According to the “Pulse of the Internal Audit 2020” published by the Institute of Internal Auditors (IIA), “less than half of respondents say their functions devote any portion of the audit plan to third-party relationships”. Ironically, the survey also indicates growing concerns about third-party risks from Chief Audit Executives…
As organizations rely more and more on third-party providers, this raises the question: why is this area not listed as a recurring risk on most audit plans? Could it be that Internal Audit does not have good knowledge of the existing third-party relationships? Could it be that Internal Audit does not properly assess third-party risks, has not yet developed a tailored audit program, or does not have the capacity to undertake these specialized audits? Perhaps…
Key questions the Internal Audit department should review in order to determine whether third-party risk represents a serious concern for its organization include:
- Has an inventory of all third parties used been created?
- Has each third-party relationship been assessed to identify the critical ones to the organization that could present the highest risks?
- Has there been any incident in the past originating from a third-party relationship?
Obviously, the riskier or more critical relationships should be added to the audit plan. A tailored audit program should be developed based on the services provided by the third party. Also, keep in mind that these third parties may engage with third parties themselves – those are considered fourth parties to your organization!
We often see third-party relationships in the financial services sector and more specifically in the insurance industry. Large insurers delegate a portion of their core functions, such as insurance plan administration and claims adjustment, to Third-Party Administrators (TPA) or Third-Party Payers (TPP).
In this case, the insurance company’s plans are sold and administered by a Third Party, while the insurer retains the risk. Because of the level of inherent risk, these relationships require close monitoring through periodic audit procedures to provide assurance that the insurer’s risks are mitigated by the controls in place at the TPA/TPP level. The main risks are:
- Coverage plans inaccurately set up in the TPA’s systems resulting in both inaccurate premium collections and inaccurate claim payments;
- Absence of fraud detection controls (e.g. drug overuse);
- Errors in claims adjudication based on the plan terms;
- Data quality and security, including data hosted at fourth parties;
- Reputational and legal risks.
Third-party relationships represent a high risk for most organizations, one that is often overlooked by second-line-of-defense teams and Internal Audit departments until it is too late. Adding this theme to the audit universe and audit plan will most certainly bring extensive added value to your organization in the long run and will help Internal Audit departments strengthen their status as trusted advisors within the organization.
How can Richter help?
- Risk assessment of your third parties;
- Development of audit programs and risk and control matrices;
- Evaluation of the adequacy of the controls in place at your TPAs/TPPs and comparison with best practices;
- Elaboration of remediation action plans/improvement plans;
- Assessment of the adequacy of the third parties used and recommendations of potentially better-suited vendors;
- Training/workshops with your organization to better understand and mitigate your third-party risk.