How prepared are organizations to assess and mitigate technology risks related to third parties?
Leifermann: Organizations are becoming more dependent on technology for their business-critical functions, and simultaneously relying on third parties to provide this technology for infrastructure and services. This means that the level of technology risks, and specifically technology risks related to third parties, is continually increasing. Although organizations are identifying, assessing, and mitigating technology risks, this is often more focused on what happens inside their IT departments, rather than what happens outside the organization in their service providers. Accordingly, organizations need to do more to manage technology risks related to third parties, to minimize both the likelihood of these risks occurring and the impact if they actually occur.
Sorensen: Most organizations engage third parties to take advantage of specialization and cost savings. If the internal audit function is not a key player in the foundation of these underpinning agreements, organizations often have limited ability and access to make an independent assessment of the control environment of third parties. Most organizations have little ability to manage risks in third parties, and trying to change an existing agreement to gain additional access rarely happens.
What are the biggest technology risks related to third parties?
Sorensen: There are many risks associated with outsourcing operations to third parties, but broadly speaking, they fall into these categories: process integrity, data governance, and cybersecurity. Data is the currency, and protecting it from misuse, errors, and exposures to unauthorized parties is required; otherwise, the entire purpose of outsourcing will be lost. Sadly, most organizations realize this only after suffering a data breach or a public relations disaster.
Leifermann: The biggest technology risk related to third parties is cloud computing, as organizations are using more and more cloud services for both infrastructure and systems. Not only does cloud computing present risks in and of itself, but it also presents risks related to legal, compliance, privacy, and data breaches, as well as consequential risks related to the organization’s reputation.
Other technology risks related to third parties include artificial intelligence, robotics, virtual and augmented reality, blockchain, 5G, and the Internet of Things.
How should internal auditors be using data analytics to assess third-party risks?
Leifermann: Although internal auditors have been using data analytics for more than 30 years, many internal audit departments have struggled to get value from them. Recently, we have seen two trends related to risk assessments — more regular risk assessments and data-driven risk assessments. More regular risk assessments move away from traditional annual assessments to quarterly, monthly, or even continuous ones, while data-driven risk assessments use data from business systems to support these assessments. Data-driven risk assessments provide a great opportunity to use data analytics to regularly analyze this data, including data related to third parties, and identify trends related to business-critical risks, thereby getting more value from the data analytics.
Sorensen: Like any integrated audit, a risk assessment should be performed. Once key controls are identified, data analytics can efficiently home in on control breakdowns. However, with outsourced operations, this can be difficult, for internal audit often will not have access to any data beyond what is contractually obligated. High-level service agreement metrics often hide underlying problems, and internal audit needs to push for details on how those metrics were calculated. Again, timely access to underlying data should be in the agreement from the beginning, or data analytics will have limited success.
How can CAEs raise organizational awareness of these risks?
Sorensen: Chief audit executives (CAEs) can often make the greatest impact on executive leadership via anecdotal evidence. There is no shortage of stories in the media about fraud, hacks, exposure of sensitive information, and ransomware. Presenting the audit committee with a similar scenario and asking for a concrete action plan often brings the point home with decision-makers. Even so, internal audit needs to take a lead role in all arrangements with third parties. If it is late to the party, there could be repercussions for years to come.
Leifermann: Working with their risk management departments, CAEs can raise organizational awareness of technology risks related to third parties. However, there is a distinct difference between their responsibilities, with risk management departments responsible for assisting management in managing technology risks related to third parties at the second line, and CAEs responsible for ensuring that all technology risks related to third parties are appropriately managed at the third line. CAEs should ensure that third-party technology risks have been identified and that controls in place to mitigate these risks have been assessed, and where controls are absent or lacking, that these deficiencies are raised with management for corrective action.
What are the technology risks related to fourth parties?
Leifermann: By looking at our third parties, we are attempting to ensure that the technology they use provides reliable and secure infrastructure and services. However, our service providers also rely upon third parties — our fourth parties. For example, our third party is an IT company that hosts our data center, but its third party is a telecommunications company that manages the high-speed connection between this data center and our head office, making it our fourth party. In the same way that internal audit ensures that all technology risks related to our third parties are appropriately managed, internal audit should also ensure that our third parties identify, assess, and mitigate their technology risks related to their third parties.
Sorensen: Many organizations do not realize how common fourth parties are. Increasingly, the outsourcers are themselves outsourcing to even lower cost countries, making it extremely difficult to limit access and effectively protect the information. Logical access control, cybersecurity, and control over information become extremely challenging and virtually impossible to legally enforce across multiple countries. From an operational perspective, communication becomes a nightmare, and accountability is very difficult to establish in the event of failures. The only times I have seen this work successfully are when the first-party company controls the IT systems and uses third and fourth parties as a workforce, while still retaining ownership and transparency over the data at all times. To the greatest extent possible, service agreements should grant complete transparency over information, at all stages of processing, or third-party arrangements can change from assets to liabilities.