Recommendations for testing controls performed by third parties, presented at the European Internal Audit Summit 2020. Third-party management is the hottest topic for reducing business-continuity, compliance, IT and commercial risks during the coronavirus crisis.
14. Internal audit
Assess the effectiveness of the 3P program.
Test the performance of controls on 3Ps against policies.
15. Operational delivery controls
3Ps should identify and operate controls to comply with the organization's policies and with contractual requirements where these exceed local regulatory requirements.
16. Review the 3P inventory
• Compile payment and contract data
• Cleanse the data
• Segment 3Ps
• Match against the 3P inventory and approvals
17. Review the risk assessment
• Data protection
• Instruction
• Confidentiality
• Incident management & backups
• Event escalation and reporting
• Sub-processors
• Return and erasure
• Inventory
• Policies & organization
• Asset management
• Access & cryptographic controls
• Operations
• Communication
• Vendor
18. Review the risk assessment
• H&A risk assessment
• Training & awareness
• Hazard prevention
• Identity, certificate and career verifications
• Sanction, credit and criminal checks
• Legal rights to work
• Inspections
• Sub-contractors
• Accident reporting
• Access control
• Security risk assessment
• Security officers
• Transport
19. Review the risk assessment
• Availability of a complaints process
• Investigation & feedback mechanisms
• Retention rules and protection
• Document inventory, retrieval and disposal
• Disposal hold notification
• Validation of recovery time objectives
• Testing of service components
20. Review the risk assessment
• Litigation, media & ethical investigation
• Potential conflicts of interests
• Labor practices
• Licenses and permits
• Sanction screening
• Guarantees and sureties
• Financial stability
• Insurance
• Legal registry
• Intellectual property
• Subcontracting
21. Assess the contractual clauses
Starting from:
• 3P inventory
• Risk assessment
Unequivocal requirements to make each 3P accountable.
Obligation to maintain records.
Contract management:
• Approval of templates and deviations
• Nature and scope
Performance standards:
• Requirements in SLAs
• Dispute resolution & termination