making a deal with the devil

This post was recently shared on Mr. Chambers’ blog, On the Profession.

Internal auditors are right to be concerned about third-party risks. The days of a company’s suppliers or partners being well-known and trusted businesses on the same street or town are a distant memory.

In the interconnected, global economy of the 21st century, you are apt to be purchasing raw materials, components or services from business entities halfway around the world. In turn, these unfamiliar partners may be acquiring sub-components from other businesses whose very existence may be unknown to us. Third parties can create extraordinary risks for an enterprise, as we have seen played out repeatedly on the global stage.

Hiring practices, working conditions, conflict minerals, carbon footprint, political conflict, data security, financial stability, intellectual property — the list goes on. No brand is immune, no partner too pure. Third-party relationships can reside in any part of an organization, with one contract often having little bearing on another.

But internal auditors, with their broad understanding of internal controls, risk management and the organization’s operations, are in an excellent position to weigh these risks in aggregate and recommend policies and mitigation strategies.

The need is clear: more than three-quarters (78 percent) of the 164 chief audit executives who responded to a 2013 survey by The IIA Research Foundation and Crowe Horwath LLP expressed “some concern” or “high concern” about the difficulty of monitoring the risk management practices of third parties engaged by their organization. Yet, by their own admission, they’re doing little about it.

The survey report, Closing the Gaps in Third-Party Risk Management: Defining a Larger Role for Internal Audit, notes that 82 percent of respondents allocate less than 20 percent of their internal audit resources toward assessing third-party risks (see an article in the February 2014 issue of Ia magazine for more on the survey).

With so many critical functions being outsourced — up to and including customer financial data processing and storage — internal auditors should be ensuring closer scrutiny and helping managers develop risk management programs. The challenge is making sure there are adequate resources and executive-level support.

A big part of the problem is that there seems to be significant disagreement over who owns third-party risks. This conflict in itself is a risk.

The study recommends nine ways internal audit can help clarify roles and provide assurance that the right questions are being asked:

  1. Assist management in identifying the third-party risk universe and risk ranking.
  2. Identify, quantify and evaluate risks to an organization that arise from third-party relationships.
  3. Identify or evaluate management’s understanding of how third parties comply with regulations or policies that should be in place.
  4. Evaluate third-party risk management activities that are in place, as well as the relative maturity of the risk management program related to the risk exposures of the organization.
  5. Compare third-party risk management approaches with those used in the organization’s enterprise risk management program.
  6. Determine the adequacy and effectiveness of assurance activities.
  7. Perform testing for compliance with agreements and regulations or policies.
  8. Confirm that service-level agreements are being met.
  9. Identify process improvements for third-party interactions.

These opportunities will vary by organization and the relative maturity of risk management capabilities. I mention them here to spark discussion.

Do you know what your third parties are up to? How did you make the case for audit resources?

Richard Chambers

About the Author

Richard F. Chambers is president and CEO of the Institute of Internal Auditors, the global professional association and standard-setting body for 180,000 internal auditors in 190 countries.