June 2015 (Q2) Audi-Wire 1
2015 JUNE
COVER STORY: THIRD PARTY RISK MANAGEMENT ... 1
IA AWARENESS ... 2
CAE CORNER ... 4
ANNIV. WEEK 2015 ... 7
Audi Wire
THE INSTITUTE OF INTERNAL AUDITORS TRINIDAD & TOBAGO CHAPTER NEWSLETTER
Third Party Risk Management
Introduction
As organizations continue to adapt in order to keep pace with evolving business environments, there is an increasing reliance on vendors and third party providers for business support as well as critical business services. Organizations in various industries, including financial services, healthcare, media and retail, are all exposed to the risks that complex third party relationships pose. Third party risk (TPR) is not limited to cloud, data management or security providers; it also includes HVAC, cleaning, Human Resources (HR) and facilities management providers, which may still hold company data or have physical or network access to the organization's facilities.
While several federal and industry guidelines (the Office of the Comptroller of the Currency (OCC) Third Party Relationships Bulletin, the PCI Security Standards Council data security standard (PCI DSS), ISO 27001/2 and NIST's Cybersecurity Framework) include elements of TPR management, most organizations lack the maturity within their TPR program to address the risk appropriately. Given the increasing reliance on vendors for crucial business support services, as well as the increased media exposure of security breaches, it is imperative that organizations understand and manage their TPR to a level commensurate with their size.
As a starting point, an effective TPR management program should include:
- Plans that outline the organization's strategy, identify the inherent risks of the activity,
(Continued on page 3)
WASA receives “Generally Conforms”
The Internal Audit and Compliance Department of WASA recently completed its first ever External Assessment of its Quality Assurance Improvement Programme (QAIP) and achieved the top rating of “Generally Conforms.” This allows the Department to state on its audit reports that “work is conducted in conformance with the International Standards for the Professional Practice of Internal Auditing.”
Internal Audit Awareness Month Activities
Congratulations to WASA's Internal Audit and Compliance Department for hosting its 5th annual celebration of Internal Audit Awareness Month!
Activities included:
- Brief visits to some secondary schools to promote WASA and internal auditing
- An internal audit crossword competition
- Publishing internal audit and compliance articles and posters
- Visiting employees within and outside Head Office to share the value of internal audit
- Hosting a closing function at the end of May 2015.
Congratulations to the winner of the Chapter's Internal Audit Awareness Month competition, Mrs. Ria Chrysostom-Ryan, for her poem “What Internal Auditing Means to Me”.
(Continued from page 1)
and detail how the organization selects, assesses, and oversees the third party.
- Proper due diligence in selecting a third party.
- Written contracts that outline the rights and responsibilities of all parties.
- Ongoing monitoring of the third party's activities and performance.
- Contingency plans for terminating the relationship in an effective manner.
- Clear roles and responsibilities for overseeing and managing the relationship and risk management process.
- Documentation and reporting that facilitates oversight, accountability, monitoring, and risk management.
- Independent reviews that allow management to determine that the organization's process aligns with its strategy and effectively manages risks.
Key Elements of a Third Party Risk Management Program
Strategy, Policies and Procedures
Much like other areas of the organization (Marketing, IT), there should be a documented strategy to guide the engagement of third party vendors in line with the overall business goals and risk appetite of the organization. In addition, there should be documented policies and procedures that assign roles and responsibilities to personnel within the organization for oversight of the ongoing relationship.
The policies should include clear guidelines on the process for selecting, assessing and continuously monitoring the third party. These risk-based decisions should be documented in proportion to the level of risk, size and complexity of the third party relationship.
Vendor Due Diligence
The organization should perform a due diligence review of the vendor to verify the third party's ability to meet its needs. This assessment should include, at a minimum, the following:
- Corporate history
- Qualifications of key personnel
- Client references
- Financial status, including reviews of audited financial statements
- Service delivery capability, status, and effectiveness
- Technology and systems architecture
- Internal controls environment, information security, and audit coverage. Some service providers furnish SSAE (Statements on Standards for Attestation Engagements) reports, which can provide detailed test results on the internal control environment of the service provider. A Type I report describes controls at a point in time, while a Type II report tests their operating effectiveness over a period; in either case, confirm that the report's scope and period cover the services being contracted, and review the complementary user entity controls that the report expects the organization itself to operate
- Legal and regulatory compliance, including any complaints, litigation, or regulatory actions
- The third party's own reliance on subcontractors, and its track record in managing them
- Insurance coverage
- Ability to meet disaster recovery and business continuity requirements
Contract Negotiation
Once the due diligence process has been executed and the third party selected, the next step is formalizing the relationship in an executed contract. The contract should clearly define the expectations and responsibilities of both the organization and the third party to ensure enforceability. Contracts should include the following terms as a minimum:
- Nature and Scope of Arrangement
- Performance Measures or Benchmarks
- Responsibilities for Providing, Receiving, and Retaining Information
- The Right to Audit Clause
- Responsibility for Compliance with Applicable Laws and Regulations
- Cost and Compensation
- Ownership and License
- Confidentiality and Integrity
(Continued on page 5)
Platinum Chapter Award
Congratulations to our members: because of your continuous support and commitment to the Chapter and the profession, we have earned IIA Platinum Chapter status in 2015!
September 2015 — 3rd Chapter Meeting
October 26-30 2015 — Anniversary Week
November 2015 — 4th Chapter Meeting
Thanks to all who attended the chapter meeting on May 28th, where our panellists, Dr. Axel Kravatsky, Mr. Dion Abdool, Mr. Mariano Browne, and Mr. Larry Kowlessar, spoke on the topic Public Accountability and Corporate Oversight in the Public Sector. It was a well attended, insightful and thought provoking presentation.
Work-Life Balance
The workforce is changing, but are the Human Resources methods of companies keeping up in order to retain their best employees?
More than one-third of workers today are from Generation Y. These individuals, known as millennials, value personal time and are willing to search for new jobs if they cannot secure it, rather than sticking out the situation in their current company.
In order to retain people from this generation, “flexible” or “alternative” working methods should be discussed during the hiring process. Potential employees are specifically seeking these types of arrangements.
An office culture that supports work-life balance is key to recruiting and retaining employees. Employers today must show a level of respect and care towards their employees, especially to protect them from burnout and the resulting loss of drive to work.
Examples of Cultural Solutions:
- Work-Life Goal Setting/Employee Needs Assessments: discussions between the employee and employer on the goals of both parties and how each can assist in mutual achievement. Employers can meet with employees to determine what their needs are and how the company can better serve those needs to achieve greater productivity and commitment.
- Flexible Work Environment: does an employee always need to be in the office? In today's environment, hardly. Arrangements can be made for an employee to work from home, which can lead to higher output as commuting time is saved.
How to Get Started:
- Create a work-life balance advisory team
- Conduct employee needs assessments
- Build a business case for change
- Educate Leadership
(Continued on page 6)
- Business Resumption and Contingency Plans
- Indemnification
- Insurance
- Dispute Resolution
- Limits on Liability
- Breach Notification
- Default and Termination
- Customer Complaints
- Subcontracting
- Foreign-Based Third Parties
Given the increase in cyber attacks, the inclusion of breach notification clauses has become necessary to meet regulatory compliance requirements for notifying customers of any potential data loss in a timely manner. To be usable, the clause should state how quickly the third party must notify the organization after discovering a suspected breach, what the notice must contain, and whom it must reach, so that the organization's own customer and regulator deadlines can still be met.
Ongoing Monitoring
A mature third party risk management program incorporates ongoing monitoring of the relationship for the duration of the agreement. A risk-based approach to ongoing monitoring allows an organization to make the best use of its resources by focusing on the third parties that present the highest risk, either because they possess or process sensitive company data and client information or simply because the relationship involves critical business services.
The elements covered by ongoing monitoring should include the areas listed in the due diligence section above. In addition to these general areas, the organization should assess the third party's ongoing security posture, including its breach notification practices and its ability to maintain data confidentiality, as these represent increased reputational and compliance risk.
Termination
In most cases, contracts are agreed and executed in good faith to the benefit of both parties, but occasionally either the third party does not satisfy the terms of the contract or the contract expires and the organization no longer wishes to continue the relationship. In either instance, there needs to be a clear understanding of the steps required to terminate the relationship effectively. The key to adequate termination is established at the beginning of the relationship and maintained through ongoing monitoring of the contract. It is imperative that performance expectations are clearly defined, as they will be the basis for determining whether the third party is meeting the terms of the contract. The exit steps should also cover the return or certified destruction of the organization's data and the revocation of any system, network or physical access the third party was granted.
Third Party Risk Management Lifecycle
In order to ensure the five key areas discussed above are executed effectively, organizations should perform the following throughout the third party risk management lifecycle:
- Oversight and accountability – The Board and Senior Management are responsible for the oversight of the enterprise-wide risk management process, which should incorporate the third party risk management program.
- Documentation and reporting – This includes maintaining an inventory of all current and past third party relationships, due diligence reports, executed contracts, ongoing performance reports, etc.
- Independent reviews – Periodic reviews of the third party risk management process should be conducted to provide senior management with feedback on its effectiveness.
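The risk-based monitoring described under Ongoing Monitoring and the inventory called for under documentation and reporting can be driven from a single record per third party. The Python below is an added example written for this edit; it is not the newsletter's or Protiviti's code. It scores a constructed, fictional inventory on inherent risk (data held, service criticality, subcontracting, foreign-based), sets a reassessment cadence per risk tier, checks that the minimum contract terms are present, and lists the reviews now due, highest-risk vendor first. The weights, tier thresholds, cadences, required clause list and the fixed "today" date are assumptions chosen for illustration.

```python
"""Risk-tiered third party monitoring (added example; not from the newsletter).

Each vendor in the inventory is scored on inherent risk, the score sets a
monitoring cadence, and the review actions now due are listed highest-risk
first. The weights, tier thresholds, cadences and required clauses are
assumptions chosen for illustration; a real program derives them from its
own risk appetite.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class Vendor:
    name: str
    service: str
    data_access: str              # "none", "internal" or "sensitive" (client/PII/payment data)
    critical_service: bool        # an outage would halt a critical business process
    subcontracts: bool            # relies on fourth parties for in-scope work
    foreign_based: bool
    contract_end: date
    last_assessment: Optional[date]          # last full due-diligence style review
    last_assurance_report: Optional[date]    # period end of the latest SSAE/SOC report, if any
    clauses: Set[str] = field(default_factory=set)   # contract terms confirmed present


# Assumed scoring weights (higher means more inherent risk).
DATA_ACCESS_SCORE = {"none": 0, "internal": 2, "sensitive": 5}
# Assumed minimum contract terms the program insists on for every vendor.
REQUIRED_CLAUSES = {"right_to_audit", "breach_notification", "termination", "subcontracting"}
# Assumed reassessment cadence per tier, in days.
REASSESS_DAYS = {"high": 365, "medium": 730, "low": 1095}
TODAY = date(2015, 6, 1)   # fixed "today" so the sample run is reproducible


def inherent_risk_score(v: Vendor) -> int:
    score = DATA_ACCESS_SCORE[v.data_access]
    score += 4 if v.critical_service else 0
    score += 1 if v.subcontracts else 0
    score += 1 if v.foreign_based else 0
    return score


def risk_tier(v: Vendor) -> str:
    s = inherent_risk_score(v)
    return "high" if s >= 7 else "medium" if s >= 3 else "low"


def due_actions(v: Vendor, today: date) -> List[str]:
    tier = risk_tier(v)
    actions: List[str] = []
    # Periodic reassessment of the due-diligence areas, spaced by tier.
    if v.last_assessment is None or (today - v.last_assessment).days > REASSESS_DAYS[tier]:
        actions.append(f"reassess ({tier} tier, every {REASSESS_DAYS[tier]} days)")
    # An assurance report covers a period or a point in time; high-tier vendors need a current one.
    if tier == "high" and (v.last_assurance_report is None
                           or (today - v.last_assurance_report).days > 365):
        actions.append("obtain current SSAE/SOC report")
    # Required contract terms that are missing are gaps regardless of tier.
    for clause in sorted(REQUIRED_CLAUSES - v.clauses):
        actions.append(f"contract missing clause: {clause}")
    # Exit planning starts before expiry, not at it.
    if (v.contract_end - today).days <= 90:
        actions.append("contract ends within 90 days: decide renew/terminate, start exit plan")
    return actions


def monitoring_report(inventory: List[Vendor], today: date) -> Dict[str, List[str]]:
    # Highest inherent risk first, so limited review capacity goes where it matters.
    ordered = sorted(inventory, key=inherent_risk_score, reverse=True)
    return {v.name: due_actions(v, today) for v in ordered}


# Constructed sample inventory; the vendors are fictional.
SAMPLE_INVENTORY = [
    Vendor("CloudPay Ltd", "payroll processing", "sensitive", True, True, True,
           contract_end=date(2015, 8, 15), last_assessment=date(2014, 5, 1),
           last_assurance_report=date(2013, 12, 31),
           clauses={"right_to_audit", "termination", "subcontracting"}),
    Vendor("CoolAir Services", "HVAC maintenance", "none", False, False, False,
           contract_end=date(2017, 1, 1), last_assessment=date(2014, 6, 1),
           last_assurance_report=None, clauses=REQUIRED_CLAUSES | {"insurance"}),
]

if __name__ == "__main__":
    for name, actions in monitoring_report(SAMPLE_INVENTORY, TODAY).items():
        print(f"{name}: {actions or 'nothing due'}")
```

Run as a script, the payroll provider (sensitive data, critical, subcontracting, foreign-based) lands in the high tier and collects four actions, including the missing breach notification clause and the approaching contract end, while the HVAC vendor has nothing due. The point of the tiering is the ordering and cadence, not the particular numbers: a low-tier vendor is still inventoried, still has its contract terms checked, and is still reassessed, only less often.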
Summary
Third party relationships allow an organization to maximize efficiencies, save on administrative costs and reduce the complexity of its operations; however, they also pose reputational, compliance and operational risks. A documented third party risk management process, with clear roles and responsibilities for the managers responsible for third party relationships as well as for senior management and the board, is the foundation of a strong third party risk management program.
While it is impossible to remove all facets of third party risk, a mature third party risk program with ongoing monitoring and reporting to senior management allows the organization to react to any issues and focus on those relationships that deliver the most benefit.
References
Lyons, John C. (2013, October 13). Third Party Relationships: Risk Management Guidance. OCC Bulletin 2013-29. Retrieved from http://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html
Profile
Taurean Imam is a Manager at Protiviti's Fort Lauderdale office, where he provides internal auditing and risk consulting services. Taurean has served the Communications, Banking/Financial Services, and Hospitality industries both in South Florida and across the United States. He has experience working on Sarbanes-Oxley, Gramm-Leach-Bliley, and IT General Controls audit and compliance activities. Taurean has worked on engagements at Financial Services clients including community banks with approximately $5 billion in assets as well as major national banks with over $200 billion in assets.
Prior to Protiviti, Taurean worked on Project Management (Fujitsu Caribbean), Internal Audit (CL Financial), IT (CLICO Trinidad) and Banking Operations (Republic Bank Limited) within the Consulting and