
CorporateGovernor series:

Keeping third-party risk in check

Contents

- Introduction
- Roles and responsibilities
- Planning ahead
- Defining the risk universe
- Crossing the risk threshold
- Addressing high-risk relationships
- A closer look
- Not foolproof
- Conclusion

Introduction

The reliance on third parties has become a business reality in today’s complex and highly competitive environment. The risks involved are also a reality. As more companies outsource significant and critical business functions, they’re knowingly or unknowingly relinquishing more and more of their control environment to others.

Of particular concern in today’s data-centric business world are cloud providers, consultants, business process outsourcers, third-party transaction processors and others with whom you share sensitive or significant information. The need to protect confidential data cuts across industries, with sectors such as financial services and health care facing particularly high regulatory requirements when it comes to sharing data with third parties. But any organization that entrusts outside entities with sensitive data, intellectual property, client data or proprietary information needs a framework for identifying, assessing and mitigating the risks involved. Such organizations also need to ensure compliance with the applicable security and privacy regulations.

Roles and responsibilities

A large portion of the responsibility for the risk monitoring and control evaluation exercise typically falls to internal audit because of its internal control mindset, risk management universe expertise, objective evaluation capabilities and ability to reach into multiple business areas across the organization. Although internal audit may drive the coordinated collection of information relating to these third parties, other functional areas — including finance, compliance, legal, procurement and business operations — are critical to formulating a complete picture of the use of third parties within an organization.

Furthermore, third-party risk management should be a subset of the larger enterprise risk management (ERM) program or similar initiative. The information that is gathered can also feed into other governance, risk and compliance efforts, which include the formulation of the internal audit risk universe and annual internal audit plan.

Planning ahead

Although contractual protections are typically in place for the event that an agreement with a third-party partner goes awry, by the time that happens it is usually too late for companies to do much beyond trying to recoup or minimize losses. A better approach is to be proactive in assessing and managing risks on the front end, when relationships are established, and to continue monitoring the interrelated control environment created between the parties throughout the life of their contracts.

As companies try to better understand the risks inherent in their dealings with outside parties, it’s worth noting that exposure will vary with every relationship. The challenge is to establish a framework for risk assessment that is effective yet flexible enough to recognize that not all risks are created equal. The expectations placed on third parties and the level of assurance needed by your organization can — and should — vary, based on a number of factors.

Defining the risk universe

Although there’s no one-size-fits-all approach to managing third-party risks, a consistent thought pattern can be applied to the assessment process. As with many exercises, getting started is half the battle. Third parties are generally defined as business partners that are not under direct business control of the organization that engages them. These entities may include vendors, distributors or suppliers of products and services, joint venture or alliance partners, and franchisees or licensees.

But rather than attempting a risk assessment exercise that covers the whole universe of third parties in the accounts payable master file, consider excluding maintenance, repair and operations vendors and providers of hard inventory items such as raw materials or finished goods. Relationships with these vendors are typically dictated by purchase orders and subject to the Uniform Commercial Code; as such, they don’t usually rise to the risk level of other entities that have access to an organization’s sensitive data and other intangible assets.

The following types of vendors should typically be subjected to a deeper third-party risk assessment:

• Information technology hosting/co-location data center providers

• Cloud or software-as-a-service providers

• Outsourced financial or operational service providers such as:
  — Payroll processors
  — Securities settlement providers
  — Mortgage servicers
  — Remittance processors

• Medical, dental or insurance claims processors

• Others that support operational activities on your behalf and have access to your company’s/client’s data:
  — Courier services (e.g., medical files, cash co-pays)
  — Printing and mailing servicers
  — Marketing service providers
  — Telecom providers

Although most vendor relationships will likely surface during a thorough search of accounts payable records, an additional source of information may be your in-house legal department, if you have one. Gather any vendor information the legal department may have, and develop an understanding of how contractual relationships are drawn up and approved. This information can then be cross-checked with the other data you’ve compiled. Not only will this ensure you’ve identified all pertinent vendors, but also the contractual agreements should contain details that are useful for the risk assessment, such as indications that clients have a “right-to-audit” provision or requirement for a report from an independent third party to confirm compliance with internal control or other regulatory requirements.

In those organizations that take an ad-hoc approach, internal audit may also need to seek vendor information on a department-by-department or business unit basis. The goal at this stage is to identify all pertinent vendor information wherever it might reside in the business to get a complete picture of existing relationships. Although internal audit will want to perform its own evaluation of risks, it’s worth noting that the larger vendors or those with access to potentially more sensitive information may have already been carefully vetted. That’s not to say that these entities should be ignored or written off as safe, but just to acknowledge that the larger vendors may have already received more scrutiny. In any case, there is still plenty of opportunity for uncontrolled risks to arise in larger vendors, and the need for monitoring those arrangements is critical.


Crossing the risk threshold

A question that often arises early in a risk assessment is: “At what point is a risk threshold met?” Our experience suggests that as soon as your organization enters into an agreement with a third party and begins to share sensitive or proprietary information, the risk threshold should be considered met. Those performing the assessment may get pushback from others who believe a dollar threshold should trigger risk; think twice about this argument. After all, even vendors with which you do only a relatively small amount of business could still cost your company millions in exposures — fines, civil penalties, lost intellectual property, reputational damage, breach of client contractual obligations and brand erosion — if there’s a security breach. This isn’t to say that you shouldn’t use the annual spend for the service as one measure of the risk associated with a particular vendor. Rather, annual spend is only one of many factors that should be weighed in evaluating third-party risk.

Through discussions with various relationship owners within your company — e.g., IT, finance, compliance, legal, procurement and business operations — you can identify additional risk considerations and use these when you perform an initial risk ranking or scoring of the relationship. The relationship owners can also help you identify vendors that may present a high risk to the organization due to subjective risk factors such as the criticality of the relationship or the level of visibility the vendor allows into its activities.

The following is a checklist of factors you may want to weigh and track in assessing risk. You will want to add your own, as well. See Table 1 as an example of organizing the vendor relationship information.

• Vendor name

• Vendor type

• The nature of the service provided by the third party

• The amount or type of data (company data, client data, patient data, etc.) or intangible property at risk in the relationship

• The potential magnitude of the financial, reputational or operational loss in the event of third-party performance problems

• Contractual details such as date, term and value of contract (or current vs. past spend if there’s no contract)

• The frequency of interaction with the third party or degree of management oversight over the services

• Geographical (global) considerations such as location of third parties and number of physical locations

• Safeguards to ensure compliance with the Foreign Corrupt Practices Act, UK Bribery Act or other relevant industry, state or country regulations

• The primary relationship owner within the organization (e.g., IT, finance, marketing)

• Annual spend

• Scoring in terms of risks (financial, operational, compliance, strategic)

• Whether the vendor provides an audit report such as a SOC 1 or 2 (see the “A closer look” section for details)

• Whether the organization has a right-to-audit clause within the contract

Once you have identified all vendor relationships and assigned a weighting to the selected risk factors/attributes, you should have a good assessment of the vendors being used within your organization. See Table 2 as an example. This written assessment provides you with a basis for determining your next steps because it should highlight the vendors that present the highest risk to your organization. These are the vendors for which you need to plan appropriate risk mitigation techniques.

Table 1: Defining vendor relationship

| Vendor name | ABC Payroll | IT Help | Quick Print |
|---|---|---|---|
| Vendor type | Payroll provider | Help Desk Support | Printing/Mail service provider |
| Applicable regulatory requirements (e.g., HIPAA, FCPA) | IRS, Department of Labor | N/A | N/A |
| Geographical/global considerations | Payroll processed in Kansas City, Kan. | Local to each company site and headquarters | Local to headquarters |
| Contractual details | Five-year agreement, approved by Legal department | One-year auto-renewing contract | Six-year agreement, approved by Legal department |
| Nature of service being provided | Payroll processor | IT support contractors | Prints/mails invoices and marketing materials |
| Right to audit clause | No | No | No |
| Provides an audit report such as a SOC 1 | Yes, SOC 1 | No | No |
| Primary relationship owner within organization (e.g., IT, finance, marketing) | Bob Peoples, Human Resources | Martin Technology, CIO | Sally Accountant, CFO |

Source: Grant Thornton LLP

Table 2: Risk considerations for each vendor

| Vendor | ABC Payroll | IT Help | Quick Print |
|---|---|---|---|
| Significance of the data handled by the vendor | 3 | 3 | 2 |
| The frequency of interaction | 5 | 5 | 4 |
| Potential magnitude of an operational loss | 5 | 3 | 2 |
| Potential magnitude of a reputational loss | 1 | 1 | 4 |
| Potential magnitude of a financial loss | 1 | 1 | 1 |
| Significance of operational risk | 5 | 4 | 1 |
| Significance of financial risk | 3 | 1 | 1 |
| Expense of the vendor in relation to the income of the business unit supporting it | 4 | 2 | 1 |
| Significance of strategic risk | 2 | 1 | 1 |

Rating is from low (1) to high (5). Source: Grant Thornton LLP
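The weighting step described above can be made concrete with a small scoring routine. The following is an added example, not part of the Grant Thornton paper: it takes the 1-to-5 ratings from Table 2 and the audit-related attributes from Table 1, applies a per-factor weighting, ranks the in-scope vendors and flags those that leave you with no way to verify their controls (no SOC report and no right-to-audit clause). The factor weights, the high-risk cut-off and the "in scope as soon as sensitive data is shared" rule are assumptions chosen for illustration; the vendor names and ratings are the paper's own.

```python
"""Weighted third-party risk ranking over the paper's Table 1 / Table 2 data.

Added example, not part of the Grant Thornton paper. WEIGHTS, HIGH_RISK and
the in_scope() rule are assumptions for illustration; the vendor ratings and
attributes below are transcribed from Tables 1 and 2.
"""
from dataclasses import dataclass, field

# Table 2 factors, each rated 1 (low) to 5 (high). The weights are an
# assumption: data significance and operational loss are weighted highest
# because a breach at a low-spend vendor can still cost millions, which is the
# paper's argument against a pure dollar threshold.
WEIGHTS = {
    "data_significance": 3.0,
    "interaction_frequency": 1.0,
    "operational_loss": 3.0,
    "reputational_loss": 2.0,
    "financial_loss": 2.0,
    "operational_risk": 2.0,
    "financial_risk": 1.0,
    "relative_expense": 1.0,
    "strategic_risk": 1.0,
}

HIGH_RISK = 60.0  # assumed cut-off on the 0..100 normalised scale


@dataclass
class Vendor:
    name: str
    shares_sensitive_data: bool  # from the "nature of service" row of Table 1
    has_soc_report: bool         # Table 1: provides an audit report such as a SOC 1
    has_right_to_audit: bool     # Table 1: right-to-audit clause
    ratings: dict = field(default_factory=dict)  # Table 2 factor -> 1..5


def in_scope(v: Vendor) -> bool:
    """The paper's risk threshold: met as soon as sensitive or proprietary
    data is shared, regardless of annual spend."""
    return v.shares_sensitive_data


def weighted_score(v: Vendor) -> float:
    """Weighted sum of the vendor's ratings, normalised to 0..100 so that
    vendors rated on different factor subsets remain comparable."""
    for factor, rating in v.ratings.items():
        if factor not in WEIGHTS or not 1 <= rating <= 5:
            raise ValueError(f"bad rating {factor}={rating} for {v.name}")
    total = sum(WEIGHTS[f] * r for f, r in v.ratings.items())
    maximum = sum(WEIGHTS[f] * 5 for f in v.ratings)
    return 100.0 * total / maximum


def assurance_gaps(v: Vendor) -> list:
    """Ways in which you cannot verify this vendor's controls: no independent
    report and no contractual right to look for yourself."""
    gaps = []
    if not v.has_soc_report:
        gaps.append("no SOC report")
    if not v.has_right_to_audit:
        gaps.append("no right-to-audit clause")
    return gaps


def rank(vendors: list) -> list:
    """In-scope vendors ordered from highest to lowest score, each with its
    score, a high-risk flag and its assurance gaps."""
    rows = []
    for v in vendors:
        if not in_scope(v):
            continue  # purchase-order vendors etc. stay out of the deep assessment
        score = weighted_score(v)
        rows.append({"vendor": v.name, "score": score,
                     "high_risk": score >= HIGH_RISK, "gaps": assurance_gaps(v)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Ratings transcribed from Table 2, attributes from Table 1 (order of the
# ratings tuple follows WEIGHTS above).
def _vendor(name, soc, rta, ratings):
    return Vendor(name, True, soc, rta, dict(zip(WEIGHTS, ratings)))

VENDORS = [
    _vendor("ABC Payroll", True, False, (3, 5, 5, 1, 1, 5, 3, 4, 2)),
    _vendor("IT Help", False, False, (3, 5, 3, 1, 1, 4, 1, 2, 1)),
    _vendor("Quick Print", False, False, (2, 4, 2, 4, 1, 1, 1, 1, 1)),
]

if __name__ == "__main__":
    for row in rank(VENDORS):
        flag = "HIGH" if row["high_risk"] else "    "
        print(f"{flag} {row['vendor']:<12} {row['score']:5.1f}  {', '.join(row['gaps']) or 'no gaps'}")
```

With these weights ABC Payroll ranks first and crosses the assumed high-risk line, which matches the paper's case: it is the one vendor with a SOC 1, yet no right-to-audit clause, so the remaining gap is exactly the one the case study later closes by contract. Changing the weights to your own organization's priorities is the point of the exercise; the code only makes the weighting explicit and repeatable.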

Addressing high-risk relationships

Although it may not be a common occurrence, when the risk assessment identifies critical or high-risk vendor relationships, internal auditors will want to consult with the relationship owner and legal department to determine how best to close the gap on those risks. A robust due diligence process before accepting any new third-party business relationship is always the best starting point.

Options may include the following:

• Data collection, management and monitoring; reporting and analytics

• Working to renegotiate contracts

• Asking to perform site visits or audits to gain the assurance you need

• Additional management oversight of the provider, or more closely monitoring the vendor’s performance against agreed-upon service levels

In some cases, the company may need to evaluate switching to another service provider. Your organization should be in the driver’s seat when it comes to feeling comfortable with third-party relationships.

A closer look

One of the most common risk mitigation techniques that organizations can employ with third parties is the review of an independent third-party assessment of the vendor’s processes, technology and controls used in the delivery of services. A common form of this type of review is an attestation report referred to as a Service Organization Control (SOC) report, which helps vendors demonstrate the strength of their internal controls to current and prospective customers. However, for this type of report to be useful, it’s important to know what to look for and to ensure that it addresses the right controls.

There are three different types of SOC reports:

• SOC 1 reports provide a vehicle for reporting on a service organization’s system of internal control that is relevant to a user organization’s internal control over financial reporting. SOC 1 reports are intended to be auditor-to-auditor communications, with specific content dependent on the service organization’s system.

• SOC 2 reports address controls at a service organization that are pertinent to the Trust Services Principles of security, availability, processing integrity, confidentiality and privacy. This report includes many of the same elements as a SOC 1 report — specifically, the independent service auditor’s report, management’s assertion letter, a description of the system, and a section containing the service auditor’s tests of the operating effectiveness of controls and the related test results.

• SOC 3 reports allow service organizations to provide user organizations and other stakeholders with a report on controls that are relevant to the Trust Services Principles. But unlike SOC 1 and SOC 2 reports, SOC 3 reports are short-form reports that can be distributed or posted on service organizations’ websites as a seal.

Not foolproof

Having access to a SOC report can be extremely helpful when evaluating potential vendors and monitoring third-party risk on an ongoing basis. In most cases, organizations that undertake an annual SOC audit to satisfy customer requirements have more sophisticated internal control structures than those that do not. However, the mere existence of a SOC report may not allay all of your company’s specific concerns. It is important to determine what your organization needs assurance on and to understand what the SOC report actually contains. SOC reports may provide a good baseline of control information, but they may also be too generic or superficial for your needs.

As you assess the benefits of a SOC report that is provided to you, consider what the report states, or doesn’t state, relating to the following topics:

• Handling of subservice providers through a “carve-out” vs. “inclusive” method

• Time period covered, if one is listed, and whether that aligns with your needs

• Locations covered and those not covered within the report

• Construction of control objectives and control activities (is something critical to you left out?)

• Bias in sampling

• The testing approach (e.g., inquiry, observation, inspection) employed by the auditor

• Exceptions noted by the service auditor and responses by management

Asking for a right-to-audit clause is an effective way to preserve your ability to seek additional information regarding the services provided by third-party vendors. Certainly, without having either this right or a SOC report to rely on, your company may be exposed to an unacceptable level of risk. Keep in mind that you will probably need to request the right to audit — vendors won’t necessarily offer it without being asked. This underscores the importance of an ongoing program to identify and manage third-party risk.

Case study: Taking the extra step to guard critical data

A global financial services company with billions in assets partners with a third-party services company to print and mail customer statements to institutions and individuals around the world. Because of the confidential nature of the data shared with the third party, the company insists on a high level of assurance that customer information is kept private and secure.

To satisfy the needs of its customers, the service provider has an annual SOC 1 report completed. But upon review, the company realizes that the document has some inherent limitations that don’t enable it to understand and verify the control environment to the degree it wants. Further, the SOC 1 addresses controls that are not critical to the company and omits information around confidentiality and privacy, both of which are key concerns. Therefore, as part of the agreement between the two entities, the company sought for and obtained the right to periodically audit the third party’s processing center to assess risks, perform control testing and develop its own internal report. As needed, the company’s auditors make recommendations to the third party to further enhance internal controls and safeguard information.

Both parties consider the right-to-audit agreement to be a binding aspect of their partnership. Without it, the financial services company could not gain the


Conclusion

Executive management faces ongoing scrutiny and pressure from their board, external auditors and regulators to ensure robust ERM practices. Third-party relationships are a key area of concern in an era of widespread outsourcing and reliance on third parties for non-core operational services. Organizations need to have a consistent and comprehensive process for evaluating and mitigating the risks inherent in these relationships, preferably as part of the ongoing internal audit risk universe and ERM initiatives.

The people in the independent firms of Grant Thornton International Ltd provide personalized attention and the highest quality service to public and private clients in more than 100 countries. Grant Thornton LLP is the U.S. member firm of Grant Thornton International Ltd, one of the six global audit, tax and advisory organizations. Grant Thornton International Ltd and its member firms are not a worldwide partnership, as each member firm is a separate and distinct legal entity. In the U.S., visit Grant Thornton LLP at www.GrantThornton.com.

For more information, contact:

Warren Stippich
Partner and National Governance, Risk and Compliance Leader, Advisory Services
T 312.602.8499
E warren.stippich@us.gt.com

Kirt Seale
Principal and National Special Attestation Reports Leader, Advisory Services
T 214.561.2367
E kirt.seale@us.gt.com

Content in this publication is not intended to answer specific questions or suggest suitability of action in a particular case. For additional information on the issues discussed, consult a Grant Thornton client service partner.
