Risk is everywhere. And now that companies are increasingly working across borders and outsourcing many of their functions, it’s more complicated to manage.
A third-party vendor is any ancillary organization outside the control of the entity that performs a function or provides a service that isn’t central to the operating purpose of the business. While there are major benefits to outsourcing certain functions, there are also major risks and costs. For example, a company that manufactures a widget may depend on a third party to facilitate the movement of the product or yet another third party to provide insurance. While these third-party vendors play an important role in the business’ success, they may also contribute to the risk.
Definitions of authority and responsibility, which are set and implemented by management, should apply not only to full-time employees but also to third-party vendors. When we hear about third-party risk, it’s common to think of risks to the following areas:
- Supplier chain
- Data security
- Data processing
For public companies in the United States that must comply with the Sarbanes-Oxley Act (SOX), the Securities and Exchange Commission (SEC) rules require management to base its evaluation of the effectiveness of the company’s internal control over financial reporting (ICFR) on a suitable, recognized control framework, which is invariably the most recent version of the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) Internal Control—Integrated Framework, known as COSO 2013. This framework addresses several risk considerations relevant to working with third parties and is helpful when management begins to outline and implement a plan to identify, assess, respond to, and monitor risk.
COSO’s mission is to develop guidance to help organizations minimize risk by establishing processes and improving controls. The latest version was created as a response to ever-evolving business models, which include an increased reliance on third-party vendors. While the framework might seem basic and logical, it’s surprising how often controls aren’t put in place to monitor third-party activity in particular.
There are five components with 17 underlying principles within the framework, including:
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring activities
Some of the points of focus within each of the 17 principles speak directly to incorporating third-party vendors; however, each of them can—and should—be extended in theory to your working relationship with outside service providers. The risk of not doing so is simply too great.
Control Environment
The five principles within this component focus on management’s responsibility to set the tone at the top. This means that an organization’s officers must not only lead by example through their directives, actions, and behavior, but that they’re also charged with establishing a formal process for conduct that includes these categories:
Standards of Conflict
Expectations for integrity and ethical values need to be established and must apply to the board of directors and senior management down through each of the organization’s levels, including outsourced service providers and business partners. Once you have a code of conduct in place, it’s management’s responsibility to communicate expectations to vendors. In addition, these expectations should be highlighted in vendor contracts—along with which activities are permitted—so that everyone is working from the same page.
Oversight
Put processes in place to evaluate the performance of individuals and teams as it relates to the standards of conduct. It’s important to have the board of directors retain oversight for management’s design, implementation, and conduct when it comes to internal controls. The board should remain independent from management so it can remain objective during evaluations and decision making.
Structure, Authority, and Responsibility
The COSO framework breaks out responsibilities according to position within the organization. The board of directors, for example, oversees the entire process while senior management works to establish directives, guidance, and control structure so employees can understand expectations. Management, meanwhile, carries on the same level of guidance within the organization and its subunits. Personnel and third-party service providers are tasked with understanding the standards of conduct and adhering to management’s definition for scope of authority and responsibility. Through it all, it’s important that management at all levels leads by example.
Accountability
Issues and deviations from the standards need to be identified and fixed quickly and consistently. Controls not only communicate expectations but also hold individuals—whether full-time staff or third-party vendors—accountable for their performance. Think of outside vendors as an extension of management. Because management is accountable for the behavior of those vendors, a problem with a vendor is very much management’s problem.
Risk Assessment
The framework helps organizations put regulations in place to minimize risk liability. Reputational risk is the biggest concern when relying on third parties because you don’t know what you don’t know. And it’s much bigger than whether or not you’re getting your widgets on time or at all.
Clarity is key: you must clearly specify suitable objectives in order to identify and assess risk, including fraud. According to the framework, here’s where you start:
- Make sure financial reporting objectives are consistent with accounting principles and that external reporting accurately reflects transactions and events.
- Identify and analyze risk, including internal and external factors and how they might affect your organization.
- Consider the types of fraud and motivations, such as fraudulent reporting, possible loss of assets, and corruption when there are incentives, pressures, and opportunity.
- Determine how to address risk and decide whether your organization should accept, avoid, reduce, or share the risk.
Contracts should be reviewed periodically to ensure they continue to meet your needs and expectations, as times of transition often help set the stage for a lapse in controls. Reassess your risk identification process when there are changes to the regulatory, economic, and physical environments in which your organization operates as well as changes to your business model or leadership.
Control Activities
The purpose of performing control activities is to create responses to address and mitigate risk. Control activities are based on the specifics of the entity and take into consideration how the environment, complexity, nature, and scope of operations affect the controls. There’s a range of options that include manual and automated controls as well as preventive and detective controls, and these will vary at different levels of your organization.
Technology controls are a big part of establishing control activities. To that end, management must be sure these controls are designed and implemented so the IT environments are properly restricted and that data processing is complete, accurate, and accessible. In addition, systems must be set up so that only authorized users are able to access them, which protects an entity’s assets from external threats.
Policies and procedures help management reinforce its directions by detailing what’s expected as well as related actions as a result of any red flags. For example, it’s common for companies to outsource their payroll functions to a third party. While the process might seem basic, it’s important to make clear that the service provider cannot change the payroll rate and cannot write checks, then set up controls to monitor it.
Information and Communication
Internal communication is a key pillar supporting your internal controls. The internal controls set up by the board and management are useless if you don’t have a means in place to communicate them. You want all staff to understand the expectations so they can carry out their responsibilities. Not only should communication flow top-down, but management and the board of directors will also need to have an open and honest flow of information so that they can each fulfill their roles as laid out by the standards of conduct.
In the case of reporting fraud, anonymous hotlines are an integral part of your controls so that potential whistleblowers feel it’s safe and confidential to report red flags when normal channels break down, whether because of trust or other factors. This applies to internal and external parties, as discussed in the next section.
Monitoring Activities
In the same way you want to keep the line of communication open internally, it should also be open externally for shareholders, partners, owners, regulators, customers, and financial analysts, among others, to discuss matters of internal control. This allows relevant information to be communicated to the board, whether through assessments conducted by external parties or through anonymous tips delivered through whistleblower hotlines accessible to those inside and outside the organization.
This monitoring process relies on tinkering to be the most effective. Things change, requiring your organization to make adjustments along the way. Part of this process includes conducting ongoing evaluations to see which aspects of your controls are working and which aren’t. Through that analysis, management and the board may uncover deficiencies that should be tackled head on and corrected as soon as possible.
We're Here to Help
You can only mitigate risk if you can identify it and understand how it affects your organization. While their work is contracted, outside service providers should be seen as a part of your organization and subject to the same controls and evaluations. Risk is everywhere, and it’s those organizations that recognize it and approach it thoughtfully that stand the best chance of alleviate it. To learn more about how processes and controls can help you reduce risk when working with third-party vendors, contact your Moss Adams professional. You can also register to watch an on-demand webcast entitled “Internal Controls: Facts and Fiction.”