Vendor risk management

Strategic and operational dependency on third parties is commonplace in organisations across all sectors. The question for chief audit executives (CAEs) is how to ensure that meaningful assurance is provided with often limited audit resource.

Organisations often use their own language as this topic is rich in terminology, so for clarity this briefing begins with a lexicon:

  • Vendor/supplier: A person or organisation that provides a product or service. A vendor can be B2C (business to consumer) or B2B (business to business) and is typically closest to the end customer in a supply chain; a supplier is B2B.
  • Outsourcing: Obtaining a service by contract from a supplier (contracting out).
  • Procurement process: The method of purchasing, from ordering through receipt, review and approval.
  • Contract management: The process of creating, executing and analysing contracts.

The following terms are largely interchangeable and their definitions merge:

  • Vendor risk management: Often focuses on cost, quality and value.
  • Supplier relationship management: Assessing contracts for strategic value, maximising interactions and evaluating renewals.
  • Third party management: Monitoring and managing interactions with external parties.

This paper uses the term third party to discuss themes related to the use of an external party (vendor or supplier) to provide services, whether under a simple contractual arrangement for a single service or as a full outsourcing.


In or Out

There are always two sides to a coin and there is an argument for keeping all activities in-house and avoiding third party risks. Regardless of when internal audit joins the party, by invitation or gate-crashing, this debate should be the starting point; understanding the rationale will provide risk insight and enable targeted assurance.

Internal audit should understand how the decision was made by reviewing the business case and the analysis of the costs and risks associated with the activity. Consideration should also be given to who made the decision and whether they had the appropriate authority. The ability to…