Emerging Issues: Impact of the Third-Party Relationships on Internal Audit

The business environment has become complex, which has created the need for internal auditors to be proactive in order to identify potential risks that their companies are likely to face. According to KPMG (2016), the establishment of third-party relationships is one of the modern trends that expose companies to audit risks. Third-party relationships are established by organizations that intend to outsource some of their functions. Although most of the third-party relationships are based on enforceable contracts, there is a high risk of non-compliance by the third parties. This paper will address the impact of third-party relationships on auditing.

Drivers of third-party relationships and their impact on internal audit

Companies are increasingly relying on the services of third parties, which is accomplished by outsourcing some of their functions. One of the key drivers of this new trend is the need for modern companies to reduce the cost of operation and increase revenue (KPMG, 2016). The idea of using third-party relationships to reduce the cost of production is adopted by organizations that uphold the concept of specialization, where companies choose to focus on the core areas of their fields of operation and outsource other services to specialized third parties. The other key driver of the third-party relationship is the need to increase efficiency and productivity. This is achieved by helping the enterprise focus on the core functions and outsourcing functions that are not critical.

Although third-party relationships have a lot of benefits to organizations operating in the modern business environment, they expose the enterprise to numerous risks that might result in regulatory sanctions, fines, operation bans, lawsuits, and reputational damage (KPMG, 2015). An exposure to additional risks increases the work of internal auditors, who are expected to identify the risks and advise the management on how to manage them. There are three major risks facing organizations that rely on third-party relationships. The first type of risk is the protection of data from unauthorized parties. Companies with robust data protection systems are also exposed to a very high risk of breach whenever they establish third-party relationships (Horwath, Anderson, Varney, Warren, Czerwinski & Andolina, 2015). This is because some third parties may not have adequate internal controls to protect sensitive information from unauthorized access.

The second type of risk that internal auditors need to address when dealing with enterprises that have third-party relationships is the lack of compliance with the laws and rules. An enterprise may adhere to its core values (such as integrity and competence) in its operations, but it cannot impose the same values on the third party (Horwath et al., 2015). Any revelation of non-compliance by the third party can damage the image as well as the going concern of the enterprise. In some cases, the contracting organization may find it difficult to determine whether the third party has been employing subcontractors who are lax in their compliance and business efforts, thus exposing the company to additional risks.

Third, internal auditors are now required to focus on the impact of the third-party relationship on the continuity of their businesses. For example, an enterprise that outsources some of its core functions to a third party can face the risk of collapsing in case unexpected revelations (such as a serious incident of fraud) are made about the vendor (Horwath et al., 2015). Similarly, relying on the third party to help the enterprise with the core functions that the company cannot operate without is a high risk that the internal auditor needs to identify and discuss with the management. This is because any adverse effect on such a third party affects the operations of an enterprise directly.

Challenges to internal auditors

Internal auditors of contracting companies face internal and external risks. Internal risks may include the determination of the ownership of responsibilities for different risks. This makes it difficult for the internal auditors to determine who should be held responsible for the risks that are attributed to the existence of a third-party relationship (Horwath et al., 2015). In addition, many organizations do not adopt adequate management strategies for the third-party-related risks until some problems have arisen. To this end, more proactive and periodic risk assessment approaches should be used throughout the course of a given third-party relationship. This is quite demanding on the part of the internal auditors, who are expected to focus on other operations of the contracting organizations, other than the third-party relations.

External challenges that internal auditors face include the increase in disclosure requirements, complexities associated with the global supply chain, and the complex invoicing system. In today's business environment, organizations are required to make a disclosure of a broader range of non-financial information in order to demonstrate their compliance with social, security, privacy, and labor standards (Horwath et al., 2015). These disclosures are highly dependent on reports and assertions of the third-party suppliers, service providers, and partners. However, it is quite challenging for internal auditors to verify the accuracy of the data that is obtained from the third parties. In addition, an increase in globalization, coupled with the highly integrated value, supply, and information chains in a modern business environment, has increased the complexity of assessing and identifying risks when auditing transactions that involve third parties. Similarly, the complex invoicing systems have enhanced the complexity of assessing risks that involve a third-party relationship with suppliers. This is because the relationships that are quite sensitive to commodity prices require prices to be pegged to the market index or a standard set by another third party (Horwath et al., 2015). This increases the layers of complexity, which makes it challenging for internal auditors to monitor compliance and identify risks.

Strategies that internal auditors can use to respond to the third-party-related risk

Internal auditors can use three strategies to address risks that result from the third-party relationships. First, auditors should review the identification, due diligence, and selection of the third parties (KPMG, 2015). Secondly, internal auditors should evaluate the contract management processes that are used by the contracting organization to keep track of the third-party relationships. This can help internal auditors identify any weaknesses in the approaches that the management uses to monitor and manage the relationship between the company and its third parties. Third, auditors should evaluate and recommend the enforcement of the third-party compliance with the security standards set by the contracting organization (KPMG, 2015). This will ensure that sensitive information does not leak to unauthorized persons through the third parties.


Organizations establish strong relationships with third parties with the objectives of increasing efficiency, reducing the cost of operation, and enhancing productivity. However, third-party relationships subject contracting organizations to risks that demand an increase in the scope of work of internal auditors. Some of the risks that contracting companies face include the loss of sensitive information to unauthorized parties, the lack of compliance with rules, and a negative impact on the reputation, which affects the going concern of the organization negatively. By reviewing the ability of the third parties to comply with the standards set by the contracting company, internal auditors can determine the possibility of the risks occurring, which can help them advise the management appropriately.


