The Institute of Internal Auditors
Overview: Organizations leverage and rely on third-party providers, as well as subservice or “fourth-party” providers, to conduct business activities. 1 These relationships continue to expand and evolve, introducing numerous risks that must be continuously assessed and appropriately managed by the organization to achieve desired business outcomes. In regulated industries, courts of law, and the court of public opinion, an organization cannot escape blame, including potentially severe repercussions in terms of reputation or financial penalties, if a third-party provider fails to perform as contracted or suffers its own unfortunate event or unethical practices.
Because organizations and their customers can suffer adverse consequences as a result of the actions (or inaction) of their third-party providers, regulators and standard-setting organizations for some industries (e.g., financial services) have established rules, regulations, and guidance concerning the management of third-party providers. These rules can mandate sophisticated third-party risk management models, but the principles used to construct these regulatory requirements are adaptable by other industries that may not have defined benchmarks or parameters to guide them in developing and executing third-party risk management.
This guide introduces internal auditors to the concept of a third-party risk management framework as an element of a larger enterprise risk management framework. It also considers that organizations come in all shapes and sizes, with differing availability of resources, tools, and techniques. To that end, this guide prompts internal auditors to learn the objectives of the organization’s third-party provider selection and management process. It also provides practical considerations for developing an audit of the organization’s third-party risk management methods.
Learning the elements of an organization’s third-party risk management processes may enable the internal audit function to identify areas where the organization may obtain additional value from their third-party relationships while helping the organization protect itself from unnecessary risk exposure.