The Institute of Internal Auditors has issued a new practice guide to help audit third-party risk management.
This latest practice guide informs chief audit executives and their audit teams on how to understand and assess risks related to the use of third-party providers. Risks related to vendors, suppliers, resellers, and other third parties routinely show up on lists of the top risks that organizations face. Technology research firm Gartner, for example, recently named third-party risk as one of its “audit plan hot spots” for 2019. According to Gartner, nearly 70 percent of chief audit executives report third-party risk as one of their top concerns, but many organizations still struggle to account for and manage it.
The guide considers risks across the full vendor life cycle, including the appropriate sourcing, ongoing management, and termination of vendors. It also explores the risks arising from the types of services third parties provide and covers the sensitivity of data typically shared in such relationships. By most estimates, third-party risks are increasing for most organizations.
According to the IIA, the guide “provides structure for planning and executing third-party risk audits appropriate to the size, scale, and risks facing an organization. Example audit guidance is provided, making this a robust resource with tangible tools.”
Topics covered by the third-party risk management practice guide include:
- Outlining key roles, responsibilities, and risks in managing third-party providers.
- Defining a third-party risk audit coverage approach.
- Developing a structure for scoping, planning, and executing third-party risk audits.
- Appropriately engaging and assessing third-party risk management activities across the business, oversight, and control functions.
- Determining whether the organization has a third-party risk management structure that results in a “patchwork” approach, and, if so, how to bring it together into an enterprise-wide framework.
“Internal audit teams can help by evaluating third-party contracts and compliance efforts, as well as investigating regulatory requirements for third-party data handling,” says Gartner in its report.
Members of the IIA can download the report for free, while non-members may purchase it in the IIA Bookstore.