Managing Third Party Risk

Similar documents
Effective Vendor Risk Management. April 21, Mario A. Mosse. This Training is Brought to you by ComplianceOnline. Presenter:

Internal Audit s Role in Third Party Risk Management (TPRM)

STRATEGIES FOR EFFECTIVELY WORKING WITH THIRD-PARTIES. September 2017

REGULATORY HOT TOPIC Third Party IT Vendor Management

Outsourcing and the Need for Supplier Audits

Ensuring Organizational & Enterprise Resiliency with Third Parties

THIRD-PARTY RISK MANAGEMENT

The Case for Outsourcing Accounts Payable

Long Beach City Auditor s Office

VENDOR RISK MANAGEMENT FCC SERVICES

VENDORINSIGHTU P D A T E

RISK MANAGEMENT REPORT

Supplier risk compliance obligation or source of competitive advantage? Improve supplier reliability to lift business performance

Audit Committee Performance Evaluation

Firm Profile TURNING RISKS INTO OPPORTUNITIES

Sarbanes-Oxley Compliance Kit

VENDOR MANAGEMENT 101

AUDIT COMMITTEE CHARTER AS AMENDED AS OF MAY 6, 2015

Vendor Management Challenges and Expectations An Open Discussion April 13, 2017

Financial CIA-I. Certified Internal Auditor (CIA) Download Full Version :

Vendor Management Table of Contents. Table of Contents. Equity Loans

Strengthening Vendor Risk Management Program

Agenda. Agenda. Why Audit Suppliers. Outsourcing / Offshoring. Supplier Risks. Minimum Security Standards. Audit Focus

Drive Your Business. Four Ways to Improve Your Vendor Risk Program

IIA ACFE Conference April 17, 2015

The Role of the VMO in Regulatory Compliance Planning, Due Diligence and Contract Negotiation

PURCHASING AND PROCUREMENT OVERVIEW

IBM Emptoris Services Procurement on Cloud

Social Media Policy Manual Table of Contents [Sample Client] Table of Contents. Sample

Managing the Business Associate Relationship: From Onboarding to Breaches. March 27, 2016

Will Your Company Pass a Privacy Audit?

Mini Summit VI - MANAGING THIRD PARTY RELATIONSHIP RISKS

CFPB Compliance Management Review

AUDIT COMMITTEE CHARTER

IACA Compliance Benchmark Questionnaire

AUDIT COMMITTEE OF THE BOARD OF DIRECTORS OF THE TORONTO-DOMINION BANK CHARTER

Navigating the Intersection of Vendor Management and Business Continuity

Microsoft Cloud Agreement Financial Services Amendment

FAQ. From: Christine Curtis Director of Security GOM. REF: Request to Clarify Contactor Background Screen. Date: October 31, 2014

STEPS FOR EFFECTIVE MANAGEMENT OF VENDOR AND SUPPLIER CYBERSECURITY RISKS. April 25, 2018 In-House Counsel Conference

AUDIT COMMITTEE CHARTER

Effective Date: January, 2007 Last Reviewed Date: September, 2016 Last Revised Date: October, 2016 Next Review Date: April 2018

Nutrien Procurement Policy 0006-PC-01-SPT-NOT-A. Procurement Mission Statement:

Audit-Risk Committee. Board Approval: August 2018

Topics for Discussion

Speedy Group Policy Part of: Group Policies & Procedures

Ohio Public Employees Retirement System. Request for Proposal

Triple C Housing, Inc. Compliance Plan

AUDIT COMMITTEE CHARTER

CRESCENT CAPITAL BDC, INC. AUDIT COMMITTEE CHARTER

OUR PROCUREMENT PRACTICES. Copyright 2018 Boart Longyear. All rights reserved

Defining and promoting excellence in the provision of mobile money services

IT Risk Advisory & Management Services

Third Party Risk Management ( TPRM ) Transformation

THE WHATS, WHYS AND HOWS OF AN EFFECTIVE ETHICS PROGRAM

International Operational Auditing

5 Core Must-Haves for Improved Internal Audit Performance. Copyright 2018 AuditBoard Inc. 1

Evolving Core Tasks for Improved Internal Audit Performance. Copyright 2018 AuditBoard Inc. 1

LI & FUNG LIMITED ANNUAL REPORT 2016

AUDIT COMMITTEE CHARTER

UNIVERSITY OF OKLAHOMA Campus Payment Card Security Standard Norman Campus

Procurement Standard. For further information contact

Effects of GDPR and NY DFS on your Third Party Risk Management Program

Seattle Public Schools The Office of Internal Audit

Managing Legal and Operational Risk in IT Agreements

TEACHERS RETIREMENT BOARD. AUDITS AND RISK MANAGEMENT COMMITTEE Item Number: 9 SUBJECT: Scope and Structure of the Enterprise Compliance Program

Why Is Third Party Risk Management Important?

