Auditing Third Parties
It has always been the case that many organisations rely on third parties to deliver products and services to enable their business to function effectively. With the advent of cloud services, and the increasing number of cloud-based products and services on offer to organisations, third party reliance is only likely to increase in the future. But how do you know that the service you are receiving from your third parties meets all of your expectations, especially in terms of information security?
The obvious answer is to audit your third parties against your policy and control requirements in order to verify that they are operating as you expect them to. Many organisations have internal audit departments that have, for a long time, included third parties within their audit programmes. However, with the increase in uptake of third party services, many organisations simply do not have sufficient resources to meet the demand for an increasing number of audits. Furthermore, the auditing of cloud-based service providers requires specialist technical knowledge.
So what is the answer?
The first step is to understand the extent to which you rely on each third party and the importance of its services to your organisation. Understanding the risks that the individual third parties present to your business will assist you in prioritising your resources. You may find that low risk third parties can be adequately dealt with by a self-assessment questionnaire, leaving audit resources available to focus on the higher risk third parties. Abriska 27036, URM’s Supplier Risk Management Tool, can play a valuable role here.
This ‘triage’ approach may still leave a significant number of medium/high risk third parties that need to be audited.
Approaches to conducting third party audits
There are two approaches to conducting third party audits. The first is to conduct them using a sampling approach, which means that, in any given year, you audit only a subset of your third parties. The aim would still be to audit most, if not all, of your third parties, but over a longer period of time, e.g. up to 3 years, looking at a different sample every year. However, for some organisations, there may still be too many suppliers to audit, even within a 3-year period. Also, your stakeholders and other interested parties may require you to audit either more suppliers or more regularly, and you need to retain an element of flexibility to respond to any urgent audit requirements.
The second approach, ironically, is to outsource some or even all of your third party audits. URM can provide you with a full internal audit service and assurance that your third parties are performing as expected. We can help plan your audit programme effectively and can take on some or even all of the workload associated with auditing third parties. Our auditors are not only experienced in performing all types of process- and system-based audits, but are also geographically located around the country to ensure that, no matter where your third parties are located, your audit needs can be catered for at no additional cost.
At the end of the audit you will be presented with a comprehensive report, adopting your audit approach, your internal style and your template. URM can help you with any action/nonconformity management of your third parties through to successful conclusion, or you can manage this yourself. Either way, drawing on external expertise can give you the resource flexibility to provide an appropriate third party audit service: one that assures yourselves, and provides evidence to stakeholders and interested parties, that your third parties meet your information security or business continuity requirements and that you are managing your supplier risk.