Whether they know it or not, consumers in today’s economy are likely being impacted by an organization’s third parties daily. From online merchants, and the delivery partners they use to complete the transaction, to call centers and other support services, third parties support organizations in almost every imaginable way.
In the end, these end-to-end business “ecosystems” are what drive value creation and revenue for today’s organizations. Some disruptions to these ecosystems are outside the control of the organization or its third parties, such as the recent coronavirus outbreak, which has had a global impact on operational value chains. And when things go wrong, it is likely the organization with the brand name that is impacted, not the third party supporting the product or service in the marketplace.
Understanding an organization’s end-to-end processes and how those processes deliver value should be the objective and outcome of an internal audit. That means internal auditors must look beyond third parties to incorporate key fourth, fifth, and sixth parties into planning, scoping, and executing every audit — a process known as “ecosystem management.”
Shifting the Emphasis
Focusing on an organization’s ecosystem can change the underlying approach and output of an internal audit. Aiming scoping questions, walk-throughs, and outputs at the organization’s external partners shifts the emphasis from control gaps, issues, and items requiring resolution to how the business protects its value-driving activities and profit-making ability. This doesn’t mean that an organization should change how it plans its annual internal audit schedule. Instead, it should integrate three key principles into how it executes each audit. In other words, the annual audit schedule should continue to focus on higher risk areas, but the scope of each audit should include the ecosystem principles. This approach may result in longer and more complex audits.
Focus on End-to-end Processes
Audits should focus on the auditable entity and how each process supports the desired inputs and outputs. The scope of the audit of each end-to-end process should include a view of third, fourth, and fifth parties that drive business value. This approach requires auditors to conduct activities as if the external parties are internal to the organization. The audit should demonstrate how the auditable entity delivers value: through internal people, processes, and technologies only; external parties; or a mix of both.
Focus on Return on Investment (ROI) and Value-generating Activities
Audits should focus on how each process and end-to-end activity supports ROI generation. If the process doesn’t support the organization’s ROI, auditors should question its role in the broader organizational ecosystem. The role of external parties in supporting value-generating activities should be a key focus of this exercise.
Include Business Resilience in the Context of Business Activities
To get operational resilience right requires a change in perspective by management, boards, IT functions, and control functions. For a long time, organizations have focused on determining the probability of an adverse event occurring and ways to prevent it or minimize the damage. As part of this approach, most organizations have developed business continuity and disaster recovery plans, including simulated testing. Business resilience is broader than those traditional topics, though, encompassing business, cyber, infrastructure, and third-party resilience. Internal audit can help drive the broader perspective of operational resilience by integrating these concepts into its ecosystem management approach.
Integrate Process Documentation
When conducting integrated ecosystem audits, internal audit should combine internal and external process documentation into a single and consistent documentation standard. Auditors should communicate this standard to the auditable entity to allow enough time to capture external party documentation in the preferred format, including process and control information.
This approach gives internal audit and other internal parties a single viewpoint on how business activities are driving value and profits. Additionally, it enables internal audit to effectively challenge each auditable entity on the risks and underlying strength of its controls, and how they protect the interests of the organization.
Manage Third and Fourth Parties
Ecosystem and Extended-party Risk Questions
The following examples are questions specific to third-party management that can be used in ecosystem audits:
- Does a third party support the business activity in meeting its market and customer needs?
- How does the organization monitor the quality of its third parties and their ability to continue to meet the organization’s needs?
- Does the decision to leverage a third party align with the organization’s strategic decisions and key competencies?
- Does the use of a third party expose the organization to additional reputation and brand risks that must be monitored and managed?
- What outputs of the process drive value- and profit-generating activities for the organization?
- Does the use of a third party create potential disruption risks, including impacting the organization’s ability to continue to operate and generate value?
- Does the third party maintain plans to ensure its services would continue in the event of a disruption?
Does the organization know who its third parties are and how they support value-generating activities (see “Ecosystem and Extended-party Risk Questions” above)? If it does not, that could spell problems both for the organization as a whole and for auditors conducting an audit, because this knowledge is the starting point for completely understanding the ecosystem.
Maintaining a list of contracts and data that does not explain which processes are supported by third parties does little to enhance this understanding. Organizations should go beyond such lists by determining who the third parties of the third party (fourth parties) are. This exercise boils down to two questions:
- Does the organization understand how it delivers its value proposition to the marketplace?
- Does that understanding include how its suppliers, service providers, or other entities contribute to that overall mission?
The organization does not need to know every single party within the chain of external relationships. However, it should have a solid understanding of those parties that help to support its value-generating activities. Parties that have direct inputs are defined as value-generating.
Once an organization has an end-to-end view of internal and external processes, it should consider controls among the entities. This requires internal audit to document the operating controls of both the auditable entity and the external parties supporting the delivery of the activity. Auditors also must capture the controls monitoring the transition of processes (hand-offs) between the entities.
