June 2015 (Q2) Audi-Wire 1

Audi Wire
THE INSTITUTE OF INTERNAL AUDITORS TRINIDAD & TOBAGO CHAPTER NEWSLETTER

June 2015

Cover Story: Third Party Risk Management ... 1
IA Awareness ... 2
CAE Corner ... 4
Anniv. Week 2015 ... 7

Third Party Risk Management

Introduction

As organizations continue to adapt in order to keep pace with evolving business environments, there is an increasing reliance on vendors and third party providers for business support as well as critical business services. Organizations in various industries, including financial services, healthcare, media and retail, are all exposed to the risks that complex third party relationships pose. Third party risk (TPR) is not limited just to cloud, data management or security providers; it also includes HVAC, cleaning, Human Resources (HR) and facilities management providers.

While there are several federal and industry guidelines (the Office of the Comptroller of the Currency (OCC) Third Party Relationships Bulletin, the PCI Security Standards Council Data Security Standard (PCI DSS), ISO 27001/2 and NIST’s Cybersecurity Framework) that include elements of TPR management, most organizations lack the required maturity level within their TPR program to appropriately address the risk. Given the increasing reliance on vendors for crucial business support services, as well as the increased media exposure of security breaches, it is imperative that organizations understand and manage their third party risk to a level commensurate with their size.

As a starting point, an effective TPR management program should include:

- Plans that outline the organization’s strategy, identify the inherent risks of the activity, (Continued on page 3)

WASA receives “Generally Conforms”

The Internal Audit and Compliance Department of WASA recently completed its first ever External Assessment of its Quality Assurance Improvement Programme (QAIP) and achieved the top rating of “Generally Conforms.” This allows the Department to state on its audit reports that “work is conducted in conformance with the International Standards for the Professional Practice of Internal Auditing.”

June 2015 (Q2) Audi-Wire 2

Internal Audit Awareness Month Activities

Congratulations to WASA’s Internal Audit and Compliance Department for hosting its 5th annual celebration of Internal Audit Awareness month!

Activities included:

- Brief visits to some secondary schools to promote WASA and Internal Auditing
- An internal audit crossword competition
- Publishing internal audit and compliance articles and posters
- Visiting employees within and outside Head Office to share the value of internal audit
- Hosting a closing function at the end of May 2015.

Congratulations to the winner of the Chapter’s competition for Internal Auditors awareness month, Mrs. Ria Chrysostom-Ryan, for her poem on “What Internal Auditing Means to Me”.

June 2015 (Q2) Audi-Wire 3

(Continued from page 1)

  and detail how the organization selects, assesses, and oversees the third party.
- Proper due diligence in selecting a third party.
- Written contracts that outline the rights and responsibilities of all parties.
- Ongoing monitoring of the third party’s activities and performance.
- Contingency plans for terminating the relationship in an effective manner.
- Clear roles and responsibilities for overseeing and managing the relationship and risk management process.
- Documentation and reporting that facilitates oversight, accountability, monitoring, and risk management.
- Independent reviews that allow management to determine that the organization’s process aligns with its strategy and effectively manages risks.

Key Elements of a Third Party Risk Management Program

Strategy, Policies and Procedures

Much like other areas of the organization (Marketing, IT), there should be a documented strategy to guide the engagement of third party vendors in line with the overall business goals and risk appetite of the organization. In addition, there should be documented policies and procedures that assign roles and responsibilities to personnel within the organization for oversight of the ongoing relationship.

The policies should include clear guidelines on the process for selecting, assessing and continuously monitoring the third party. These risk-based decisions should be documented in accordance with the level of risk, size and complexity of the third party relationships.

Vendor Due Diligence

The organization should perform a due diligence review on the vendor to verify the ability of the third party to meet the organization’s needs. This assessment should include, at a minimum, the following:

- Corporate history
- Qualifications of key personnel
- Client references
- Financial status, including reviews of audited financial statements
- Service delivery capability, status, and effectiveness
- Technology and systems architecture
- Internal controls environment, information security, and audit coverage. Some organizations provide SSAE (Statements on Standards for Attestation Engagements) reports, which can provide detailed test results on the internal control environment of the service provider at a point in time
- Legal and regulatory compliance, including any complaints, litigation, or regulatory actions
- Reliance on and success in dealing with third party service providers
- Insurance coverage
- Ability to meet disaster recovery and business continuity requirements

Contract Negotiation

Once the due diligence process has been executed and the third party selected, the next step is formalizing the relationship in the form of an executed contract. The contract should clearly define the expectations and responsibilities of both the organization and the third party to ensure enforceability. Contracts should include the following terms as a minimum:

- Nature and Scope of Arrangement
- Performance Measures or Benchmarks
- Responsibilities for Providing, Receiving, and Retaining Information
- The Right to Audit Clause
- Responsibility for Compliance with Applicable Laws and Regulations
- Cost and Compensation
- Ownership and License
- Confidentiality and Integrity

(Continued on page 5)

Award of Platinum Award

Congratulations to our members: because of your continuous support and commitment to the Chapter and profession, we have earned IIA Platinum Chapter status in 2015!

