Vendor risk management

Strategic and operational dependency on third parties is commonplace in organisations across all sectors. The question for chief audit executives (CAEs) is how to ensure that meaningful assurance is provided with often limited audit resource.

Organisations often use their own language as this topic is rich in terminology, so for clarity this briefing begins with a lexicon:

  • Vendor/supplier: A person or organization that provides a product or service, vendor can be B2C (business to customer) or B2B (business to business) they are typically closest to the end customer in a supply chain, suppliers are B2B.
  • Outsourcing: Obtain a service by contract from a supplier/contract out.
  • Procurement process: Method of purchasing from ordering, receipt, review and approval.
  • Contract management: Process of creating, executing and analysing contracts.

The following are largely interchangeable terms and definitions merge:

  • Vendor risk management: Often focus on cost, quality and value.
  • Supplier relationship management: Assessing contracts for strategic value, maximising interactions and renewal evaluation.
  • Third party management: Monitor and manage interactions with external parties.

This paper uses the term third party to discuss themes related to the use of external party (vendor/supplier) to provide services, whether as a simple contractual arrangement for a service or fully outsourced.

In or Out

There are always two sides to a coin and there is an argument for keeping all activities in-house and avoiding third party risks. Regardless of when internal audit joins the party, by invitation or gate-crashing, this debate should be the starting point; understanding the rationale will provide risk insight and enable targeted assurance.

Internal audit should understand how the decision has been made by reviewing the business case, analysis of the costs and risks associated with the activity. Consideration should also be given to who made the decision and whether they had appropriate authority. The ability to…

"High achievement always takes place in the framework of high expectation."

- Charles Kettering

Further reading

Chartered IIA technical guidance

Risk-based internal auditing

Data security in third party agreements

Auditing supply chains

Outsourcing and the role of internal audit

External 

HM Treasury: Building a cooperative assurance relationship between internal audit, departmental gateway, coordinators and centres of excellence

Crown Commercial Service: Public procurement policy guidance

Parliament: Sourcing public services: lessons learned from the collapse of Carillion inquiry

Deloitte: Overcoming the threats and uncertainty: Extended enterprise risk management global survey report 2017

Institute of Risk Management: Extended enterprise risk; managing complexity in 21st Century organisations

Isaca: COBIT 5 guidance

National Outsourcing Association: Outsourcing Life Cycle 2012

BSI: BS 11000 - Collaborate successfully with your chosen partners

Centre for the protection of national infrastructure: Security for industrial control systems - manage third party risks