Concerned About Vendor Management 10 30 12

Technology companies increasingly share their critical information assets and outsource business and IT processes to third-party service providers. In this presentation, Grant Thornton LLP and TechAmerica walk you through how technology companies can manage this third-party risk.


Transcript

  • 1. CONCERNED ABOUT VENDOR MANAGEMENT? Understanding third-party risk for technology companies. October 30, 2012, 1-2 p.m. CT. © 2011 Grant Thornton LLP. All rights reserved.
  • 2. Awarding CPE for this session
    In general:
      – Respond to all polling questions to pass with full credit
      – Group participation will not receive CPE
    The rule:
      – Respond to at least 75% of the polling questions
      – You have to be logged in individually to receive credit
    If you experience any technical difficulties, please contact 888.228.0988 or support@learnlive.com
  • 3. Addressing your questions through Q&A: Step 1, Step 2
  • 4. Other helpful features you can use: be sure to shut down all other applications to allow more Internet bandwidth.
  • 5. Disclaimer. This Grant Thornton LLP presentation is not a comprehensive analysis of the subject matters covered and may include proposed guidance that is subject to change before it is issued in final form. All relevant facts and circumstances, including the pertinent authoritative literature, need to be considered to arrive at conclusions that comply with matters addressed in this presentation. The views and interpretations expressed in the presentation are those of the presenters and the presentation is not intended to provide accounting or other advice or guidance with respect to the matters covered. For additional information on matters covered in this presentation, contact your Grant Thornton LLP adviser.
  • 6. About TechAmerica. TechAmerica is the leading voice for the U.S. technology industry – the driving force behind productivity growth and jobs creation in the United States and the foundation of the global innovation economy. Representing approximately 1,000 member companies of all sizes from the public and commercial sectors of the economy, it is the industry's largest advocacy organization and is dedicated to helping members' top and bottom lines. TechAmerica is also the technology industry's only grassroots-to-global advocacy network, with offices in state capitals around the United States, Washington, D.C., Europe (Brussels) and Asia (Beijing). Learn more about TechAmerica at www.techamerica.org.
  • 7. WEBCAST PRESENTERS
    – Warren W. Stippich Jr., Partner and National Governance, Risk and Compliance Solution Leader, Advisory Services
    – Kirt Seale, Principal, National Special Attestation Reports Leader, Advisory Services
  • 8. LEARNING OBJECTIVES
    • Identify a framework for assessing third-party risk
    • Examine the roles and responsibilities of risk management in finance, legal, procurement and business operations areas
    • Understand tools that can be used to provide comfort that proper controls are in place
  • 9. REAL RISK, REAL IMPACT (headlines): "Huawei Threat: Real or Overblown?"; "Jail, Hard Lessons in Cisco Gear Resale Scam"; "BlackBerry service goes down in Europe, Middle East, Africa"; "GoDaddy goes down and hacker takes credit"
  • 10. POLLING QUESTION #1: Has your company put a program in place to manage third party risk? A: Yes; B: No
  • 11. DEFINING THIRD PARTIES
    • Businesses that are not under direct business control of the organization that engages them
    • Third parties may include: vendors; distributors; suppliers; franchisees/licensees; joint venture or alliance partners; technology outsourcing providers
  • 12. WHY IS THIRD PARTY RISK IMPORTANT? Risk categories: reputational; compliance; regulatory; financial; strategic; operational
  • 13. SECTORS WITH HIGHER RISK
    Technology providers: data centers; companies hosting IT applications; third party logistics companies; cloud or Software as a Service providers; telecom providers; any outsourcing company that manages information on behalf of others
    Relevant industries: government; health care; banking; investment/fund managers; payroll management companies; financial services
  • 14. POLLING QUESTION #2: Which type of company presents heightened risk when in a vendor relationship? A: Data centers; B: Third party logistics companies; C: Software as a service companies; D: A and C; E: All of the above
  • 15. RESPONSIBILITY FOR THIRD PARTY RISK MANAGEMENT: Compliance; Finance; Legal; Vendor Oversight Function; Procurement; Business operations/IT; Internal audit
  • 16. DEFINING THE THIRD PARTY UNIVERSE
    • Analyze comprehensive vendor listing (A/P master file, legal, procurement)
    • Exclude the following:
      – Maintenance, repair, operations vendors
      – Providers of raw materials or finished goods
    • Confer with in-house legal resources
      – Additional source of data
      – Contractual details will be helpful
    • Consider other departments that may need to be consulted
  • 17. WHERE DO YOU BEGIN? PROJECT OBJECTIVE
    • Risk Assessment & Appeals Processes
      – Customize the vendor due diligence process depending on the company's specific risks
      – Rule-based point values assigned
      – Cumulative score will dictate level of additional investigation if required
  • 18. POLLING QUESTION #3: A third party risk assessment should be part of an enterprise risk management program. A: True; B: False
  • 19. FACTORS TO CONSIDER WHEN ASSESSING RISK (Risk Domain: Assessment Factors)
    • Strategic: level of importance of vendor to corporate operations
    • Reputational: magnitude of potential loss if there are problems with the vendor relationship
    • Regulatory: level of vendor oversight/monitoring; reporting required by outside regulatory body
  • 20. FACTORS TO CONSIDER WHEN ASSESSING RISK (Risk Domain: Assessment Factors)
    • Operational: type of vendor – nature of products/services provided; frequency of communication with vendor
    • Financial: annual spend with vendor
    • Compliance: current safeguards or controls designed to ensure compliance with relevant regulations; availability of audit reports or existence of "right to audit" clause