June 2015 (Q2) Audi-Wire 4

September 2015 — 3rd Chapter Meeting

October 26-30 2015 — Anniversary Week

November 2015 — 4th Chapter Meeting

Thanks to all who attended the chapter meeting on May 28th, where our panellists, Dr. Axel Kravatsky, Mr. Dion Abdool, Mr. Mariano Browne, and Mr. Larry Kowlessar, spoke on the topic “Public Accountability and Corporate Oversight in the Public Sector”. It was a highly attended, insightful and thought-provoking presentation.

Work-Life Balance

The workforce is changing, but are the Human Resources methods of companies keeping up in order to retain their best employees?

More than one-third of workers today are from Generation Y. These individuals, known as millennials, value personal time and are willing to search for new jobs if they are not able to satisfy their personal time, instead of sticking out the situation in their current company.

In order to retain persons from this workforce, “flexible” or “alternative” working methods should be discussed during the hiring process. Potential employees are specifically seeking these types of arrangements.

An office culture that supports work-life balance is key to recruiting and retaining employees. Employers today must show a level of respect and care towards their employees, especially to protect them from suffering burnout and thereby losing their drive to work.

Examples of Cultural Solutions:

- Work-Life Goal Setting/Employee Needs Assessments - Discussions between the employee and employer on the goals of both parties and how each party can assist in mutual achievement. Employers can meet with employees to determine what their needs are and how the company can better serve those needs to achieve greater productivity and commitment.
- Flexible Work Environment - Does an employee always need to be in the office? In today’s environment, hardly likely. Arrangements can be made for an employee to work from home, which can lead to higher output as commuting time is saved.

How to Get Started:

- Create a work-life balance advisory team
- Conduct employee needs assessments
- Build a business case for change
- Educate Leadership

(Continued on page 6)

June 2015 (Q2) Audi-Wire 5

(Continued from page 3)

- Business Resumption and Contingency Plans
- Indemnification
- Insurance
- Dispute Resolution
- Limits on Liability
- Breach Notification
- Default and Termination
- Customer Complaints
- Subcontracting
- Foreign-Based Third Parties

Given the increase in cyber attacks, the inclusion of breach notification clauses has become necessary to meet regulatory compliance requirements for notifying customers of any potential data loss in a timely manner.

Ongoing Monitoring

A mature third party risk management program incorporates ongoing monitoring of the relationship for the duration of the agreement. A risk-based approach to ongoing monitoring allows an organization to maximize its resources by focusing on the third parties that present the highest risk, either because they possess or process sensitive company data and client information, or simply because the relationship involves critical business services.

The elements that should be covered as part of ongoing monitoring include the areas listed in the due diligence section above. In addition to these general areas, the organization should assess the third party’s ongoing security position, including breach notification policies and the ability to maintain data confidentiality, as these represent an increased reputational and compliance risk.

Termination

In most cases, contracts are agreed and executed in good faith to the benefit of both parties, but occasionally either the third party does not satisfy the terms of the contract, or the contract expires and the organization no longer wishes to continue the relationship. In either instance, there needs to be a clear understanding of the steps required to effectively terminate the relationship. The key to adequate termination is established at the beginning of the relationship and maintained through the ongoing monitoring of the contract. It is imperative that performance expectations are clearly defined, as these will be the basis for determining whether the third party is meeting the terms of the contract.

Third Party Risk Management Lifecycle

In order to ensure the five key areas discussed above are executed effectively, organizations should perform the following throughout the third party risk management lifecycle:

- Oversight and accountability – The Board and Senior Management are responsible for the oversight of the enterprise-wide risk management process, which should incorporate the third party risk management program.
- Documentation and reporting – This includes maintaining an inventory of all current and past third party relationships, due diligence reports, executed contracts and ongoing performance reports, etc.
- Independent reviews – Periodic reviews of the third party risk management process should be conducted to provide senior management with feedback on its effectiveness.

Summary

Third party relationships allow organizations to maximize efficiencies, save on administrative costs and reduce the complexity of their operations; however, they also pose reputational, compliance and operational risks. A documented third party risk management process, with clear roles and responsibilities for the management responsible for third party relationships as well as for senior management and the board, is the foundation of a strong third party risk management program.

While it is impossible to remove all facets of third party risk, a mature third party risk program with ongoing monitoring and reporting to senior management allows the organization to react to any issues and focus on those relationships that deliver the most benefit.

References

Lyons, John C. (2013, October 13). Third Party Relationships: Risk Management Guidance. Retrieved from http://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html

Profile

Taurean Imam is a Manager at Protiviti’s Fort Lauderdale office, where he provides internal auditing and risk consulting services. Taurean has served the Communications, Banking/Financial Services, and Hospitality industries both in South Florida and across the United States. He has had experience working on Sarbanes-Oxley, Gramm-Leach-Bliley, and IT General Controls audit and compliance activities. Taurean has worked on engagements at Financial Services clients including community banks with approximately $5 billion in assets as well as major national banks with over $200 billion in assets.

Prior to Protiviti, Taurean worked in Project Management (Fujitsu Caribbean), Internal Audit (CL Financial), IT (CLICO Trinidad) and Banking Operations (Republic Bank Limited) within the Consulting and Financial Services industries in Trinidad.

