00:00:02 Speaker 1
The Institute of Internal Auditors presents All Things Internal Audit Tech. In this episode, Mike Levy and Chantelle Mixon discuss the growing risk tied to fourth-party relationships. They break down how the internal auditor's role is evolving in a world shaped by cybersecurity, AI and shifting regulation.
00:00:22 Speaker 2
So we're talking about one of my favorite topics. When I was a CAE, before I became a consultant, third party risk was one of the areas that we had oversight over. But you know, here we're talking about fourth party risk, and I think it's an often overlooked area that really deserves a lot of attention, because ultimately.
00:00:41 Speaker 2
Everybody's focused on managing risks within their organization. Oftentimes we've outsourced a lot of operations to third parties, but where the risk really lies is with the fourth parties. I think just for our listeners, it might be helpful to talk about, from your perspective, what is fourth party risk and why do we care about it?
00:00:59
Sure.
00:01:00 Speaker 3
Third party and 4th party risks have become more critical to organizations as they embark upon outsourcing certain competencies, not only to address gaps in their current structure but also to give them leading edges on areas of opportunity or risk. Fourth party risk is associated with parties who are essentially
00:01:20 Speaker 3
The 4th or downstream entities, because, believe it or not, you have sixth party risks too. And so those entities have been contracted by third parties who we directly contract with, but we don't have a contract directly with them. And so the risk has increased because companies don't always include the appropriate contractual obligations
00:01:41 Speaker 3
In their contracts, as well as identify them early enough,
00:01:45 Speaker 3
Given the rapidly changing environment due to acquisitions, consolidations, and entities changing overall corporate structures.
00:01:52 Speaker 2
How have you seen the nature and landscape of that evolve over the years? At the end of the day, I think for me, cloud-based technologies created a whole host of other risks on the third party side. But how have you seen the evolution of 4th party risk within organizations?
00:02:07 Speaker 3
I think it's increased greatly because of the increase in offshore activities as companies scale back. Look for ways to.
00:02:17 Speaker 3
Decrease expenses. They are outsourcing a lot of their functions off our shores, and as that has increased, along with their need to identify those competencies offshore, you're seeing more 4th party risks because they don't exist onshore.
00:02:32 Speaker 2
I've seen a lot of organizations stumble here, and I think over the last five to 10 years you've seen some really high profile things like cyber data breaches that are happening at the 4th party level and then having really dramatic impacts on organizations. When we think about that in terms of our risk management strategy and some of the reputational or financial risks that might.
00:02:53 Speaker 2
This. How do we as internal auditors mitigate some of those things? What should we be concerned about, especially if I'm an internal auditor that's never really thought about fourth party risk? Where do those risks lie?
00:03:04 Speaker 3
Right. I think during the inherent risk assessment process, which is the first step, which we often stumble through as companies, and then making sure due diligence processes include those that identify financial related areas, such as concentrations of risk, such as the actual ability for the company to sustain
00:03:25 Speaker 3
Its operations over the long term and align with those imperatives as they change. I think when it comes to reputational risk, we don't always think about as comma.
00:03:33 Speaker 3
Means that we want a partner.
00:03:36 Speaker 3
Almost like a marriage with people who have like values and see things as we see them and want to comply, especially if we're in a highly regulated industry.
00:03:47 Speaker 2
Makes a lot of sense. If you're an audit function that's maturing this process,
00:03:50 Speaker 2
What would you?
00:03:51 Speaker 2
Think of as the first few steps for them to really go through to make sure you've even identified the population.
00:03:57 Speaker 2
Of what?
00:03:57 Speaker 2
3rd and then third parties, but then ultimately what the 4th and downstream parties?
00:04:01 Speaker 3
Are. Yeah, I think the first step is to make sure that you are aligned with what your senior leadership thinks 3rd and 4th party risk is. It seems really basic, but I think we forget that first identifying who you're targeting is the first step to identifying what risk you're trying to manage.
00:04:18 Speaker 3
And so as senior leadership identifies and defines that population, the next step is once you know who those parties.
00:04:25 Speaker 3
Are whether it's the third party or 4th party, which I will tell you for the 4th party is a little bit more complicated, right? Because as I mentioned, you don't have a direct contract with them, so it's really getting your arms around your third party first.
00:04:37 Speaker 3
That you can identify ways that you can engage with them in different ways to identify if they have any fourth parties that they haven't made you aware of, and then modify contracts and then assess those risks as you identify those.
