Audit Best Practices: Insights from a Seasoned Vendor Risk Analyst

As part of our Venminder Thought Leadership series we have the opportunity to meet with an incredibly diverse range of seasoned leaders from across the industry to gain new perspectives and glean advice around third parties, mitigating risk, best practices, the latest trends and more. Most recently, I had the opportunity to speak with Chris Caputo, an external audit coordinator at CMG Financial.

Chris Caputo Interview Highlights 

Chris is not only highly experienced with audit coordination. He also has a background in identifying and mitigating operational, physical and technological risks in both the financial services and default services industry.

He has a wealth of experience you’ll want to hear in full; however, here are just a few headliners from the interview:

• The criticality of having the right type of third-party risk players on your bench
• The importance of instilling a strong risk culture
• How state-to-state legal variations could impact law firms’ third-party vendors
• The true cost of third-party risk management

Play to Your Strengths 

To kick us off, Chris dived into a shared third-party risk management struggle: staffing. 

When I asked Chris what he felt were some of the biggest hurdles for building a strong third-party risk management program, Chris highlighted the “human element” of third-party risk management as well as the importance of customizing your third-party risk management approach to the vendor in question.

“Ultimately, I think the underlying issue is companies not having the right pieces in place to handle what needs to be done with that particular vendor,” Chris shared. “In addition to the appropriate allocation of those human resources, I think it's equally important, again, to tailor the risk management program itself to the third-party being reviewed. As a mortgage service company, we wouldn't and shouldn't hold a law firm providing default related services to the same standards as we would a third-party data center.”

Chris also shared that his role as an auditor has impacted his perspective on what kind of experience you need for effectively assessing risk.

“When I began auditing law firms providing default services and I transitioned into that new role, it was a pretty natural transition for me because it was essentially moving to the other side of the conference room table,” Chris said, “My experience working for the firm allowed me to key in on certain elements in the course of my audit, that perhaps somebody without my background wouldn't catch.”

However, Chris further highlighted his point about having the right players on your third-party risk bench, sharing he likely wouldn’t have been as thorough in an audit for a vendor offering IT-related services as he would have for say a co-location data center provider. When it comes to an effective audit, background and experience matters. 

The Importance of a Strong Risk Culture

One of the most important takeaways from our sit-down was how critical it is to have a culture of risk management as opposed to a few dedicated people. It’s crucial for an organization to communicate openly and effectively about that risk. When it comes to risk management, everyone needs to be paying attention so that the whole organization can work in unison towards mitigating that risk in the face of all of the different variables at play.

Here are a few tips Chis shared for cultivating a strong risk culture: 

• Tailor your approach, but maintain uniformity. With so many moving pieces, it's really important to ensure everybody is on the same page with their risk appetite, tolerance and awareness.
• Collaborate. In order to make sure the right controls are in place, the right risks are identified, and the right risk criticality is assigned, it’s critical that work is done in tandem across the board. Which leads to the next point…
• Communication is key. The first line has to be communicating effectively with the second line, and then from the second line to the third line, etc. Any governance groups, oversight committees, people who are performing the day-to-day identification and mitigation must be looped in.

Law Firms, Judicial Variation, and Third-Party Risk Management 

When I asked Chris where law firms land on the spectrum of risk mitigation, he conceded that like most other industries, the approach really depends on a multitude of factors. In his professional opinion, he feels law firms should largely be considered a third-party vendor; but the associated risks will vary by industry, and more specifically, will vary based on the function or the service of the law firm.

“When it comes to law firms, like the default related firms that I worked for, and that I audited over the years, I do think that it's definitely important they should absolutely be held with our (third) party risk program,” Chris said, “The day-to-day activities they perform, their access to NPI as well as other personal and confidential information and the fact they are constantly subject to the oversight of state and federal regulations...of course state regulations vary across the board, but they're all held to standards, such as FDCPA.”

This brought up another interesting factor: variations based on whether a state has a judicial foreclosure process or a non-judicial foreclosure process. Chris shared an incredibly insightful example which explains the difference between a case in the Northeast vs. a case in the South, and how differing legalities can drastically affect the risk of exposing personal information:

“We have a default firm that's handling foreclosures in New Jersey or New York,” Chris said, “Both of those are judicial jurisdictions, and they have confident oversight by way of the court, which contemporaneously add both a layer of protection and a degree of risk. The court acts as a layer of protection but it also has a degree of risk because legal pleadings that are filed are often public record, and if something like a complaint, for example, were to be filed with an exposed social security number or an exposed loan number. That's a huge privacy risk.”

“Whereas a firm handling that same foreclosure in North Carolina or Mississippi, both non-judicial states, you wouldn't have that layer of oversight provided by the court, but you also don't have the risk of filing a pleading with exposed NPI because they go through the non-judicial process, which doesn't incorporate those legal filings.”

As you can see, variations in jurisdiction can have a huge impact on the risk management required.

To wrap it up, Chris highlighted one of the hardest truths about third-party risk management, which is cost. Anyone who’s spent more than two seconds in this industry knows it’s expensive, complex and time-consuming. We certainly have to consider the expense of not only performing audits and developing a strong risk management program, but mitigating the risk internally, and ensuring employees are provided with secure access. But here’s the tougher question: What’s the cost if we don’t?

On behalf of Venminder, I’d like to thank Chris for his participation in this series. Be sure to listen to our discussion here to catch even more helpful information.

You should be taking certain steps to prepare for your next audit. Download the checklist.