With rising inflation and supply chain bottlenecks, companies are looking for ways to manage risks and expenses. An important strategy in such a disruptive environment is to review your company’s third-party relationships. Relationships with third parties who are vital to supplying goods, materials, and services are an evergreen risk that has become even more critical during the COVID-19 era. Internal Audit should be reviewing relationships with these parties, which often involves assessing the risk associated with the third party’s technical capabilities, business competence, and ability to meet contractual obligations. At the beginning of this year, I challenged internal auditors to get to know their third parties better – especially their culture, audit strategy, and risk management structure.
We may know ourselves and our organization, but we do not always know the people and organizations upon whom we depend for success. Below are key questions internal auditors should ask to determine their level of familiarity with their critical third-party partners’ risk and control environments.
Can You Conduct a Third-Party Culture Risk Assessment?
Getting to know a third party’s culture related to risk is tricky, but it can be done. Before going too far in answering this question or those that follow, you should consult with your legal team to understand the rights and limitations, with respect to third parties, that may be formalized in contractual right-to-audit agreements. In a third-party culture risk assessment, you can gather information by conducting interviews with a cross-section of employees and reviewing past and current employee comments on sites that compile company profile information. You can also get a sense of a company’s public risk persona by reviewing news articles, press releases, and annual reports.
Have You Met Your Third-Party Partner’s Internal Auditors?
Another way to get to know your partners is by meeting with their internal auditors. If there is no internal audit department, I would consider this a major red flag. Assuming there is an audit team, interviewing the chief audit executive will give you a glimpse into the organization’s governance. You can ask questions about the department’s audit strategy: Is it risk-based and agile? What are its strengths and capabilities? Is it structured to report directly to the audit committee? How long has it been since it underwent an external quality assessment, and what were the results? Understanding the internal audit function will help you assess the risk culture and afford a better understanding of the partner’s governance model. It may also afford you a basis for relying on their work (rather than reperforming it) under certain circumstances.
How Does Your Third-Party Partner Manage Risk?
As with the internal audit function, I suggest evaluating your partner’s risk management program to the extent possible. The evaluation may start with obtaining SOC reports for service providers to understand their control environment for the service that impacts your organization directly. Then look more holistically at the organization, its subsidiaries, brands, and regional locations and ask about their risk management philosophy, how they assess risks, and how they plan for emerging risks. As with audit, this information helps you construct a view of the organization’s governance.
Why Worry About Third Parties?
Businesses depend on one another for success, but your business partners are also a source of risks. As internal audit leaders, we should be more cognizant of our critical third-party partners’ risk and control environment. Understanding our partners requires us to know their compliance environment, question how their internal audit team operates, vet their risk management methodology, and interpret their risk culture. Our success depends on our partners, and now is not the time to place our future in the hands of an unknown risk.