In today’s global business environment, most organizations rely on complex networks of external service providers, distributors, partners, and other entities. As critical as these third-party relationships are, their widespread use poses significant risks related to regulatory scrutiny, cost pressures, compliance issues, data privacy, and the organization’s overall reputation.
Executives and boards also are demanding more from their internal audit departments and want them to proactively identify risks. While even the largest organizations continue to struggle with third-party risk events, in many organizations there is an opportunity for internal audit to add value in this area.
A recent cross-industry survey of chief audit executives (CAEs) conducted by The IIA Research Foundation (IIARF) and Crowe Horwath LLP found that many large organizations are concerned about their vulnerability to third-party risk. A majority (82 percent) said they devote less than 20 percent of their internal audit resources to the issue, and more than three-quarters (78 percent) said they had either “some concern” or “high concern” about difficulties in monitoring third parties’ risk management practices.
Third-party risk often is managed differently even in organizations within the same industry. Contrasting approaches and different risk profiles set the stage for varying levels of involvement for internal audit, as well as some barriers.
Research suggests that one challenge of improving third-party risk management is simply a lack of clear ownership of third-party risk responsibilities. For example, CAE participants in the IIARF/Crowe survey were presented with a list of eight third-party risk management functions and asked to identify the departments or individuals responsible for managing them. The responses indicate that internal audit generally plays the leading role in only one of these activities — evaluating reports required by Statement on Standards for Attestation Engagements No. 16 (SSAE 16). Leading internal audit departments have expanded their involvement into other areas of assurance; some are even participating in due diligence efforts on risky vendors by consulting with management on controls or risk management techniques associated with a specific agreement or third-party category.
Nearly one-third of respondents said internal audit is responsible for periodically auditing or obtaining assurance related to compliance with agreements, but a somewhat larger number (36 percent) said primary responsibility for this task resides elsewhere in their organizations. In addition, the responsibility for many functions in which internal audit would seem to have an obvious role to play — such as confirming compliance with company policies, laws, and regulations — is most often assigned to others in the organization, such as those in the line of business or other compliance functions not associated with internal audit.
In short, the IIARF/Crowe survey revealed that internal audit is most often associated with managing certain technical aspects of third-party risk management, while activities focused on other risk areas often are assigned elsewhere — most often to those in operational areas of the business who directly manage the individual relationship.
In addition to this lack of clear ownership of third-party risk, several other factors, both within the organization and outside of it, tend to limit or otherwise challenge internal audit’s involvement, including:
- A reactive approach to risk management. In many organizations, risk management involving third-party relationships is not addressed until a problem arises. By that time, risk exposure might already have increased, and the opportunity to mitigate may have decreased.
- Performance metrics that do not address risk. Scorecards for vendor selection typically focus on quality, cost, and delivery, but give little consideration to relationship risk or compliance risk, including the likelihood and associated potential cost of adverse events.
- Complex, global supply chains. Traditional ways of evaluating and mitigating risk are often inadequate in an environment of shortened product life cycles, just-in-time inventory, and fragmented supply chains that frequently require assessing and auditing compliance in remote relationships. Further, the complexity of the supplier web makes understanding the risk profile even more challenging.
- Complex invoicing. In many supplier relationships, prices are pegged to a market index or other third-party standard; in others, the timing of invoicing and payment depends on inventory movement. Such provisions add significant complexity to internal audit’s potential role in monitoring compliance.
- Contract shortcomings. In many cases, business leaders have a limited, unclear, or inaccurate understanding of important contract terms. As a result, aging agreement terms might not adequately mitigate emerging risks.
Building a business case for greater third-party risk management involvement by the internal audit team depends in large measure on the skills of the team itself. In most organizations, the internal audit function can provide significant value in a variety of ways:
- Assist management with identifying the third-party risk universe and risk rankings.
- Identify, quantify, and assess third-party risks.
- Enhance management’s understanding of how third parties comply with regulations or policies that should be in place.
- Evaluate the relative maturity of the organization’s third-party risk management program.
- Compare third-party risk management approaches to those used in the organization’s enterprise risk management (ERM) program.
- Determine the adequacy and effectiveness of assurance activities.
