Third parties play an important role in today’s modern global enterprises. However, they also introduce multiple risks, ranging from compliance and data security risks, to reputational and legal risks. In a MetricStream Research survey on third-party risk management, 21% of respondents reported that their organizations had faced risk exposure due to a third party. Of those who shared financial impact data on the losses, 25% said that the loss impact was greater than $10 million.
While the responsibility for managing third-party risks usually falls to Chief Risk Officers (CROs) or Chief Compliance Officers (CCOs), the third line of defense—internal audit—is needed to provide the assurance that these risks are being addressed effectively. Internal auditors bring to the table the skills, capabilities, and perspectives necessary to dig deep into the third-party risk management program, and identify gaps or areas of improvement that the second line of defense might have overlooked. Executives and boards rely on internal auditors to ensure that third-party risks are being identified and assessed as they should; that appropriate internal controls are in place; and that timely risk intelligence is being generated to drive informed decisions.
There are a variety of activities that internal audit can perform to evaluate the effectiveness of third-party risk management. One is to review controls and policies, as well as third-party risk assessment mechanisms. Another is to provide oversight across the third-party relationship lifecycle, ranging from initial screening and due diligence, to data collection, contract management, documentation reviews, and ongoing risk monitoring.
Collaboration is key – internal auditors need to be able to work closely with procurement and other groups to determine if policies and procedures around third-party governance are being followed, and if third-party risk management has been integrated properly into supply chain management processes.
Below, in more detail, are the key areas in which internal audit can add value to third-party risk management:
Assist management teams in pinpointing critical or high-risk third parties, and ensuring that they are monitored and evaluated more frequently than others. Leverage internal audit’s birds-eye view of risks across the enterprise to determine how third-party risks can impact the organization’s health and well-being. Provide insights that can help the third-party risk management group prioritize their resources and activities to focus on the areas of highest third-party risk.
Determine whether or not the company’s third-party due diligence processes and controls are aligned with the associated risks. Conduct additional research to understand the third parties employed by the company, and how these firms are perceived in the business community. The level of research should correspond to the level of risk posed by the third party.
Review the third-party selection process, and determine if the organization has sufficient policies and procedures in place. Evaluate third-party contract management processes to check that risk and compliance clauses are being integrated into contract documents. Understand how the management team defines and follows up on metrics and reporting protocols around third-party relationships.
Ensure that the scope of third-party audits is aligned with the scale, nature, and number of third-party contracts. Assess if appropriate controls have been implemented to mitigate third-party risks, and to test third-party compliance with regulations, policies, and contract requirements. Check that third-party agreements have a “right to audit” clause included. Enforce processes for continuous third-party monitoring.
Take a closer look at third-party relationships in high-risk locations and industries (e.g. countries with a reputation for corruption or bribery). Monitor regulatory developments and feeds on third parties, including the work they have done, the service level agreements (SLAs) they provide, and news updates around their organization.
Build management’s confidence in the robustness of third-party risk management processes and controls. Highlight areas of concern with recommended improvements.
Advise procurement, supplier governance, management teams, and other stakeholders on the potential risks posed by third-party relationships. Evaluate decision-making processes around third parties to determine alignment with the company’s strategies and objectives.
Assess the performance of third parties across global operations, and identify inconsistencies, as well as potential opportunities for improvement. Outline key best practices around third-party risk and performance management.
Internal auditing of third-party risk management becomes more effective when the two lines of defense, i.e. auditors and risk managers, collaborate and share information, while also leveraging each other’s abilities and tools. For instance, when risk managers maintain a centralized repository of all third-party information, internal auditors can use the same system to understand the third-party risk environment and to identify high-risk areas effectively.
Similarly, by linking third-party risk assessments to audit plans, both auditors and risk management teams can avoid redundancies in third-party risk evaluation processes, while standardizing the risk language that is used, and providing management teams and boards with a holistic view of the enterprise’s third-party risk profile.
Collaboration between the two lines of defense also helps the risk management function increase its own awareness of third-party risks. For instance, by integrating audit findings or issues into third-party risk assessments, the risk function can identify risks that it might otherwise have missed, and focus on the risk areas that truly matter.
As regulatory bodies and customers push organizations to achieve better third-party oversight, there is a pressing need for risk and assurance functions to delve deep into the third-party network, and ensure that critical risks and compliance requirements are being managed and monitored properly. Internal auditors play a key role in achieving this objective, and would do well to consider how they can expand their role in strengthening third-party risk management. Ultimately, the process of managing and mitigating third-party risk is not just about meeting regulatory requirements, but also about creating the conditions necessary for the business, as well as its suppliers, vendors, and partners, to thrive.