00:04:50 Speaker 2
Contracts. I remember when we were managing this and when I was a, it was the identification was.
00:04:56 Speaker 2
Most, this is the most difficult part. At the end of the day, because we were having to look in a lot of different places to identify those third parties and then ultimately get to the fourth parties, because it wasn't just contract repositories for us. We were finding that there were third parties that happened through credit card spend at the company. So we actually ended up pulling not only contracts, but we were looking at accounts payable and credit card T&E spend, because to the extent
00:05:17 Speaker 2
Someone subscribed to a SaaS-based vendor and put it on their expense report, it wasn't always identified in the process, and it's that concept of shadow IT that sort of creeps up and it's a risk. But once we had that population, you know, for us that risk assessment of those third parties and
00:05:33 Speaker 2
Where do we think the most significant risk and impact would be, and who has sensitive data? Who has risk? I mean, how does an auditor even start thinking about these, because it feels very voluminous for what's often an audit team that already has a fairly full body of work and what they need
00:05:48 Speaker 3
To do? Yes. You know, you identify what I will call the second phase here, which is the data mining.
00:05:49
Yeah.
00:05:54 Speaker 3
You know, I think about any area of completeness or accuracy of any type of
00:06:00 Speaker 3
Story, similar to how we think about just inventory in general, right? Tag to floor, floor to tag, that old-school way of looking at it. And so the way that you identify that in this risk management space for third or fourth parties is you start with the payments. So you mentioned accounts payable, you have EFTs, you have ways by which you are gathering information through
00:06:20 Speaker 3
RFIs and RFPs with relationships with current third parties, and so through all those you're able to employ data analytics throughout your internal
00:06:30 Speaker 3
Programs and throughout your strategy, such that you're always continuously monitoring those activities to identify those fourth parties that you might not have identified, and that includes other inventories as well. So that's the financial way. But you also have other risks that are identifying third parties and fourth parties, like AI, right?
00:06:50 Speaker 3
AI models through that procurement process so that RFI and RFP identifies other means by which you can inventory across the company too.
00:06:59 Speaker 2
So when we fast forward through, yeah, we have our inventory identified of third and we started to identify the 4th.
00:07:06 Speaker 2
Risk. What is that mechanism? I know we used to look at third party assurance reports, like a SOC 2 report for example, and see what parties existed. Sometimes we would do surveys of our vendors.
00:07:19 Speaker 2
I always found a mixed set of results there. You know, sometimes third parties were very willing to share information. Other times there's a bit of finesse that happened there. How do you navigate that typically?
00:07:31 Speaker 3
You know, it's getting tougher and tougher. I will not lie to you, Mike. I think the SOC 1 and SOC 2 reports, post several of the very large cybersecurity incidents, have revealed the need for those particular auditors to do more due diligence, and not only isolating what we think are the key processes and controls around whatever
00:07:51 Speaker 3
Scope is within those reports, but also making sure that the actual party doing that work and performing those controls with the business owners is actually either in house or.
00:08:04 Speaker 3
Out of house. Out of house means that we might have to go to an off-site location. We might have to actually engage with the third party to make sure that we actually have the controls rightly identified in those reports, which in the past, I would tell you, we would just look at the surface of the reports and audit the controls that were written, not necessarily diving the next layer down to make sure we've got the right person
00:08:27 Speaker 3
Performing the controls and therefore the right entity included in the reports.
00:08:31 Speaker 2
Are you using, and just, you mentioned, when I think about all of this, I mean, there's a lot of steps in that process and you're dealing with a lot of different people and a lot of different
00:08:39 Speaker 2
Vendor contacts and things like that. Are you finding that using tools and technology helps support that, or is that a manual process at organizations? I'm just trying to think through, if I'm an audit function that doesn't have some of these things, how do I even get started on this?
00:08:51 Speaker 3
Yeah. You know, I think when you think about just the profession in general, I think we're learning through recent opportunities to attend conferences and such.
00:09:01 Speaker 3
That an internal audit department that's not thinking about technology is probably already behind in this space. And so I think, if you don't have it today, the most simple way to get started is to make sure that the proper universes exist in those daily functions in the first line. We are the third line, right? And so
00:09:22 Speaker 3
There's a second line in between us, and so between the second line and third line, they should have adequate means already for us to at least get started. If we don't have the technology.
