Page 1 of 4 Crossland Advisors, Inc.
http://crosslandadvisors.com/
610-365-4852
Copyright © 2020
Do You Really Know Your Third-Party Providers?
Almost every organization has at least one if not a multitude of third-party vendors providing
various services or goods that are critical to daily operations. Does your organization know:
• All of the third-party providers being used?
• The services or products being provided?
• Key provider contacts?
• Key organization liaisons for each provider?
• Contractual obligations with each provider?
• Service level agreements for each provider?
• The financial viability of each provider?
• The controls implemented by each provider and the operating effectiveness of those
controls?
• The risks to the organization?
The Definition
The simple definition of a third-party provider is any vendor that is performing a service or
providing a product that could be performed or produced internally if the required resources
were available. Examples would be consultants, contractors, IT services, claims processing, and
other outsourced production or services. Products and services such as office supplies and
utilities are not considered third-party providers.
The Population
While it may seem easy to identify all of the third-party providers being used throughout the
organization, it can be a challenge. Initially, request a list of third-party providers (using the
established definition) from each area of the organization.
To make sure all third-party providers are identified, request a listing of all vendor payments for
the past twelve (12) months from Accounts Payable. Using the established third-party provider
definition, confirm the population of third-party providers being used throughout the
organization.
Filling in the Details
Using the verified population of third-party providers, create a database listing the details for
each, such as:
• Products or services being provided
• Provider contacts
• Assigned organization liaison
• Contract terms
• Service level agreements
• Last risk assessment
• Required provider documentation (e.g. SOC reports, Shared Assessment/SIG, Agreed
Upon Procedures)
• Evaluation frequency
The Risk Assessment
An effective third-party provider management process includes each provider being evaluated
based on a number of key categories. Common risk categories are:
• Operational
• Financial
• Reputational
• Regulatory
• Security and Privacy
• Business Continuity
• Geographic
Each provider should be assigned a risk ranking based on these categories.
A weighted scoring process is typically used to assign a risk ranking. The weighted scoring will
vary based on the type of organization and industry. Smaller organizations may be highly
dependent on third-party providers and therefore may assign more weight to certain risk
categories such as operational and business continuity. Organizations in healthcare and finance
will most likely need to assign more weight to regulatory risk, security and privacy.
The risk ranking should be used to determine the frequency of subsequent evaluations and
required provider documentation (e.g. SOC reports, Shared Assessment/SIG, Agreed Upon
Procedures).
The risk assessment should result in each third-party provider being assigned to a risk tier.
Common risk tiers are:
• Critical
• High
• Medium
• Low
Since the products or services being provided by the third-party are an extension of the
organization, there should be an expectation that the third-party provider will have at least the
same level of controls (operational, financial, reputational, regulatory, security/privacy,
business continuity) as if those products or services were produced or performed internally.
Re-Evaluation Frequency and Procedures
The risk tier assignment from the risk assessment normally determines the re-evaluation
frequency; however, unplanned events could accelerate or delay a re-evaluation. Typical
re-evaluation frequencies are:
• Critical – quarterly or semi-annually
• High – semi-annually or annually
• Medium – annually or every two years
• Low – every two or three years
The re-evaluation process should include:
• Confirming the products or services being provided
• Confirming provider contacts
• Confirming the assigned organization liaison
• Confirming contract terms and service level agreements
• Analyzing financial viability
• Obtaining and reviewing required provider documentation (e.g. SOC reports, Shared
Assessment/SIG, Agreed Upon Procedures)
• Performing a new risk assessment
• Reviewing the controls implemented by each provider and the operating effectiveness
of those controls
New Third-Party Providers
The new third-party evaluation process should be rigorous to make sure the organization is not
taking unnecessary risks; due diligence is crucial. Ideally, the new third-party evaluation process
should be completed before any contractual agreements are executed.
Each new third-party provider should be added to the population database along with all
pertinent information. A risk assessment and all re-evaluation procedures listed above should
be completed as part of the evaluation process and prior to executing any contracts. This
provides the organization with the information needed to make a final decision.
While it may be prudent to use third-party providers, always remember that YOU OWN THE
RISK! Therefore, identifying, understanding and evaluating the third-party provider risks is
critical to the organization.
Related article: Evaluating Service Organization Control Reports
https://www.slideshare.net/JayCrossland/evaluating-service-organization-control-reports-76805927
Crossland Advisors provides IT risk and control services to a number of industries, including:
• Manufacturing
• Pharmaceuticals
• Healthcare
• Financial Services
• Insurance
• Government
• Retail
• Utilities
Our extensive experience allows us to develop real world solutions to complex challenges. We
use a process-focused risk-based approach and are able to relate leading practices and
improvements to understand, anticipate and address a wide variety of information system risk
and process issues.
Crossland Advisors is ready to work with you to satisfy your IT risk and control needs.