Concerned About Vendor Management 10 30 12

2. Awarding CPE for this session
In general: Respond to all polling questions. Group participation will not receive CPE.
The rule: Respond to at least 75% of the polling questions to pass with full credit. You have to be logged in individually to receive credit.
If you experience any technical difficulties,
please contact 888.228.0988 or support@learnlive.com
© Grant Thornton LLP. All rights reserved. 2
3. Addressing your questions
through Q&A
4. Other helpful features you
can use
Be sure to shut down all other applications to allow
more Internet bandwidth.
5. Disclaimer
This Grant Thornton LLP presentation is not a comprehensive analysis of the
subject matters covered and may include proposed guidance that is subject to change
before it is issued in final form. All relevant facts and circumstances, including the
pertinent authoritative literature, need to be considered to arrive at conclusions that
comply with matters addressed in this presentation. The views and interpretations
expressed in the presentation are those of the presenters and the presentation is not
intended to provide accounting or other advice or guidance with respect to the
matters covered.
For additional information on matters covered in this presentation, contact your
Grant Thornton LLP adviser.
6. About TechAmerica
TechAmerica is the leading voice for the U.S. technology industry – the driving force
behind productivity growth and jobs creation in the United States and the foundation
of the global innovation economy. Representing approximately 1,000 member
companies of all sizes from the public and commercial sectors of the economy, it is
the industry’s largest advocacy organization and is dedicated to helping members’ top
and bottom lines. TechAmerica is also the technology industry's only grassroots-to-
global advocacy network, with offices in state capitals around the United
States, Washington, D.C., Europe (Brussels) and Asia (Beijing). Learn more about
TechAmerica at www.techamerica.org.
7. WEBCAST PRESENTERS
Warren W. Stippich Jr.
Partner and National Governance, Risk and Compliance Solution Leader, Advisory Services

Kirt Seale
Principal, National Special Attestation Reports Leader, Advisory Services
8. LEARNING
OBJECTIVES
• Identify a framework for
assessing third-party risk
• Examine the roles and
responsibilities of risk
management in finance,
legal, procurement and
business operations areas
• Understand tools that can be
used to provide comfort that
proper controls are in place
9. REAL RISK
REAL IMPACT
Huawei Threat: Real or Overblown?
Jail, Hard Lessons in
Cisco Gear Resale Scam
BlackBerry service goes down in
Europe, Middle East, Africa
GoDaddy goes down and hacker
takes credit
10. POLLING QUESTION #1
Has your company put a program in place to manage
third party risk?
A: Yes
B: No
11. DEFINING
THIRD PARTIES
• Businesses that are not under direct business
control of the organization that engages them
• Third parties may include:
• Vendors
• Distributors
• Suppliers
• Franchisees/licensees
• Joint venture or alliance partners
• Technology outsourcing providers
12. WHY IS THIRD PARTY
RISK IMPORTANT?
Third party risk touches every risk domain:
• Reputational
• Compliance
• Regulatory
• Financial
• Strategic
• Operational
13. SECTORS WITH
HIGHER RISK
Technology providers
• Data centers
• Companies hosting IT applications
• Third party logistics companies
• Cloud or Software as a Service providers
• Telecom providers
• Any outsourcing company that manages information on behalf of others

Relevant industries
• Government
• Health care
• Banking
• Investment/fund managers
• Payroll management companies
• Financial Services
14. POLLING QUESTION #2
Which type of company presents heightened risk when
in a vendor relationship?
A: Data centers
B: Third party logistics companies
C: Software as a service companies
D: A and C
E: All of the above
15. RESPONSIBILITY FOR
THIRD PARTY RISK
MANAGEMENT
A vendor oversight function, supported by:
• Compliance
• Finance
• Legal
• Procurement
• Business operations/IT
• Internal audit
16. DEFINING THE THIRD
PARTY UNIVERSE
• Analyze comprehensive vendor listing (A/P master file, legal,
procurement)
• Exclude the following:
– Maintenance, repair, operations vendors
– Providers of raw materials or finished goods
• Confer with in-house legal resources
– Additional source of data
– Contractual details will be helpful
• Consider other departments that may need to be consulted
17. WHERE DO YOU BEGIN
PROJECT OBJECTIVE
• Risk Assessment & Appeals Processes
– Customize the vendor due diligence process to the company's specific risks
– Assign rule-based point values to each risk factor
– The cumulative score dictates the level of additional investigation, if any is required
18. POLLING QUESTION #3
A third party risk assessment should be part of an
enterprise risk management program.
A: True
B: False
19. FACTORS TO CONSIDER
WHEN ASSESSING RISK
Risk Domain Assessment Factors
Strategic • Level of importance of vendor to
corporate operations
Reputational • Magnitude of potential loss if there
are problems with the vendor
relationship
Regulatory • Level of vendor
oversight/monitoring
• Reporting required by outside
regulatory body
20. FACTORS TO CONSIDER
WHEN ASSESSING RISK
Risk Domain Assessment Factors
Operational • Type of vendor – nature of
products/services provided
• Frequency of communication with
vendor
Financial • Annual spend with vendor
Compliance • Current safeguards or controls
designed to ensure compliance with
relevant regulations
• Availability of audit reports or
existence of "right to audit" clause
21. EXAMPLE OF HOW TO
DEFINE THE RISK
UNIVERSE
Columns: Vendor name | Vendor type | Nature of service being provided | Contractual details | Geographical/global consideration | Applicable regulatory requirements (e.g., HIPAA, FCPA) | Primary relationship owner within organization (e.g., IT, finance, marketing) | Provides an audit report such as SOC 1 | Right to audit clause

ABC Payroll
• Vendor type: Payroll provider
• Nature of service: Payroll processor
• Contractual details: Five-year agreement approved by Legal department
• Geographical/global consideration: Payroll processed in Kansas City, Kan.
• Applicable regulatory requirements: IRS, Department of Labor
• Primary relationship owner: Bob Peoples, Human Resources
• Provides an audit report: Yes, SOC 1
• Right to audit clause: No

IT Help Support
• Vendor type: Help Desk contractors
• Nature of service: IT support
• Contractual details: One-year auto-renewing contract
• Geographical/global consideration: Local to each company site and headquarters
• Applicable regulatory requirements: N/A
• Primary relationship owner: Martin Technology, CIO
• Provides an audit report: No
• Right to audit clause: No

Quick Print
• Vendor type: Printing/Mail service provider
• Nature of service: Prints/mails invoices and marketing materials
• Contractual details: Six-year agreement, approved by Legal department
• Geographical/global consideration: Local to headquarters
• Applicable regulatory requirements: N/A
• Primary relationship owner: Sally Accountant, CFO
• Provides an audit report: No
• Right to audit clause: No

Source: Grant Thornton LLP
22. WEIGHTING RISK
FACTORS
Rating is from low (1) to high (5).

Vendor      | Data | FinLoss | RepLoss | OpLoss | Freq | Expense | FinRisk | OpRisk | StratRisk
ABC Payroll | 3    | 1       | 1       | 5      | 5    | 4       | 3       | 5      | 2
IT Help     | 3    | 1       | 1       | 3      | 5    | 2       | 1       | 4      | 1
Quick Print | 2    | 1       | 4       | 2      | 4    | 1       | 1       | 1      | 1

Column key:
• Data: Significance of the data handled by the vendor
• FinLoss: Potential magnitude of a financial loss
• RepLoss: Potential magnitude of a reputational loss
• OpLoss: Potential magnitude of an operational loss
• Freq: The frequency of interaction
• Expense: Expense of the vendor in relation to the income of the business unit supporting it
• FinRisk: Significance of financial risk
• OpRisk: Significance of operational risk
• StratRisk: Significance of strategic risk

Source: Grant Thornton LLP
23. NEEDS ANALYSIS
APPROACH
Needs analysis: high, medium or low-risk areas are determined based on
the following risk factors
- Strategic Importance
- Business Operations Risk
- Legal/Regulatory Compliance
- System Reliance and Capability
- Fraud Risk
- External Factors
- Human Capital Risk
- Financial Impact
- Market Impact
- Reputation Impact
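The rule-based scoring outlined on slide 17 (point values assigned per factor, cumulative score dictating the level of additional investigation), applied to the vendors of slide 21, the 1-5 ratings of slide 22 and the high/medium/low tiers of slide 23. This is an added Python example, not code from the deck and not Grant Thornton's methodology. The ratings and the audit-report / right-to-audit facts are taken from the slides; the weights, the tier cut-offs and the mapping from tier to follow-up activity are assumptions chosen for the illustration.

```python
"""Rule-based third-party risk scoring, in the spirit of slides 17, 22 and 23.

Added example, not Grant Thornton's own tool. The nine 1-5 ratings per
vendor are copied from the weighting table on slide 22; the weights, the
tier cut-offs and the tier-to-follow-up mapping are assumptions made for
this illustration.
"""
from dataclasses import dataclass

# Rating dimensions, in the column order of the slide 22 table.
DIMENSIONS = (
    "data_significance",      # significance of the data handled by the vendor
    "financial_loss",         # potential magnitude of a financial loss
    "reputational_loss",      # potential magnitude of a reputational loss
    "operational_loss",       # potential magnitude of an operational loss
    "interaction_frequency",  # frequency of interaction
    "relative_expense",       # vendor expense relative to the business unit's income
    "financial_risk",         # significance of financial risk
    "operational_risk",       # significance of operational risk
    "strategic_risk",         # significance of strategic risk
)

# Assumed weights: data sensitivity and the three loss magnitudes count
# double, the remaining factors count once. Maximum possible score is 65.
WEIGHTS = {d: (2 if d in ("data_significance", "financial_loss",
                          "reputational_loss", "operational_loss") else 1)
           for d in DIMENSIONS}
MAX_SCORE = 5 * sum(WEIGHTS.values())

# Assumed cumulative-score cut-offs that decide the tier.
HIGH_CUTOFF = 36
MEDIUM_CUTOFF = 28

# Follow-up per tier, chosen from the mitigation techniques on slide 24.
FOLLOW_UP = {
    "high": ["attestation report review", "site visit", "transaction monitoring"],
    "medium": ["questionnaire", "independent review"],
    "low": ["questionnaire at contract renewal"],
}


@dataclass
class Vendor:
    name: str
    ratings: dict                 # dimension name -> rating 1..5
    provides_audit_report: bool   # e.g. a SOC 1 report is available
    right_to_audit: bool          # contract contains a right-to-audit clause


def ratings_from_row(row):
    """Turn a row of nine 1..5 ratings (slide 22 order) into a dict, validating the range."""
    if len(row) != len(DIMENSIONS):
        raise ValueError(f"expected {len(DIMENSIONS)} ratings, got {len(row)}")
    for r in row:
        if not 1 <= r <= 5:
            raise ValueError(f"rating {r} outside 1..5")
    return dict(zip(DIMENSIONS, row))


def weighted_score(ratings):
    """Cumulative score: sum of weight * rating over all dimensions."""
    return sum(WEIGHTS[d] * ratings[d] for d in DIMENSIONS)


def tier(score):
    """Map a cumulative score onto the high/medium/low tiers of slide 23."""
    if score >= HIGH_CUTOFF:
        return "high"
    if score >= MEDIUM_CUTOFF:
        return "medium"
    return "low"


def assess(vendor):
    """Score a vendor, assign its tier and derive the additional investigation it needs."""
    score = weighted_score(vendor.ratings)
    t = tier(score)
    actions = list(FOLLOW_UP[t])
    flags = []
    # Slide 20 treats an audit report or a right-to-audit clause as the compliance
    # safeguard; a high- or medium-risk vendor with neither needs contract attention.
    if t != "low" and not (vendor.provides_audit_report or vendor.right_to_audit):
        flags.append("no audit report and no right-to-audit clause")
        actions.append("contract renegotiation")
    return {"name": vendor.name, "score": score, "tier": t,
            "actions": actions, "flags": flags}


# The three vendors from slides 21 and 22 (ratings and audit facts as shown there).
VENDORS = [
    Vendor("ABC Payroll", ratings_from_row((3, 1, 1, 5, 5, 4, 3, 5, 2)), True, False),
    Vendor("IT Help", ratings_from_row((3, 1, 1, 3, 5, 2, 1, 4, 1)), False, False),
    Vendor("Quick Print", ratings_from_row((2, 1, 4, 2, 4, 1, 1, 1, 1)), False, False),
]

if __name__ == "__main__":
    for v in VENDORS:
        r = assess(v)
        print(f"{r['name']:<12} score={r['score']:>2}/{MAX_SCORE} tier={r['tier']:<6} "
              f"actions={r['actions']} flags={r['flags']}")
```

With the assumed weights ABC Payroll scores 39 (high), IT Help 29 (medium) and Quick Print 26 (low); IT Help is additionally flagged because it has neither an audit report nor a right-to-audit clause. The cut-offs are deliberately simple constants so that the appeals process on slide 17 has something explicit to argue against; a real program would calibrate them against its own vendor universe.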
24. RISK MITIGATION
TECHNIQUES
• Transaction monitoring
• Increased data analysis and reporting
• Contract renegotiation
• Independent reviews
• Audits
• Site visits
• Questionnaire
25. USE OF ATTESTATION
REPORTS
SOC 1
• Provides a vehicle for reporting on a service organization's system of internal control relevant to a user organization's internal control over financial reporting.
• Intended as auditor-to-auditor communication, with specific content dependent on the service organization's system.

SOC 2
• Addresses controls pertinent to the Trust Services Principles of security, availability, processing integrity, confidentiality and privacy.
• Includes many of the same elements as a SOC 1 report.
• Principles and criteria developed by the AICPA and the Canadian Institute of Chartered Accountants.

AT 101
• Allows service organizations to provide user organizations and other stakeholders with a tailored report on controls that are relevant to the services.
• Highly flexible and can be leveraged for multiple industry standards (e.g., NIST, ISO).
26. POLLING QUESTION #4
My company uses SOC reports when working with our
vendors and customers.
A: Always
B: Often
C: Infrequently
D: We have used SOC reports
E: Not sure
27. A FEW THINGS TO
NOTE ABOUT SOC
REPORTS
Consider the following when reviewing a SOC report:
• Time period covered
• Handling of subservice providers (carve-out vs. inclusive)
• In-scope and out-of-scope locations
• Construction of control objective and control activities
• Sampling and testing methodology
• Exceptions noted and management response
28. ADDING VALUE
CASE STUDY
Issue
• A Fortune 500 Corporation experienced issues related to a third party that resulted in self-disclosure of an issue
• The Company required a way to mitigate against future issues with vendors and third parties
Response
• Grant Thornton created and managed a new process to onboard and assess the compliance-related risk
associated with newly identified third parties and business partners
• The team also worked to extract "legacy" third party relationships from a large number of Enterprise Resource
Planning (ERP) systems in order to capture, process and investigate them
• Grant Thornton was also involved in the creation of supplemental qualification requirements for certain
third party relationships as well as the development of a technology solution to evaluate new relationships.
Benefits Achieved
• The results of this project included:
– Standardized the review and acceptance of a new third party business relationship
– Insight and seamless transparency into the third party relationships retained that would otherwise be
unseen
– Validation of the creation of a new customer master or vendor master file within the Client’s local ERP
system.
– More efficient process of creating valid agreements helping to further protect the Client from any
unforeseen risks
29. KEY TAKEAWAYS
• Understand and evaluate your third party
relationships
• Know your risks
• Take reasonable steps toward risk mitigation
31. KEEPING THIRD-PARTY
RISK IN CHECK
This white paper addresses the process of information gathering, assessing and
assigning risk ratings, and mitigating the high-risk relationships. Learn how
using Service Organization Control reports can help manage third-party risk in
our illustrative case study.

You will receive a downloadable copy of the paper in the follow-up email from
Grant Thornton LLP.
32. FOR MORE
INFORMATION,
CONTACT:
Warren Stippich
Partner, National Governance, Risk and Compliance Leader
Advisory Services
T 312.602.8499
E warren.stippich@us.gt.com
Kirt Seale
Principal, National Special Attestation Reports Leader
Advisory Services
T 214.561.2367
E kirt.seale@us.gt.com
33. THANK YOU FOR
ATTENDING
To retrieve your CPE certificate:
• Respond to online evaluation form
• Print your CPE Certificate from the CPE confirmation email or
participation tab
*Note: Group participation will not receive CPE
• Download today’s slides as a reference resource
34. Thank you for attending.
Visit us online at:
www.GrantThornton.com
twitter.com/GrantThorntonUS
linkd.in/GrantThorntonUS
For questions regarding your CPE certificate, contact
Learnlive at 888.228.0988.