Organizations are increasingly relying on third parties to carry out vital business functions. This has allowed organizations to focus on core business goals and optimize costs without compromising the effectiveness and efficiency of their internal processes.
Outsourcing can have significant benefits but is not without risk. Third-party relationships also increase the exposure of organizations to new risks and potential compliance failures that may result in fines, lawsuits or reputational damage.
Such compliance failures may occur due to:
- Complexity of outsourcing or third-party agreements, particularly due to the increasingly customized and sophisticated nature of services being outsourced.
- Third parties being granted access to organization networks, further increasing the potential for data security breaches.
- Third parties operating in areas of political uncertainty, increasing the severity and broadening the nature of risks that the organization is exposed to.
In the context of these risk exposures, organizations need to implement controls to mitigate the risks in order to benefit effectively from third-party relationships. Some considerations may include:
- Enhancing cost reduction
- Improving contract governance
- Creating more effective contractual self-reporting processes
- Ensuring timely detection of risk management failures occurring within third-party business partners
How Internal Audit can help:
- Review the third-party selection and due diligence processes including on- and off-boarding processes and controls.
- Evaluate contract management to monitor third-party relationships and contract fulfilment.
- Review third-party compliance with generally accepted information security standards.
- Provide subject matter expertise input when assessing the maturity level of the Service Delivery Lifecycle.
What is needed by Internal Audit?
- Expertise in auditing third parties, supply chain management, sourcing and shared services methodology (i.e. Business Services Maturity Model – BSM) including assessing the level of compliance with local laws and corporate regulations
- Sound understanding of local customs and practices as well as experience in comparing local practices to regulatory standards
- Capability to benchmark the current SLA against good practice (i.e. using the correct KPIs, comparing budget and actual costs against industry standards, etc.)