Internal Auditors Take on Third Parties

As businesses become more dependent on third parties, internal auditors need to put processes in place to help identify third-party risks.

With companies outsourcing more responsibilities to third parties, the risks associated with outside firms are also increasing. While chief risk officers are often called upon to manage  those risks, however, it is internal auditors who are responsible for setting up processes to identify third-party risk factors.

Rick Warren

Rick Warren, principal, Crowe Horwath

While CROs and internal auditors work together, it’s tricky to tease out who actually owns the risk — that is, who has primary responsibility for managing it. “Ownership of risk should be diverse,” says Rick Warren, a principal with Crowe Horwath and co-author, along with the Institute of Internal Auditors, of “Closing the Gaps in Third-Party Risk Management,” a study which surveyed 164 chief-audit executives about their role in third-party risk management. In fact, 78 percent of respondents had a high level of concern for monitoring third-party risk-management practices. Others think, however, that the least risky approach is for CROs to be in the driver’s seat, with internal auditors pursuing an arm’s length, objective approach to analyzing the risk.

In the past couple of decades, risk management has evolved, especially as the global economy continues to grow. The extent of outsourcing was not as prevalent as it is today. “Even 15 years ago, you might have a supplier, but they may not outsource. Now, we have these tiers,” Warren says. For example, company A outsources to Company B who outsources to Company C, and so on. In fact, 65 percent of internal-audit executives who responded to the survey said their reliance on third parties is “significant” or “extensive.”

For the most part, organizations are evolving, explains Denise Cicchella, executive director and founder of construction-auditing consultancy Auspicium. Most companies have processes in place, she adds, including a more thorough vetting process of third parties.

A good vetting process includes looking at a potential third parties’ work history, checking professional qualifications and highlighting credit risks. Companies should also enter into insurance contracts under which insurers have the right to subrogation, which enables a company’s insurance carrier to go after third parties that have created losses for the company.

Overall, most companies also need to find out what approach to managing third-party risk works best. According the survey, 82 percent of respondents said they devote less than 20 percent of their internal audit resources to assessing third-party risks (see Exhibit 6.1), including 11 percent who don’t devote any resources at all. And yet, 78 percent of respondents said they had “some concern” or “high concern” about difficulties monitoring third-party risk-management practices.

5 thoughts on “Internal Auditors Take on Third Parties

  1. Surely the risk has to be owned by the party who decided to outsource all or a part of the work they would normally do?

  2. From the article:

    “The CRO or risk-management team should be responsible for mitigating loss exposures with third parties, while an internal auditor should determine what the risks are. Keeping the internal auditor separate from owning risk allows for more transparency and less collusion. ”

    Reading this literally, it would seem that the CRO would need to ‘determine the risks’ that they will ‘be responsible for mitigating’; not the internal auditor. Further, the auditor’s determination of risk, a CRO function, would seem to negate a posture of independence in evaluating a CRO, just as defining controls in most other areas would compromise the auditor’s independence in evaluating them.

    Outsourced services, depending on the terms of the contract, should be seen as extensions of the organization, particularly such services as IT that may be heavily integrated and embedded, and strategically critical to the the contracting entity. It is appropriate for internal audit to 1) have access by contract to audit such entities consistent with the terms and scope of the contract, and 2) to assess the CRO’s function in its determination and management of the attendant risks.

    But it seems inappropriate and contrary to independence for the internal audit function to be responsible for defining the risk that the CRO is to mitigate.

  3. Thanks for reminding and highlighting the importance of looking at 3rd party-risk mgt. Since the varieties of outsourcing is enormous, a dedicated CRO is a must. Internal Auditor shall evaluate the process, capability and effectiveness in all segments of Risk Mgt – Identification, Assessment, Mitigation.

  4. The article begins with “While chief risk officers are often called upon to manage those risks, however, it is internal auditors who are responsible for setting up processes to identify third-party risk factors.” This is inaccurate. Chief Risk Officers do not manages those risks. It’s the responsibility of the business line management to manage these risks. CROs play an oversight role and coordinate the function of risk management. They also determine whether the proper tools are being used by the business line managers to manage the risks. Also, internal auditors do not set up processes. Again, setting up the process is the responsibility of business line managers. Internal auditors provide an independent assessment of processes. They do not set up the processes.

  5. Hi, when business is depending in third parties, process must be in place to assess those third parties relationship risks.

    In my opinion I think that the counteractions to third parties tactics address to:

    1°) the price list:
    * for example the presentation is glossy/well printed implying prices cannot be changed;

    2°) the discount:
    * example, presented as a special discount for a special customer, giving something extra to the company;

    3°) the volume price agreements:
    * example, third party offers a volume discount structure to sell more;

    4°) Special offer:
    * example,routine business dressed up to look like something different purpose is making it look legitimate;

    5°) Small customer:
    * example, in resisting claims for better conditions, third party may discount the importance of the individual customer;

    6°) Differentiating the product:
    * example third party actively highlight special advantage/benefits for company;

    7°) Service factor:
    * example, third party prompt response got the company out of a difficult situation;

    8°) Friendly interest:
    * example, third party keep records of PA’s/employees interest, likes and dislikes will recall previous conversations. Personal and Family details;

    9°) Entertainment and gifts:
    * Example, third party offers procurement/internal client significant gifts or entertainment/travel;

    10°) Talking to internal client/management (backdoor setting):
    * example, third party seeks information and concessions out of this groups and also third party may claim that certain agreements have already been made.

    Dramane BAKAYOKO From Burkina Faso


Your email address will not be published. Required fields are marked *