Chief audit executives are worried about organizational risks as a result of relationships with third parties, yet they are feeling a little left out in terms of addressing them.

According to a recent survey of 164 chief audit executives by the Institute of Internal Auditors Research Foundation and Crowe Horwath, two-thirds said their organizations rely on third parties significantly or extensively. More than three-fourths said they had at least some concern about difficulties monitoring risk management at third parties, yet 82 percent said they devote less than 20 percent of internal audit resources to assessing third-party risks. Only 21 percent said they are consulted or involved in the decision-making process when a company is establishing a new third-party relationship.

Rick Warren, a principal at Crowe Horwath who authored the report, says audit committees and CFOs have said they want internal audit more involved in advising them on risks, but the pace of change is rapid. “It's safe to say this is an emerging area,” he says. “It's changing every day. Many internal audit departments are still struggling with: where's my role in this? Where do I fit into the bigger picture, and where can I add value?”

It's also fair to say the level of third-party risk will vary widely among different types of entities, making the exact data in one survey result difficult to gauge. “One internal audit department might spend 5 percent of its time on third-party risks, and another might spend 30 to 40 percent,” Warren says. Some might also get assurance on third-party risks through third-party audits, he says. “That reduces the need for internal audit to be involved in those areas. Every company is different.”

Third-party risk exposures that most concern CAEs include supply disruptions, anti-corruption regulations and investigations, data breaches and remediation costs, and reputation damages, according to the survey results. The study concludes internal audit could pursue a bigger role in assessing third-party risks by helping management identify its risks and ranking them, by identifying or evaluating how well management understands its own compliance with regulations and policies, and by evaluating activities already in place. Among other things, they also could compare third-party risk management approaches with the company's enterprise resource management program and determine the adequacy and effectiveness of assurance activities.

Warren says CAEs would be wise to assess where their organizations stand and whether the internal audit department can bring more to the table. “Knowing where you are today can help you start at a high level to see who's involved and how you manage the risk,” he says. “That helps the executives in the management side of the business move the bar from a risk perspective.”