Auditor's Perspective on Third-Party Risk Management Q&A

During our recent three day Third-Party Risk Management Bootcamp, we had a lot of GREAT questions come in. It was quite impossible to get to them all during the live sessions, so we have worked with our speakers to compile the answers. Below you will find answers to questions posed during Day 1 - Session 1: An Auditor's Perspective in Third Party Risk Management. 

Day 1 - Session 1
An Auditor’s Perspective in Third Party Risk Management

Mike Morris Partner PKM	Mary Beth Marchione Systems Senior Manager PKM

This session was led by Mike Morris and Mary Beth Marchione at PKM where they discussed common mistakes as well as practical tips for solid third party risk management practices from an auditor’s perspective. They have kindly provided answers to the following questions.

Q1: Can you provide some guidance on criteria for the tiering of vendors? 

Answer: “Typically, we see vendor management programs that identify the following criteria: access to sensitive information, criticality of service, frequency of service, past issues, access, etc. This should be unique to your organization. Typically, Tier 1 would be considered high risk, where the vendor has direct responsibility for securing your non-public customer information and is processing material financial transactions on your behalf. Tier 2 would be considered medium risk, where the vendor does not have direct access to non-public customer information and/or is not processing material transactions on your behalf.  Some regulatory guidance includes:

FIL-44-2008 Third-Party Risk Guidance for Managing Third-Party Risk, FFIEC IT Handbook – Management, FFIEC IT Handbook – Outsourcing Technology Services”

Q2: Some privately-run companies decline to disclose financials. What are some things we can do to work around this in our due diligence process?

Answer: “Make sure you get a right-to-audit clause in your contract (or renegotiate to get that clause in the contract). Also, try to negotiate that you will be provided financial statements annually.  Outside of that, it might be tough to get anything from them. If a vendor does not understand the needs of their customers in a highly-regulated environment, that’s a red flag that other regulatory compliance issues may be present as well. They may also be reluctant to provide financial information because their financial condition is deteriorating.”

Q3: What type of due diligence is required for subcontractors of your vendors?

Answer: “If the contractual relationship allows, you should be performing due diligence on the subservice providers as well.  However, you should be obtaining and reviewing your vendor’s vendor management program and determine if it covers the elements that are required by the FFIEC and whether it is performed annually.”

Q4: If the vendor provides their due diligence on the sub servicer, should we still conduct due diligence on the sub servicer?

Answer: “If you review your vendor’s due diligence and it appears to be well-documented, timely and follows the FFIEC guidance, then you should be able to rely on it. If not, then you’ll need to pursue other avenues.”

Q5: What types of things should be included in a vendor package?  

Answer: “It depends on the nature of the services provided.  At a minimum, it should include:

1. Financial health
2. Internal controls reports (such as SOC reports)
3. Insurance coverage
4. BCP and testing
5. Cyber resilience

Other information might include:

6. PCI compliance
7. HIPAA compliance
8. NYC cyber compliance
9. Massachusetts Privacy Law compliance”

Q6: Is it ever acceptable for a vendor to provide their financials or not?

Answer: “It depends on the criticality of the vendor. You should mostly be concerned about two issues:  1.) Will the vendor be there tomorrow, and if not, what is the consequence and 2.) Could a deteriorating financial condition at a vendor cause them to start cutting internal controls that you are relying on to protect you and your customers.”

Q7: Aside from contract language, is there any regulation, law or statute that would compel a vendor to cooperate with due diligence requests?

Answer: “If they serve financial institutions, they’re also subject to the FFIEC. Depending on their client base, they could be subject to direct regulatory audits. They’re also subject to specific state laws, such as the California and Massachusetts privacy laws. We believe that the best vendors understand the risks that they pose to you and the risks to their businesses. These vendors typically understand that they need to do the right thing for themselves and the customers that they serve.”

Q8: How do you determine the correct due diligence documents to be collected for low risk or moderate risk vendors? Not all vendors need insurance or financials.  

Answer: “Follow the risk guidance in FIL-44-2008 Third-Party Risk Guidance for Managing Third-Party Risk. Create a specific policy that dictates what level of scrutiny each risk level requires. There should be a baseline for the required documents. However, each vendor is unique and poses unique risk. The documentation obtained should line up with the risks that particular a vendor poses.”

Q9: How do you determine if your vendor needs to name you on their insurance certificate?

Answer: “They won’t name your company on their insurance. They need to have a policy that covers their risk and you need to have a policy that covers your risk.”

Q10: How much will I need to work with our legal counsel to develop a program? Aren’t my vendors legally obligated to share security information will me?

Answer: “Yes, you should work with your legal counsel, but no, your vendors aren’t necessarily legally required to share anything with you. If it is not included in your contract, then you probably won’t have much say in what they do or do not provide.”

Q11: As it relates to data, I would think it would be important to note not only housing data, but also access to data.

