Internal auditors are right to be concerned about third-party risks. The days of a company’s suppliers or partners being well-known and trusted businesses on the same street or town are a distant memory.
In the interconnected, global economy of the 21st century, you are apt to be purchasing raw materials, components, or services from business entities halfway around the world. In turn, these unfamiliar partners may be acquiring subcomponents from other businesses whose very existence may be unknown to you. Third parties can create extraordinary risks for an enterprise, as we have seen played out repeatedly on the global stage.
Hiring practices, working conditions, conflict minerals, carbon footprint, political conflict, data security, financial stability, intellectual property — the list goes on. No brand is immune; no partner too pure. Third-party relationships can reside in any part of an organization, with one contract often having little bearing on another.
But internal auditors, with their broad understanding of internal controls, risk management, and their organization’s operations, are in an excellent position to weigh these risks in aggregate and recommend policies and mitigation strategies.
The need is clear. More than three-quarters (78 percent) of the 164 chief audit executives who responded to a 2013 survey by The IIA Research Foundation and Crowe Horwath LLP expressed “some concern” or “high concern” about the difficulty of monitoring the risk management practices of third parties engaged by their organization. Yet, by their own admission, they’re doing little about it.
The survey report, Closing the Gaps in Third-Party Risk Management: Defining a Larger Role for Internal Audit (free PDF download for IIA members), notes that 82 percent of respondents allocate less than 20 percent of their internal audit resources toward assessing third-party risks (see an article on this topic in the February 2014 issue of Ia magazine for more on the survey report).
With so many critical functions — up to and including customer financial data processing and storage — being outsourced, internal auditors should be ensuring closer scrutiny and helping managers develop risk management programs. The challenge is making sure there are adequate resources and executive-level support.
A big part of the problem is that there seems to be significant disagreement over who owns third-party risks. This conflict in itself is a risk.
The study recommends nine ways internal audit can help clarify roles and provide assurance that the right questions are being asked:
- Assist management in identifying the third-party risk universe and risk ranking.
- Identify, quantify, and evaluate risks to an organization that arise from third-party relationships.
- Identify or evaluate management’s understanding of how third parties comply with regulations or policies that should be in place.
- Evaluate third-party risk management activities that are in place, and the relative maturity of the risk management program related to the risk exposures of the organization.
- Compare third-party risk management approaches with those used in the organization’s enterprise risk management program.
- Determine the adequacy and effectiveness of assurance activities.
- Perform testing for compliance with agreements and regulations or policies.
- Confirm that service-level agreements are being met.
- Identify process improvements for third-party interactions.
These opportunities will vary by organization and the relative maturity of risk management capabilities. I mention them here to spark discussion.
Do you know what your third parties are up to? How did you make the case for audit resources? Please share your struggles and successes in the comments section below.