Professional Documents
Culture Documents
Assurance Over Third Party Service Providers
Assurance Over Third Party Service Providers
Assurance Over Third Party Service Providers
Whitepaper
Assurance over
Third Party
Service Providers
OCTOBER 2021
Level 5, 580 George Street, Sydney NSW 2000 | PO Box A2311, Sydney South NSW 1235
T +61 2 9267 9155 F +61 2 9264 9240 E enquiry@iia.org.au www.iia.org.au
Assurance over Third Party
Service Providers
Background 2
- Purpose 2 OUTSOURCER THIRD PARTY FOURTH/’Nth’ PARTY
Figure 2: Assurance over third party risk management – may › A dedicated third party risk management hub can
be provided by Internal Audit or other assurance providers provide insight into all third party relationships across the
organisation, control over the onboarding process and
Audit the third party risk management framework
ongoing oversight of third party relationships. The owner
› The third party risk management framework may be a may be the head of procurement, chief operating officer,
standalone framework or an element of an organisation’s or a governance body. Alternatively, managing third
overarching risk management framework. party service providers may be decentralised and each
Audit the third party risk management process business manager may own the third party relationships
in their area.
› For example, conduct a procurement audit that includes
reviewing how third party risks were addressed. › The IIA ‘Three Lines Model’ can be used to define third
party risk management roles and help identify duplication
Include third party risk management in process audits or gaps (refer Figure 4).
› For example, in a payroll audit evaluate the third party › Third party risk management policies and procedures
risk management processes used in relation to the third may be either standalone products or included in an
party that processes the payroll. organisation’s overarching risk management polices and
Undertake audits of third parties procedures.
GOVERNING BODY
Accountability to stakeholders for organisational oversight
MANAGEMENT
Actions (including managing risk) to INTERNAL AUDIT
achieve organisational objectives Independent assurance
2 Refer IIA Practice Guide ‘Reliance by Internal Audit on Other Assurance Providers’ (2011)
© 2021 - The Institute of Internal Auditors - Australia 4
Assurance over Third Party
Service Providers
segmentation and the types of assurance activities that may Conclusion
be conducted within each tier is provided in Figure 5.
Summary
Figure 5: Example segmentation of third party service provider
Third party relationships continue to expand and evolve,
relationships
introducing risks that must be continuously assessed and
Tier 1 Tier 2 Tier 3 responded to, to achieve organisational objectives. Internal
(High risk) (Medium risk) (Low risk) auditors and risk managers, particularly those who hold
› Self-assessment › Self-assessment › Self-assessment the IIA Certification in Risk Management Assurance (CRMA)
are uniquely qualified to identify potential third party risk
› Review of return › Review of return › Review of return exposures and make recommendations on how to respond to
› ASAE reports › ASAE reports › ASAE reports those risks.