- Test for compliance with agreements and regulations or policies.
- Confirm that service-level agreements are being met.
- Identify process improvements for third-party interactions.
- Provide consultation as contracts are being developed with third-party vendors.
Each of these areas presents an opportunity for internal audit to provide an objective point of view on how well third-party risks are being managed and to deliver consulting services on an area of growing importance.
Starting the Conversation
The answers to these questions will help internal audit better understand the organization’s risk management maturity, and help build a business case for taking on greater responsibility in third-party risk management.
- Does the organization have a full inventory of its third-party relationships and agreements?
- Has an assessment of the risks to the business or the brand for each of the relationships been performed?
- Who owns the assessment of risks? Is the assessment linked to the organization’s ERM approach?
- What are the primary relationship risks, and what processes are in place to manage them? Who is responsible for managing and monitoring these risks?
- How do you know that your relationships are complying with the agreements in place?
- How do you know your relationships are complying with various laws and regulations?
- What are the organization’s policies related to auditing agreements for compliance?
- Which significant relationship agreements or statements of work have not been reviewed by legal counsel in the last three to five years?
- What procedures are followed to reassess the risks associated with a relationship prior to the renewal of a contract?
- What types of risks are considered in the selection or renewal process? Are any significant risks not considered?
- What types of monitoring are performed on third parties?
- Do standard agreements address the most important risks of a majority of relationships?
Jump-start Your Program
While concern about third-party risk persists in most audit departments, and as internal audit looks to provide more assurance to the organization, the question often asked is: “What does a third-party risk management program look like?” From a practical standpoint, a successful third-party risk management program generally can be implemented in three phases.
Phase 1: Establish Ownership and Buy-in
In most organizations where the ownership of third-party risk is dispersed among multiple stakeholders and owners, planning for change is a critical first step. This planning requires cross-functional coordination, executive leadership and oversight, and clear goals.
The mission of many organizations includes a focus on strengthening overall relationships with third parties. The objective of this phase is to build on that general focus, using input from various stakeholders, to develop a specific, step-by-step, third-party risk management road map tied to the inherent risks of the business and its third-party relationships. This road map might include establishing a cross-functional steering committee and establishing risk tolerances, policies, and procedures for dealing with all types of third-party issues.
Phase 2: Evaluate Risks
Developing a comprehensive risk landscape is necessary to avoid settling for a one-size-fits-all approach. After understanding and documenting the risk profile of the entire organization, it will be possible to focus efforts on the areas that present the highest potential risk, as well as reward.
The purpose of this evaluation is to quantify the risks, making it possible to assign the appropriate resources to address specific clauses in an agreement, or specific types of relationships or categories of risk. Often, the biggest challenge is simply gathering a list of third parties. Once this is complete, the skill sets that reside in internal audit help the organization define a method for rating and aggregating risk rankings across the population.
Phase 3: Audit, Monitor, and Assess
A successful third-party risk management program goes beyond gaining assurance or attestation. It also addresses the broader risk landscape by encompassing risk measurement and monitoring, performance measurement and monitoring, benchmarking of performance and costs, incident tracking, and evaluation of the value received from the relationship. These activities are important for determining when or whether to renegotiate the agreement terms.
The organizations most successful at this monitoring function are those that augment typical data on volume, spending, and quality with the related risk. Seeking new types of data on third parties enables businesses to more accurately predict areas of risk and analyze trends of incidents across multiple relationships — a critical missing element when primary responsibility for third-party risk management is assigned to individual business units or departments.
Other success factors include the ability to customize risk management efforts or assessments to each relationship, such as focusing on a group or category of higher risk third parties, and the effective use of automation to streamline the assurance process.
Stepping Up to the Challenge
As a consequence of today’s global economy and increasingly complex business relationships, third-party risk management is more critical than ever. Risks that require managing range from financial, operational, legal, and regulatory concerns to environmental, reputational, and technology-related risks.
With such a broad range of potential risks, the third-party risk management effort must be comprehensive and clearly tied to the organization’s overall risk management program. This situation suggests that opportunities exist for greater internal audit involvement in identifying and assisting management in its efforts to manage third-party risks. Indeed, a larger role for internal audit would be essential.