Organizations storing customer credit card information, individuals’ medical records, or other personally identifiable information (PII) are required by certain laws and regulations to protect this data from hackers or other users with malicious intent. The loss of customer data typically results in reputational damage and unexpected legal fees.
What Is a Third-Party Audit?
Since companies routinely partner with other organizations, they must ensure their partners are protecting their customer data. One way to ensure data protection is to conduct a third-party audit. In a third-party audit, an independent auditor is hired by the organization to review its partner’s operations. The scope of a third-party audit is typically limited to the area in question, in this case the adequacy of data protection over shared data. One of the most common types of audits is the certification audit. In a certification audit, a certification body conducts the audit to certify that one party can meet the requirements it agreed to in a contract. For example, if a company contracts a software vendor to host its data under a contractual provision to maintain SOC 2 controls or another standard, one of the certification bodies will audit the software company’s ability to meet those requirements. If the partner is found to meet the requirements of the chosen standard, the partner is certified as in compliance. If issues are found, a remediation plan is put in place to meet the requirements of the chosen standard as soon as possible.
Companies that outsource payroll, healthcare processing, and other processes containing PII can obtain a SOC 2 report. Based on the AICPA’s WebTrust principles, a SOC 2 report is an independent certification of an outsourced service provider’s (OSP) non-financial reporting controls, including security, processing, confidentiality, and privacy controls. The OSP (i.e., the third party) engages a firm to perform the attestation (audit) and then provides the detailed audit results to any interested customer.
But PII is not the only type of critical data shared with third parties. It’s common for organizations to share other sensitive and essential data, such as trade secrets with joint venture partners and subcontracted manufacturers, or future strategic decisions with consulting firms and outside counsel. Besides reputational damage and legal fees, the loss of trade secrets and strategic information can significantly reduce revenue, market share, and shareholder value.
Unfortunately, it is uncommon for these strategic third parties to provide a SOC 2 report or other means of independent data protection control assurance (e.g., an ISO 27001 certification). It is interesting to see that while management is spending more and more on internal controls and protection of key data, very little, if anything, is done to verify that externally held essential data is just as well protected.
According to PwC’s 2015 Global State of Information Security Survey, organizations with annual revenues exceeding $1b had $11m budgeted for security spend in 2014. However, when executives are asked how third parties protect critical data, initial responses include references to contract clauses indemnifying the company if data is lost or blind trust in the third party. As one executive states, “If our supplier can’t protect our, and their other customers’ key data, they wouldn’t be in business.”
How Do You Conduct a Third-Party Audit?
Conducting a third-party audit starts with identifying the scope of the review. The scope should be specific and in line with the potential risk exposure. At this point, an independent auditor is hired by the organization to perform the audit. Independence is essential to the success of this engagement and to preserving the relationship between the two parties. This is especially true when we consider third-party relationships beyond the company/vendor relationship: if we are considering an audit of a board member, an independent party is the only way to conduct an audit free from bias. After performing the audit, the independent auditor issues a 3rd Party Audit Report, which includes detailed information describing the outcome.
A proactive and forward-looking Internal Audit department can help bring the needed awareness to the lack of focus on external data protection controls compared against the high level of attention given to internal data protection controls.
What Should Internal Auditors Consider When Performing a Third-Party Audit?
Internal Audit can give the Board of Directors and executive team assurance on whether a process is in place to manage the risks of third parties maintaining critical data, and on whether those third parties have their data protection controls in place. Suppose the Chief Audit Executive can successfully recommend a third-party data protection control audit. In that case, Internal Audit should consider including third-party governance, contracts, and third-party data controls in the scope of the engagement.
Third-Party Data Governance
To determine if management is adequately protecting critical data stored at third parties, Internal Audit should first obtain an understanding of all third parties that hold key data. Vendors are quick to be included and assessed in this type of project. Still, the Internal Auditor should also consider third parties such as customers, joint venture partners, contractors, and even the board of directors.
Customers and joint venture partners may co-develop proprietary technologies and new products. Some companies also invest in start-ups or smaller organizations to develop specific technologies, and the auditor should evaluate whether the invested company’s data is critical. And while an organization’s Board of Directors is usually considered (top) employees of the organization, most board members are independent and send and receive information that is more often than not strategic, confidential, or both.
Next, does the organization have policies and procedures dictating how to classify, handle, transmit, store, and share critical data? Do the policies and procedures specify which individuals in the organization have the authority to determine what data can and cannot be shared? A lack of policies and procedures can sometimes mean a lack of process, and a lack of process almost always means a lack of control.
If third-party data protection policies and procedures do not exist, different departments in the organization may still have a role in protecting data. For example, as part of the vendor due diligence process, Procurement personnel may be asking new third parties about their data protection controls and how they classify data. While Procurement’s process may not cover all third parties with critical data, it will include some, and the organization should take credit for their work.
While contract clauses such as data confidentiality and “right to audit” are standard in most key vendor and distributor contracts, other contract clauses are better suited to protecting critical data. Internal Audit should look for or recommend specific clauses covering the partner’s data processes. Specifically, does the third party have someone in charge of classifying critical data, documentation of how key data should be handled and transmitted, and a process for destroying critical data once it is no longer needed?
Another contract clause gaining popularity as a result of all of the recent cyber hacks is notification of a successful cyber-attack. Internal Audit should verify that company contracts require third parties to notify the company as soon as possible (generally within 24 – 48 hours) when their network has been successfully breached. Timely notification is essential so the company can cease sharing its critical data and begin its disaster recovery plans if data was lost.
Finally, suppose the third party is sharing critical data with other subcontractors or third parties. In that case, management can require through contract clauses that the third party have a process to monitor its subcontractors’ data protection controls. Contract language should specify how often the third party audits its subcontractors and the level of detail of that review (inquiry only, inspection testing, or independent verification by a qualified auditor).
Internal Audit can also have a role in evaluating third-party data protection controls. In addition to auditing the contract clauses mentioned above, many other third-party controls can and should be evaluated. These include the amount of training and awareness provided to third-party employees on data protection requirements, whether desktops, laptops, and other mobile devices are encrypted, and whether mission-critical data is segmented from the third party’s other data.
To determine what controls Internal Audit should review, key data business owners and the information security department should be asked for insight. Also, cybersecurity control frameworks such as the SANS Institute’s Critical Security Controls for Effective Cyber Defense, Top Cyber Security Controls, NIST’s Framework for Improving Critical Infrastructure Cybersecurity, or ISO’s 27001 Information Security Management Standard should be leveraged as much as possible by IT security.
Chief Information Officers and Chief Compliance Officers have spent significant time and resources protecting PII by identifying and tagging PII and bolstering the organization’s network and cybersecurity defenses. While tagging PII partially addresses compliance risks, the risk of unprotected critical data stored at third parties may still exist. If this is the case, the well-informed Chief Audit Executive has an opportunity to enable positive change by bringing attention to this enterprise risk.
Tom O’Reilly is the Field Chief Audit Executive and Connected Risk Advisor at AuditBoard. In his role, Tom meets, collaborates, and shares Internal Audit and Connected Risk strategies and tactics with the AuditBoard Community and customers to help improve the practice of Internal Audit and how 2nd and 3rd line functions work together.