00:09:32 Speaker 3
And then employing the technology later on.
00:09:34 Speaker 2
I'm so glad you mentioned the second line as part of this process, because I think one of the varying things I've seen as I've worked with different organizations is sometimes third party risk management is housed within the internal audit function in the third line, but oftentimes it's really a second line activity, and it really depends on the organization where
00:09:51 Speaker 2
It's at so.
00:09:52 Speaker 2
For me, where I've been successful in the past and curious if this is your.
00:09:55 Speaker 2
Too is sometimes if I have nowhere to start, I will start with my IT security team and IT compliance, because there's often.
00:10:04 Speaker 2
Some population of third party risks that they are actively managing and navigating on the cybersecurity front. I think cyber risk is a huge part of third party and 4th party risk.
00:10:14 Speaker 2
But it's probably not the only risk at the end of the day that we need to think about.
00:10:17 Speaker 3
Is that consistent with what you're experiencing? Yes, very consistent. I think that relationship with the second line is really critical in this space. There are several enterprise-related risks, because we partner a lot with our ERM team as well,
00:10:30 Speaker 3
Where you want to make sure that you've isolated those enterprise level risks with their assistance and any tools that they're currently using as a starting point, especially back to your reference to smaller shops without that technology. So I do.
00:10:44 Speaker 2
Agree. So when we go back to, we talk about technology, I'm just thinking about some of the different opportunities here. You know, one of the other things I've seen organizations
00:10:51 Speaker 2
It does tend to layer on the cyber front, but if I'm an audit committee and you know, audit committees aren't.
00:10:56 Speaker 2
As in the loop on 3rd party and 4th party risk, and as I think about the role of a CAE in educating and training up their audit committee so that they understand where some of the key risks of the organization are, sometimes being able to give them reporting and a lens into what the holistic risk of an organization looks like, and having them understand that
00:11:17 Speaker 2
A very significant component of that may reside at a fourth or third party, where the only control you have over that is the contract. When I think about how I demonstrate and show that,
00:11:27 Speaker 2
It's, to me, it's what procedures we're doing over those third or fourth parties, but it could also be what public facing data points can I get. So I know, you know, I always think about things like DMV reports or ESGA clarity. AI has like an EEG study, but there's also a lot of public facing cyber scanning you can do. In your experience, when we're looking at third party and measuring the
00:11:49 Speaker 2
Will risks that we think exist.
00:11:52 Speaker 2
How have you sort of brought all that data together in terms of reporting for executives or the board or the second line when we're evaluating?
00:12:00 Speaker 3
You know, I would tell you, prior to cybersecurity really becoming a high level enterprise risk for most industries, we would just continue to have services. So we have subscriptions with certain services where we're able to data mine directly and/or obtain reports, push/pull reports with
00:12:20 Speaker 3
There's several organizations that.
00:12:22 Speaker 3
Within our industry also give us updates every quarter. So using those external data endpoint exports of information so that we can data mine it and review any of their insights. Now fast forward, with cybersecurity being a higher profile risk, I would tell you that that already seems behind
00:12:43 Speaker 3
In terms of getting an understanding of what the risks are, making sure that we're on top of responding to concerns by the audit committee. And so what we use now, believe it or not, is we have ongoing quarterly monitoring where we may directly go audit some of these entities on site,
00:13:00 Speaker 3
Right, in partnership with mainly the second line and some first line business partners that have our higher profile third or fourth parties.
00:13:09 Speaker 2
What do you think is the biggest misconception about vendor risk management? And, yeah, third party risk specifically and 4th party.
00:13:15 Speaker 3
You know, I think the most frequent response that we have when we work with business owners or contract owners who are in the first line is,
00:13:23 Speaker 3
I outsourced this through a contract to a third or fourth party and I don't have.
00:13:27 Speaker 3
Any other responsibility?
00:13:29 Speaker 3
And I think what they fail to realize is the minute you give your responsibility to someone else, it actually increases your responsibility.
00:13:39 Speaker 2
There's a saying in the cyber world that there's no such thing as the cloud.
00:13:43 Speaker 2
It's just somebody else's computer, and I think that really resonates here too, because at the end of the day, we're not really out. Maybe someone else is better at managing the technology itself. But if we're not evaluating that risk, I mean,
00:13:56 Speaker 2
Anything that could create business disruption, financial risk, reputational risk for an organization, whether or not there's a contract in place. I mean, we need to make sure we are understanding and navigating what controls they have in place and what their process is for sure.