Taurean holds the following certifications:

- PCI Qualified Security Assessor (QSA)
- Certified Information Systems Auditor (CISA)
- Project Management Professional (PMP)
- ITIL V3 Foundation
- CompTIA Security+
- CompTIA Network+

June 2015 (Q2) Audi-Wire 6

(Continued from page 4)

A successful work-life program must benefit both the organization and the employee. It values employees’ contribution to the business rather than their working pattern. It should be communicated to the entire organization, not just a specific department, and consideration must be given to who fills the duties of a person while they are not at work.

Managers... if you cannot leave for a day or a couple of days without someone having to fill your position, you may have a problem.

Risks of a lack of work-life balance:

- Greater hiring and retention challenges
- Inability to attract millennial professionals - the new workforce
- Substantial decline in staff productivity and work quality
- Burnout of MVPs
- Failure to keep pace with demands.

How to convince management of the need for a work-life balance program? There are many studies that show productivity increases with a work-life management program. Prepare yourself with statistics: turnover rate, cost of training new employees, etc.

Written by: Rajin Ramjit, Vice President Professional Services, IIA-TT Chapter

Based on a presentation by the IIA on the Work-Life Balance of an Audit Team

Unlock Your Door to Opportunity with IIA Global Certifications

The IIA offers a comprehensive certification portfolio for internal auditors that can serve as the key to unlocking your next opportunity within the profession, enhancing your credibility and adding clout to your resume. By earning your Certified Internal Auditor® (CIA®), Certified Government Auditing Professional® (CGAP®), Certified Financial Services Auditor® (CFSA®), Certification in Control Self-Assessment® (CCSA®), and Certification in Risk Management Assurance™ (CRMA®) certification, your clients and employer know that you are a valuable team asset who is highly motivated, knowledgeable, and committed to ensuring quality is part of everything you do. IIA certifications set you apart from other professionals, unlocking your full potential and opening up countless doors of opportunity for career growth and success. See what awaits you on the other side of the door.

Visit: http://www.theiia.org

Contact us for more information if you are interested in pursuing any certification.

June 2015 (Q2) Audi-Wire 7

June 2015 (Q2) Audi-Wire 8

IIA Week 2015

In today’s challenging business environment, maximizing the internal audit profession is imperative to keep abreast of emerging business trends. Proven steps to align strategy to capabilities and increase performance, so as to improve internal audit’s cost-value equation, have become a necessity for the audit shop’s survival. This was the ethos of the first 2015 week-long activities, held through the period 20-24 April 2015.

This seminar, aptly entitled ‘Maximising Your Audit Delivery’, was hosted at the very well-equipped training facilities at Arthur Lok Jack Graduate School of Business, Champs Fleurs, using a classroom-style approach and provided breakfast, lunch and break sessions to participants and speakers, which afforded them a good opportunity to network with each other in a casual environment.

June 2015 (Q2) Audi-Wire 9

District Leaders Workshop 2015

The 2015 Caribbean District Leaders Workshop was held in Curacao from June 4th to the 6th. Participants came from six Caribbean countries, and the District Advisor came from the USA representing the IIA North America. The President, Senior Vice President and the Vice President Professional Development attended from Trinidad and Tobago.

The District Advisor identified tools and resources to assist participants on the IIA’s database. Financial controls and strategic planning were also addressed.

It was noted that the IIA’s 75th anniversary will be held in New York in 2016 and that Trinidad and Tobago will host the 2016 District Workshop in June of that year.

Leadership Conference 2015

In April 2015 the Leadership Academy was held in Orlando, Florida, USA. The President and Senior Vice President attended. This conference dealt with an array of leadership matters covering the pulse of the profession, best use of cellular technology applications, certifications and responsibilities of the leader.

June 2015 (Q2) Audi-Wire 10

Professional Centre, Rooms B301/302
#11-13 Fitz Blackman Drive, Wrightson Road Ext.
Port of Spain, Trinidad
Phone: (868) 625-5558 Fax: (868) 623-4560 Mobile: (868) 769-1671
Email: [email protected]
Website: https://chapters.theiia.org/trinidad-and-tobago/Pages/default.aspx

Ia Mobile Edition

Now you can enjoy Internal Auditor (Ia) magazine in a format that's as mobile as you are. Ia's mobile app includes everything that appears in the print magazine ... and more, including convenient access to Ia blogs, exclusive video content, and the latest audit-related news. Our print issues are married with articles from real-time content feeds for a seamless, engaging experience on your mobile device. Users can search across more than two years' worth of archives for topics of interest and bookmark pages for future reference. Each app platform uses native device functionality for optimum performance and readability. Plus, downloaded issues are available for offline reading, and push notifications let you know as soon as new issues become available.

Download the Ia app today — free to Ia subscribers. Available for iPhone, iPad, iPod Touch, Android, and Kindle Fire.

- iPad, iPhone, & iPod Touch
- Google Play (Android Tablets & Phones)
- Kindle Fire

Get Connected

Contact us to submit articles, tell us what training you’re interested in or ask us about getting certified.