There is a danger in the use of the term third-party risk. For some, it implies that the risk lies outside the organization with someone else. Internal auditors know this is simply not true.
The risk from the ever-increasing use of third parties lies solidly within the organization, interwoven in an intricate network necessary to sustain outsourcing and cosourcing, creating significant financial, reputational, and strategic risks. All the steps taken to identify the need for an outside vendor, all the steps taken to hire, communicate with, and pay an outside vendor, are interrelated, forming an entire ecosystem of risk that can't be assumed to be someone else's responsibility.
Even so, the average audit function allocates only about 4% of its resources to third-party risk assurance, according to The IIA's 2019 North American Pulse of Internal Audit survey. Yet in just the first half of 2018, hackers exploited weaknesses in vendor-provided point of sale systems, customer service platforms, and scheduling systems, exposing a quarter of a billion customer records, and that conservative estimate only scratches the surface of third-party risk. Notice, too, where the fallout lands: not on the vendor, but on the organization whose customers were affected, which suffers the financial and reputational damage.
We know from the Pulse that organizations are deeply reliant on third parties, particularly for IT and business services. Chief audit executives (CAEs) reported that 8 in 10 organizations have third-party contracts for IT services, and 7 in 10 have them for services such as supply chain or accounting. However, the CAEs reported very low confidence in management's process for selecting third parties, and only 9% of the more than 500 respondents described management's oversight of third-party providers as "strong."
Organizations are learning, albeit slowly, about the extreme disruption they face when third parties fail. Let's raise the bar of understanding. Here are five tips for getting started on third-party risks in your organization:
- If one doesn't already exist, create an inventory of the third parties your organization is using. Prioritize these by complexity, size of contract, potential impact, etc.
- Understand how your organization selects third parties. Is there a standardized process, or is it ad hoc by business unit? What documentation exists?
- Identify who, within management, is the relationship owner for each of the third parties identified. Do they understand their role? What controls have they put in place?
- Work with your legal department to understand the contracts that are being used. Are the contracts comprehensive? Do the contracts have a right-to-audit clause? Does management have the right to access the information necessary to properly monitor the vendor's activity?
- Determine if the board is receiving sufficient information regarding third-party risks. Do board members understand, or even know, that certain business functions have been outsourced?
These are just a few ideas. For more, please check out The IIA's Practice Guide on Auditing Third-party Risk Management.
Internal audit has a clear opportunity to help its organization better understand and ultimately mitigate third-party risks. It is critical for internal auditors to be informed and understand how third parties are selected and managed. Only 28% of Pulse CAEs were "mostly satisfied" with their organization's management of risk related to third-party vendors. Only 2% were "extremely satisfied." Clearly, there is a lot of room for improvement.
Third-party risks aren't new. They've always been part of an organization's larger risk ecosystem. However, with the variety and velocity of risks hitting organizations, it's sometimes easy to push these risks aside as someone else's responsibility. Don't let your organization get caught off guard.
That's my point of view. I'd be happy to hear yours. For more findings from the 2019 North American Pulse of Internal Audit survey, see the full report from The IIA.