What are some of the risks involved in engaging third party providers? Are you really saving money by engaging them? I recently had the opportunity to interview the Global Director of Internal Audit at Quiksilver, Nicole Ungaro. Here are some insights on the top 5 audit failures when reviewing and auditing your third party providers:
1) Be Involved in the Planning Process
Internal Audit needs to be involved in the planning phase, even before a third party provider is engaged. That way, they can do their due diligence to assess the risks. The executive team needs to include Internal Audit in the process, so they can determine what controls need to be in place, particularly when no SOC (Service Organization Controls) report is available. The communication between the executive team and internal audit is critical in setting up the company for success BEFORE the outsourcing happens.
2) Having the legal right to audit?
Check the contract and confirm with your legal department to ensure Internal Audit has the right to audit your Third Party Provider. Nicole recommends conducting a surprise audit, if possible, in order to protect the company and set the proper tone. Perhaps work with legal counsel to determine what triggering event would cause the internal audit department to schedule a surprise audit. After all, outsourcing should NOT mean out of scope.
3) Miscommunication: Avoiding the “Who Said”?
Miscommunication can often lead to big mistakes when outsourcing. Often times third party providers don’t believe they need to comply with SOX, because they are not public companies. Nicole shared an example from one of her colleagues where the distribution center did not follow SOX guidelines. This led to extra work for Internal Audit and External Audit. So, while the company had been trying to save money, by engaging a third party provider, it ended up costing them more than they expected. Therefore, Internal Audit needs to validate key reports at the beginning.
4) SOC Reports don’t cover EVERYTHING!
Depending on the type of report, the Service Organization Controls (SOC) Report only provides management a sense that policies and procedures are being followed. Thus, Chief Audit Executives (CAEs) need to be sure that the SOC report [http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/ServiceOrganization%27sManagement.aspx] is valid and covers the right time period. Determine if other work needs to be done. User considerations should be pinned down to see who might be at fault if there is a failure.
5) Mobile Devices and Cloud Management Increase Everyone’s RISKS!
The Board and upper management need to also be aware of cloud and mobile device security and when working with third party providers. This is really a hot issue now, because of recent security breaches. Some client, vendor and employee breaches could occur and this can lead to bad publicity and possible law suits. It is up to Internal Audit to make the Board aware of risks and perhaps engage the help of IT on the subject of security. Board members are eager to find out the risks to them and to the company. So be sure to keep them informed and include them in the process. A special research project “Cloud Computing: A Study of Internal Audit’s Preparedness” was under taken by one of the largest IIA Chapters, Dallas which provides insight on why internal auditors sometimes see Cloud computing as a hype and lack the true awareness of what could go wrong when they need to audit these service providers.
Need help auditing and engaging with third party providers? We invite you then to learn more about our Compliance Resource Analysis or by emailing us at: Info@avivaspectrum.com to start the conversation about the right resource mix and co-sourcing options.
Find out now by receiving your complimentary: Control Compliance Analysis with Sonia Luna
Learn how to save over 25% of your SOXCompliance costs.
About Nicole Ungaro
Nicole Ungaro is Global Director of Internal Audit at Quiksilver. She has 16 years’ experience in auditing, starting her career in external audit at KPMG. She then transitioned to internal audit, creating an internal audit department at Universal Electronics, Inc. and then moved into the retail sector at Wet Seal. Nicole holds a Bachelor of Science degree from Cal State Long Beach. Nicole is currently involved with the Institute of Internal Auditors, Orange County chapter as the Treasurer.