AUDIT COMMITTEE CHARTER (updated as of August 2016)

RFP Professional Staff Augmentation for Information Technology Addendum #1 dated 01/29/2016

Audit Committee Performance Evaluation Form

ANTI-MONEY LAUNDERING SERVICES EXPERTS WITH IMPACT

Third-party risk management. EY Integrity Diligence

CFPB Examination Procedures

IT Service Delivery And Support Week Seven: SLA. IT Auditing and Cyber Security Fall 2016 Instructor: Liang Yao

IBM Payments Gateway

TEXAS LOTTERY COMMISSION. Contract Management Manual

CHARTER OF THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS OF COMPUTER TASK GROUP, INCORPORATED

STUDY UNIT TEN INTERNAL AUDIT RESPONSIBILITIES FOR FRAUD

(will include interviews, documents review, physical inspection) Written By-laws. Incorporation papers. Minute Book. Insurance policy/ coverage

PUBLISHED BY IAITAM Publishing, LLC 1137 State Route 43 Suffield, Ohio Copyright 2008 by IAITAM Publishing, LLC All rights reserved.

Hiring a Quality Auditor:

Hiring a Quality Auditor:

SAMPLE BOARD PERFORMANCE EVALUATION: Prepared by DELOITTE & TOUCHE, 2013

Government Contract Controls: Going Beyond Business Systems

SOLUTION BRIEF EU GENERAL DATA PROTECTION REGULATION COMPLIANCE WITH RSA ARCHER

Overview of Top Risks & Risk Management Best Practices. Today s Agenda

Today s Agenda. David Wong, Monica Reinmiller

How to Stand Up a Privacy Program: Privacy in a Box

Texas Workforce Commission

Best Practices: Vendor Risk Questionnaires PROCESSUNITY WEBINAR SERIES

Payment Card Industry Data Security Standard Compliance: Key Players and Relationships. By Jason Chan

BIG LOTS, INC. AMENDED AND RESTATED AUDIT COMMITTEE CHARTER

BIOSCRIP, INC. CHARTER OF THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS

Acceleron Pharma Inc. Code of Business Conduct and Ethics

Privacy Statement. Information We Collect

VIRTUA DATE OF LAST REVIEW 5/11; 4/14, 8/16

COMMUNITY LIVING BRANT POLICY AND PROCEDURE MANUAL

Procurement Under the New Requirements 1

Outsourcing Transparency Evolution: Creating Value Across the Third-Party Extended Enterprise

WHY YOU NEED AN ETHICS PROGRAM AND HOW TO GET STARTED TODAY

Transcription:

Managing Third Party Risk Presenters: L o r i D a n i e l s E n g a g e m e n t M a n a g e r R i s k A d v i s o r y S e r v i c e s T i m L i e t z R e g i o n a l P r a c t i c e L e a d e r R i s k A d v i s o r y S e r v i c e s Tuesday, January 12, 2016

Our Time Today Third Party Vendor Management Current Trends and Program Management Why Organizations Leverage External Resources Phases of Each Relationship Evaluate Options Negotiate Agreement Monitor Service Level Performance Case Study Examples Internal Audit Focal Points How to Add Value to Your Organization Relationship Phases Trends & Regulatory Enforcement Internal Audit & Compliance Focal Points Experis Tuesday, January 12, 2016 2

Third Party Relationships Current Trends

Our Unique Perspective Best Practices in Procurement Experis Tuesday, January 12, 2016 4

2015 A FULL Perspective 441 meetings completed 22,439 miles driven 250 meals on the road 63 nights in a hotel 20 flights 11 train rides 1 Harley Ride to Key West! Experis Tuesday, January 12, 2016 5

What We Are Seeing 1Q 2016 OCC & Fed Increased focal points CEB Top 10 IA Risks 2016 Large Carolinas financial services client 3 people on site performing vendor audits Large regulated client assistance in developing vendor management program and completion of annual audits FSI Exchange Conference hot topic of 2 day event Sept 2015 Great opportunity for Internal Audit to add value to the organization Experis Tuesday, January 12, 2016 6

