CONCERNED ABOUT
VENDOR
MANAGEMENT?
Understanding third-party risk for
technology companies
October 30, 2012
1-2 p.m. CT



 © 2011 Grant Thornton LLP. All rights reserved.   1
Awarding CPE for this session

 In general:
 • Respond to all polling questions
 • Group participation will not receive CPE

 The rule:
 • Respond to at least 75% of the polling questions to pass with full credit
 • You have to be logged in individually to receive credit




                                    If you experience any technical difficulties,
                   please contact 888.228.0988 or support@learnlive.com
Addressing your questions
through Q&A
Step 1




Step 2




Other helpful features you
can use




                       Be sure to shut down all other applications to allow
                       more Internet bandwidth.




Disclaimer

This Grant Thornton LLP presentation is not a comprehensive analysis of the
subject matters covered and may include proposed guidance that is subject to change
before it is issued in final form. All relevant facts and circumstances, including the
pertinent authoritative literature, need to be considered to arrive at conclusions that
comply with matters addressed in this presentation. The views and interpretations
expressed in the presentation are those of the presenters and the presentation is not
intended to provide accounting or other advice or guidance with respect to the
matters covered.

For additional information on matters covered in this presentation, contact your
Grant Thornton LLP adviser.


About TechAmerica
TechAmerica is the leading voice for the U.S. technology industry – the driving force behind productivity growth and jobs creation in the United States and the foundation of the global innovation economy. Representing approximately 1,000 member companies of all sizes from the public and commercial sectors of the economy, it is the industry’s largest advocacy organization and is dedicated to helping members’ top and bottom lines. TechAmerica is also the technology industry's only grassroots-to-global advocacy network, with offices in state capitals around the United States, Washington, D.C., Europe (Brussels) and Asia (Beijing). Learn more about TechAmerica at www.techamerica.org.




WEBCAST PRESENTERS




Warren W. Stippich Jr., Partner and National Governance, Risk and Compliance Solution Leader, Advisory Services
Kirt Seale, Principal, National Special Attestation Reports Leader, Advisory Services
LEARNING
   OBJECTIVES
    • Identify a framework for
      assessing third-party risk

    • Examine the roles and
      responsibilities of risk
      management in finance,
      legal, procurement and
      business operations areas

    • Understand tools that can be
      used to provide comfort that
      proper controls are in place

REAL RISK
REAL IMPACT
   Huawei Threat: Real or Overblown?
   Jail, Hard Lessons in Cisco Gear Resale Scam
   BlackBerry service goes down in Europe, Middle East, Africa
   GoDaddy goes down and hacker takes credit
POLLING QUESTION #1
     Has your company put a program in place to manage
     third party risk?


     A: Yes
     B: No




DEFINING
THIRD PARTIES
     • Businesses that are not under direct business
       control of the organization that engages them

     • Third parties may include:
        • Vendors
        • Distributors
        • Suppliers
        • Franchisees/licensees
        • Joint venture or alliance partners
        • Technology outsourcing providers



WHY IS THIRD PARTY
RISK IMPORTANT?
     • Reputational
     • Compliance
     • Regulatory
     • Financial
     • Strategic
     • Operational


SECTORS WITH
HIGHER RISK
       Technology providers
   •   Data centers
   •   Companies hosting IT applications
   •   Third party logistics companies
   •   Cloud or Software as a Service providers
   •   Telecom providers
   •   Any outsourcing company that manages information on behalf of others

       Relevant industries
   •   Government
   •   Health care
   •   Banking
   •   Investment/fund managers
   •   Payroll management companies
   •   Financial Services


POLLING QUESTION #2
     Which type of company presents heightened risk when
     in a vendor relationship?

     A:      Data centers
     B:      Third party logistics companies
     C:      Software as a service companies
     D:      A and C
     E:      All of the above




RESPONSIBILITY FOR
THIRD PARTY RISK
MANAGEMENT
     Vendor Oversight Function (at the center), shared across:
     • Compliance
     • Finance
     • Legal
     • Procurement
     • Business operations/IT
     • Internal audit
DEFINING THE THIRD
PARTY UNIVERSE
• Analyze comprehensive vendor listing (A/P master file, legal,
  procurement)
• Exclude the following:
  – Maintenance, repair, operations vendors
  – Providers of raw materials or finished goods
• Confer with in-house legal resources
  – Additional source of data
  – Contractual details will be helpful
• Consider other departments that may need to be consulted




WHERE DO YOU BEGIN
PROJECT OBJECTIVE
• Risk Assessment & Appeals Processes
  – Customize the vendor due diligence process depending on the company’s
     specific risks
  – Rule-based point values assigned to each risk factor
  – Cumulative score will dictate the level of additional investigation, if any is required




POLLING QUESTION #3
     A third party risk assessment should be part of an
     enterprise risk management program.

     A: True
     B: False




FACTORS TO CONSIDER
WHEN ASSESSING RISK
 Risk Domain      Assessment Factors
 Strategic        • Level of importance of vendor to corporate operations
 Reputational     • Magnitude of potential loss if there are problems with the vendor relationship
 Regulatory       • Level of vendor oversight/monitoring
                  • Reporting required by outside regulatory body



FACTORS TO CONSIDER
WHEN ASSESSING RISK
 Risk Domain      Assessment Factors
 Operational      • Type of vendor – nature of products/services provided
                  • Frequency of communication with vendor
 Financial        • Annual spend with vendor
 Compliance       • Current safeguards or controls designed to ensure compliance with relevant regulations
                  • Availability of audit reports or existence of "right to audit" clause
EXAMPLE OF HOW TO
DEFINE THE RISK
UNIVERSE
Columns recorded for each vendor: Vendor Name; Vendor Type; Nature of service being provided; Contractual details; Geographical/global considerations; Applicable regulatory requirements (e.g., HIPAA, FCPA); Primary relationship owner within organization (e.g., IT, finance, marketing); Provides an audit report such as SOC 1; Right to audit clause.

ABC Payroll
  Vendor Type: Payroll provider
  Nature of service being provided: Payroll processor
  Contractual details: Five-year agreement approved by Legal department
  Geographical/global considerations: Payroll processed in Kansas City, Kan.
  Applicable regulatory requirements: IRS, Department of Labor
  Primary relationship owner: Bob Peoples, Human Resources
  Provides an audit report: Yes, SOC 1
  Right to audit clause: No

IT Help
  Vendor Type: Help Desk Support
  Nature of service being provided: IT support contractors
  Contractual details: One-year auto-renewing contract
  Geographical/global considerations: Local to each company site and headquarters
  Applicable regulatory requirements: N/A
  Primary relationship owner: Martin Technology, CIO
  Provides an audit report: No
  Right to audit clause: No

Quick Print
  Vendor Type: Printing/Mail service provider
  Nature of service being provided: Prints/mails invoices and marketing materials
  Contractual details: Six-year agreement, approved by Legal department
  Geographical/global considerations: Local to headquarters
  Applicable regulatory requirements: N/A
  Primary relationship owner: Sally Accountant, CFO
  Provides an audit report: No
  Right to audit clause: No

 Source: Grant Thornton LLP
WEIGHTING RISK
 FACTORS
  Risk factors (each rated from low (1) to high (5)):
  F1  Significance of the data handled by the vendor
  F2  Potential magnitude of a financial loss
  F3  Potential magnitude of a reputational loss
  F4  Potential magnitude of an operational loss
  F5  The frequency of interaction
  F6  Expense of the vendor in relation to the income of the business unit supporting it
  F7  Significance of financial risk
  F8  Significance of operational risk
  F9  Significance of strategic risk

  Vendor         F1   F2   F3   F4   F5   F6   F7   F8   F9
  ABC Payroll     3    1    1    5    5    4    3    5    2
  IT Help         3    1    1    3    5    2    1    4    1
  Quick Print     2    1    4    2    4    1    1    1    1

Rating is from low (1) to high (5). Source: Grant Thornton LLP
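The rule-based scoring the deck describes (point values per factor, a cumulative score per vendor, and that score dictating the level of additional investigation), worked through in code. This is an added example, not Grant Thornton's tooling or anything from the slides: the nine factors, the three sample vendors and their ratings come from the weighting table and the risk-universe example above, while the equal weights, the tier thresholds and the mapping from tier to mitigation technique are this example's assumptions.

```python
"""Rule-based third-party risk scoring modelled on the webcast's approach."""
from dataclasses import dataclass

# The nine factors from the "Weighting risk factors" slide, in slide order.
FACTORS = (
    "data_significance",       # significance of the data handled by the vendor
    "financial_loss",          # potential magnitude of a financial loss
    "reputational_loss",       # potential magnitude of a reputational loss
    "operational_loss",        # potential magnitude of an operational loss
    "interaction_frequency",   # frequency of interaction with the vendor
    "spend_vs_bu_income",      # vendor expense relative to business unit income
    "financial_risk",          # significance of financial risk
    "operational_risk",        # significance of operational risk
    "strategic_risk",          # significance of strategic risk
)

# Equal weights by default; a company tunes these to its own specific risks.
# Assumption: the slides do not publish any particular weighting.
DEFAULT_WEIGHTS = {f: 1.0 for f in FACTORS}

# Tier floors on the cumulative score (assumed for this example). With equal
# weights the score ranges from 9 (all factors rated 1) to 45 (all rated 5).
TIER_FLOORS = (("high", 27), ("medium", 18), ("low", 0))


@dataclass(frozen=True)
class Vendor:
    name: str
    ratings: dict                 # factor name -> rating 1..5
    provides_audit_report: bool   # e.g. a SOC 1 report (risk-universe column)
    right_to_audit: bool          # contractual "right to audit" clause


def validate_ratings(ratings):
    """Reject incomplete or out-of-range ratings before they are summed."""
    missing = set(FACTORS) - set(ratings)
    if missing:
        raise ValueError(f"missing factor ratings: {sorted(missing)}")
    for f in FACTORS:
        r = ratings[f]
        if not isinstance(r, int) or not 1 <= r <= 5:
            raise ValueError(f"{f}: rating must be an integer 1..5, got {r!r}")


def cumulative_score(ratings, weights=DEFAULT_WEIGHTS):
    validate_ratings(ratings)
    return sum(weights[f] * ratings[f] for f in FACTORS)


def tier(score):
    for name, floor in TIER_FLOORS:
        if score >= floor:
            return name
    return "low"


def additional_investigation(vendor, weights=DEFAULT_WEIGHTS):
    """Return (score, tier, mitigation steps) for one vendor. The steps are
    drawn from the deck's risk mitigation techniques and attestation-report
    slides; which step applies to which tier is this example's assumption."""
    score = cumulative_score(vendor.ratings, weights)
    level = tier(score)
    steps = []
    if level == "high":
        if vendor.provides_audit_report:
            steps.append("review attestation report: period, carve-outs, exceptions")
        else:
            steps += ["independent review or audit", "site visit"]
        if not vendor.right_to_audit:
            steps.append("contract renegotiation: add right-to-audit clause")
        steps.append("transaction monitoring")
    elif level == "medium":
        steps.append("questionnaire")
        if not vendor.provides_audit_report:
            steps.append("request an attestation report (SOC 1/SOC 2)")
    return score, level, steps


def score_universe(vendors, weights=DEFAULT_WEIGHTS):
    """Score every vendor in the third-party universe, highest risk first."""
    results = {v.name: additional_investigation(v, weights) for v in vendors}
    return dict(sorted(results.items(), key=lambda kv: -kv[1][0]))


def ratings_from(*values):
    return dict(zip(FACTORS, values))


# The three sample vendors from the slides, with the slide's ratings and the
# audit-report / right-to-audit columns from the risk-universe example.
SAMPLE_VENDORS = (
    Vendor("ABC Payroll", ratings_from(3, 1, 1, 5, 5, 4, 3, 5, 2), True, False),
    Vendor("IT Help", ratings_from(3, 1, 1, 3, 5, 2, 1, 4, 1), False, False),
    Vendor("Quick Print", ratings_from(2, 1, 4, 2, 4, 1, 1, 1, 1), False, False),
)

if __name__ == "__main__":
    for name, (score, level, steps) in score_universe(SAMPLE_VENDORS).items():
        print(f"{name:12} score={score:4.0f} tier={level:6} steps={steps}")
```

With the slide's ratings and equal weights the cumulative scores are 29, 21 and 17, so ABC Payroll lands in the high tier and, having no right-to-audit clause, is flagged for contract renegotiation as well as review of its SOC 1 report.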
NEEDS ANALYSIS
APPROACH

Needs analysis: high, medium or low-risk areas are determined based on the following Risk Factors

   -   Strategic Importance
   -   Business Operations Risk
   -   Legal/Regulatory Compliance
   -   System Reliance and Capability
   -   Fraud Risk
   -   External Factors
   -   Human Capital Risk
   -   Financial Impact
   -   Market Impact
   -   Reputation Impact




RISK MITIGATION
TECHNIQUES
•     Transaction monitoring
•     Increased data analysis and reporting
•     Contract renegotiation
•     Independent reviews
•     Audits
•     Site visits
•     Questionnaire




USE OF ATTESTATION
REPORTS
SOC 1
• provides a vehicle for reporting on a service organization’s system of internal control relevant to a user organization’s internal control over financial reporting.
• intended as auditor-to-auditor communication, with specific content dependent on the service organization’s system.

SOC 2
• addresses controls pertinent to the Trust Services Principles of security, availability, processing integrity, confidentiality and privacy.
• includes many of the same elements as a SOC 1 report.
• principles and criteria developed by the AICPA and the Canadian Institute of Chartered Accountants.

AT 101
• allows service organizations to provide user organizations and other stakeholders with a tailored report on controls that are relevant to the services.
• highly flexible and can be leveraged for multiple industry standards (e.g., NIST, ISO).

POLLING QUESTION #4
     My company uses SOC reports when working with our
     vendors and customers.

     A:      Always
     B:      Often
     C:      Infrequently
     D:      We have used SOC reports
     E:      Not sure




A FEW THINGS TO
NOTE ABOUT SOC
REPORTS
Consider the following when reviewing a SOC report:

•     Time period covered
•     Handling of subservice providers (carve-out vs. inclusive)
•     In-scope and out-of-scope locations
•     Construction of control objective and control activities
•     Sampling and testing methodology
•     Exceptions noted and management response




ADDING VALUE
CASE STUDY
   Issue
   •   A Fortune 500 Corporation experienced issues related to a third party that resulted in self-disclosure of an
       issue
   •   Company required a way to mitigate against future issues with vendors and third parties
   Response
   •   Grant Thornton created and managed a new process to onboard and assess the compliance-related risk
       associated with newly identified third parties and business partners
   •   Team also worked to extract "legacy" third party relationships from a large number of Enterprise Resource
       Planning (ERP) systems, to capture, process and investigate
   •   Grant Thornton was also involved in the creation of supplemental qualification requirements for certain
       third party relationships, as well as development of a technology solution to evaluate new relationships.
   Benefits Achieved
   •   The results of this project included:
         – Standardized the review and acceptance of a new third party business relationship
         – Insight and seamless transparency into the third party relationships retained that would otherwise be
             unseen
         – Validation of the creation of a new customer master or vendor master file within the Client’s local ERP
             system.
         – More efficient process of creating valid agreements helping to further protect the Client from any
             unforeseen risks
KEY TAKEAWAYS

   • Understand and evaluate your third party
     relationships

   • Know your risks

   • Take reasonable steps toward risk mitigation




QUESTIONS




KEEPING THIRD-PARTY
RISK IN CHECK
This white paper addresses the process of information gathering, assessing and assigning risk ratings, and mitigating the high-risk relationships. Learn how using Service Organization Control reports can help manage third-party risk in our illustrative case study.

You will receive a downloadable copy of the paper in the follow-up email from Grant Thornton LLP.




FOR MORE
INFORMATION,
CONTACT:
Warren Stippich
Partner, National Governance, Risk and Compliance Leader
Advisory Services
T 312.602.8499
E warren.stippich@us.gt.com

Kirt Seale
Principal, National Special Attestation Reports Leader
Advisory Services
T 214.561.2367
E kirt.seale@us.gt.com

THANK YOU FOR
ATTENDING




                 To retrieve your CPE certificate:
                 • Respond to online evaluation form
                 • Print your CPE Certificate from the CPE confirmation email or
                   participation tab
                   *Note: Group participation will not receive CPE
                 • Download today’s slides as a reference resource

Thank you for attending.

Visit us online at:

www.GrantThornton.com

twitter.com/GrantThorntonUS

linkd.in/GrantThorntonUS

For questions regarding your CPE certificate, contact
Learnlive at 888.228.0988.

More Related Content

What's hot

Proposed Mortgage Reform
Proposed Mortgage ReformProposed Mortgage Reform
Proposed Mortgage Reform
NJordan97
 
External Meeting for Proposed Rule 79 FR 59898 (May 12, 2015 with William J. ...
External Meeting for Proposed Rule 79 FR 59898 (May 12, 2015 with William J. ...External Meeting for Proposed Rule 79 FR 59898 (May 12, 2015 with William J. ...
External Meeting for Proposed Rule 79 FR 59898 (May 12, 2015 with William J. ...
William J. Harrington
 
2015 EastPay Info Exchange - Best Supporting Actor is Vendor Management
2015 EastPay Info Exchange - Best Supporting Actor is Vendor Management2015 EastPay Info Exchange - Best Supporting Actor is Vendor Management
2015 EastPay Info Exchange - Best Supporting Actor is Vendor Management
Brent Siegel
 
Eversheds Report - Streamlining for success: M&A Divestment and Separation Tr...
Eversheds Report - Streamlining for success: M&A Divestment and Separation Tr...Eversheds Report - Streamlining for success: M&A Divestment and Separation Tr...
Eversheds Report - Streamlining for success: M&A Divestment and Separation Tr...
Rafal Wasyluk
 

What's hot (19)

Proposed Mortgage Reform
Proposed Mortgage ReformProposed Mortgage Reform
Proposed Mortgage Reform
 
Being a Banker Today: The Changing Role of the Underwriter
Being a Banker Today: The Changing Role of the UnderwriterBeing a Banker Today: The Changing Role of the Underwriter
Being a Banker Today: The Changing Role of the Underwriter
 
3 Things You Should Know about Appraisals
3 Things You Should Know about Appraisals3 Things You Should Know about Appraisals
3 Things You Should Know about Appraisals
 
New York vs. E&Y
New York vs. E&YNew York vs. E&Y
New York vs. E&Y
 
The Role of the Chief Risk Officer Why You are the Most Important Person in Y...
The Role of the Chief Risk Officer Why You are the Most Important Person in Y...The Role of the Chief Risk Officer Why You are the Most Important Person in Y...
The Role of the Chief Risk Officer Why You are the Most Important Person in Y...
 
Managing Your Real Estate Portfolio
Managing Your Real Estate PortfolioManaging Your Real Estate Portfolio
Managing Your Real Estate Portfolio
 
TPRM Made Easy - 4 Dimension TPRM Framework
TPRM Made Easy - 4 Dimension TPRM FrameworkTPRM Made Easy - 4 Dimension TPRM Framework
TPRM Made Easy - 4 Dimension TPRM Framework
 
Retail Distribution Review: Preparing Insurance IT for Compliance and Strateg...
Retail Distribution Review: Preparing Insurance IT for Compliance and Strateg...Retail Distribution Review: Preparing Insurance IT for Compliance and Strateg...
Retail Distribution Review: Preparing Insurance IT for Compliance and Strateg...
 
ERM: DIFFERENCES BETWEEN SECTORS
ERM: DIFFERENCES BETWEEN SECTORSERM: DIFFERENCES BETWEEN SECTORS
ERM: DIFFERENCES BETWEEN SECTORS
 
Negotiation Strategies: Using Game Theory and Decision Tree Analysis to Deter...
Negotiation Strategies: Using Game Theory and Decision Tree Analysis to Deter...Negotiation Strategies: Using Game Theory and Decision Tree Analysis to Deter...
Negotiation Strategies: Using Game Theory and Decision Tree Analysis to Deter...
 
Quantifi newsletter Insight july 2015
Quantifi newsletter Insight july 2015Quantifi newsletter Insight july 2015
Quantifi newsletter Insight july 2015
 
The Big Picture: Beyond Compliance To Risk Management
The Big Picture: Beyond Compliance To Risk ManagementThe Big Picture: Beyond Compliance To Risk Management
The Big Picture: Beyond Compliance To Risk Management
 
External Meeting for Proposed Rule 79 FR 59898 (May 12, 2015 with William J. ...
External Meeting for Proposed Rule 79 FR 59898 (May 12, 2015 with William J. ...External Meeting for Proposed Rule 79 FR 59898 (May 12, 2015 with William J. ...
External Meeting for Proposed Rule 79 FR 59898 (May 12, 2015 with William J. ...
 
How We Got Here
How We Got HereHow We Got Here
How We Got Here
 
2015 EastPay Info Exchange - Best Supporting Actor is Vendor Management
2015 EastPay Info Exchange - Best Supporting Actor is Vendor Management2015 EastPay Info Exchange - Best Supporting Actor is Vendor Management
2015 EastPay Info Exchange - Best Supporting Actor is Vendor Management
 
Defensive Patent Acquisition Case Study
Defensive Patent Acquisition Case StudyDefensive Patent Acquisition Case Study
Defensive Patent Acquisition Case Study
 
InSight Issue 12
InSight Issue 12InSight Issue 12
InSight Issue 12
 
Mock Exam D.pdf
Mock Exam D.pdfMock Exam D.pdf
Mock Exam D.pdf
 
Eversheds Report - Streamlining for success: M&A Divestment and Separation Tr...
Eversheds Report - Streamlining for success: M&A Divestment and Separation Tr...Eversheds Report - Streamlining for success: M&A Divestment and Separation Tr...
Eversheds Report - Streamlining for success: M&A Divestment and Separation Tr...
 

Similar to Concerned About Vendor Management 10 30 12

Applying risk management_to_your_business_continuity_management_efforts
Applying risk management_to_your_business_continuity_management_effortsApplying risk management_to_your_business_continuity_management_efforts
Applying risk management_to_your_business_continuity_management_efforts
Subhajit Bhuiya
 
Why_Telecom_Consulting_Presentation
Why_Telecom_Consulting_PresentationWhy_Telecom_Consulting_Presentation
Why_Telecom_Consulting_Presentation
Jerry Pollio
 
Evaluating Vendor Risks - slides
Evaluating Vendor Risks - slidesEvaluating Vendor Risks - slides
Evaluating Vendor Risks - slides
ISACA New England
 
Fighting corruption in the supply chain
Fighting corruption in the supply chainFighting corruption in the supply chain
Fighting corruption in the supply chain
LexisNexisDiligence
 
Fighting Corruption in the Supply Chain
Fighting Corruption in the Supply ChainFighting Corruption in the Supply Chain
Fighting Corruption in the Supply Chain
LexisNexisRiskUK
 
Vendor Management Best Practices: Is Your Program Up to Par?
Vendor Management Best Practices: Is Your Program Up to Par?Vendor Management Best Practices: Is Your Program Up to Par?
Vendor Management Best Practices: Is Your Program Up to Par?
EDR
 
Evaluating Vendor Risks - Presentation
Evaluating Vendor Risks - PresentationEvaluating Vendor Risks - Presentation
Evaluating Vendor Risks - Presentation
ISACA New England
 
Proposed Mortgage Reform
Proposed Mortgage ReformProposed Mortgage Reform
Proposed Mortgage Reform
MollyCurl
 
Identifying Your Agency's Vulnerabilities
Identifying Your Agency's Vulnerabilities Identifying Your Agency's Vulnerabilities
Identifying Your Agency's Vulnerabilities
Emily2014
 

Similar to Concerned About Vendor Management 10 30 12 (20)

Cip Multichannel Retail Webcast 091112 (2)
Cip Multichannel Retail Webcast 091112 (2)Cip Multichannel Retail Webcast 091112 (2)
Cip Multichannel Retail Webcast 091112 (2)
 
Catelas Webinar Session I 3rd Party Compliance & Risk Oversight 31 Oc...
Catelas Webinar Session I   3rd Party Compliance & Risk Oversight   31 Oc...Catelas Webinar Session I   3rd Party Compliance & Risk Oversight   31 Oc...
Catelas Webinar Session I 3rd Party Compliance & Risk Oversight 31 Oc...
 
Applying risk management_to_your_business_continuity_management_efforts
Applying risk management_to_your_business_continuity_management_effortsApplying risk management_to_your_business_continuity_management_efforts
Applying risk management_to_your_business_continuity_management_efforts
 
Why_Telecom_Consulting_Presentation
Why_Telecom_Consulting_PresentationWhy_Telecom_Consulting_Presentation
Why_Telecom_Consulting_Presentation
 
Evaluating Vendor Risks - slides
Evaluating Vendor Risks - slidesEvaluating Vendor Risks - slides
Evaluating Vendor Risks - slides
 
Fighting corruption in the supply chain
Fighting corruption in the supply chainFighting corruption in the supply chain
Fighting corruption in the supply chain
 
Fighting Corruption in the Supply Chain
Fighting Corruption in the Supply ChainFighting Corruption in the Supply Chain

Concerned About Vendor Management 10 30 12

6. ABOUT TECHAMERICA
TechAmerica is the leading voice for the U.S. technology industry – the driving force behind productivity growth and job creation in the United States and the foundation of the global innovation economy. Representing approximately 1,000 member companies of all sizes from the public and commercial sectors of the economy, it is the industry's largest advocacy organization and is dedicated to helping members' top and bottom lines. TechAmerica is also the technology industry's only grassroots-to-global advocacy network, with offices in state capitals around the United States, Washington, D.C., Europe (Brussels) and Asia (Beijing). Learn more about TechAmerica at www.techamerica.org.

7. WEBCAST PRESENTERS
• Warren W. Stippich Jr., Partner and National Governance, Risk and Compliance Solution Leader, Advisory Services
• Kirt Seale, Principal, National Special Attestation Reports Leader, Advisory Services

8. LEARNING OBJECTIVES
• Identify a framework for assessing third-party risk
• Examine the roles and responsibilities of risk management in finance, legal, procurement and business operations areas
• Understand tools that can be used to provide comfort that proper controls are in place
9. REAL RISK, REAL IMPACT
Recent headlines:
• Huawei Threat: Real or Overblown?
• Jail, Hard Lessons in Cisco Gear Resale Scam
• BlackBerry service goes down in Europe, Middle East, Africa
• GoDaddy goes down and hacker takes credit

10. POLLING QUESTION #1
Has your company put a program in place to manage third party risk?
A: Yes
B: No

11. DEFINING THIRD PARTIES
• Businesses that are not under direct business control of the organization that engages them
• Third parties may include:
  – Vendors
  – Distributors
  – Suppliers
  – Franchisees/licensees
  – Joint venture or alliance partners
  – Technology outsourcing providers

12. WHY IS THIRD PARTY RISK IMPORTANT?
Risk domains affected by a third-party relationship:
• Reputational
• Compliance
• Regulatory
• Financial
• Strategic
• Operational
13. SECTORS WITH HIGHER RISK
Technology providers
• Data centers
• Companies hosting IT applications
• Third party logistics companies
• Cloud or Software as a Service providers
• Telecom providers
• Any outsourcing company that manages information on behalf of others

Relevant industries
• Government
• Health care
• Banking
• Investment/fund managers
• Payroll management companies
• Financial services

14. POLLING QUESTION #2
Which type of company presents heightened risk when in a vendor relationship?
A: Data centers
B: Third party logistics companies
C: Software as a service companies
D: A and C
E: All of the above

15. RESPONSIBILITY FOR THIRD PARTY RISK MANAGEMENT
A central vendor oversight function, supported by:
• Compliance
• Finance
• Legal
• Procurement
• Business operations/IT
• Internal audit

16. DEFINING THE THIRD PARTY UNIVERSE
• Analyze a comprehensive vendor listing (A/P master file, legal, procurement)
• Exclude the following:
  – Maintenance, repair and operations vendors
  – Providers of raw materials or finished goods
• Confer with in-house legal resources
  – Additional source of data
  – Contractual details will be helpful
• Consider other departments that may need to be consulted

17. WHERE DO YOU BEGIN? PROJECT OBJECTIVE
• Risk assessment and appeals processes
  – Customize the vendor due diligence process depending on the company's specific risks
  – Rule-based point values are assigned to each risk factor
  – The cumulative score dictates the level of additional investigation, if any is required
18. POLLING QUESTION #3
A third party risk assessment should be part of an enterprise risk management program.
A: True
B: False

19. FACTORS TO CONSIDER WHEN ASSESSING RISK
Risk domain: Assessment factors
• Strategic: level of importance of the vendor to corporate operations
• Reputational: magnitude of potential loss if there are problems with the vendor relationship
• Regulatory: level of vendor oversight/monitoring; reporting required by an outside regulatory body

20. FACTORS TO CONSIDER WHEN ASSESSING RISK (continued)
Risk domain: Assessment factors
• Operational: type of vendor (nature of products/services provided); frequency of communication with the vendor
• Financial: annual spend with the vendor
• Compliance: current safeguards or controls designed to ensure compliance with relevant regulations; availability of audit reports or existence of a "right to audit" clause

21. EXAMPLE OF HOW TO DEFINE THE RISK UNIVERSE
Inventory attributes captured for each vendor: vendor name; vendor type; nature of service being provided; contractual details; geographical/global considerations; applicable regulatory requirements (e.g., HIPAA, FCPA); primary relationship owner within the organization (e.g., IT, finance, marketing); whether the vendor provides an audit report such as a SOC 1; whether the contract contains a right-to-audit clause.

ABC Payroll
  Vendor type: Payroll provider
  Nature of service: Payroll processor
  Contractual details: Five-year agreement approved by Legal department
  Geographical/global considerations: Payroll processed in Kansas City, Kan.
  Applicable regulatory requirements: IRS, Department of Labor
  Primary relationship owner: Bob Peoples, Human Resources
  Provides an audit report: Yes, SOC 1
  Right to audit clause: No

IT Help Support
  Vendor type: Help desk contractors
  Nature of service: IT support
  Contractual details: One-year auto-renewing contract
  Geographical/global considerations: Local to each company site and headquarters
  Applicable regulatory requirements: N/A
  Primary relationship owner: Martin Technology, CIO
  Provides an audit report: No
  Right to audit clause: No

Quick Print
  Vendor type: Printing/mail service provider
  Nature of service: Prints/mails invoices and marketing materials
  Contractual details: Six-year agreement, approved by Legal department
  Geographical/global considerations: Local to headquarters
  Applicable regulatory requirements: N/A
  Primary relationship owner: Sally Accountant, CFO
  Provides an audit report: No
  Right to audit clause: No

Source: Grant Thornton LLP
22. WEIGHTING RISK FACTORS
Factors, each rated from low (1) to high (5):
  F1 Significance of the data handled by the vendor
  F2 Potential magnitude of a financial loss
  F3 Potential magnitude of a reputational loss
  F4 Potential magnitude of an operational loss
  F5 Frequency of interaction
  F6 Expense of the vendor in relation to the income of the business unit supporting it
  F7 Significance of financial risk
  F8 Significance of operational risk
  F9 Significance of strategic risk

Vendor        F1  F2  F3  F4  F5  F6  F7  F8  F9
ABC Payroll    3   1   1   5   5   4   3   5   2
IT Help        3   1   1   3   5   2   1   4   1
Quick Print    2   1   4   2   4   1   1   1   1

Source: Grant Thornton LLP
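The scoring approach sketched on slides 17 and 22 (rule-based point values per factor, a cumulative score that dictates how much additional investigation a vendor gets) worked through in Python, as an added example that is not part of the Grant Thornton deck. It takes the three vendors and nine ratings from the weighting table above. The per-factor point values, the High/Medium/Low thresholds, the escalation floors that a low cumulative score cannot undercut, and the mapping from tier to the mitigation techniques named on the "Risk mitigation techniques" slide are all assumptions chosen for illustration; the presentation publishes none of them.

```python
"""Rule-based third-party risk scoring over the nine factors of the weighting table."""
from dataclasses import dataclass, field

# Factor names follow the column headings of the weighting table (slide 22).
FACTORS = (
    "data_significance",      # Significance of the data handled by the vendor
    "financial_loss",         # Potential magnitude of a financial loss
    "reputational_loss",      # Potential magnitude of a reputational loss
    "operational_loss",       # Potential magnitude of an operational loss
    "interaction_frequency",  # Frequency of interaction
    "relative_expense",       # Vendor expense relative to the supporting unit's income
    "financial_risk",         # Significance of financial risk
    "operational_risk",       # Significance of operational risk
    "strategic_risk",         # Significance of strategic risk
)

# Assumed point values (the deck says "rule-based point values" but publishes
# no weighting): data sensitivity and loss-magnitude factors count double.
WEIGHTS = {
    f: 2 if f in ("data_significance", "financial_loss",
                  "reputational_loss", "operational_loss") else 1
    for f in FACTORS
}
MAX_SCORE = 5 * sum(WEIGHTS.values())  # 65 with the weights above

# Assumed tier thresholds, as a percentage of the maximum achievable score.
HIGH_PCT, MEDIUM_PCT = 55, 42

# Ratings copied from the weighting table (low 1 .. high 5), in FACTORS order.
VENDORS = {
    "ABC Payroll": (3, 1, 1, 5, 5, 4, 3, 5, 2),
    "IT Help":     (3, 1, 1, 3, 5, 2, 1, 4, 1),
    "Quick Print": (2, 1, 4, 2, 4, 1, 1, 1, 1),
}

# Assumed mapping from tier to the techniques listed on the mitigation slide.
DILIGENCE = {
    "High":   ["Obtain and review an attestation report (SOC 1 / SOC 2)",
               "Exercise right-to-audit clause or perform a site visit",
               "Transaction monitoring with periodic data analysis and reporting"],
    "Medium": ["Annual questionnaire",
               "Independent review of any attestation report the vendor can supply"],
    "Low":    ["Questionnaire at onboarding", "Contract review at renewal"],
}
TIER_RANK = {"Low": 0, "Medium": 1, "High": 2}


@dataclass
class Assessment:
    vendor: str
    score: int
    percent: float
    tier: str
    escalations: list = field(default_factory=list)
    diligence: list = field(default_factory=list)


def weighted_score(ratings):
    """Cumulative score: each 1..5 rating multiplied by its factor's point value."""
    if len(ratings) != len(FACTORS):
        raise ValueError(f"expected {len(FACTORS)} ratings, got {len(ratings)}")
    if any(not 1 <= r <= 5 for r in ratings):
        raise ValueError("ratings must be integers from 1 (low) to 5 (high)")
    return sum(r * WEIGHTS[f] for f, r in zip(FACTORS, ratings))


def tier_for_percent(percent):
    if percent >= HIGH_PCT:
        return "High"
    if percent >= MEDIUM_PCT:
        return "Medium"
    return "Low"


def escalation_floor(ratings):
    """Assumed floors the cumulative score may not undercut: a 5 on any
    loss-magnitude factor forces at least High; data significance of 4 or
    more forces at least Medium. A single catastrophic factor should not be
    averaged away by low ratings elsewhere."""
    r = dict(zip(FACTORS, ratings))
    floor, reasons = "Low", []
    for f in ("financial_loss", "reputational_loss", "operational_loss"):
        if r[f] == 5:
            reasons.append(f"{f}=5 forces High")
            floor = "High"
    if r["data_significance"] >= 4 and floor != "High":
        reasons.append("data_significance>=4 forces Medium")
        floor = "Medium"
    return floor, reasons


def assess(vendor, ratings):
    score = weighted_score(ratings)
    percent = 100.0 * score / MAX_SCORE
    tier = tier_for_percent(percent)
    floor, reasons = escalation_floor(ratings)
    if TIER_RANK[floor] > TIER_RANK[tier]:
        tier = floor
    return Assessment(vendor, score, round(percent, 1), tier, reasons, DILIGENCE[tier])


def assess_all(vendors):
    return {name: assess(name, ratings) for name, ratings in vendors.items()}


if __name__ == "__main__":
    for a in assess_all(VENDORS).values():
        print(f"{a.vendor:12} score={a.score:2}/{MAX_SCORE} ({a.percent}%) tier={a.tier}")
        for why in a.escalations:
            print(f"  ! {why}")
        for step in a.diligence:
            print(f"  - {step}")
```

With these assumed weights ABC Payroll scores 39/65 and lands in High (its operational-loss rating of 5 would force High even if the cumulative score were lower), IT Help scores 29 (Medium) and Quick Print 26 (Low). The appeals process from slide 17 fits naturally as a documented override of the final tier; keeping the escalation floor separate from the weighted sum is what stops a relationship owner from "appealing" a vendor down by nudging several minor ratings.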
23. NEEDS ANALYSIS APPROACH
High, medium or low-risk areas are determined based on the following risk factors:
• Strategic importance
• Business operations risk
• Legal/regulatory compliance
• System reliance and capability
• Fraud risk
• External factors
• Human capital risk
• Financial impact
• Market impact
• Reputation impact

24. RISK MITIGATION TECHNIQUES
• Transaction monitoring
• Increased data analysis and reporting
• Contract renegotiation
• Independent reviews
• Audits
• Site visits
• Questionnaire

25. USE OF ATTESTATION REPORTS
SOC 1
• Provides a vehicle for reporting on a service organization's system of internal control relevant to a user organization's internal control over financial reporting.
• Intended as auditor-to-auditor communication, with specific content dependent on the service organization's system.

SOC 2
• Addresses controls pertinent to the Trust Services Principles of security, availability, processing integrity, confidentiality and privacy.
• Includes many of the same elements as a SOC 1 report.
• Principles and criteria developed by the AICPA and the Canadian Institute of Chartered Accountants.

AT 101
• Allows service organizations to provide user organizations and other stakeholders with a tailored report on controls that are relevant to the services.
• Highly flexible and can be leveraged for multiple industry standards (e.g., NIST, ISO).

26. POLLING QUESTION #4
My company uses SOC reports when working with our vendors and customers.
A: Always
B: Often
C: Infrequently
D: We have used SOC reports
E: Not sure

27. A FEW THINGS TO NOTE ABOUT SOC REPORTS
Consider the following when reviewing a SOC report:
• Time period covered
• Handling of subservice providers (carve-out vs. inclusive)
• In-scope and out-of-scope locations
• Construction of control objectives and control activities
• Sampling and testing methodology
• Exceptions noted and management response
28. ADDING VALUE: CASE STUDY
Issue
• A Fortune 500 corporation experienced issues related to a third party that resulted in self-disclosure of an issue
• The company required a way to mitigate against future issues with vendors and third parties

Response
• Grant Thornton created and managed a new process to onboard and assess the compliance-related risk associated with newly identified third parties and business partners
• The team also worked to extract "legacy" third party relationships from a large number of Enterprise Resource Planning (ERP) systems, to capture, process and investigate them
• Grant Thornton was also involved in the creation of supplemental qualification requirements for certain third party relationships, as well as development of a technology solution to evaluate new relationships

Benefits achieved
• The results of this project included:
  – Standardized review and acceptance of a new third party business relationship
  – Insight and seamless transparency into retained third party relationships that would otherwise be unseen
  – Validation of the creation of a new customer master or vendor master file within the client's local ERP system
  – A more efficient process for creating valid agreements, helping to further protect the client from unforeseen risks

29. KEY TAKEAWAYS
• Understand and evaluate your third party relationships
• Know your risks
• Take reasonable steps toward risk mitigation

30. QUESTIONS

31. KEEPING THIRD-PARTY RISK IN CHECK
This white paper addresses the process of information gathering, assessing and assigning risk ratings, and mitigating the high-risk relationships. Learn how using Service Organization Control reports can help manage third-party risk in our illustrative case study. You will receive a downloadable copy of the paper in the follow-up email from Grant Thornton LLP.
32. FOR MORE INFORMATION, CONTACT:
Warren Stippich
Partner, National Governance, Risk and Governance Leader, Advisory Services
T 312.602.8499
E warren.stippich@us.gt.com

Kirt Seale
Principal, National Special Attestation Reports Leader, Advisory Services
T 214.561.2367
E kirt.seale@us.gt.com

33. THANK YOU FOR ATTENDING
To retrieve your CPE certificate:
• Respond to the online evaluation form
• Print your CPE certificate from the CPE confirmation email or participation tab (note: group participation will not receive CPE)
• Download today's slides as a reference resource

34. Thank you for attending.
Visit us online at:
www.GrantThornton.com
twitter.com/GrantThorntonUS
linkd.in/GrantThorntonUS
For questions regarding your CPE certificate, contact Learnlive at 888.228.0988.