Does your organisation have robust policies in place around third party provisions, asks Paul Haley?
We live in a vastly complex business world where organisations in any sector need to work in partnership with an ever-increasing array of suppliers and partners. The provision of goods and services to us, in order that we can deliver the end product and service to customers, requires a thorough understanding of contractual terms, service level agreements, risk management, clear transparency and disclosure, monitoring and review, competence, shared values and goals, and trust.
Above all, though, our organisations require assurance that we will achieve our objectives. This is relatively easy internally – we can rely on internal management controls, management inspection and compliance teams, and internal audit. These are often referred to as the ‘three lines of defence’, as posited by an Institute of Internal Audit Position Statement.
However, it can become more difficult to gain assurances throughout our supply chain, which requires external assurances and thus potentially reliance on ‘third party assurances’.
Third party provisions
Our organisations have moved away from a traditional structure designed to do everything in-house. We have concentrated on developing our core competencies and then have looked to partners to provide their unique skills. So it is now accepted common practice to have third party provision of IT infrastructure/networks/databases/websites/e-commerce/systems, transport and distribution, security, estates management, telecommunications, call centres, warehousing, and shared service functions for finance, HR, payroll, marketing – even internal audit itself could be provided from outside the organisation.
This is reflected in the diagram above which shows a movement from a triangle to a diamond-shaped organisation. However, in order to deliver our end product, our risks remain within the traditional triangle. The challenge is to ensure our risk management and internal control frameworks reflect this. Equally, we must gain enterprise-wide risk management assurances.
Supply chain grey areas
A growing area of concern is what I describe as the grey area of our supply chain, which is when prime contractor suppliers have sub-contracted work out, or are similarly relying on their supply chain to provide services that are intrinsic to continuity of service to us. How might we be affected by these unknown points of failure? Worryingly, you may not be able to answer until this happens and you suffer immediate loss of service, or loss of your data, or both.
You may wish to consider to what extent the risk has been mitigated by contractually preventing sub-contracting, and, of course, whether this is a reliable control.
Organisations therefore need to manage supply chain risks through optimising assurances. These could come from the three lines of defence as already mentioned. But this will depend on what terms and conditions you have with suppliers, such as:
have you ensured a right of audit access for your internal assurance teams?
did you select partners based on how willing they are to provide assurances?
have you determined what lines of defence your suppliers have?
do they have their own internal audit team?
Also, have you established assurance requirements such as holding valid ISO accreditations for quality, environment, health & safety, risk management, information security, or even Investors In People? These will offer a level of assurance that a minimum standard has been reached, is being maintained, and is being subject to independent third party checking & certification.
If you have ensured rights of audit access to suppliers, you need to risk assess your supply chain and determine where and how to gain assurances. Do you send in your assurance teams? Do you seek written confirmation from the suppliers' own assurance teams? Do you obtain regular written assurance from the suppliers' boards?
Your own internal audit team will be more likely to place reliance on the work of supplier audit teams if they can demonstrate similar professional competence and qualifications, and that work is performed to professional standards, such as the IIA’s International Professional Practices Framework, which comprises the International Standards for the Professional Practice of Internal Auditing. One of these, Performance Standard 2050, sets out Cooperation with Other Providers of Assurance.
Assurance maps and frameworks
An area of much activity is the development of assurance maps and frameworks. These enable organisations to understand where assurances over risks can be gained. They can illustrate where there is duplication of assurance, which can sometimes be a burden on business operations, and where there are assurance gaps. This kind of assurance mapping is particularly useful to an audit committee, which will have governance responsibilities to provide assurance to the main board on the governance, internal control and risk management processes, and the likelihood that corporate objectives will be achieved.
A clear assurance framework will ensure an audit committee enables demand-led assurance, which can focus on a cost-effective and clear process of inspection, compliance, and audit review. This can and should also include regulatory inspection and external audit, which also provide further assurance, albeit often driven by specific, somewhat narrow, legislative compliance. This gives a complete picture, or an auditable trail of assurances which, when combined with further assurance from your organisation’s directors and from the various governance committee chairs (audit, remuneration, nominations, etc.), can enable the construction of the annual governance statement for your chief executive to issue within the annual report and accounts.
Reasonable assurance
A key aspect to consider is to have a board-level debate around defining ‘reasonable assurance’. This could include setting risk appetite, which could be quantitative and qualitative – e.g. all risks having an impact multiplied by probability score of x or less, and 97% of customers are satisfied. A board could then set out what ‘green’ assurance looks like across various parts of the organisation. Once there is agreement on what is reasonable, the audit committee and the three lines of defence can determine where all the assurances are required and how to bring together all the third party assurances as already explained.
One further thing to consider: why make all this effort just to support the annual governance statement? Organisations can speed up the assurance mechanisms to pull the levers bi-annually, or even quarterly, and embed this into the regular performance monitoring systems.
Paul Haley – director of strategic operations, BHBi
Paul Haley is a chartered internal auditor and director of BHBi, one of the UK’s leading specialist private sector training providers for internal audit, with leading expertise in integrated assurance, reliance and coordination.