That last category becomes more important for key activities that are outsourced to fourth, fifth, or sixth parties. In such scenarios, the organization may rely on an external entity to monitor the quality of delivery of those activities. While this may seem like a lot of additional work, in theory, the business already should have a view of these key activities and monitoring protocols in place to protect its own interests.
If a third party refuses to provide the requested support or documentation, auditors should still be able to understand how the auditable entity monitors third parties’ performance in delivering inputs or services. That knowledge can improve their understanding of the value external parties deliver to the entity.
Link to Operational Resilience
Business resilience requires organizations to focus on activities that are critical to their customers and markets, and the infrastructure needed to continue to provide those services. Within ecosystem audits, internal audit should help capture and challenge the business understanding of the end-to-end ecosystem, and whether business leaders are considering all the risks associated with it. Auditors should leverage recent industry and world events as examples to challenge the business on whether it is truly resilient to known and unknown risks to value-generating activities.
Identify Critical Services
The organization should identify which of its activities are critical to customers, other market participants, the ongoing continuity of the organization, or the economy. It should prioritize these services for resiliency and have clear tolerances for disruption to those services.
Understand Impact Tolerance
The organization should use scenarios to estimate the extent of disruption to a business service that it could tolerate. Scenarios should be severe but plausible and assume that a failure of a system or process has occurred. The organization must then decide the point at which disruption becomes no longer tolerable. While using cyber events for such scenarios can focus attention, the organization also should use other events in scenario analysis such as failure of change or IT implementation, and disruption at third parties, outsourced providers, or offshore centers. Senior management and the board should use the information to update policies and contractual agreements, and drive investment decisions around improving business processes.
Understand Change Processes
The operational resilience program should evolve with the business as it changes. The organization should understand what external or internal factors could change over time and the trends that could impact key business services, and adjust its resilience plans accordingly.
Focus on Value
Embedded in the audit methodology should be a focus on the business’ value-identification, value-generation, and value-realization activities. Every business audit should capture documentation consistently to support the understanding of internal and external processes and controls.
Internal auditors should ask about external entities and collect data to understand the future state of key third parties. They should discuss the criticality of activities and their relation to value-generating activities. Auditors should link the concept of key activities, third parties (and additional parties), and process inputs and outputs to value generation and ROI across the organization. Finally, they should provide an opinion on whether activities are generating the most value possible and whether the business is allocating the necessary resources to meet that objective.
Business-as-usual Audits
Integrating these concepts into business-as-usual audits can benefit the organization by focusing on the criticality of value-generating activities. As a result, they can help the organization identify key business risks. During these audits, business personnel typically are more comfortable discussing why the business operates in the manner it does. Moreover, integrated audits limit the need to perform targeted audits on third-party risk, business continuity, cyber risk, and operational resilience.
Standalone Audits
For organizations that can’t integrate these ecosystem concepts into business-as-usual audits, an ecosystem management audit can help them understand how the business delivers value. That understanding is fundamental to gaining a holistic view of the organization’s risks. Conducting this audit starts with answering questions about the value delivered to external and internal stakeholders.
Questions for external stakeholders include:
- What products and services does the organization offer?
- How does the organization deliver its products and services?
- What would happen if the organization couldn’t deliver its products and services?
- How does the organization confirm that its products and services are meeting the needs of the market?
- How does the organization confirm that its products and services are meeting its legal and regulatory obligations?
For internal stakeholders, auditors should ask:
- How does the organization continue to operate profitably and promote its core values?
- How does the organization continue to meet board members’ expectations?
- How does the organization promote the continued success of its employees and their future well-being?
Risk Management Program
The answers to these questions can help the organization build core data to support an ecosystem risk management program. The organization can leverage this data across its enterprise risk management frameworks to provide a common taxonomy for how the business drives value.
Moreover, the answers can help the organization address additional questions that could provide a basis for developing an ecosystem mindset for future-state audits:
- What products and services do we offer, and how do we deliver them? For example, does the organization provide 100% of products and services through internal processes, or does it rely on third parties to provide 50% of inputs, outputs, or continued servicing?
- What are the core business objectives, and how does the organization manage them?
- Does the organization’s culture align with its products and services, and is it consistent with the core business objectives?
A Deeper Understanding of the Business
Some internal auditors may find the ecosystem management audit concept far-fetched. These professionals may think such audits are beyond their organization’s capabilities. While this is a reasonable view, those practitioners should keep in mind that without the value the business generates, their role within the organization would not exist.
Internal audit functions should drive value to an organization wherever possible. Standalone audits of value-chain operations can be beneficial to ensuring they function effectively. However, by embedding ecosystem management concepts into business-as-usual activities, internal auditors can drive a deeper understanding of the organization’s value-generating activities and most profitable businesses.