00:14:08 Speaker 2
Absolutely, absolutely. And then, you know, in terms of when you think about maturity of where that landscape is today in fourth party risk, where do you see it going? I mean, we've talked about AI a little bit earlier.
00:14:19 Speaker 2
But when you look a year out from now or two years or three years, where do you see that landscape evolving to and maturing to and how do you see audit?
00:14:26 Speaker 2
Being involved in that.
00:14:27 Speaker 3
Yeah, I think internal audit's role is going to increase with the increased risk that we're seeing, particularly in cyber, in AI, and in the relationships that
00:14:40 Speaker 3
Have full accountability for core services and/or goods that organizations. And what I mean by increase is that we'll either have direct responsibility for auditing those entities each year within the audit plan, in partnership with second and third line accordingly, but then more importantly, contracts directly with them. I think what we're finding,
00:15:01 Speaker 3
And the modification just overall in the industry of contracts with third parties, is while you may have the appropriate clauses to be able to get policies and procedures that align with yours, the
00:15:12 Speaker 3
Opportunity to see the review audit results and/or go audit them yourselves, and last and certainly not least, performance monitoring, right, where they're submitting data reports or quality review results to you on an ongoing basis, that's just not going to be good enough anymore, right? It's the old trust-but-verify internal audit saying, right? And so that
00:15:32 Speaker 3
Verification, the audit committee is gonna expect you to do
00:15:34 Speaker 2
Directly. I think that's really valid, and I think, you know, to me, and I'm curious to get your perspective, is that contract that we talked about. I mean, making sure audit and risk is part of the contracting process and making sure
00:15:46 Speaker 2
They've at least aligned on what some of the key contract points are, and every organization is a little bit different in terms of what they are. That's sometimes where I see the biggest early pitfall, because a lot of times if someone just goes out and signs a contract and they're not sure that some of those clauses are there, other than sort of negotiation after the fact, you can't always dictate some of the terms if it's,
00:16:06 Speaker 2
If you've done that after the fact.
00:16:08 Speaker 3
You can. That's the greatest pitfall.
00:16:10 Speaker 3
I think, that you'll see in this third and 4th party space, is that unfortunately a lot of the aha moments come a little too late.
00:16:19 Speaker 2
For me, it's like that right-to-audit clause specifically. I mean, there are a number of specific clauses that I think we should make sure are there to make sure.
00:16:26 Speaker 3
Limited liability, termination, all of those, yes, yes.
00:16:28 Speaker 2
But if you can't audit your third parties and ultimately get to those fourth parties, it's almost impossible to even identify who the 4th or 5th or 6th parties are in the
00:16:38 Speaker 2
Organization.
00:16:39 Speaker 2
And then I guess ultimately, when you think about an internal audit function that's just starting in this, or they're looking to take this to the next level, what's the one step you would have an organization take today to improve their approach here? We've talked about a lot of different things here. But if you had to pick the one most impactful thing that they could do to better align.
00:16:57 Speaker 3
Identify their critical 3rd and 4th party relationships, using whatever means you have necessary through first and second line, as I mentioned previously, to identify those, because if you don't know who they are, you can't manage the risk.
00:17:12 Speaker 2
I think that's extremely well said. To your point, if you don't know who they are, you might find out who they are at some point, but it's not going to be the way you want to know that they exist, at the end of the day. And I also, to your point, I mean, you said it earlier, I think that thinking about some of the key risks to your organization and where the biggest impacts could be probably dictates how to develop and mature a program too, because ultimately,
00:17:20 Speaker 3
It is not.
00:17:33 Speaker 2
If cyber and data breaches and data liability and just unintentional disclosure are things that you're concerned about, you probably structure your program to be more focused on that to start. If you're really concerned about your sustainability reporting, maybe that's an area of focus for you too. But I also think that lens becomes really important as you are thinking about how to develop and mature a program.
00:17:53 Speaker 3
It does, which is why I mentioned that senior leadership.
00:17:57 Speaker 3
Definition of not only what a third or fourth party is, but what is their intention, what are the risks that are most critical to?
00:18:03 Speaker 3
Them at the.
