risks and control gaps related to processes that directly affect their organization’s third-party providers. In addressing internal risks, the audit department has an opportunity to create a balanced audit approach that could improve the effectiveness of internal controls for both internal and third-party operations.
KNOW YOUR PROVIDER
Many auditors work in organizations that operate in silos, where personnel do not fully understand their third-party service providers: their products or services, customers, management hierarchy, affiliated companies, or financial stability. The procurement process itself may never have been fully vetted. This may become apparent as internal audit completes its annual risk assessment, attends risk or steering committees, or begins planning a service provider audit. These attributes may point to additional risks in the organization’s procurement process when it places business with external parties. During procurement, the organization may not have performed a full cost/benefit analysis to confirm that outsourcing the activity made sense in the first place, or its risk analysis and due diligence procedures may not have been performed sufficiently before the contract was executed. There may be gaps in the procedures for selecting, onboarding, and monitoring new providers that need to be filled. Key business units may not be involved, and at times the organization may appear to rely solely on due diligence performed by internal audit to support business decisions. If this is the case, internal audit should consider adding a procurement or legal audit to its audit plan.
With any third-party audit, internal audit should start with the contract and any related amendments or schedules. However, simply obtaining the current contract, or tracking down someone who understands certain contract terms, may be problematic for some audit departments because of the size and structure of the organization. When identified, certain risks may warrant additional discussion with the legal department, or audit procedures aimed at the contracting process. Common examples include the following.
Lack of policies and guidelines for the contracting process and for delegation of authority to sign contracts. For example, some business units execute standard legal templates that the legal department has approved in advance because those agreements are considered less complex; however, this authority should be documented in guidelines that are understood and accessible throughout the organization and that reflect both domestic and international operations. Some companies do not have a global legal function, which makes it even more important that individuals at decentralized locations hold the appropriate authority levels.
Required contractual clauses may not be defined or understood by the legal department and all contracting parties. Management may not be able to give a reason why certain clauses are included in agreements or what they mean due to lack of experience in the role, turnover in the legal department or management, or age of the contract. It may be an organization’s “business practice” to include certain language in a contract that may not be relevant to the business structure. Many times, service providers and company management are not aware that certain clauses exist in their agreements or have interpreted clauses differently than what was intended. This can happen when contractual terms are vague.
Lack of a central repository to store all contracts. This poses a variety of risks to an organization, such as missing agreements or amendments, and those risks are heightened further by the increased globalization of business. If the company does not maintain all agreements in a centralized legal or contracts administration department, or outsources the legal function, then it should have formal policies outlining the required procedures for business units and external parties, and internal audit should verify that these procedures are executed.
Contracts are out of date or don’t protect the organization from emerging risks. The risk landscape of businesses will evolve based on new geographic markets, products, customers, legislation, and business strategies. As the landscape changes, there may be additional risks associated with the U.S. Foreign Corrupt Practices Act, the U.K. Bribery Act, or privacy laws (among others) that are not addressed in the contracts. Contractual deficiencies can be identified simply by comparing recently executed contracts to older contracts. Business risks could change rapidly, and contracts should be updated to ensure changes in the risk universe are captured. All agreements should include right-to-audit clauses to give the organization, or contracted agents, the ability to review all records. Any pushback on the execution of these rights should be a red flag and elevated appropriately.
Ineffective monitoring of contractual requirements can significantly impact an organization’s financial and operating results and customer satisfaction, and can increase the fraud and legal risks associated with the third party. Though an organization’s procurement and contracting processes may be effective, the organization might not monitor all contractual requirements. Perhaps there are required clauses regarding business continuity, disaster recovery, customer privacy, adherence to laws and regulations, or the maintenance of certain financial ratios or key performance indicators. The organization may tend to lean on internal audit to review compliance with these clauses, but this probably isn’t an effective approach due to other responsibilities and priorities associated with execution of the audit plan.
Getting other departments to accept additional responsibility for monitoring business relationships can be an uphill battle at times. For example, the insurance and banking industries are highly regulated. Auditors may not have the expert knowledge needed to ensure providers are complying with all laws and regulations. As such, internal audit should coordinate procedures with the compliance or legal department to ensure material compliance and legal risks are addressed in the third-party audit. However, there also is a responsibility for the compliance or legal department to monitor third-party service providers’ adherence to laws and regulations, especially if it’s a contractual requirement and an internal audit is not scheduled for that provider. This also can apply to other areas, such as the finance department.
Many agreements contain clauses requiring third parties to have their financial statements audited and to maintain certain financial balances. But what does the organization do with that information, and who reviews and monitors the financial statements? The organization can rectify this by inventorying the agreements containing these clauses and creating a rolling schedule to review the audited financial statements and credit risk of service providers. During audit planning stages, auditors should be meeting with key business unit stakeholders to determine any gaps in the monitoring of contractual requirements.
When practical, creating a governance committee comprising senior management across various departments, including internal audit, to guide the organization’s strategy and use of external service providers, can be a mitigating measure. This can be a platform to discuss trends in audit issues noted across third-party service providers, discuss next steps for control gaps that remain unremedied, provide a forum to discuss potential new third parties, and examine how internal audit can help the organization mitigate third-party risks.
Any audit of third-party service providers should include procedures around how the provider data is received, validated, and reported by an organization. Auditors should understand this process and related application or manual controls that ensure data is complete and accurate. Including application control testing as part of the audit plan for each in-scope service provider can reveal design issues with the application control or missing controls altogether.
Auditors may find that application controls differ from provider to provider, even though the organization’s contracts specify the same data field layout for each. In some cases there may be a general lack of automation, with information received and reviewed manually instead of being uploaded to a system. To address these items, internal audit can recommend automating the receipt and processing of external data; however, as in many organizations, technology-related project requests can take time to develop and implement, so the organization should consider additional manual controls in the interim. Internal audit should test these manual controls to ensure they are effective.
Internal auditors also should understand how data errors are reviewed and reported to third-party providers. Perhaps the organization is not reporting data errors to the provider in a timely manner, or is not adequately communicating the root cause of the errors, which could lead to dissatisfaction, confusion, and delays in remediation. If there tends to be a large number of data errors, the third-party service provider may not have received sufficient training from the IT department on data requirements and on how and when data should be submitted. Auditors should be aware that data errors also may have a financial impact on the organization, and IT should be discussing data errors with the finance department.
Additionally, there may be a lack of agreed-upon information security policies, guidelines, and monitoring. Are data files required to be encrypted in transit before the service provider submits them, and if so, who is verifying that they are, and who holds the keys? Once received, are data files kept encrypted at rest on a protected network segment with access limited to the people who process them? With the move to mobile computing, security policies should also address the protection of the organization’s data on the provider’s phones, tablets, and laptops. The security of data should be of utmost importance in all contractual agreements and may even be required by domestic or international law.
Audits of service providers should include a review of their IT general controls and procedures to understand how the third party receives, balances, reports, and protects critical data. Auditors should review the third party’s disaster recovery and business continuity procedures to recover critical data. Lastly, data analysis techniques can enable auditors to reperform application controls on 100 percent of the data for the period under review and identify control weakness trends.
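The passage above describes reperforming application controls over a provider's data feed on 100 percent of the records. The following script is an added example of what that looks like in practice; it is not code from the article or from any particular organization. The feed layout (a pipe-delimited file with a header record, detail records, and a trailer carrying a record count and a control total), the sample data, and the assumption that the provider transmits a SHA-256 hash of the file out of band are all constructed for illustration. The point it makes is that the record count and control total can both reconcile while record-level checks still find exceptions, which is exactly why auditors reperform the detail checks rather than relying on the trailer alone.

```python
"""Reperformance of application controls over a third-party data feed.

Added example, not from the article. The feed layout, the sample data and
the out-of-band hash are constructed assumptions for illustration.
"""
from __future__ import annotations

import hashlib
from datetime import datetime
from decimal import Decimal, InvalidOperation
from typing import Optional

# Constructed sample feed: one header (H), detail records (D), one trailer (T)
# carrying the number of detail records and a control total of the amounts.
# The trailer reconciles, but there is a duplicate claim id and a bad date.
SAMPLE_FEED = b"""H|ACME-TPA|2023-03-31
D|CLM1001|2023-03-02|1250.00
D|CLM1002|2023-03-15|-75.50
D|CLM1002|2023-03-15|-75.50
D|CLM1003|2023/03/40|300.00
T|4|1399.00
"""

# Constructed clean feed that should pass every check.
CLEAN_FEED = b"""H|ACME-TPA|2023-03-31
D|CLM1001|2023-03-02|1250.00
D|CLM1002|2023-03-15|-75.50
T|2|1174.50
"""


def sha256_hex(data: bytes) -> str:
    """Hash of the file as received; compared with the hash the provider is
    assumed to send separately (for example in a manifest or email)."""
    return hashlib.sha256(data).hexdigest()


def validate_feed(raw: bytes, expected_sha256: Optional[str] = None) -> list[str]:
    """Return a list of exceptions; an empty list means every control passed."""
    exceptions: list[str] = []

    # Integrity: the file we received is the file the provider sent.
    if expected_sha256 is not None and sha256_hex(raw) != expected_sha256:
        exceptions.append("integrity: SHA-256 of file does not match transmitted hash")

    lines = raw.decode("utf-8").splitlines()
    if not lines or not lines[0].startswith("H|") or not lines[-1].startswith("T|"):
        exceptions.append("structure: missing header or trailer record")
        return exceptions

    # Record-level checks on every detail record, not a sample.
    details = lines[1:-1]
    seen_ids: set[str] = set()
    computed_total = Decimal("0")
    for lineno, line in enumerate(details, start=2):
        fields = line.split("|")
        if len(fields) != 4 or fields[0] != "D":
            exceptions.append(f"line {lineno}: expected 4-field detail record")
            continue
        _, claim_id, claim_date, amount = fields
        if claim_id in seen_ids:
            exceptions.append(f"line {lineno}: duplicate claim id {claim_id}")
        seen_ids.add(claim_id)
        try:
            datetime.strptime(claim_date, "%Y-%m-%d")
        except ValueError:
            exceptions.append(f"line {lineno}: invalid date {claim_date!r}")
        try:
            computed_total += Decimal(amount)
        except InvalidOperation:
            exceptions.append(f"line {lineno}: non-numeric amount {amount!r}")

    # Completeness and accuracy: recompute what the trailer asserts.
    trailer = lines[-1].split("|")
    if len(trailer) != 3:
        exceptions.append("trailer: expected 3 fields")
        return exceptions
    try:
        stated_count = int(trailer[1])
        stated_total = Decimal(trailer[2])
    except (ValueError, InvalidOperation):
        exceptions.append("trailer: non-numeric count or total")
        return exceptions
    if stated_count != len(details):
        exceptions.append(
            f"completeness: trailer count {stated_count} != {len(details)} detail records"
        )
    if stated_total != computed_total:
        exceptions.append(f"accuracy: trailer total {stated_total} != computed {computed_total}")
    return exceptions


if __name__ == "__main__":
    for name, feed in (("clean", CLEAN_FEED), ("sample", SAMPLE_FEED)):
        print(name, validate_feed(feed, sha256_hex(feed)) or "all controls passed")
```

Run against the sample feed, the trailer count (4) and control total (1399.00) both reconcile, yet the script reports a duplicate claim id and an invalid date. A control that only checks the trailer would have accepted the file; the same checks applied to a full period of files, rather than a sample, is what surfaces the weakness trends the passage refers to.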
Alternatively, an external review of the service provider may already have been performed in accordance with the American Institute of Certified Public Accountants’ Statement on Standards for Attestation Engagements No. 16, which replaced Statement on Auditing Standards No. 70. This may limit the need for internal audit to examine the provider directly; however, the organization should review the resulting Service Organization Control (SOC 1) report to determine its impact: the service auditor’s opinion, the period covered (a Type 2 report tests operating effectiveness over a period, while a Type 1 covers control design at a point in time), whether the systems and locations in scope are the ones the organization actually uses, and the complementary user entity controls the provider assumes are in place on the organization’s side. Additional review procedures may be needed if the report notes control deficiencies or if its scope does not cover the services the organization receives.
Once the business relationship is established, organizations have to determine how the service provider will be monitored and who will be responsible. Individuals accountable for managing such relationships often act as liaisons between the third party and other internal departments. Those with such responsibilities may not fully understand the nature of internal controls and the impact and importance of controls at the third party, and they may be reluctant to be a champion of change given the nature of their role. They also may not understand internal audit’s role in protecting organizations from risks.
To help alleviate this problem, internal audit can provide training to the organization regarding internal controls, the role of internal audit, and the typical audit process for the company’s third-party service providers. Also, in coordination with account management, auditors can meet with representatives from other departments to review the current state of the organization’s service providers. This can increase stakeholders’ understanding of service providers’ evolving risks, mitigating controls, and process improvements, as well as the business objectives of the relationship and the status of audit recommendations.
Finally, audit apprehension may be reduced if the work of third-party service providers’ internal audit department can be leveraged. The provider’s auditors may have addressed certain aspects of the audit scope, which could be reviewed and retested. Auditors may have to review the qualifications of the internal auditors performing the work and obtain approval for review of the workpapers. Leveraging the service provider’s audit results may help identify control recommendations that otherwise would not have been identified during the outside audit of the third party.
Ignoring warning signs of ineffective third-party governance could expose the organization to increased business risk that could be detrimental to its operating health. It is important to consider the audit procedures and additional organizational risks associated with third parties to increase the value of the service provider audit and, ultimately, the efficiency and effectiveness of the governance of outsourced activities.
Mark Wayman, CIA, CPA, CFE, CRMA, is an internal audit manager for a Chicago-based insurance company.