
The Risk Lurking in the Background: Vendor Management

What was once a transactional relationship with a supplier is now often a close, ongoing partnership.


Corporate board directors and chief audit executives (CAEs) alike know that vendors and suppliers can pose risk to their organizations — but after agreement on that abstract point, things start to get a lot murkier.

At least, that's one way to interpret the data in The IIA's recent OnRisk Report for 2022. For example, board directors are quite confident about vendor and supplier risk: 57% rate their firm's ability to handle the issue as quite high — but only 37% of CAEs say the same. At the same time, 77% of CAEs also say supplier and vendor management is an important risk for their business, but only 60% of board directors say the same.

Put those two findings together, and the picture looks like this: CAEs are less confident about organizations' control over a risk that they say is more important to the business. Meanwhile, board directors are taking the opposite view: they have more confidence about a risk that fewer of them say is important.

That suggests a disconnect between board and audit team, which is unsettling. Or is it?

"I'm not surprised by those statistics," says Narelle Sheppard, who sits on the audit committee for IIA–Australia and is a former CAE at several Australian government agencies. "My experience is that internal auditors have more exposure to the day-to-day running of an organization than audit committee members do, and they are therefore more attuned to the risks and how they're being responded to. It may be that the audit committee is not so worried because the seriousness of these risks is not being relayed to them."

That would be an alarming situation for any organization. The remedy, obviously, would be for the CAE to guide the audit committee to a more appropriate level of concern about vendor risk. So perhaps we should begin with a more fundamental question: Exactly what is "vendor risk," and what the heck is going on with it these days? 

Relationships and Risk in Flux

The OnRisk report defines vendor risk as the need to "maintain healthy and fruitful relationships with its external business partners and vendors." Success at managing vendor risk depends on the organization's ability to select — and then monitor and cultivate — productive third-party relationships.

Once upon a time that task was simpler because it was mostly about managing suppliers of goods: The organization needed reliable access to raw materials and other components. Today vendor risk management is more complex because vendors also supply services, and lots of them — everything from human resources and payroll, to software development, to sales and marketing, and much more. What had been much more of a transactional relationship ("Deliver this stuff at this price, and we'll see you next month") is now a close, ongoing partnership ("Run this mission-critical system for us at all times"). 

Martin Jung, vice president of internal audit at health insurer Premera Blue Cross in the state of Washington, says he has seen exactly that shift at his own company over the last five years. "Increasingly, we work with vendors in a much more strategic fashion," Jung says, and he raises an important implication. In such a world, where vendors provide services as often as they deliver goods, what had previously been an in-house operational risk turns into a vendor management risk — which might need different tools, processes, and people to address.

Indeed, one anonymous respondent in the OnRisk report raised precisely that point. His business had great vendor relationships, the respondent said, but he rated his company's ability to manage those relationships on the lower end "because data privacy, protection, cybersecurity ... those things are harder to manage with our suppliers." 

That subtle evolution in vendor relationships might explain much of the disconnect in those statistics. 

Jung, however, isn't so sure that those perception gaps are a bad thing. "It gives internal audit the opportunity to say, 'Let me shine some light on this, to let you know if you should be more concerned than you are,'" he explains. "So I don't necessarily view that discrepancy as bad."

Fostering a Better Board-CAE Conversation

Jung might be onto something. It's better to view any disconnect between the board and internal audit function as a conversation to be had or a gap to be closed — not as a binary, "I'm right and you're wrong" impasse. Sheppard, for example, has a standard agenda item for her audit committee meetings to discuss risk. "I've requested that owners of any risks outside tolerance be invited to the audit committee meeting to present on these risks," she explains. "I would expect to see vendor risks included in these reports." 

The trouble might start if the board, internal audit, and management disagree about what should go into the audit plan. If the audit committee clearly steers the CAE elsewhere, that's not good. 

On the other hand, "vendor risk" can be a fuzzy phrase that encompasses myriad specific risks: cybersecurity, financial, compliance, operational, and more. So it's also incumbent on the audit executive to articulate precisely what he or she wants to assess within that wide world of vendor risk. "That's the key, to be clear with the board about what the vendor risks are, and what new controls might be necessary," Jung says.

That raises another point: For CAEs to understand vendor risks fully, they need to consult closely with operating business functions. In an ideal world, Jung says, internal audit might even be involved in shaping contract language before a request for proposals goes out.  

"We try to be as close to that front end as possible," Jung says. "I'd much rather be providing consultative input and guidance in lieu of audits down the road." 

Understanding the role vendors play in the enterprise, and understanding it early so that the organization can avoid problems, will become more important over time as vendors play more ongoing, mission-critical roles for businesses. The alternative will be to disentangle a vendor relationship gone wrong after that relationship is underway — which almost inevitably is harder and more expensive to do.

"I want management to maintain a close watch over critical service providers and escalate early," Sheppard says, "not after these risks have been realized and it's too late to act to prevent them." 

She says much the same for the internal audit function. "I want internal audit to act early and meet with the audit committee chair outside the audit committee meeting, if necessary, to assure these risks are escalated and the organization is positioned to respond."

Clear communication and early action are what keep vendor risks from turning into disasters. Those are things everyone can agree upon, after all.

Matt Kelly

About the Author

Matt Kelly is editor and CEO of, an independent blog about audit, compliance, and risk management issues, based in Boston.

