00:00:03 Logan Wamsley
Hello, welcome to Getting Started With, where our job is to make your job easier.
00:00:09 Logan Wamsley
On this episode, we're getting started with third-party risk, one of the most common and most misunderstood risk areas that organizations face today.
00:00:19 Logan Wamsley
In this video, you'll learn what third-party risk really is, why it matters, when internal audit gets involved, and how the third-party topical requirement helps auditors approach this risk in a consistent, structured way.
00:00:32 Logan Wamsley
So, let's get started.
00:00:35 Logan Wamsley
Imagine you're constructing a large office building.
00:00:37 Logan Wamsley
You hire electricians, plumbers, engineers, and security installers.
00:00:42 Logan Wamsley
You may not be swinging the hammer yourself, but if something goes wrong, the responsibility still lands with you.
00:00:49 Logan Wamsley
That's exactly how third-party risk works.
00:00:51 Logan Wamsley
Organizations can outsource services, but they can't outsource accountability.
00:00:56 Logan Wamsley
What's important to understand about third-party risk is what happens when someone outside your organization helps you achieve your objectives and what could go wrong along the way.
00:01:07 Logan Wamsley
Third-party risk exists whenever an organization depends on someone outside its walls to help get the job done.
00:01:15 Logan Wamsley
Before we dig into risks, let's define third party, which is our first term to learn.
00:01:21 Logan Wamsley
A third party is an external individual, group, or entity that provides products or services to an organization.
00:01:27 Logan Wamsley
Third parties can include vendors, suppliers, contractors, consultants, outsourced service providers, and even their subcontractors.
00:01:36 Logan Wamsley
And yes, that means risks can extend beyond your direct relationship.
00:01:40 Logan Wamsley
Which leads us to our next term to learn, fourth party, defined as a subcontractor used by your third party to deliver part of the service.
00:01:50 Logan Wamsley
Working with third parties can reduce costs and increase efficiency, but it also introduces risk.
00:01:56 Logan Wamsley
These risks can be strategic, operational, financial, reputational, ethical, cybersecurity-related, regulatory, or even environmental and social.
00:02:06 Logan Wamsley
If a third party fails to deliver, behaves unethically, suffers a cyber incident, or goes out of business, the organization feels the impact, not the vendor.
00:02:15 Logan Wamsley
That's why third-party risk management isn't just a procurement issue or a legal issue.
00:02:20 Logan Wamsley
It's an enterprise risk issue.
00:02:22 Logan Wamsley
And internal audit plays a key role in evaluating how well it's managed.
00:02:27 Logan Wamsley
Internal audit applies the third-party topical requirement when third-party risk is significant enough to warrant assurance.
00:02:34 Logan Wamsley
That can happen in three common ways.
00:02:36 Logan Wamsley
A planned audit is focused on outsourced services.
00:02:40 Logan Wamsley
Third-party risk is identified during another engagement.
00:02:43 Logan Wamsley
An unplanned issue involving a vendor requires immediate review.
00:02:47 Logan Wamsley
In all cases, internal audit uses risk assessment and professional judgment to determine how the topical requirement applies.
00:02:55 Logan Wamsley
Here are three valuable terms to learn that'll help you not only build your vocabulary, but also become more comfortable around third-party concepts.
00:03:04 Logan Wamsley
Third-party governance,
00:03:05 Logan Wamsley
which defines how the organization sets expectations, assigns accountability, and oversees third-party relationships.
00:03:13 Logan Wamsley
Third-party risk management, which describes the processes used to identify, assess, prioritize, and respond to risks associated with third parties.
00:03:23 Logan Wamsley
Third-party controls, which are the policies, procedures, and monitoring activities used to reduce third-party risk to acceptable levels.
00:03:32 Logan Wamsley
Together, these three elements form the backbone of the third-party topical requirement.
00:03:38 Logan Wamsley
Here's a pro tip.
00:03:39 Logan Wamsley
Not every vendor needs the same level of attention.
00:03:42 Logan Wamsley
Internal audit focuses on the third parties that matter most.
00:03:46 Logan Wamsley
To evaluate third-party risk, internal audit looks across the entire relationship, not just the contract.
00:03:53 Logan Wamsley
Think of it like a life cycle.
00:03:55 Logan Wamsley
Start with selecting, move to contracting, onboarding, monitoring, and then offboarding.
00:04:00 Logan Wamsley
It's like inspecting a building at every phase, not just after it's finished.
00:04:04 Logan Wamsley
Internal auditors assess whether governance, risk management, and control processes exist at each stage and whether they work.
00:04:13 Logan Wamsley
Here's a pro tip.
00:04:14 Logan Wamsley
A strong contract doesn't eliminate risk.
00:04:17 Logan Wamsley
Ongoing monitoring is where many organizations struggle and where internal audit insights add the most value.
00:04:24 Logan Wamsley
Here's a time-saver.
00:04:25 Logan Wamsley
Leverage existing artifacts like risk assessments, vendor inventories, and SOC reports instead of recreating documentation from scratch.
00:04:34 Logan Wamsley
Remember, SOC reports result from a third-party audit of a service provider's controls.
00:04:39 Logan Wamsley
Third-party risk is about visibility, oversight, and resilience, especially as organizations rely more heavily on external partners.
00:04:47 Logan Wamsley
Let's quickly recap what you just learned.
00:04:50 Logan Wamsley
Organizations can't outsource accountability.
00:04:54 Logan Wamsley
Third-party risk extends beyond direct vendors.
00:04:57 Logan Wamsley
Risk exists across the entire life cycle, and internal audit provides independent assurance.
00:05:05 Logan Wamsley
Thanks for watching Getting Started with Third-Party Risk.
00:05:08 Logan Wamsley
Don't forget, the IIA has also issued a topical requirement focused specifically on third-party risk.
00:05:14 Logan Wamsley
Next, visit theiia.org to download the global internal audit standards, topical requirements, and user guides, and keep building your knowledge one audit at a time.
00:05:25 Logan Wamsley
You can find these and other helpful resources, including tools, podcasts, and training, at the links below.