Internal Auditors Target Third Party Risks

Despite the unexpected timing, nature and magnitude of the pandemic and its many challenges, a crucial line of risk management appears to have been prepared to provide assurance of organizational resilience capabilities before the coronavirus (COVID-19) struck. Business continuity management (BCM) and organizational resilience rate as a top-5 2020 risk, according to a fall 2019 survey of more than 500 internal audit executives conducted by the European Confederation of Institutes of Internal Auditing (ECIIA).

For the past four years, the ECIIA, a consortium of national internal auditor institutes and associations (including those in Belgium, France, Germany, Italy, the Netherlands, Spain, Sweden and the UK and Ireland), has published a hefty Risk in Focus report that analyzes the top risk priorities of internal audit functions. Most if not all of those national associations are closely aligned with the U.S. Institute of Internal Auditors (IIA).

The 2020 report is especially helpful to third party risk managers, cybersecurity professionals, senior executive teams and boards of directors for a number of reasons:

  • The research reflects how internal audit leaders rate top risks according to a number of different parameters (e.g., how the risk rankings compare to the time internal auditors devote to each risk area).
  • Cybersecurity and data security have quickly emerged as the topmost risk concern among internal audit functions.
  • While cybersecurity and data security headline the report, numerous findings show that third party risk, outsourcing and supply chain threats have stormed their way onto chief audit executives’ (CAEs’) radar screens as a top-5 risk, and that respondents expect third party risks to intensify during the next five years.
  • The report shows third party risk management (TPRM) professionals how internal audit functions plan to assess third party management risks this year.

The “fact remains that business activities are spread far and wide outside of an organization’s own borders,” the report’s authors note in a chapter devoted to third party risk. “Recent protectionist, nationalist trade developments notwithstanding, supply chains have lengthened as the world has become more globalized over the long term, meaning that third-party risk may not even apply to third parties at all, but fourth, fifth, sixth etc. parties, also known as nth parties.”

The report indicates that internal auditors are clearly concerned about nth party risk: “It is important to keep in mind that fourth parties may not be subjected to the level of scrutiny and oversight that the organization has over the legally contracted third party. This calls for businesses to take even greater care in managing supplier risk.”

Here are the current top risks internal audit executives identified most frequently:

  • Cybersecurity and data security
  • Regulatory change and compliance
  • Digitalization, disruptive technology and other innovation
  • Outsourcing, supply chains, and third-party risk
  • Business continuity/resilience

And here are the top risks that survey respondents expect their companies will need to address in 2025:

  • Cybersecurity and data security
  • Digitalization, disruptive technology and other innovation
  • Regulatory change and compliance
  • Outsourcing, supply chains, and third-party risk
  • Macroeconomic and political uncertainty

It is noteworthy that each item in both of those risk rankings relates, directly or indirectly, to third party risk management. Effective organizational cybersecurity increasingly depends on the cybersecurity capabilities of key vendors, and the same holds for business continuity/resilience. In addition, a growing number of regulatory guidelines and requirements address third party risks, as the Risk in Focus 2020 report notes in a quick rundown of financial services industry rule-making.

Finally, here are some of the questions that the report poses to internal audit leaders regarding their function’s ability to assess their company’s third party risk management programs:

  • Does the business review the appropriateness of its outsourcing program? Is it confident that the cost benefits outweigh any additional risks associated with outsourcing?
  • Do contracts with third parties include audit rights and can internal audit, if required, gain physical access to these third parties?
  • Is the business trying to understand its nth party risk exposure by asking third parties how they use sub-outsourcing?
  • Are critical processes handled by nth parties and is there an inventory of these?
  • Is due diligence carried out on third parties and their nth party suppliers, both at the onboarding stage and on an intermittent basis thereafter?
  • How do third/nth parties manage data and data security risk?
  • Are these controls up to the same standards as the organization’s own controls as dictated by GDPR?

Amid all of the difficult unknowns related to the pandemic, it is helpful to have some certainty concerning the types of questions third party risk management teams can expect to field from their internal audit colleagues in the months ahead.