Recommendations to test controls performed by third-parties presented in the European Internal Audit Summit 2020 . Third-party management is the hottest topic in reducing business continuity, compliance, IT and commercial risks during the coronavirus crisis.

1. Prof. Hernan Huwyler, MBA CPA
Madrid, May 14th 2020
Managing Third Party Risks
2020 European Internal Audit Conference

2. Does the business need
a global pandemic to
realize the importance
of third party risks?

3. Researches shown that many
corruption , business interruption,
data breach and compliance
risks are triggered by third
parties

4. Start from a definition
3P = any entity that a
company does business
with

5. 3P
Sales channel
> Clients, dealers
Supply channel
> Suppliers and subcos
> Agents acting on behalf
Partners
> JVs, consortums

6. Who is the owner of the 3P risks
framework in your organization?
1. Procurement
2. Legal
3. Compliance
4. Risk Management
5. IT
5. Unclear

7. Suggest a centralized
3P management to
avoid conflicts of
interests and inconsistent
requirements

8. Policy
Procedures
Clauses
Platform

9. Policy
Procedures
Clauses
Platform
Program
Inventory
Escalation
Segmentation

10. • Sourcing risk assessment
• Due diligence
• SLA and contract, sub-cos approval
• Onboarding training
• Performance monitoring
• Ongoing due diligence
• Certification
• Exit plan
• Transition
• Customer complain
handling
• Contingency plan

11. The improvisation
during COVID19 shown
that colorful bubbles in
a map provide zero
value to business and
decision-making

12. Charlatanism
• Risk maps
• Risk matrices
• Risk registries
• Rating systems
• Scoring models

13. Science
Monte
Carlo
Simulations
Decision
trees
Scenario
planning
Reserve
calculations
Risk
financing

14. Internal audit
Assess the effectiveness of the
3P program
Test the performance of
controls on 3Ps against
policies

15. Operational delivery controls
3Ps should identify and operate
controls to comply with the
organization policies and
contractual requirements if exceed
local regulatory requirements

16. Review the 3P inventory
• Compile payment and
contract data
• Cleanse the data
• Segment 3Ps
• Match against 3P inventory and
approvals

17. Review the risk asssessment
• Data protection
• Instruction
• Confidentiality
• Incident management & backups
• Event escalation and reporting
• Sub-processors
• Return and erasure
• Inventory
• Policies & organization
• Asset management
• Access & cryptographic
• Operations
• Communication
• Vendor

18. Review the risk asssessment
• H&A risk assessment
• Training & awareness
• Hazard prevention
• Identity, certificate and career verifications
• Sanction, credit and criminal checks
• Legal rights to work
• Inspections
• Sub-contractors
• Accident reporting
• Access control
• Security risk
assessment
• Security officers
• Transport

19. Review the risk asssessment
• Availability of a complaints process
• Investigation & feedback mechanisms
• Retention rules and protection
• Document inventory, retrieval and disposal
• Disposal hold notification
• Validation of recovery time objectives
• Testing of service components

20. Review the risk asssessment
• Litigation, media & ethical investigation
• Potential conflicts of interests
• Labor practices
• Licenses and permits
• Sanction screening
• Guarantees and sureties
• Financial stability
• Insurance
• Legal registry
• Intellectual property
• Subcontracting

21. Assess the contractual clauses
Starting from
• 3P inventory
• Risk assessment
Unequivocal
requirements to make
each 3P accountable
Obligation to maintain
records
Contract management
• Approval of templates and deviations
• Nature and scope
Performance standards
• Requirements in SLAs
• Dispute resolution & termination

22. Review the monitoring
Self-
assessment
On-site
audits
Certifications
Frequency
Control
matrix
Consistency
Centralized
in-house
Non-
conformance
External
auditors

23. Review the 3P metrics
Contractual and
SLA KPIs
• Target, minimum and
actual
Incident statistics
• Contract breach log
• Quality rejections
• Customer complains
• Satisfaction surveys Update of exit plan
• Root-cause analysis
Traceability
• Validated sources of data
Improvement
• Incentives and penalties
• Discussion meetings and plans

24. Resources
Internal Audit Institute
Practice Guide for Auditing
Third-Party Risk Management

25. Resources
International Standard on Assurance
Engagements (ISAE) No. 3402
Assurance Reports on
Controls at a Service
Organization

26. @hewyler
www.linkedin.com/in/hernanwyler
mydailyexecutive.blogspot.com