Internal Auditor, June 2017, page 43
A recent Thomson Reuters survey shows that 72 percent of companies perform initial third-party due diligence, but only 36 percent monitor for risk profile changes once third parties are in place.
culture, typically defined as the beliefs, values, attitudes, and behaviors related to risk awareness, risk taking, and risk management. How are the business and third-party risk teams interacting? Do they meet regularly to assess their most critical third parties? Do they agree on the priority of third-party risk?
Internal auditors should examine meeting minutes and other communications between key business leaders and the third-party risk team, as they will provide insight as to the strength of processes and controls around third-party risk. Some additional leading risk management practices for internal
» Naming a central point of contact within the audit function to liaise with the third-party risk management team, similar to other enterprise risk functions.
» If operating in a regulated environment, understanding the guidelines organizational business and risk leaders must follow in addition to any available exam procedures (e.g., OCC’s 2017-7, Third-party Relationships: Supplemental Examination Procedures).
» Determining whether the third-party risk program is focusing its efforts on areas that pose the greatest risk. If so, is the risk management team consistent with this approach? Has it outlined the methodology used to segment risk profiles by severity? Is the team working smart or just working hard?
» Reviewing the program governance and risk escalation process. Is it disciplined? Is the vendor due diligence robust? Does it include a sufficient
» Evaluating the process for handling unplanned terminations for a critical third party. Has the program adequately defined a workaround while the service is either brought in house or replaced by another third party?
» Determining what documentation is maintained and whether it provides an adequate audit trail to easily determine what risks and related controls are operating as designed.
Keeping Risk in Check
Without a doubt, companies need to enhance their third-party risk programs as third parties continue to drive the execution of organizational processes and help optimize performance. The value of managing risks associated with outsourcing a critical business service to a third party is shared across the organization, and it represents a vital component of protecting shareholder value. Internal auditors should keep in mind that their role in this process is critical to providing assurance that third-party risk management performs optimally.
focus their skills and talents on core business processes and look for creative ways to outsource noncore processes. Although more and more organizations are moving in this direction, they must still make sure their vendors are providing consistent, efficient services and that risks associated with using third-party vendors are minimized.
Michael Rose, CIA, CPA, CISA, CISM, is a Business Advisory Services partner at Grant Thornton LLP in New York.
Dennis Frio, CPA, is a Business Advisory Services managing director at Grant
Managing outsourcing risks is vital to protecting shareholder value.