00:18:03 Speaker 3
Enterprise level, because I think where we also get short-sighted as internal auditors is we believe that risks are specific to the third party or 4th party type, and that is not true in this new environment. Cyber is
00:18:17 Speaker 3
Related to every 3rd and 4th party, right? AI could be related to any type of 3rd and 4th party. You mentioned several others: resiliency, there's certain areas, privacy, that I am particularly interested in if I'm a senior leader, if it happens no matter who the 3rd or 4th party is. And so identifying those key risks up
00:18:36 Speaker 3
Front and making sure that you're managing them consistently across the organization, 3rd or 4th party related, is really key to the success of any type of program or framework.
00:18:46 Speaker 2
And you hit on something that I think is really interesting. I'm curious to see how
00:18:49 Speaker 2
You've been successful at this.
00:18:51 Speaker 2
Working with the senior leadership on this, I've found a very interesting dynamic. What has been your experience there? Because I feel like sometimes, in my experience at least, the senior leadership team doesn't always have full visibility and is not always as focused on 3rd and 4th party risk. So I'm really interested to hear how you've sort of educated and developed some of those relationships to make sure that it is an area that they're focusing on from an open
00:19:13 Speaker 3
Perspective, right? You know, I've spent my entire career in financial services. And so I would tell you I don't have a whole lot of experience with seniors who don't know how important this part of risk is. You know, we do a lot of our business with third and fourth parties. And so they are not only in tune,
00:19:34 Speaker 3
But they are asking and keenly aware of the risks that exist in this space. What I have seen, as you know, as the industry has evolved over the years, is a need for more information
00:19:46 Speaker 3
And more KPIs and metrics to be able to identify issues before they become a problem, right? You know, I think the data analytics have just gotten so advanced in being able to isolate and identify potential areas of concern before it even hits the radar of a performance report, before it hits the radar
00:20:06 Speaker 3
Of an ongoing quarterly performance meeting with those vendors. And so I think over the years they are more keenly aware, at least in financial services, and are wanting that information before it becomes a problem.
00:20:19 Speaker 2
That's, I mean, that's an interesting point too, because I think that is a barometer of a.
00:20:23 Speaker 2
Successful program and function. If your leadership is asking for things like that, it shows that they're deeply engaged, and I think that's a hugely important thing that we should not overlook in terms of an auditor trying to mature the process.
00:20:35 Speaker 3
Right. And I think, you know, for smaller companies, I think that's really critical for them, because if they are aligned with senior leadership, first on the identification of what third and fourth parties are, and then number two, the risks that they're most concerned about, they could just focus on those and let the contract owners focus on the day-to-
00:20:53 Speaker 3
Day, right, which they are ultimately accountable for, because that's also a misnomer, in that when you centralize this function, all of a sudden that day-to-day monitoring becomes centralized. We don't have that relationship with those vendors directly. We leave that day-to-day monitoring with the business owners, where it appropriately should reside.
00:21:14 Speaker 2
Well said. Is there anything else you want to leave our listeners with in terms of things to think about or key important aspects from a fourth party risk perspective?
00:21:22 Speaker 3
You know, I think about.
00:21:24 Speaker 3
So I've been, you know, an auditor for a very long time, and this area could be a little daunting for, you know, especially less skilled auditors or smaller shops. I think what I want to leave with them is you are already equipped to understand what risks are. Just because another party is doing it outside of your company
00:21:45 Speaker 3
Doesn't necessarily mean that you can't get a handle on it and develop the appropriate, I would say, scale
00:21:52 Speaker 3
And understanding quickly such that your team can focus on the right risk at the right time.
00:21:58 Speaker 2
Well said. Thank you so much for joining us today. It was a pleasure having you, and looking
00:22:02 Speaker 2
Forward to having you back soon. Pleasure talking to.
00:22:04 Speaker 3
You too, Mike. Thanks for having me again.
00:22:07 Speaker 1
Hey, audit pros, ready to supercharge your skills and connect with the best in the field? You absolutely need to check out the IIA's 2025 International Conference, happening July 14th through the 16th in Toronto and virtually. This is your chance to dive into emerging risks,
00:22:23 Speaker 1
Cutting-edge tech and global best practices that will elevate your internal audit game. Don't get left behind, and register now at theiia.org.
00:22:33 Speaker 1
If you like this podcast, please subscribe and rate us. You can subscribe wherever you get your podcasts. You can also catch other episodes on YouTube or at theiia.org. That's theiia.org.