Answer: “You are correct. Access to data by managed services providers is a risk as well.”

Q12: If a company is private and declines to provide financial statements - what are alternative avenues of reviewing financial condition?

Answer: “You really don’t have any recourse. You need to renegotiate the contract once it’s up for renewal or consider pursuing a new vendor that will provide this information.”

Q13: How are you handling private organizations that will not provide financials, only a statement that they are financially fit even with an NDA?

Answer: “Make sure you get a right-to-audit clause in your contract (or renegotiate to get that clause in the contract). Also, try to negotiate that you will be provided financial statements annually. Outside of that, it might be tough to get anything from them. If a vendor does not understand the needs of their customers in a highly-regulated environment, that’s a red flag that other regulatory compliance issues may be present as well. They may also be reluctant to provide financial information because their financial condition is deteriorating.”

Q14: Is it required to have cyber insurance along with COI?

Answer: “It depends on the risk of a cyber breach at the vendor. If there is risk to your operations or your non-public customer information, then they should have a cyber policy.”

Q15: Do you treat a "partner" the same as a "vendor". For example, if company A has created a solution where there is a need to partner with company B... versus a more straight forward outsourcing engagement. Should company A treat company B like a "vendor"?

Answer: “If the partner poses business risks due to the nature of the activities they are supporting, then you would need to perform due diligence over the partner.”

Q16: Could you provide advice on reviewing quality and reports on training, compliance (e.g. data privacy) training and other matters related to a vendor, and particularly an off-shore vendor?

Answer: “If I understand the question correctly, you would need to review the training materials and related documentation (attendance lists, presentation materials, acknowledgement forms, etc.) to ensure that the topics are relevant and that the employees were present at the training. The location of the vendor should not matter if they are required (by the services provided) to complete specific training either by regulation or contract."

Q17: How do you treat a vendor that we use just a few times? Like a VOE provider that we must use due to the borrower's employer? They have borrower data, but not at all critical to our service. 

Answer: “If they have your non-public customer information, then you’re responsible for understanding how they are securing the information. The level of detail and number of documents that you review aside from understanding how your information is secured, will depend on your vendor management program. It should be designed to provide guidance on the level of vendor review required based on a tiered/risk rated system. Access to non-public customer information should always be a factor in determining that tier/risk.”

Answer: “The review should be relative to the risk that they pose (access to non-public customer information) and/or consist of performing reference and background checks on the company. In some instance you can point to internal controls that can mitigate risk while they are onsite (escorting the contractors, clean desk policy, locked doors for sensitive areas, etc.).”

Answer: “Operational control will have a good understanding of the day-to-day risks a vendor poses as well as internal controls that mitigate some of those risks in your organization. We have seen many organizations create a questionnaire with key factors used to evaluate the risk of a vendor (this should align to your vendor management program) and then have multiple departments fill it out as a vendor can provide a service that affects multiple departments in your organization. In addition, operational control may be a great place to start when documenting controls in your organization that meet Complementary User Entity Controls noted in the vendor’s SOC report that your organization is responsible for (escorting the contractors, clean desk policy, locked doors for sensitive areas, etc.).” 

Q20: I have a question related to a vendor questionnaire. We are considering using one but what is the value of one? Given that it isn't audited by a third party, just their say so. Thoughts?

Answer: “If the vendor has a SOC report, you shouldn’t be sending a questionnaire until you are certain that the SOC’s scope doesn’t cover some or all of the control you are looking for. We see too many instances where financial institutions are sending questionnaires to vendors when the answers have already been provided. Additionally, a SOC report provides stronger due diligence because it’s an audit conducted by an independent auditor as opposed to a questionnaire completed by the vendor. If they do not have a SOC report, or a related third party assurance report, a site visit might be a better alternative. If your contract has a “Right to Audit” clause, it will allow you the mechanism to go to the vendor’s location and review controls in person.” 

Q21: Can you elaborate on data classification?

Answer: “The FFIEC’s definition from their Information Security IT Handbook is “A program that categorizes data to convey required safeguards for information confidentiality, integrity and availability; establishes controls required based on value and level of sensitivity.

Examples of data classifications are:

1. Critical – Non-public customer and employee information, financial information (for publicly-traded companies)
2. Business Confidential – Financial information (for non-publicly traded companies), network diagrams, audit reports, board of director and IT committee minutes, strategic plans
3. Sensitive – Proprietary forms, checklists, policies and procedures, etc.”

Q22: Can you provide best practices to run an AP scrub for potential missing vendors?

Answer: “Sort your vendor risk assessment apathetically and compare it to your A/P list sorted alphabetically and look for any gaps.”

Preparing for an audit can be mind-numbing and a bit scary, but if you stick to a basic game plan, it’s easy to manage. Download our helpful infographic for a few quick tips on what to do when you hear the auditors are coming for a visit.