At The IIA Financial Services Exchange conference in Washington, DC on October 1-2, I had the honor of moderating a panel discussion on the role of internal audit in creating value through third-party risk management. The panelists were:
- Abel Clark, CEO of TruSight
- Amy Hellen, Head of Third-Party Risk Management at TD Bank
- Maz Kothari, Managing Director at JPMorgan Chase
- James McDonald, Managing Director at Protiviti, and
- Sriram Padmanabhan, Chief Auditor – Technology, Change and Third Parties, Citigroup.
Following are some notable observations and takeaways based on comments from the panelists.
The Current Regulatory Landscape
Regulators are probing fourth-party risk – in other words, subcontractors. They also are focusing more on special categories such as nontraditional third parties. Specifically, they are looking at governance of these nontraditional third parties and how financial services organizations are risk-assessing them compared with traditional third parties.
Regulators also are looking at the specific strategies for working with third parties. They want to know the strategy the organization has for working with its third parties and, by extension, how the organization is becoming more thoughtful when developing a strategic plan to mitigate the specific risks associated with a third party, and the services being provided by that third party.
Another critical area regulators are assessing is business continuity/resiliency risk associated with third parties, and the connection to an organization’s broader business continuity plans. This includes ensuring consistency and alignment between an organization’s internal expectations and its third-party risk management program.
Of note, there continues to be inconsistency in regulator reviews. Large banks tend to be reviewed more closely and in greater detail. The level of detail in reviews then scales down based on the size of the financial institution. But more detailed regulator reviews are starting to trickle down to smaller banks.
In addition, regulators continue to focus more in their reviews on how third parties are managing data or processes where consumers are affected and concerned. If consumer laws and/or regulations are involved, regulators are looking at third parties more closely.
There continues to be a push for internal audit to conduct on-site visits to critical vendors and suppliers. Regulators want to know how much internal audit is relying on questionnaires to vendors, compared with in-person visits. This is a tricky area: Internal audit often needs to trust, but verify in person. There is no straight answer to this, but regulators continue to probe this area. And if the first line or second line is not performing on-site assessments, regulators are looking to internal audit to fill the void.
Key Considerations and Guiding Principles When Implementing, Refreshing or Auditing a Third-Party Management Program
Key challenges for internal audit groups and financial services organizations are 1) finding the right resources to properly appreciate the risk and control environment and 2) the need for strong overall governance across the third-party risk management program. In addition to the potential challenges with time and resources to perform some key tasks (e.g., information collection and validation), internal audit must be ready to conduct on-site visits if vendors push back on completing questionnaires or are not thorough in answering them. This increases the burden on internal audit, as third parties often provide inconsistent levels of detail in their responses to an organization’s questionnaire, causing difficulty in assessing the overall effectiveness of the program.
Additionally, it is not feasible for the internal audit group to visit every third party. Internal audit must be thoughtful in selecting vendors and third parties to visit. As part of this process, internal audit should develop a risk-based framework to determine which critical third parties to focus on and potentially visit.
Also of note, assessment of fourth- and fifth-party risks, as well as vendor concentration risk, is becoming a significant area that auditors need to address.
With regard to fintechs, a large and growing number of traditional financial services organizations are working with fintechs as their third, fourth and even fifth parties. These fintech organizations must fall under the primary organization’s third-party risk management program. The question becomes how to achieve the appropriate balance between, addressing risk, on the one hand, and fostering and encouraging innovation in these fintech organizations and emerging technology companies that benefit the organization, on the other hand.
Interestingly, with regard to fintechs and regtech, the Office of the Comptroller of the Currency (OCC) is still trying to figure out its supervisory guidance and how third-party risk management applies. There is no question that the principles apply, but how those translate to day-to-day management remains a challenge. This definitely will be a continuing area of focus for the OCC and other regulatory authorities.
Another key consideration for third-party risk management programs is people risk. Programs focused on people risk have been evolving in response to regulatory reform and other risk and compliance issues. Internal audit needs the right skills and experience, including but not limited to cybersecurity and information-security experience and other advanced technology capabilities. It’s very difficult to find individuals that understand all the domains of third-party risk, as each risk domain across a traditional organization is embedded underneath the umbrella of third-party risk.
Yet another important consideration is data and how various third parties are managing it for the organization. This is not just about vendors. Consider, for example, Facebook. How should an organization deal with Facebook as a third party that is managing at least a segment of the organization’s data through interfaces with its apps or other technologies?
Ultimately, an organization needs to understand its data in order to manage it – determine where the data is, from where it originates, what happens if that data is breached or hacked at one vendor, and whether that breach or hack will cascade to other vendors. As part of this strategy, the organization needs to understand how third parties are processing and securing its data.
Due Diligence and De-Risking Third Parties
There are a couple of important considerations in this area. First, internal audit needs to determine whether management is rationalizing what is and what is not a critical third party, and how management reached those conclusions. This is because not every third party can be, or needs to be, audited with the same level of rigor and thoroughness. Noncritical third parties do not require the same level of risk management as critical parties, and understanding what is required for whom is important when trying to manage resources effectively.
Second, because a one-size-fits-all approach is unfeasible when monitoring third parties, internal audit should work with management to determine, or preclassify, which ones are low-risk parties, as well as the factors that might trigger a higher risk in these third parties and the need for greater due diligence.
Finally, internal audit must review the organization’s inventory of third parties on a regular basis. This cannot be viewed as a static list. Third parties come and go, and relationships with specific parties evolve over time.
Cybersecurity Risk Management
As we know, the regulators are focusing increasingly on cybersecurity risk. The question becomes whether the internal audit group has the requisite skills to audit cybersecurity risk as it relates to third parties. In addition, internal audit needs to assess how management is governing cybersecurity risk and how audits should be performed.
There continues to be significant interest in cyber risk at the board level. Therefore, information regarding cybersecurity risk with third parties must be included in board reports – coverage, number of issues known and more.
One of the challenges, then, becomes producing the right amount of reporting, as well as reporting that is actionable. What are the board, management and other groups doing with the reports? Are key risks identified up-front? Are action items included? When it comes to cybersecurity, reports cannot be issued simply for the sake of issuing them.
In Closing: The Role of Internal Audit
One of the key roles for internal audit is engaging with the third party’s management and understanding its strategy. This helps internal audit know what to assess and how to audit key areas. In other words, it helps internal audit understand what it needs to do.
Internal audit can and should be a key partner for effective third-party risk management, which needs to be effectively monitored. Internal audit can help with this as part of its overall support of the organization’s compliance efforts.
Finally, some institutions have questions as to whether affiliates should be treated in the same manner as external third parties. Internal audit must recognize that regulators do not differentiate between affiliates, or internal third parties, and external third parties. Therefore, the overall structure for auditing third parties must include affiliates as well as vendors.