With companies outsourcing more responsibilities to third parties, the risks associated with outside firms are also increasing. While chief risk officers are often called upon to manage those risks, however, it is internal auditors who are responsible for setting up processes to identify third-party risk factors.

Rick Warren, principal, Crowe Horwath

While CROs and internal auditors work together, it’s tricky to tease out who actually owns the risk — that is, who has primary responsibility for managing it. “Ownership of risk should be diverse,” says Rick Warren, a principal with Crowe Horwath and co-author, along with the Institute of Internal Auditors, of “Closing the Gaps in Third-Party Risk Management,” a study that surveyed 164 chief audit executives about their role in third-party risk management. In fact, 78 percent of respondents had a high level of concern about monitoring third-party risk-management practices. Others think, however, that the least risky approach is for CROs to be in the driver’s seat, with internal auditors pursuing an arm’s-length, objective approach to analyzing the risk.

In the past couple of decades, risk management has evolved, especially as the global economy continues to grow. Outsourcing was not as prevalent then as it is today. “Even 15 years ago, you might have a supplier, but they may not outsource. Now, we have these tiers,” Warren says. For example, Company A outsources to Company B, which outsources to Company C, and so on. In fact, 65 percent of internal-audit executives who responded to the survey said their reliance on third parties is “significant” or “extensive.”

For the most part, organizations are evolving, explains Denise Cicchella, executive director and founder of construction-auditing consultancy Auspicium. Most companies have processes in place, she adds, including a more thorough vetting process of third parties.

A good vetting process includes looking at a potential third party’s work history, checking professional qualifications and highlighting credit risks. Companies should also enter into insurance contracts under which insurers have the right of subrogation, which enables a company’s insurance carrier to go after third parties that have created losses for the company.

Overall, most companies also need to find out which approach to managing third-party risk works best. According to the survey, 82 percent of respondents said they devote less than 20 percent of their internal-audit resources to assessing third-party risks (see Exhibit 6.1), including 11 percent who don’t devote any resources at all. And yet, 78 percent of respondents said they had “some concern” or “high concern” about difficulties monitoring third-party risk-management practices.


The best practice for companies to deploy in handling third-party risks is to segment risk management into different areas, experts say. The CRO or risk-management team should be responsible for mitigating loss exposures with third parties, while an internal auditor should determine what the risks are. Keeping the internal auditor separate from owning risk allows for more transparency and less collusion.

“In an ideal world, there’s a chief risk officer,” explains Mike Jacka, a former internal auditor for Farmers Insurance Group and currently co-founder of auditing-consulting firm Flying Pig Audit. Because internal auditing is about assessing risk and working with people to mitigate it, it would be a conflict of interest if internal auditors were also the owners of third-party risk. Internal auditors need to be independent and objective. “We can’t own that piece of it or we’d have to review our own work,” Jacka says, adding that it’s an internal auditor’s role to ensure there is a “robust” risk-management process in place.

Generally, the role of the internal auditor is to recognize the risk and ensure the owner of the risk is handling it, Cicchella says. “Auditors shouldn’t own risk. They should see how it’s managed,” she says.

Shelley Hurley, a former CRO who is now executive director of risk management and global resources lead at Accenture, the consulting firm, says her role as CRO was to identify, mitigate and own risk, working closely with the internal-audit group. The internal auditor would be part of the corporate risk committee, a group that included the chief accounting officer, the tax group and the credit-risk-management group.

To illustrate the desirability of such segmentation, she pointed to the typical splitting of companies into three parts: front office, middle office and back office. Those pieces are purposely segmented so that there is no possibility for collusion, Hurley says. When companies get in trouble, it’s because they don’t honor the separation among the different parts of the office. Hurley views risk and compliance in the same way. It’s balancing powers and having a system of checks and balances that assures that internal auditors measure risk, not own it. “If you own risk, it’s hard to audit and evaluate,” she says.

According to the survey, 32 percent of all respondents said the business unit or functional leadership owns risk. Zero percent of respondents said internal auditors owned risk.

In addition, boards and CFOs are looking to add more value to the internal-audit function, Warren says. Because of this, the C-suite is providing process improvements and expectations for internal auditors to accomplish the goal of identifying third-party risk. Indeed, CFOs tend to own internal and external risks including financial and supply-chain technology perils and are “uniquely qualified to shepherd the [third-party risk-management] process,” Warren says.

A CFO, however, should rely on internal auditors to help analyze third-party risk because they “have the skills and capabilities to make significant improvements to an organization’s performance,” he adds.


5 responses to “Internal Auditors Take on Third Parties”

  1. From the article:

    “The CRO or risk-management team should be responsible for mitigating loss exposures with third parties, while an internal auditor should determine what the risks are. Keeping the internal auditor separate from owning risk allows for more transparency and less collusion. ”

    Reading this literally, it would seem that the CRO would need to ‘determine the risks’ that they will ‘be responsible for mitigating’; not the internal auditor. Further, the auditor’s determination of risk, a CRO function, would seem to negate a posture of independence in evaluating a CRO, just as defining controls in most other areas would compromise the auditor’s independence in evaluating them.

    Outsourced services, depending on the terms of the contract, should be seen as extensions of the organization, particularly such services as IT that may be heavily integrated and embedded, and strategically critical to the contracting entity. It is appropriate for internal audit to 1) have access by contract to audit such entities consistent with the terms and scope of the contract, and 2) to assess the CRO’s function in its determination and management of the attendant risks.

    But it seems inappropriate and contrary to independence for the internal audit function to be responsible for defining the risk that the CRO is to mitigate.

  2. Thanks for reminding and highlighting the importance of looking at 3rd-party risk mgt. Since the varieties of outsourcing are enormous, a dedicated CRO is a must. Internal Auditor shall evaluate the process, capability and effectiveness in all segments of Risk Mgt – Identification, Assessment, Mitigation.

  3. The article begins with “While chief risk officers are often called upon to manage those risks, however, it is internal auditors who are responsible for setting up processes to identify third-party risk factors.” This is inaccurate. Chief Risk Officers do not manage those risks. It’s the responsibility of the business line management to manage these risks. CROs play an oversight role and coordinate the function of risk management. They also determine whether the proper tools are being used by the business line managers to manage the risks. Also, internal auditors do not set up processes. Again, setting up the process is the responsibility of business line managers. Internal auditors provide an independent assessment of processes. They do not set up the processes.

  4. Hi, when a business is depending on third parties, processes must be in place to assess those third-party relationship risks.

    In my opinion, the counteractions to third parties’ tactics address:

    1°) the price list:
    * for example the presentation is glossy/well printed implying prices cannot be changed;

    2°) the discount:
    * example, presented as a special discount for a special customer, giving something extra to the company;

    3°) the volume price agreements:
    * example, third party offers a volume discount structure to sell more;

    4°) Special offer:
    * example, routine business dressed up to look like something different; the purpose is making it look legitimate;

    5°) Small customer:
    * example, in resisting claims for better conditions, third party may discount the importance of the individual customer;

    6°) Differentiating the product:
    * example, third party actively highlights special advantages/benefits for the company;

    7°) Service factor:
    * example, third party’s prompt response got the company out of a difficult situation;

    8°) Friendly interest:
    * example, third party keeps records of PAs’/employees’ interests, likes and dislikes, and will recall previous conversations and personal and family details;

    9°) Entertainment and gifts:
    * Example, third party offers procurement/internal client significant gifts or entertainment/travel;

    10°) Talking to internal client/management (backdoor setting):
    * example, third party seeks information and concessions out of these groups, and also may claim that certain agreements have already been made.

    Dramane BAKAYOKO From Burkina Faso
