The IIA’s new Third-Party Topical Requirement establishes a consistent and comprehensive approach to assessing the design and implementation of third-party governance, risk management, and control processes. The new Topical Requirement comes at a time of growing third-party risks related to geopolitical uncertainties, trade and supply chain disruptions, and other factors that pose operational, reputational, and compliance risks.
Organizations today truly act as networks, says Laurent Berliner, a member of the International Internal Audit Standards Board. Areas such as cloud infrastructure, software development, call centers, logistics, and even core finance or human resources processes are frequently outsourced. “This brings speed and efficiency, but it also extends your risk perimeter to partners, subcontractors, and to their own suppliers,” he says.
Risk Cases in Point
The Topical Requirement cites several examples of risks related to third parties, including:
Cybersecurity risk. In an outsourcing relationship, the primary organization may give the service provider customer data that includes personally identifiable information. “The rise in the volume and sophistication of data breaches illustrates how valuable this information can be to threat actors and hackers,” says Uday Gulvadi, managing director, Regulatory Compliance, Payments, and Financial Crimes, at Stout. “Organizations need to build strong controls related to data protection and privacy, cybersecurity risk prevention, and incident response.”
As many incidents have shown, a data breach or ransomware attack at a service provider can have a significant impact on the primary organization’s reputation and the trust it has built with customers and other business partners. It can also be costly to unravel the extent of the breach, identify which records have been stolen, and cover any ransom, Gulvadi notes. “The advent of AI has exacerbated the risks, with the proliferation of deepfake-based attacks adding a new layer of complexity,” he says.
As a result, internal auditors must assess the related risks in their third-party audit engagements. That includes assessing controls for inventorying and identifying all critical vendors that have access to customer information. Internal audit should also test the organization’s controls for verifying that the service provider protects that data with robust cybersecurity defenses and incident response controls, according to Gulvadi.
Financial risk. A supplier may lose funding, face insolvency, or impose sudden price hikes, forcing costly replacements and destabilizing the hiring organization’s budgets, Berliner explains. This is critical when an organization is engaged in longer-term process outsourcing or technology support contracts, Gulvadi says.
“Assessing the third party’s financial strength and ability to continue operating effectively throughout the term of the contract is crucial,” he explains. If there is a critical dependency, the organization should protect itself from a vendor that can’t continue offering high-quality services. Internal auditors should evaluate risks and controls around validating and confirming critical vendors’ financial strength using audited financial statements or other means, he says.
Operational risk. Critical outsourced processes or platforms may fail, disrupting service delivery, regulatory reporting, or customer experience. Berliner says examples include a payroll provider outage that occurs on payday or a data center outage during a product launch.
Compliance risk. The organization may become jointly liable and exposed if suppliers mishandle personal data or violate sanctions, anti-bribery rules, or sustainability regulations.
Legal risk. When third parties break laws, organizations that do business with them may be swept into lawsuits and face legal penalties or fines.
Reputational Risk: A Critical Consideration
The Topical Requirement highlights reputational risk as a key category warranting attention. Sherry Rodriguez, vice president of Global Assurance at a leading financial institution, emphasizes that an organization’s reputation can be adversely impacted by a third party’s cybersecurity, operational, financial, compliance, or legal vulnerabilities.
“Reputational risk, in my view, encompasses all of these dimensions,” Rodriguez explains. “While we may not have direct control over third parties, they often act on our behalf. It is imperative that we safeguard our reputation with precision, as it remains our most valuable asset.”
To that end, internal auditors must engage proactively with third parties to assess risks within their operations and supply chains. Rodriguez advises that auditors also ensure cross-functional awareness within their own organizations regarding strategic and reputational exposures, as well as the details of the Topical Requirement.
She underscores that this awareness should extend beyond traditional risk-focused departments such as compliance, legal, and finance, to include any function interacting with third parties. “When everyone understands the risks,” she notes, “internal auditors are better positioned to fulfill their responsibilities effectively.”
Berliner notes that the risks cited in the Topical Requirement are not new, “but the velocity and interconnectedness of modern supply chains means that a single third-party supplier failure can quickly cascade down across several, if not all, risk categories.”
Governance, Risk Management, and Control Processes
According to Berliner, key questions internal auditors should ask in assessing and providing assurance on governance, risk management, and controls include:
- Governance: Is there a documented outsourcing strategy? The strategy should feature clear rules and follow the Three Lines Model to clarify roles. Gulvadi notes that internal auditors should also assess the quality of board-level oversight, because weaknesses in governance and oversight can expose the organization to significant risk.
- Risk Management: Is there a standardized risk-based process for selection, due diligence, and periodic assessment of third parties? The process should include clear thresholds for when it should be escalated to a higher level of authority based on the scale of the risk involved. It should also identify critical vendors and whether they are subject to enhanced monitoring. “This is about ensuring there is a sound and bulletproof risk management system,” Berliner says. Internal auditors should also be aware of the interconnectedness of risks, Gulvadi says. “There can be a domino effect if there is a failure at one major supplier that many entities depend on.”
- Control processes: Is due diligence proportional to criticality? If not, risks will not receive the appropriate level of attention. At the same time, contract clauses (indemnity, data security, audit rights, and exit plans) should be consistently and constantly applied, according to Berliner. Performance and risk indicators should be evidence-based, and offboarding checklists should prevent ghost access to the system or data leakage, he says.
Topical Requirement Conformance
Conformance with Topical Requirements is mandatory for assurance services and recommended for advisory services. A Topical Requirement is applicable when the topic is one of the following:
- The subject of an engagement in the internal audit plan.
- Identified while performing an engagement.
- The subject of a requested engagement that was not on the original internal audit plan.
Evidence that each requirement in the Topical Requirement was assessed for applicability must be documented and retained.
The Crucial Role of Internal Audit
In addressing third-party risk, Berliner compares internal auditors to building inspectors, who check wiring, fire exits, insurance certificates, and other key safeguards “for the entire complex, not just the main house.” He says providing assurance includes ensuring:
- There is a complete and risk-tiered third-party inventory.
- Due diligence has been done in areas such as contract protections and ongoing monitoring.
- These processes are scaled based on service criticality.
- Offboarding, data return or destruction, and access revocation are performed as rigorously as onboarding.
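The inventory, criticality-tiering and offboarding points above (and the “ghost access” concern raised under control processes) lend themselves to a repeatable audit test. The following is an added example written for this page, not code from the IIA, the Topical Requirement or any of the contributors quoted. It reconciles a risk-tiered third-party inventory against an export of third-party accounts from the identity provider and reports three kinds of exception: accounts still enabled for vendors who have been offboarded, enabled accounts for vendors missing from the inventory altogether, and critical-tier vendors not flagged for enhanced monitoring. All field names, tiers, vendor identifiers and rows are constructed for illustration.

```python
"""Audit test for third-party inventory completeness and offboarding.

Added example, not from the IIA article or its contributors. It reconciles
a risk-tiered third-party inventory against an access export from an
identity provider and reports the exceptions an auditor would raise:
accounts still enabled for offboarded vendors ("ghost access"), enabled
accounts for vendors missing from the inventory, and critical vendors not
under enhanced monitoring. All field names and rows are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class Vendor:
    vendor_id: str
    name: str
    tier: str                      # constructed tiers: critical / high / standard
    enhanced_monitoring: bool      # whether the vendor is under enhanced monitoring
    offboarded_on: Optional[date]  # None while the relationship is active


@dataclass(frozen=True)
class Account:
    account_id: str
    vendor_id: str                 # third party the account was issued to
    enabled: bool


# Constructed sample inventory (the risk-tiered third-party inventory).
INVENTORY: List[Vendor] = [
    Vendor("V-001", "Payroll Co",      "critical", False, None),              # critical, no enhanced monitoring
    Vendor("V-002", "Call Center Ltd", "high",     True,  date(2025, 6, 30)),  # offboarded mid-year
    Vendor("V-003", "Logistics Inc",   "standard", False, None),
    Vendor("V-004", "Cloud Host LLC",  "critical", True,  None),
]

# Constructed sample export of third-party accounts from the identity provider.
ACCESS_EXPORT: List[Account] = [
    Account("svc-payroll-01",    "V-001", True),
    Account("svc-callcenter-07", "V-002", True),   # still enabled after offboarding
    Account("svc-callcenter-08", "V-002", False),  # correctly disabled
    Account("svc-cloud-02",      "V-004", True),
    Account("svc-unknown-03",    "V-999", True),   # vendor absent from the inventory
]

AS_OF = date(2025, 10, 31)  # audit date (constructed)


def find_ghost_access(inventory, access_export, as_of):
    """Enabled accounts issued to vendors offboarded on or before as_of.

    Access is expected to be revoked no later than the offboarding date,
    so any account still enabled after that date is an exception.
    """
    offboarded = {v.vendor_id for v in inventory
                  if v.offboarded_on is not None and v.offboarded_on <= as_of}
    return sorted(a.account_id for a in access_export
                  if a.enabled and a.vendor_id in offboarded)


def find_uninventoried_access(inventory, access_export):
    """Enabled accounts whose vendor_id is not in the inventory at all,
    which is direct evidence that the inventory is incomplete."""
    known = {v.vendor_id for v in inventory}
    return sorted(a.account_id for a in access_export
                  if a.enabled and a.vendor_id not in known)


def find_critical_without_enhanced_monitoring(inventory, as_of):
    """Active critical-tier vendors not flagged for enhanced monitoring."""
    return sorted(v.vendor_id for v in inventory
                  if v.tier == "critical" and not v.enhanced_monitoring
                  and (v.offboarded_on is None or v.offboarded_on > as_of))


def run_audit(inventory=INVENTORY, access_export=ACCESS_EXPORT, as_of=AS_OF):
    """Run all three tests and return the exceptions keyed by test name."""
    return {
        "ghost_access": find_ghost_access(inventory, access_export, as_of),
        "uninventoried_access": find_uninventoried_access(inventory, access_export),
        "critical_without_enhanced_monitoring":
            find_critical_without_enhanced_monitoring(inventory, as_of),
    }


if __name__ == "__main__":
    for test, exceptions in run_audit().items():
        print(f"{test}: {exceptions or 'no exceptions'}")
```

In practice the two inputs would come from the organization’s vendor management system and its identity provider rather than from literals; the point of the reconciliation is that each is tested against the other, so an inventory that omits a vendor and an offboarding checklist that was never executed both surface as exceptions rather than going unnoticed.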
While most organizations are likely to have a separate internal audit engagement for organizational third-party risk management, Gulvadi notes that many business units or functions may have a critical or major dependency on third parties. As a result, internal audit should consider applying the Topical Requirement in their audits of these business units and functions. “Any exclusions in scope from the requirements must be thoroughly documented,” he says.
Internal auditors should begin by reviewing their existing policies and procedures related to third-party risk and adjusting them as necessary to align with the Topical Requirement, Rodriguez advises. They should also confirm that vendors follow comparable policies and procedures, and align their own audit testing and plans with the Topical Requirement.
In their role as advisors, internal auditors can also help the board and management stress test supply chain incident response plans, for example by running tabletop exercises and operationalizing key contract clauses such as breach notification, subcontractor flow-down, and sustainability obligations.
The 10 Most Underestimated Supply Chain Cyber Risks
- Shadow IT: the unseen entry point
- Open-source dependencies: the trojan horse problem
- Foreign dependencies and jurisdictional leverage
- Continuous integration/continuous deployment pipeline attacks on supplier development environments
- Physical infrastructure attacks and hardware backdoors
- Critical supplier concentration: single points of failure
- Cloud supply chain complexity
- Regulatory and geopolitical volatility
- Fragmented incident response across the chain
- AI-driven social engineering and deepfakes
Source: Risk Ledger
A Proactive Posture
According to Berliner, it’s critical to map the third-party program end-to-end across the organization and to risk tier it. Internal auditors can then use the Third-Party Topical Requirement as a blueprint to test governance, risk management, and controls “before the next supply chain event makes the headlines,” he says.
It’s well worth investing time in scenario rehearsals, contract hygiene, and monitoring indicators before a crisis occurs, Berliner says. “This proactive posture is what really differentiates organizations that weather third-party risks from those that make the front page for the wrong reasons.”
Disclaimer
The IIA publishes this document for informational and educational purposes only. This material is not intended to provide definitive answers to specific individual circumstances and as such is only intended to be used as peer-informed thought leadership. It is not formal IIA Guidance. The IIA recommends seeking independent expert advice relating directly to any specific situation. The IIA accepts no responsibility for anyone placing sole reliance on this material.
November 19, 2025