Closing the Gaps in Third-party Risk Management
Internal audit can add value by assessing risk around the organization’s business relationships.
Patrick D. Warren
In today’s global business environment, most organizations rely on complex networks of external service providers, distributors, partners, and other entities. As critical as these third-party relationships are, their widespread use poses significant risks related to regulatory scrutiny, cost pressures, compliance issues, data privacy, and the organization’s overall reputation.
Executives and boards also are demanding more from their internal audit departments and want them to proactively identify risks. While even the largest organizations continue to struggle with third-party risk events, in many organizations there is an opportunity for internal audit to add value in this area.
A recent cross-industry survey of chief audit executives (CAEs) conducted by The IIA Research Foundation (IIARF) and Crowe Horwath LLP found that many large organizations are concerned about their vulnerability to third-party risk. A majority (82 percent) said they devote less than 20 percent of their internal audit resources to the issue, and more than three-quarters (78 percent) said they had either “some concern” or “high concern” about difficulties in monitoring third parties’ risk management practices.
Third-party risk often is managed differently even among organizations within the same industry. Contrasting approaches and different risk profiles set the stage for varying levels of internal audit involvement, as well as some barriers.
Research suggests that one challenge of improving third-party risk management is simply a lack of clear ownership of third-party risk responsibilities. For example, CAE participants in the IIARF/Crowe survey were presented with a list of eight third-party risk management functions and asked to identify the departments or individuals responsible for managing them. The responses indicate that internal audit generally plays the leading role in only one of these activities — evaluating reports required by Statement on Standards for Attestation Engagements No. 16. Leading internal audit departments have expanded their involvement into other areas of assurance; some are even participating in due diligence efforts on risky vendors by consulting with management on controls or risk management techniques associated with a specific agreement or third-party category.
Nearly one-third of respondents said internal audit is responsible for periodically auditing or obtaining assurance related to compliance with agreements, but a somewhat larger number (36 percent) said primary responsibility for this task resides elsewhere in their organizations. In addition, the responsibility for many functions in which internal audit would seem to have an obvious role to play — such as confirming compliance with company policies, laws, and regulations — is most often assigned to others in the organization, such as those in the line of business or other compliance functions not associated with internal audit.
In short, the IIARF/Crowe survey revealed that internal audit is most often associated with managing certain technical aspects of third-party risk management, while activities focused on other risk areas often are assigned elsewhere — most often to those in operational areas of the business who directly manage the individual relationship.
Building a business case for greater third-party risk management involvement by the internal audit team depends in large measure on the skills of the team itself. In most organizations, the internal audit function can provide significant value in a variety of ways:
Each of these areas presents an opportunity for internal audit to provide an objective point of view on how well third-party risks are being managed and to deliver consulting services on an area of growing importance.
JUMP-START YOUR PROGRAM
Starting the Conversation
While concern about third-party risk persists in most audit departments, and as internal audit looks to provide more assurance to the organization, the question often asked is: “What does a third-party risk management program look like?” From a practical standpoint, a successful third-party risk management program generally can be implemented in three phases.
The mission of many organizations includes a focus on strengthening overall relationships with third parties. The objective of this phase is to build on that general focus, using input from various stakeholders, to develop a specific, step-by-step, third-party risk management road map tied to the inherent risks of the business and its third-party relationships. This road map might include establishing a cross-functional steering committee and establishing risk tolerances, policies, and procedures for dealing with all types of third-party issues.
Phase 2: Evaluate Risks
Developing a comprehensive risk landscape is necessary to avoid settling for a one-size-fits-all approach. After understanding and documenting the risk profile of the entire organization, it will be possible to focus efforts on the areas that present the highest potential risk, as well as reward.
The purpose of this evaluation is to quantify the risks, making it possible to assign the appropriate resources to address specific clauses in an agreement, or specific types of relationships or categories of risk. Often, the biggest challenge is simply gathering a list of third parties. Once this is complete, the skill sets that reside in internal audit help the organization define a method for rating and aggregating risk rankings across the population.
Phase 3: Audit, Monitor, and Assess
A successful third-party risk management program goes beyond gaining assurance or attestation. It also addresses the broader risk landscape by encompassing risk measurement and monitoring, performance measurement and monitoring, benchmarking of performance and costs, incident tracking, and evaluation of the value received from the relationship. These activities are important for determining when or whether to renegotiate the agreement terms.
The organizations most successful at this monitoring function are those that augment typical data on volume, spending, and quality with the related risk. Seeking new types of data on third parties enables businesses to more accurately predict areas of risk and analyze trends of incidents across multiple relationships — a critical missing element when primary responsibility for third-party risk management is assigned to individual business units or departments.
Other success factors include the ability to customize risk management efforts or assessments to each relationship, such as focusing on a group or category of higher risk third parties, and the effective use of automation to streamline the assurance process.
STEPPING UP TO THE CHALLENGE
As a consequence of today’s global economy and increasingly complex business relationships, third-party risk management is more critical than ever. Risks that require managing range from financial, operational, legal, and regulatory concerns to environmental, reputational, and technology-related risks.
With such a broad range of potential risks, the third-party risk management effort must be comprehensive and clearly tied to the organization’s overall risk management program. This situation suggests that opportunities exist for greater internal audit involvement in identifying third-party risks and assisting management in its efforts to manage them. Indeed, a larger role for internal audit is essential.
Patrick D. Warren, CIA, CRMA, is a principal with the risk consulting unit of Crowe Horwath LLP in Atlanta.