Keeping third-party risk in check




ADDRESSING THE CONCERNS OF THE CORPORATE GOVERNANCE COMMUNITY, FALL 2012. CorporateGovernor series: Keeping third-party risk in check

Contents
- Introduction
- Roles and responsibilities
- Planning ahead
- Defining the risk universe
- Crossing the risk threshold
- Addressing high-risk relationships
- A closer look
- Not foolproof
- Conclusion
- About Grant Thornton

Introduction

The reliance on third parties has become a business reality in today's complex and highly competitive environment. The risks involved are also a reality. As more companies outsource significant and critical business functions, they are knowingly or unknowingly relinquishing more and more of their control environment to others. Of particular concern in today's data-centric business world are cloud providers, consultants, business process outsourcers, third-party transaction processors and others with whom you share sensitive or significant information. The need to protect confidential data cuts across industries; sectors such as financial services and health care carry particularly high regulatory requirements when it comes to sharing data with third parties. But any organization that entrusts outside entities with sensitive data, intellectual property, client data or proprietary information needs a framework for identifying, assessing and mitigating the risks involved. It will also need to ensure compliance with the applicable security and privacy regulations.

Roles and responsibilities

A large portion of the responsibility for the risk monitoring and control evaluation exercise typically falls to internal audit because of its internal-control mindset, its expertise in the risk management universe, its objective evaluation capabilities and its ability to reach into multiple business areas across the organization. Although internal audit may drive the coordinated collection of information relating to these third parties, other functional areas, including finance, compliance, legal, procurement and business operations, are critical to forming a complete picture of the use of third parties within an organization. Furthermore, third-party risk management should be a subset of the larger enterprise risk management (ERM) program or similar initiative. The information that is gathered can also feed into other governance, risk and compliance efforts, including the formulation of the internal audit risk universe and the annual internal audit plan.

Planning ahead

Although there are typically contractual protections in place in the event that agreements with third-party partners go awry, by the time that happens it is usually too late for companies to do much beyond trying to recoup or minimize losses. A better approach is to be more proactive in assessing and managing risks on the front end, when relationships are established, and to continue monitoring the interrelated control environment created between the parties throughout the life of the contract. As companies try to better understand the risks inherent in their dealings with outside parties, it's worth noting that exposure will vary with every relationship. The challenge is to establish a framework for risk assessment that is effective yet flexible enough to recognize that not all risks are created equal. The expectations placed on third parties and the level of assurance your organization needs can and should vary, based on a number of factors.

Defining the risk universe

Although there's no one-size-fits-all approach to managing third-party risks, a consistent thought pattern can be applied to the assessment process. As with many exercises, getting started is half the battle. Third parties are generally defined as business partners that are not under the direct control of the organization that engages them. These entities may include vendors, distributors or suppliers of products and services, joint venture or alliance partners, and franchisees or licensees. But rather than attempting a risk assessment that covers the whole universe of third parties in the accounts payable master file, consider excluding maintenance, repair and operations vendors and providers of hard inventory items such as raw materials or finished goods. Relationships with these vendors are typically dictated by purchase orders and governed by the Uniform Commercial Code; as such, they don't usually rise to the risk level of entities that have access to an organization's sensitive data and other intangible assets. The following types of vendors should typically be subjected to a deeper third-party risk assessment:

- Information technology hosting/co-location data center providers
- Cloud or software-as-a-service providers
- Outsourced financial or operational service providers, such as:
  - Payroll processors
  - Securities settlement providers
  - Mortgage servicers
  - Remittance processors
  - Medical, dental or insurance claims processors
- Others that support operational activities on your behalf and have access to your company's or your clients' data:
  - Courier services (e.g., medical files, cash co-pays)
  - Printing and mailing servicers
  - Marketing service providers
  - Telecom providers
  - Help desk or user support providers

Although most vendor relationships will likely surface during a thorough search of accounts payable records, an additional source of information may be your in-house legal department, if you have one. Gather any vendor information the legal department may have, and develop an understanding of how contractual relationships are drawn up and approved. This information can then be cross-checked against the other data you've compiled. Not only will this help ensure you've identified all pertinent vendors, but the contractual agreements should also contain details that are useful for the risk assessment, such as whether the client has a right-to-audit provision or a requirement for a report from an independent third party confirming compliance with internal control or other regulatory requirements. In organizations that take an ad hoc approach, internal audit may also need to seek vendor information department by department or business unit by business unit. The goal at this stage is to identify all pertinent vendor information, wherever it resides in the business, to get a complete picture of existing relationships. Although internal audit will want to perform its own evaluation of risks, it's worth noting that the larger vendors, or those with access to potentially more sensitive information, may already have been carefully vetted. That's not to say that these entities should be ignored or written off as safe, only that they may already have received more scrutiny. In any case, there is still plenty of opportunity for uncontrolled risks to arise with larger vendors, and monitoring those arrangements remains critical.

Crossing the risk threshold

A question that often arises early in a risk assessment is: at what point is a risk threshold met? Our experience suggests that as soon as your organization enters into an agreement with a third party and begins to share sensitive or proprietary information, the risk threshold should be considered met. Although those performing the assessment may get pushback from others who believe there should be a dollar threshold that triggers risk, think twice about this argument. After all, even vendors with which you do only a relatively small amount of business could still cost your company millions in exposures (fines, civil penalties, lost intellectual property, reputational damage, breach of client contractual obligations and brand erosion) if there is a security breach. This isn't to say that annual spend on the service can't be one measure of the risk associated with a particular vendor; rather, it is one of many factors, and all of them should be considered. Through discussions with the various relationship owners within your company (e.g., IT, finance, compliance, legal, procurement and business operations) you can identify additional risk considerations and use them when you perform an initial risk ranking or scoring of the relationship. The relationship owners can also help you identify vendors that may present a high risk to the organization due to subjective factors such as the criticality of the relationship or the level of visibility the vendor allows into its activities. The following is a checklist of factors you may want to weigh and track in assessing risk. You will want to add your own, as well. See Table 1 as an example of how to organize the vendor relationship information.

- Vendor name
- Vendor type
- The nature of the service provided by the third party
- The amount or type of data (company data, client data, patient data, etc.) or intangible property at risk in the relationship
- The potential magnitude of the financial, reputational or operational loss in the event of third-party performance problems
- Contractual details such as date, term and value of the contract (or current vs. past spend if there is no contract)
- The frequency of interaction with the third party, or the degree of management oversight over the services
- Geographical (global) considerations such as the location of third parties and the number of physical locations
- Safeguards to ensure compliance with the Foreign Corrupt Practices Act, the UK Bribery Act or other relevant industry, state or country regulations
- The primary relationship owner within the organization (e.g., IT, finance, marketing)
- Annual spend
- Scoring in terms of risks (financial, operational, compliance, strategic)
- Whether the vendor provides an audit report such as a SOC 1 or SOC 2 (see the "A closer look" section for details)
- Whether the organization has a right-to-audit clause within the contract

Once you have identified all vendor relationships and assigned a weighting to the selected risk factors/attributes, you should have a good assessment of the vendors being used within your organization. See Table 2 as an example. This written assessment gives you a basis for determining your next steps, because it should highlight the vendors that present the highest risk to your organization. These are the vendors for which you need to plan appropriate risk mitigation techniques.

Table 1: Defining vendor relationship (Source: Grant Thornton LLP)

ABC Payroll
  Vendor type: Payroll provider
  Nature of service being provided: Payroll processor
  Contractual details: Five-year agreement, approved by Legal department
  Geographical/global considerations: Payroll processed in Kansas City, Kan.
  Applicable regulatory requirements (e.g., HIPAA, FCPA): IRS, Department of Labor
  Primary relationship owner within organization (e.g., IT, finance, marketing): Bob Peoples, Human Resources
  Provides an audit report such as a SOC 1: Yes, SOC 1
  Right-to-audit clause: No

IT Help
  Vendor type: Help desk support
  Nature of service being provided: IT support contractors
  Contractual details: One-year auto-renewing contract
  Geographical/global considerations: Local to each company site and headquarters
  Applicable regulatory requirements: N/A
  Primary relationship owner within organization: Martin Technology, CIO
  Provides an audit report such as a SOC 1: No
  Right-to-audit clause: No

Quick Print
  Vendor type: Printing/mail service provider
  Nature of service being provided: Prints and mails invoices and marketing materials
  Contractual details: Six-year agreement, approved by Legal department
  Geographical/global considerations: Local to headquarters
  Applicable regulatory requirements: N/A
  Primary relationship owner within organization: Sally Accountant, CFO
  Provides an audit report such as a SOC 1: No
  Right-to-audit clause: No

Table 2: Risk considerations for each vendor (Source: Grant Thornton LLP)

Rating is from low (1) to high (5). Columns, in order:
  1. Significance of the data handled by the vendor
  2. Potential magnitude of a financial loss
  3. Potential magnitude of a reputational loss
  4. Potential magnitude of an operational loss
  5. The frequency of interaction
  6. Expense of the vendor in relation to the income of the business unit supporting it
  7. Significance of financial risk
  8. Significance of operational risk
  9. Significance of strategic risk

Ratings as they survive in the source text (cells rated 1 did not survive, so the rows are incomplete):
  ABC Payroll: 3, 5, 5, 4, 3, 5, 2
  IT Help: 3, 3, 5, 2, 4
  Quick Print: 2, 4, 2, 4
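As an added example (it is not from the Grant Thornton paper), the following Python script turns the Table 1/Table 2 approach into a repeatable ranking: it scores each vendor across the nine Table 2 factors, applies the threshold rule from the previous section (a vendor that receives sensitive or proprietary data is in scope regardless of annual spend), tiers the result and lists the assurance a high-risk vendor is missing (no SOC report, no right-to-audit clause). The factor weights, the spend cut-off for vendors that hold no data, the tier boundaries, the "Courier Co" and "Office Supply Co" vendors and every rating are assumptions constructed for illustration; Table 2's own ratings are not reproduced.

```python
"""Weighted vendor risk ranking (added example; weights, cut-offs and sample
data are assumptions for illustration, not figures from the paper)."""
from dataclasses import dataclass

# The nine rating columns of Table 2, each scored 1 (low) to 5 (high).
FACTORS = (
    "data_significance", "financial_loss", "reputational_loss",
    "operational_loss", "interaction_frequency", "relative_expense",
    "financial_risk", "operational_risk", "strategic_risk",
)

# Assumed weights: what is at stake (data and loss magnitudes) counts double.
WEIGHTS = {f: (2.0 if i < 4 else 1.0) for i, f in enumerate(FACTORS)}

MIN_SPEND_FOR_REVIEW = 250_000  # assumed cut-off for vendors that hold no data


@dataclass
class Vendor:
    name: str
    ratings: dict            # factor name -> rating 1..5
    shares_sensitive_data: bool
    annual_spend: float
    has_soc_report: bool
    right_to_audit: bool


def missing_factors(ratings):
    """Factors absent from a ratings dict; an incomplete row cannot be scored."""
    return [f for f in FACTORS if f not in ratings]


def weighted_score(ratings):
    """Weighted mean of the 1..5 ratings, rounded to two decimals."""
    missing = missing_factors(ratings)
    if missing:
        raise ValueError(f"unscored factors: {missing}")
    for f in FACTORS:
        if not 1 <= ratings[f] <= 5:
            raise ValueError(f"{f}={ratings[f]} is outside 1..5")
    total = sum(WEIGHTS[f] * ratings[f] for f in FACTORS)
    return round(total / sum(WEIGHTS.values()), 2)


def in_scope(vendor):
    """The paper's threshold rule: once sensitive or proprietary data is
    shared the vendor is in scope whatever the spend; otherwise spend decides."""
    return vendor.shares_sensitive_data or vendor.annual_spend >= MIN_SPEND_FOR_REVIEW


def tier(score):
    """Assumed tier boundaries on the 1..5 scale."""
    if score >= 4.0:
        return "high"
    return "medium" if score >= 2.5 else "low"


def assurance_gaps(vendor, risk_tier):
    """For a high-risk vendor, list the assurance mechanisms that are absent."""
    if risk_tier != "high":
        return []
    gaps = []
    if not vendor.has_soc_report:
        gaps.append("no SOC report")
    if not vendor.right_to_audit:
        gaps.append("no right-to-audit clause")
    return gaps


def rank_vendors(vendors):
    """Score every in-scope vendor and return them highest risk first."""
    ranked = []
    for v in vendors:
        if not in_scope(v):
            continue
        s = weighted_score(v.ratings)
        t = tier(s)
        ranked.append({"name": v.name, "score": s, "tier": t,
                       "gaps": assurance_gaps(v, t)})
    ranked.sort(key=lambda r: (-r["score"], r["name"]))
    return ranked


def _ratings(*values):
    return dict(zip(FACTORS, values))


# Constructed inventory: the three vendors of Table 1 plus two extra cases.
SAMPLE_VENDORS = [
    Vendor("ABC Payroll", _ratings(5, 5, 5, 4, 3, 2, 5, 4, 2), True, 900_000, True, False),
    Vendor("IT Help", _ratings(3, 2, 2, 4, 5, 2, 1, 4, 2), True, 400_000, False, False),
    Vendor("Quick Print", _ratings(4, 2, 4, 2, 4, 1, 2, 2, 1), True, 150_000, False, False),
    # Low spend but carries medical files: the threshold rule keeps it in scope.
    Vendor("Courier Co", _ratings(5, 3, 5, 2, 4, 1, 2, 2, 1), True, 8_000, False, False),
    # Hard-goods supplier on purchase orders, no data: excluded from the deep review.
    Vendor("Office Supply Co", _ratings(1, 1, 1, 1, 2, 1, 1, 1, 1), False, 40_000, False, False),
]

if __name__ == "__main__":
    for row in rank_vendors(SAMPLE_VENDORS):
        print(f"{row['name']:<16} {row['score']:.2f} {row['tier']:<6} {', '.join(row['gaps'])}")
```

With the constructed data, ABC Payroll scores 4.15 (high) and is flagged for the missing right-to-audit clause even though it supplies a SOC 1 report, the low-spend courier stays in the ranking because it handles sensitive data, and the office supply vendor never enters it. The two validation paths in weighted_score matter in practice: a relationship owner who leaves a factor blank produces an error rather than a silently lower score.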

Addressing high-risk relationships

Although it may not be a common occurrence, when the risk assessment identifies critical or high-risk vendor relationships, internal auditors will want to consult with the relationship owner and the legal department to determine how best to close the gap on those risks. For new third-party relationships, it is always best to have a robust due diligence process before the contract is signed. For existing relationships, options may include the following:

- Data collection, management and monitoring; reporting and analytics
- Working to renegotiate contracts
- Asking to perform site visits or audits to gain the assurance you need
- Additional management oversight of the provider, or closer monitoring of the vendor's performance against agreed-upon service levels

In some cases, the company may need to evaluate switching to another service provider. Your organization should be in the driver's seat when it comes to feeling comfortable with third-party relationships.

A closer look

One of the most common risk mitigation techniques that organizations can employ with third parties is the review of an independent third-party assessment of the vendor's processes, technology and controls used in the delivery of services. A common form of this type of review is an attestation report referred to as a Service Organization Control (SOC) report [1], which helps vendors demonstrate the strength of their internal controls to current and prospective customers. However, for this type of report to be useful, it's important to know what to look for and to ensure that it addresses the right controls. There are three different types of SOC reports [2]:

- SOC 1 reports provide a vehicle for reporting on a service organization's system of internal control that is relevant to a user organization's internal control over financial reporting. SOC 1 reports are intended to be auditor-to-auditor communications, with specific content dependent on the service organization's system.
- SOC 2 reports address controls at a service organization that are pertinent to the Trust Services Principles of security, availability, processing integrity, confidentiality and privacy [3]. This report includes many of the same elements as a SOC 1 report, specifically the independent service auditor's report, management's assertion letter, a description of the system, and a section containing the service auditor's tests of the operating effectiveness of controls and the related test results. Note that the tests and results are present only in a Type 2 report, which covers a period of time; a Type 1 report addresses the design of controls at a single date and gives no evidence that they operated.
- SOC 3 reports allow service organizations to provide user organizations and other stakeholders with a report on controls that are relevant to the Trust Services Principles. But unlike SOC 1 and SOC 2 reports, SOC 3 reports are short-form reports that can be distributed or posted on the service organization's website as a seal.

[1] Service Organization Control, SOC 1, SOC 2 and SOC 3 are proprietary service marks of the AICPA.
[2] For more information on SOC, see Grant Thornton's white paper "Puzzled about Service Organization Control reports?" at www.grantthornton.com/portal/site/gtcom/menuitem.9c078ed5c0ef4ca80cd87003384ca/?vgnextoid=59bd4af807e030vgnvcm000003a834acrcrd&vgnextfmt=default.
[3] The principles and criteria were developed by the AICPA and the Canadian Institute of Chartered Accountants. See www.aicpa.org/interestareas/informationtechnology/resources/TrustServices/Pages/Trust%20Services%20Principles%E2%80%94An%20Overview.aspx.

Not foolproof

Having access to a SOC report can be extremely helpful when evaluating potential vendors and monitoring third-party risk on an ongoing basis. In most cases, organizations that undertake an annual SOC audit to satisfy customer requirements have more sophisticated internal control structures than those that do not. However, the mere existence of a SOC report may not allay all of your company's specific concerns. It is important to determine what your organization needs assurance on and to understand what the SOC report actually contains. SOC reports may provide a good baseline of control information, but they may also be too generic or superficial for your needs.

As you assess the benefits of a SOC report that is provided to you, consider what the report states, or doesn't state, on the following topics:

- Handling of subservice providers through a carve-out vs. inclusive method (a carved-out subservice provider's controls are outside the report, so you need assurance on them from elsewhere)
- Time period covered, if one is listed, and whether that aligns with your needs
- Locations covered and those not covered within the report
- Construction of control objectives and control activities (is something critical to you left out?)
- Bias in sampling
- The testing approach (e.g., inquiry, observation, inspection) employed by the auditor
- Exceptions noted by the service auditor and the responses by management

Asking for a right-to-audit clause is an effective way to preserve your ability to seek additional information regarding the services provided by third-party vendors. Certainly, without either this right or a SOC report to rely on, your company may be exposed to an unacceptable level of risk. Keep in mind that you will probably need to request the right to audit; vendors won't necessarily offer it without being asked. This underscores the importance of an ongoing program to identify and manage third-party risk.

Case study: Taking the extra step to guard critical data

A global financial services company with billions in assets partners with a third-party services company to print and mail customer statements to institutions and individuals around the world. Because of the confidential nature of the data shared with the third party, the company insists on a high level of assurance that customer information is kept private and secure. To satisfy the needs of its customers, the service provider has an annual SOC report completed. But upon review, the company realizes that the document has inherent limitations that don't let it understand and verify the control environment to the degree it wants. Further, the SOC report addresses controls that are not critical to the company and omits information on confidentiality and privacy, both of which are key concerns. Therefore, as part of the agreement between the two entities, the company sought and obtained the right to periodically audit the third party's processing center to assess risks, perform control testing and develop its own internal report. As needed, the company's auditors make recommendations to the third party to further enhance internal controls and safeguard information. Both parties consider the right-to-audit agreement to be a binding aspect of their partnership. Without it, the financial services company could not gain the level of assurance needed to continue the relationship. For its part, the service provider accepts the rigorous audits as a condition of doing business with the company and views the site visits as an opportunity to continually test and improve its control environment, which has lasting benefits for both the service provider and its customers.

Conclusion

Executive management faces ongoing scrutiny and pressure from its board, external auditors and regulators to ensure robust ERM practices. Third-party relationships are a key area of concern in an era of widespread outsourcing and reliance on third parties for non-core operational services. Organizations need a consistent and comprehensive process for evaluating and mitigating the risks inherent in these relationships, preferably as part of the ongoing internal audit risk universe and ERM initiatives.

About Grant Thornton

The people in the independent firms of Grant Thornton International Ltd provide personalized attention and the highest quality service to public and private clients in more than 100 countries. Grant Thornton LLP is the U.S. member firm of Grant Thornton International Ltd, one of the six global audit, tax and advisory organizations. Grant Thornton International Ltd and its member firms are not a worldwide partnership, as each member firm is a separate and distinct legal entity. In the U.S., visit Grant Thornton LLP at www.grantthornton.com.

For more information, contact:
Warren Stippich, Partner and National Governance, Risk and Compliance Leader, Advisory Services. E warren.stippich@us.gt.com
Kirt Seale, Principal and National Special Attestation Reports Leader, Advisory Services. E kirt.seale@us.gt.com


Content in this publication is not intended to answer specific questions or suggest suitability of action in a particular case. For additional information on the issues discussed, consult a Grant Thornton client service partner. Grant Thornton LLP. All rights reserved. U.S. member firm of Grant Thornton International Ltd.