What We Are Seeing 1Q 2016 Large NC Client: o Centralized procurement process is key o Existing or NEW vendor? o NEW: risk assessment is critical on how to manage inherent risks o Data security key o Get MSA and onboarding process cleared ahead of time to make new vendor on boarding easy o ID risks ahead of time with new vendors o OCC focal point in Oct. that produced finding Experis Tuesday, January 12, 2016 7

What We Are Seeing 1Q 2016 Experis Tuesday, January 12, 2016 8

Recent Trends 42% of companies now describe themselves as highly vulnerable to vendor, supplier, or procurement fraud - Kroll Global Fraud Survey A current survey indicates that 85% of companies recently suffered at least one supply chain disruption Zurich Financial Survey 90% of all FCPA cases involved third-party intermediaries organizations need to evaluate their understanding of and compliance with statutes such as the FCPA and UK Bribery Act. - Corporate Executive Board Experis Tuesday, January 12, 2016 9

Recent Trends - continued Facilitation Payments 3 rd parties must follow your company s policy The Biebs Example 3 rd party service providers handling customer credit card data storing, processing and transmitting, customer card data COSO 2013 Compliance controls over outsourced service providers are a big focal point today. In the past, SOC reviews seemed sufficient, but now more in depth review of controls and monitoring activities are required. Formal, documented controls are being implemented. Experis Tuesday, January 12, 2016 10

Recent Trends - continued Controls over information going out to third parties and controls over info coming back in from them. Need to be more formalized now. Increased complexity of supply chains and Opacity of individual links. Organizations are not seeing the cumulative effect of weaknesses within a supply chain. Business leader accountability is increasing to know the third parties they utilize and their effect on the organization. Russia Sanction Compliance most complex sanctions ever for businesses, especially in energy. OFAC compliance are your business partners compliant? Experis Tuesday, January 12, 2016 11

Why Organizations Leverage External Resources

Duke University/CFO Magazine Outlook Survey Two-thirds of firms expect to increase employment in 2016, with the increase averaging about 2 percent. Employment growth will be strongest in services/consulting, retail/wholesale and construction. Manufacturing employment should shrink 1 percent. Manufacturing firms will reduce fulltime employment in 2016. CFOs list the difficulty in attracting and retaining qualified employees as one of their top three overall business concerns. Experis Tuesday, January 12, 2016 13

Duke University/CFO Magazine Outlook Survey Top 10 Concerns for U.S. Businesses 1. Economic Uncertainty 2. Cost of benefits 3. Attracting and retaining qualified employees 4. Regulatory requirements 5. Government policy 6. Weak demand for product/services 7. Data Security 8. Employee productivity 9. Employee morale 10. Access to capital Experis Tuesday, January 12, 2016 14

By 2020, there will be 123 million high-skill, high-pay jobs available in the U.S., but only 50 million Americans with the right education to fill them. Economist Intelligence Unit Experis Tuesday, January 12, 2016 15

Workplace Balance Cut costs Increase flexibility Enhance innovation Knowledge management Engage Increase productivity Experis Tuesday, January 12, 2016 16

Top 5 Reasons Organizations Outsource 75% Reduce and control operating costs 65% Focus on core competencies 59% Resources not available internally 52% Reduce internal headcount 51% Reallocate internal resources for higher value purposes Experis Tuesday, January 12, 2016 17

Top 5 Functions Outsourced 69% IT (all categories) 29% Operations and administration 26% Customer service 21% Other (wide variety) 20% Financial (payroll, etc.) Experis Tuesday, January 12, 2016 18

Reliance on Vendors and the Regulatory Roadmap Regulators acknowledge the risks associated with vendor relationships and have demanded that leaders monitor and take responsibility for the actions of their vendors through various laws and standards such as the Sarbanes Oxley Act, the Gramm-Leach- Bliley Act, the FCPA, the Health Insurance Portability and Accountability Act, as well as the Payment Card Industry Data Security Standard (PCI DSS) requirements and CFPB guidance. Consequently, vendor management is currently at the forefront of organizational risk management priorities. Experis Tuesday, January 12, 2016 19

Phases of the Vendor Relationship

Phases of the Relationship Evaluate Options Manage and Negotiate Agreement Monitor Service Level Performance Experis Tuesday, January 12, 2016 21

Evaluate Options Procurement Process RFI, RFP, Proposals, SOW s Bid Submittal Process Transparent Bid Opening Process & Controls Selection Criteria Due Diligence Final Decision Documented? Experis Tuesday, January 12, 2016 22

Due Diligence Review Audited Financial Statements Experience & Capabilities Business Reputation Qualifications & Experience Existence of significant complaints, litigation or regulatory actions Use of other parties or subcontractors Scope of internal controls, systems, data security and audit coverage Business resumption strategy & contingency plans Adequacy of management information systems Insurance Coverage Experis Tuesday, January 12, 2016 23

