Internal audit empowers third-party risk management

Organizations are using more third-party services. That means they’re taking on more third-party risks.

When you have a dependence on third parties, you need a dedicated approach to third-party risk management (TPRM). TPRM programs manage the risks that can be introduced through third-party relationships, including brand and reputation risks through data leaks, disruptions to customer service, supply chain risks and even financial fraud. When your service provider uses downstream entities for extended service and support, you also need to consider the risks from a fourth party (a subcontractor to your third party).

The realities of third-party risk are important in the boardroom. The board’s oversight of the risk function is important to making sure every part of the risk profile is covered. That’s especially true for private companies, where risks might be greater because of less regulatory-mandated oversight. High-profile examples of third-party data exposure, like the 2021 breaches at automobile companies that affected more than three million customers, amplify the need for better program governance.

How can you find the capacity and skills for additional TPRM when you form a significant new third-party relationship?

Internal audit (IA) can play a critical role in responding to this risk environment, and IA is keenly aware of third-party risk. In a recent survey from the Institute of Internal Auditors, third-party risk was identified as one of the top three areas of concern. The internal audit team brings an independent perspective on process, risks and controls, along with experience in reporting to senior leadership, all of which can be key to designing your TPRM program.

Trends in TPRM

As you launch or improve your TPRM program, consider starting with an awareness of market trends. Some of the current trends include:

  • Explosive growth of third-party services:
    As organizations become more technologically dependent, they expand their use of third parties, particularly in the IT area. Software is increasingly cloud-based, and the dwindling number of on-premises services are usually hosted by a third party.
  • Concerns about third-party data breaches:
    Forrester research predicted that about 60% of security incidents this year will be the result of issues with third parties. “The days are gone where you just worry about things within the ‘four walls of your network,’” said Grant Thornton IT Risk Senior Manager Chris Saracco. “You need to consider third-party risks as they relate to cybersecurity and data protection. You need to monitor those, and have processes and controls in place to manage the risks when a cybersecurity breach happens in a third party — assess the criticality, the impact to your organization or potentially even to your customers.”
  • Shift from siloed to cross-functional risk management:
    In companies that take an enterprise-wide view of risk, the responsibility for risk management is less siloed. That helps all departments work together within a common framework.
  • Compliance with new privacy laws and regulations:
    As the regulatory environment evolves, organizations must manage their own compliance and include the performance of third-party partners in their compliance evaluations.
  • Growing role of Environmental, Social and Governance (ESG) reporting:
    ESG is becoming increasingly visible in non-financial reporting and public communications. Organizations are accountable for their partners’ performance as well as their own.
  • Automated TPRM:
    TPRM automation is becoming essential: it limits the time spent on administration and repetitive tasks and shifts the focus to value.

IA in evaluating TPRM readiness

Internal audit can help you perform a TPRM readiness assessment, which typically includes three phases:

  1. Planning and initiation:
    IA can help evaluate the effectiveness of a TPRM program by selecting a framework that provides a comprehensive view of the TPRM program lifecycle and defining the in-scope operating environment.
  2. TPRM program assessment:
    IA can help assess the governance and operating model, including the TPRM program lifecycle, and evaluate controls to identify process gaps and opportunities for improvement.
  3. Reporting:
    IA can help prioritize any remediation needs with key stakeholders, develop a comprehensive program assessment and compile an executive report for board and executive leadership.

“Internal auditors can help you evaluate and understand the true readiness posture,” said Grant Thornton Internal Audit Cybersecurity Managing Director Vikrant Rai. “They can also help with a maturity assessment that uses the leading metrics to evaluate the program level maturity, then applies the right-sized prioritized recommendations that can help strengthen the TPRM program governance.”

IA in assessing TPRM frameworks

There are essentially three TPRM program governance models to consider for your organization: centralized, federated and decentralized. The internal audit team can help determine which will work best within the structure of your organization, as each model comes with its own benefits and challenges to weigh.

Since internal auditors are independent and objective, they are often called upon to wear a consultant hat instead of an auditor hat. Their risk-based perspective can help determine the maturity level of the existing third-party risk management process, and what governance model and operating framework is the most appropriate. Their knowledge can help determine the appropriate controls for each relationship. IA knows the right questions to help ensure your organization gets the information it needs to select, monitor and manage third-party relationships.

For example, if a third party has access to the company’s data, you might need to ask:

  • Is there a defined data classification policy? Does the policy clearly define how each class of data should be secured?
  • Does the third party have privileged access or elevated privileges? If so, does it log the activities it performs and review those logs?
  • Does the third party always have unrestricted access, or does it use a limited portal or channel?
  • Is the third party’s activity being monitored by your organization?

IA can also ask important questions in each phase of the TPRM program. For instance, in contracts and negotiation, IA can make sure you include a “right to audit” clause so that your organization can perform its own investigation if necessary. It’s also important to assess how the third party might be able to grow with your organization in the future.

IA in every phase of TPRM program lifecycle

A TPRM program lifecycle is designed to maximize the business goals while minimizing the risks that arise from external relationships. The goals of the program should be to increase awareness of third-party management roles and responsibilities; establish coordination of third-party relationships; provide a clear understanding of risk; and deliver standardized risk classification and rating levels. The program lifecycle comprises four phases, and IA can play an important role in each one:

  1. Profiling and selection (due diligence):
    IA can evaluate the profiling and selection process, along with adoption and consistency. IA can also assess the risk assessment process, including risk acceptance and exception. The exception process should depend on the risk level of the third party or vendor, require approval from designated authorities and identify compensating controls.
  2. Contract negotiation:
    IA can evaluate the entry criteria before a contract is negotiated, to determine if it was evaluated using appropriate mechanisms. A third party or vendor should only be onboarded after the contractual obligations are met — or for exceptions, after risk mitigation strategies are in place to ensure compensating controls are implemented in a timely manner.
  3. Managing and monitoring:
    IA can review guiding principles for risk assessment and review frequency. These should be based on the nature of service provided and the risk exposure that the company faces when contracting with the third party or vendor.
  4. Termination/offboarding:
    IA can review the process for offboarding to ensure there is a comprehensive checklist, and appropriate controls and communications.

[Figure: Sample TPRM program framework, illustrating the business drivers, risk areas and program components over the four phases of the TPRM program lifecycle]

Third-party services can often help lower costs, improve efficiency, add skills, boost capacity and offer other benefits, but those benefits come with risks that should be managed.

That’s why it’s essential to have a comprehensive and well-designed TPRM program that provides ongoing monitoring and strong controls. Internal audit is a valuable partner in addressing these risks, from evaluating the TPRM program governance model to assessing the process, risks and controls through the TPRM program lifecycle. All of this work plays an important role in managing the risks that arise from third-party relationships.