  • 21. EXAMPLE OF HOW TO DEFINE THE RISK UNIVERSE (Source: Grant Thornton LLP). Columns: Vendor name | Vendor type | Nature of service being provided | Contractual details | Geographical/global considerations | Applicable regulatory requirements (e.g., HIPAA, FCPA) | Primary relationship owner within organization (e.g., IT, finance, marketing) | Provides an audit report such as SOC 1 | Right to audit clause
    – ABC Payroll | Payroll provider | Payroll processor | Five-year agreement approved by Legal department | Payroll processed in Kansas City, Kan. | IRS, Department of Labor | Bob Peoples, Human Resources | Yes, SOC 1 | No
    – IT Help Support | Help desk contractors | IT support | One-year auto-renewing contract | Local to each company site and headquarters | N/A | Martin Technology, CIO | No | No
    – Quick Print | Printing/mail service provider | Prints/mails invoices and marketing materials | Six-year agreement, approved by Legal department | Local to headquarters | N/A | Sally Accountant, CFO | No | No
  • 22. WEIGHTING RISK FACTORS (rating is from low (1) to high (5); source: Grant Thornton LLP). Columns: Vendor | Significance of the data handled by the vendor | Potential magnitude of a financial loss | Potential magnitude of a reputational loss | Potential magnitude of an operational loss | The frequency of interaction | Expense of the vendor in relation to the income of the business unit supporting it | Significance of financial risk | Significance of operational risk | Significance of strategic risk
    – ABC Payroll | 3 | 1 | 1 | 5 | 5 | 4 | 3 | 5 | 2
    – IT Help | 3 | 1 | 1 | 3 | 5 | 2 | 1 | 4 | 1
    – Quick Print | 2 | 1 | 4 | 2 | 4 | 1 | 1 | 1 | 1
  • 23. NEEDS ANALYSIS APPROACH. High, medium or low-risk areas are determined based on the following risk factors: strategic importance; business operations risk; legal/regulatory compliance; system reliance and capability; fraud risk; external factors; human capital risk; financial impact; market impact; reputation impact
  • 24. RISK MITIGATION TECHNIQUES
    • Transaction monitoring
    • Increased data analysis and reporting
    • Contract renegotiation
    • Independent reviews
    • Audits
    • Site visits
    • Questionnaire
  • 25. USE OF ATTESTATION REPORTS
    SOC 1:
      – provides a vehicle for reporting on a service organization's system of internal control relevant to a user organization's internal control over financial reporting
      – intended as auditor-to-auditor communication, with specific content dependent on the service organization's system
    SOC 2:
      – addresses controls pertinent to the Trust Services Principles of security, availability, processing integrity, confidentiality and privacy
      – includes many of the same elements as a SOC 1 report
      – principles and criteria developed by the AICPA and the Canadian Institute of Chartered Accountants
    AT 101:
      – allows service organizations to provide user organizations and other stakeholders with a tailored report on controls that are relevant to the services
      – highly flexible and can be leveraged for multiple industry standards (e.g., NIST, ISO)
  • 26. POLLING QUESTION #4: My company uses SOC reports when working with our vendors and customers. A: Always; B: Often; C: Infrequently; D: We have used SOC reports; E: Not sure
  • 27. A FEW THINGS TO NOTE ABOUT SOC REPORTS. Consider the following when reviewing a SOC report:
    • Time period covered
    • Handling of subservice providers (carve-out vs. inclusive)
    • In-scope and out-of-scope locations
    • Construction of control objectives and control activities
    • Sampling and testing methodology
    • Exceptions noted and management response
  • 28. ADDING VALUE: CASE STUDY
    Issue
    • A Fortune 500 corporation experienced issues related to a third party that resulted in self-disclosure of an issue
    • Company required a way to mitigate against future issues with vendors and third parties
    Response
    • Grant Thornton created and managed a new process to onboard and assess the compliance-related risk associated with newly identified third parties and business partners
    • Team also worked to extract "legacy" third party relationships from a large number of Enterprise Resource Planning (ERP) systems, to capture, process and investigate
    • Grant Thornton was also involved in the creation of supplemental qualification requirements for certain third party relationships as well as development of a technology solution to evaluate new relationships
    Benefits Achieved
    • The results of this project included:
      – Standardized the review and acceptance of a new third party business relationship
      – Insight and seamless transparency into the third party relationships retained that would otherwise be unseen
      – Validation of the creation of a new customer master or vendor master file within the client's local ERP system
      – More efficient process of creating valid agreements, helping to further protect the client from any unforeseen risks
  • 29. KEY TAKEAWAYS
    • Understand and evaluate your third party relationships
    • Know your risks
    • Take reasonable steps toward risk mitigation
  • 30. QUESTIONS
  • 31. KEEPING THIRD-PARTY RISK IN CHECK. This white paper addresses the process of information gathering, assessing and assigning risk ratings, and mitigating the high-risk relationships. Learn how using Service Organization Control reports can help manage third-party risk in our illustrative case study. You will receive a downloadable copy of the paper in the follow-up email from Grant Thornton LLP.
  • 32. FOR MORE INFORMATION, CONTACT:
    Warren Stippich, Partner, National Governance, Risk and Governance Leader, Advisory Services. T 312.602.8499, E warren.stippich@us.gt.com
    Kirt Seale, Principal, National Special Attestation Reports Leader, Advisory Services. T 214.561.2367, E kirt.seale@us.gt.com
  • 33. THANK YOU FOR ATTENDING. To retrieve your CPE certificate:
    • Respond to online evaluation form
    • Print your CPE certificate from the CPE confirmation email or participation tab (Note: group participation will not receive CPE)
    • Download today's slides as a reference resource
  • 34. Thank you for attending. Visit us online at www.GrantThornton.com, twitter.com/GrantThorntonUS, linkd.in/GrantThorntonUS. For questions regarding your CPE certificate, contact Learnlive at 888.228.0988.