Negotiating and Managing Vendor Contracts Centralized? Trained Negotiators? Legal Department ALWAYS Involved? Delegation of Authority Verified PRIOR to Execution? Contract Repository? Access to Repository Limited? Experis Tuesday, January 12, 2016 24

Content of the Contract Scope Cost/Compensation Business Reputation Performance Standards/SLA s Management Information Reports Right to Audit Confidentiality & Security Business Resumption and Contingency Plans Default & Termination Dispute Resolution Indemnification Experis Tuesday, January 12, 2016 25

Contract Structuring & Review The Obvious Management should ensure that the specific expectations and obligations of both parties are outlined in a written contract prior to entering into the arrangement. Board approval should be obtained prior to entering into any significant third-party arrangements. Legal counsel should review significant contracts prior to finalization. Experis Tuesday, January 12, 2016 26

Oversight of Third-Party Activities Management should periodically review the Third party s operations to verify that they are consistent with the terms of the written agreement and that risks are being controlled. Management should consider designating a specific officer to coordinate the oversight activities with respect to significant relationships and, as necessary, involve other operational areas (audit, IT) in the monitoring process. An effective oversight program will generally include the monitoring of the third party s quality of service, risk management practices, applicable internal controls and reports. Experis Tuesday, January 12, 2016 27

Monitor Performance Questions to Ask Monitoring adherence to the agreement Who performs? Annual scoring of performance Are there documented performance statistics for each vendor where appropriate? Who scores? Renewal process How is it coordinated between procurement and process owners? Experis Tuesday, January 12, 2016 28

Case Studies

Regulatory Enforcements Large Retailer access gained through HVAC vendor Consulting Firm - Edward Snowden Incident Large Retailer FCPA violations in Mexico Layne Christensen October 27, 2014 $5.1 million dollar FCPA fine for paying bribes in Africa during the 2000 s. Improper payments to government officials over a 5 year period. Series of payments, often made by third parties, made under the guise of cost of doing business. Experis Tuesday, January 12, 2016 30

Alleged Navy Shipyard Gunman 34 yr. old Military Contractor from Texas The Washington Naval Shipyard reportedly has over 3,000 civilian, military and contract support personnel working in the building attacked by the gunman last November Location of shooting described as a highly secure military site Lapses suggested in security screening and Base protection, subsequent to the event Arrested in 2004 for shooting out tires of a car Security clearance granted in 2008 Reported history of mental illness Experis Tuesday, January 12, 2016 31

Lessons Learned Vendor management has become a core competency Increased need for standardized vendor oversight Companies need monitoring processes for on going vendor performance Experis Tuesday, January 12, 2016 32

Audit Focal Points Managing Increased Oversight of Vendors and Adding Value

Vendor Management Continues to be a Growing Area The issued guidance has been around for years, yet implementation and impact on operations continue to grow. Some vendors have indicated that since 2012, the number of audits of their operations have quadrupled. Companies have reported growing areas of inquiry and oversight. Increased regulatory focus on a vendor s operational compliance Primary responsibility lies with the organization managing the vendor relationship Experis Tuesday, January 12, 2016 34

Coping with the Onslaught of Review Requirements The increased frequency of audits, together with the rise in scope, can be daunting for both risk managers and their vendors. Experis Tuesday, January 12, 2016 35

Pre-2013 Areas of Audit of a Vendor From a sampling of vendor questionnaires from pre-2013, typical areas of inquiry included: Basic vendor information Tax identification number State of Organization Business Type Financial Information Professional licenses Insurance Coverage Privacy policy/confidentiality of data Business continuity Experis Tuesday, January 12, 2016 36

2015 Areas of Audit Business information Licensing Financial Management Employee qualifications Litigation Regulatory actions Ownership of products System development lifecycles Security Network Physical Application Hardware Access control Identity access management Privacy/GLBA/PCI Operations Polices and procedures Change management Consumer complaints Risk Management Enterprise risk management program Insurance risk management Information risk management Vendor risk management Compliance Policies mine and yours Procedures mine and yours Applicable laws Records retention Training Business Continuity Planning Disaster recovery Pandemic plan Diversity, Environment, Reputation Experis Tuesday, January 12, 2016 37

2016 Viewpoint There is a renewed focus within IA Departments to identify new areas to add value to their organization and reprioritize risks Top 10 Risks for Internal Audit in 2016: #2 Operational Risk Third Party Relationships #9 Information Risk Third Party Relationships -2016 Pulse of Internal Audit CEB Experis Tuesday, January 12, 2016 38

