Auditing Third Party Risk

Using third parties invariably presents a variety of risks for organizations, including strategic, reputational, regulatory, operational, financial, transactional, security, compliance, and other risks. However, when utilized effectively, third parties can also provide tremendous value in terms of specialized knowledge, increased capacity, reduced overhead, and more customized business solutions. Internal audit should be at the front of managing the risks associated with third parties by independently reviewing, evaluating, and reporting on the related business practices. This course provides an overview on third-party risk management, including governance structure and risk management processes. It also specifies contracting, monitoring, and contract termination elements of the third-party relationship. Finally, the content defines the role of internal audit as it relates to various phases of the third-party management audit engagement, including planning, defining scope and objectives, testing, and reporting.

Learning Objective(s):

• Recognize the elements and attributes of third-party risk management.
• Recognize risks and controls associated with contracting third parties.
• Recognize the areas where internal audit can monitor third parties.
• Differentiate types of third-party risk management governance structures.
• Differentiate key elements of Type 1 and Type 2 assurance reports for the operation of critical third-party organizations.
• Differentiate the evaluation criteria for engagements of third parties.
• Understand third-party due diligence policies and procedures.
• Understand the testing phase and the need to determine the essential criteria element(s) for evaluating the organization’s third-party risk management framework and process.