Using third parties invariably presents a variety of risks for organizations, including strategic, reputational, regulatory, operational, financial, transactional, security, compliance, and other risks. However, when utilized effectively, third parties can also provide tremendous value in terms of specialized knowledge, increased capacity, reduced overhead, and more customized business solutions. Internal audit should be at the forefront of managing the risks associated with third parties by independently reviewing, evaluating, and reporting on the related business practices.
This course provides an overview of third-party risk management, including governance structure and risk management processes. It also specifies contracting, monitoring, and contract termination elements of the third-party relationship. Finally, the content defines the role of internal audit as it relates to various phases of the third-party management audit engagement, including planning, defining scope and objectives, testing, and reporting.
- Recognize the elements and attributes of third-party risk management.
- Recognize risks and controls associated with contracting third parties.
- Recognize the areas where internal audit can monitor third parties.
- Differentiate types of third-party risk management governance structures.
- Differentiate key elements of Type 1 and Type 2 assurance reports for the operation of critical third-party organizations.
- Differentiate the evaluation criteria for engagements of third parties.
- Understand third-party due diligence policies and procedures.
- Understand the testing phase and the need to determine the essential criteria element(s) for evaluating the organization's third-party risk management framework and process.
What You Will Learn
Defining Third Parties
- What are Third Parties and Examples
- Recent Trends
- Why Organizations Leverage External Resources
Elements of Third-Party Risk Management Program
- Risk Management Approach
- Third-Party Risk Management Framework
- Risk Appetite
- Third-Party Risk Management Governance
- The Elements of Third-party Provider Management Processes
The Elements of Third-party Provider Management Processes
- Due Diligence
- Issue Resolution
The Role of Internal Audit in Auditing Third-Party Risk Management
- Gather information to understand the area or process under review.
- Conduct a preliminary risk assessment of the area or process under review.
- Form engagement objectives.
- Establish engagement scope.
- Allocate resources.
- Document the plan.
Assess Risks and Controls
- Understand the Inherent Risks
- Preliminary Evaluation of Risks
- Understand the Business Partner's environment, processes, and controls
- Determine which processes and activities to audit
Testing and Evaluating Third-party Risk Management
- Audit the third-party risk management framework (e.g., risk appetite, governance, methodology)
- Audit the third-party risk management process (e.g., procurement audit)
- Audit a component of the third-party risk process (e.g., contracts audit)
- Third-Party Risks and Red Flags/Warning Signs
- Audit Considerations of Fourth Parties
- Engagement results
- Recommendations and/or action plans
- Plan for Action