Audit Management: Planning Be educated. Whether you are the reviewer or the subject, you must: Know your client/vendor Understand the services Understand your business, including the regulatory oversight Understand your contract Scope of audit provisions Compliance obligations Plan in advance: Are the limits to the disclosure of my information? Why? Are there materials available only for onsite review? Why? Are there materials that can be provided in advance? Who grants exceptions? Experis Tuesday, January 12, 2016 39

Audit/Risk Assessments: Preparation Create a library of commonly asked questions Collect data on commonly asked questions and create acceptable answers in advance Set review periods of library to prevent stale answers Employee Handbook annual Litigation monthly or quarterly Create collateral that can be provided on predictable topics Privacy policy Disaster recovery Records retention Experis Tuesday, January 12, 2016 40

Audit/Risk Assessments: Execution For examiners/auditors o Set expectations of team members o Appoint a team lead/project manager o Define roles o Require remediation plans For vendors: o Dedicate a team for managing inquiries o Centralize communication o Use standard responses o Manage timeline o Build client trust and relationships o Gather data and spot trends Experis Tuesday, January 12, 2016 41

Audit/Risk Assessments: Post Mortem Save your work! Identify focus areas for next review Reduce time needed to respond to ongoing requests Create collateral for regulatory compliance exam Track and communicate results internally Act on noted issues Terminate or reduce use of problem vendors Test remediation efforts Follow up and request proof of completed remediation Test Experis Tuesday, January 12, 2016 42

VRM is no longer just nice to have. Increased regulatory focus Increasing number of consent orders and findings, even on past vendors Increasing areas of inquiry Increasing number and amount of fines Increased ancillary operating costs for vendor management Experis Tuesday, January 12, 2016 43

Focal Points for IA: Transparency a must from start to finish with each vendor! December 2015 IIA Magazine The Importance of Auditing for Conflicts of Interest Hotline Reporting Number on RFP s? Consistency centralized or decentralized environment? Control Environment - strong or weak? Evaluate the process of monitoring vendor performance Experis Tuesday, January 12, 2016 44

Gaming the System, Ethical Dilemmas or Fraud? Inflated Rack Rates vs. final Negotiated Rates increased annual bonus tied to cost savings CFO Request split into separate SOW s to prevent Board Approval Inappropriate Relationships -- $25 million telecomm cabling contract & dual invoicing International Locations further from the Corporate Office, the likelihood for fraud increases. Experis Tuesday, January 12, 2016 45

Risk Focal Points FCPA & UK Bribery Act Compliance payments made through 3 rd Parties numerous recent FCPA fines related to bribes made through third parties Right to Audit Clause Financial Stability Sole Source Providers Background and Drug Screening Experis Tuesday, January 12, 2016 46

Risk Focal Points PC & Internet access start & finish of project Equipment and Badges monitoring them Building Access too liberal? Data Access and Retention Policies do vendors comply? Experis Tuesday, January 12, 2016 47

2016 Audit Plan Additions? Third-Party Governance Review: Ensure internal procedures regarding the use of third parties are comprehensive and consistently applied. These should cover processes, such as due diligence, contract management, and relationship termination. Audit Rights Review: Look through contracts to see whether audit rights are included over third-party vendors. As contracts are renegotiated and new relationships are formed, ensure a right to audit clause is included. Due Diligence in Selecting Third-Party Relationships: Assess the due diligence process used to select vendors and other partners, including an examination of the third parties internal control environment, security history, legal compliance (including complaints, litigation, and regulatory actions), and financial status. Supply Chain Management Health Check: Review whether risk management is appropriately integrated into supply chain management cutting across individual parts, such as procurement, logistics and distribution and includes a focus on lower likelihood but higher impact risks, such as business continuity, currency crises, and commodity volatility. - CEB 2016 Audit Plan Hot Spots Experis Tuesday, January 12, 2016 48

Resources CEB Procurement Strategy Council Experis Tuesday, January 12, 2016 49

Contact Info L o r i D a n i e l s E n g a g e m e n t M a n a g e r E x p e r i s F i n a n c e l o r i. d a n i e l s @ e x p e r i s. c o m 9 1 9. 7 5 5. 5 8 6 3 T i m L i e t z D i r e c t o r R i s k A d v i s o r y S e r v i c e s E x p e r i s F i n a n c e t i m o t h y. l i e t z @ e x p e r i s. c o m 9 1 9. 7 5 5. 5 8 5 9

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback