**Purpose**
Engaging third party service providers may provide economies of scale, cost savings, productivity gains, or other benefits to an organisation. But these relationships can also reduce an organisation’s control over their product or service, which makes the third party risk management process that much more important.
When key third party service providers fall short of service expectations or fail altogether, the resulting reputational and operational damage to their clients can be significant and may even exceed any damage the service provider may suffer.
Executives and boards rely on internal auditors to assure risks are identified and assessed, appropriate internal controls are in place, and timely risk intelligence is being generated to drive informed decision-making.
**Background**
Due diligence is generally undertaken when engaging a third party service provider, but there can be less attention paid to ongoing due diligence, and uncertainty over who is responsible for assuring parties further down the supply chain, such as fourth or ‘nth’ parties (refer to Figure 1).
Typically, organisations leave the main responsibility with their contracted third-party service provider. If that party identifies issues with services provided by the fourth or ‘nth’ party, the organisation either assumes or has written into the contract that the contracted third party resolves the issues. This approach works in theory, but may not be adequate in the real world. Third party service provider incidents are increasing, often with immediate public visibility.
**Discussion**
Issue
The issue to be discussed is: How can Internal Audit provide assurance that risks associated with third party service providers are being identified, assessed and responded to appropriately?
**History**
Internal Audit traditionally operates ‘internally’ within organisations, providing assurance over their organisation’s internal controls. With the advent of outsourcing and the associated risks, Internal Audit’s role expanded to providing assurance in relation to third party risks, including assurance over the internal controls of third-party service providers.
‘Right to audit’ clauses were included in some contracts and, although not always executed, allowed Internal Audit to undertake site visits and obtain information to assess controls at third party premises.
In January 2015, the Auditing and Assurance Standards Board (AUASB) issued ASAE 3150 ‘Assurance Engagements on Controls’ and some organisations began to rely on these reports for assurance that third party risks were being managed appropriately.