The Institute of Internal Auditors presents All Things Internal Audit Tech. In this episode, Mike Levy and Chantelle Mixon discuss the growing risk tied to fourth party relationships. They break down how the internal auditor's role is evolving in a world shaped by cybersecurity, AI and shifting regulations. So we're talking about one of my favorite topics. When I was a CAE, before I became a consultant, third party risk was one of the areas that we had oversight over.
But, you know, here we're talking about fourth party risk. And I think it's an often overlooked area that really deserves a lot of attention, because ultimately everybody's focused on managing risks within their organization. Oftentimes we've outsourced a lot of operations to third parties, but where the risk really lies is with the fourth parties.
I think, just for our listeners, it might be helpful to talk about, from your perspective, what is fourth party risk and why do we care about it? Sure. Third party and fourth party risks have become more critical to organizations as they embark upon outsourcing certain competencies, not only to address gaps in their current structure, but also to give them leading edges in areas of opportunity or risk.
Fourth party risk is associated with parties who are essentially fourth or downstream entities, because, believe it or not, you have sixth party risks too. And so those entities have been contracted by third parties whom we directly contract with, but we don't have a contract directly with them.
And so the risk has increased because companies don't always include the appropriate contractual obligations in their contracts, as well as identify them early enough, given the rapidly changing environment due to acquisitions, consolidations, and entities changing overall corporate structures. How have you seen the nature and landscape of that evolve over the years?
At the end of the day, I think, for me, thinking about cloud-based technologies, I think that created a whole host of other risks on the third party side. But how have you seen the evolution of fourth party risk within organizations? I think it's increased greatly because of the increase in offshore activities as companies scale back and look for ways to decrease expenses. They are outsourcing a lot of their functions off our shores.
And as that has increased, and their need to identify those competencies offshore, you're seeing more fourth party risks because they don't exist onshore. I've seen a lot of organizations stumble here, and I think, over the last five to 10 years, we've seen some really high profile things like cyber data breaches that are happening at the fourth party level and then having really dramatic impacts on organizations.
When we think about that in terms of our risk management strategy and some of the reputational or financial risks that might exist, how, as internal auditors, do we mitigate some of those things? What should we be concerned about, especially if I'm an internal auditor that's never really thought about fourth party risk? Where do those risks lie?
Right. I think during the inherent risk assessment process, which is the first step, which we often stumble through as companies, and then making sure our due diligence processes include those that identify financial related areas, such as concentrations of risk, such as the actual ability for the company to sustain its operations over the long term and align with those imperatives as they change.
I think when it comes to reputational risk, we don't always think, as companies, that we want to partner, almost like a marriage, with people who have like values and see things as we see them and want to comply, especially if we're in a highly regulated industry.
Makes a lot of sense. If you're an audit function that's maturing this process, what would you think of as the first few steps for them to really go through to make sure you've even identified the population of what those third parties, but then ultimately the fourth and downstream parties, are? Yeah, I think the first step is to make sure that you are aligned with what your senior leadership thinks third and fourth party risk is.
It seems really basic, but I think we forget that first identifying who you're targeting is the first step to identifying what risk you're trying to manage. And so as senior leadership identifies and defines that population, the next step, once you know who those parties are, whether it's the third party or fourth party, which I will tell you for the fourth party is a little bit more complicated, right? Because, as I mentioned, you don't have a direct contract with them.
So it's really getting your arms around your third parties first, so that you can identify ways that you can engage with them in different ways to identify if they have any fourth parties that they haven't made you aware of, and then modify contracts and then assess those risks as you identify those contracts. I remember when we were managing this, when I was a CAE, the identification was the most difficult part at the end of the day.
Because we were having to look in a lot of different places to identify those third parties and then ultimately get to the fourth parties, because it wasn't just contract repositories for us. We were finding that there were third parties that happened through credit card spend at the company.
So we actually ended up pulling not only contracts, but we were looking at accounts payable and credit card spend, because to the extent someone subscribed to a SaaS based vendor and put it on their expense report, it wasn't always identified in the process. And it's that concept of shadow IT that sort of creeps up, and it's a risk.
But once we had that population, you know, for us that risk assessment of those third parties, and where do we think the most significant risk and impact would be? And who has sensitive data, who's had risk? I mean, how does an auditor even start thinking about these? Because it feels very voluminous for what's often an audit team that already has a fairly full body of work in what they need to do.
Yes. You know, you identify what I will call the second phase here, which is the data mining. I think about any area of completeness and accuracy of any type of inventory similar to how we think about inventory in general, right? Tag to floor, floor to tag, that old school way of looking at it. And so the way that you identify that in this risk management space for third or fourth parties is you start with the payments.
So you mentioned accounts payable; you have EFTs; you have ways by which you are gathering information through RFIs and RFPs with relationships with current third parties. And so through all those, you're able to employ data analytics throughout your internal audit programs and throughout your strategy, such that you're always continuously monitoring those activities to identify those fourth parties that you might not have identified. And that includes other inventories as well.
So that's the financial way, but you also have other risks that are identifying third parties and fourth parties, like AI, right? AI models through that procurement process. So that RFI and RFP identifies other means by which you can inventory across the company too. So when we fast forward through, you know, we have our inventory identified of third parties and we've started to identify the fourth party risk. What is that mechanism?
I know we used to look at third party assurance reports, like a SOC 2 report, for example, and see what parties existed. Sometimes we would do surveys of our vendors. I always found a mixed set of results there. You know, sometimes third parties were very willing to share information. Other times there was a bit of finesse that happened there. How do you navigate that typically? You know, it's getting tougher and tougher.
I will not lie to you, Mike. I think the SOC 1 and SOC 2 reports, post several of the very large cybersecurity incidents, have revealed the need for those particular auditors to do more due diligence, not only in isolating what we think are the key processes and controls around whatever scope is within those reports, but also making sure that the actual party doing that work and performing those controls with the business owners is actually either in-house or out of house.
Out of house means that we might have to go to an offsite location. We might have to actually engage with the third party to make sure that we actually have the controls rightly identified in those reports, which in the past, I would tell you, we would just look at the surface of the reports and audit the controls that were written, not necessarily diving the next layer down to make sure we've got the right person performing the controls and therefore the right entity included in the reports.
When I think about all of this, I mean, there are a lot of steps in that process, and you're dealing with a lot of different people and a lot of different vendor contacts and things like that. Are you finding that you're using tools and technology to help support that? Or is that a manual process within organizations? I'm just trying to think through, if I'm an audit function that doesn't have some of these things, how do I even get started on this?
Yeah, you know, I think when you think about the profession in general, we're learning through recent opportunities to attend conferences and such that an internal audit department that's not thinking about technology is probably already behind in this space. And so I think, if you don't have it today, the most simple way to get started is to make sure that the proper universes exist in those daily functions in the first line. We are the third line, right?
And so there's a second line in between us. And so between the second line and third line, they should have adequate means already for us to at least get started if we don't have the technology, and then employ the technology later on.
Yeah, I'm so glad you mentioned the second line as part of this process, because I think one of the varying things I've seen as I've worked with different organizations is that sometimes third party risk management sits and is housed within the internal audit function in the third line. But oftentimes it's really a second line activity, and it really depends on the organization where it sits.
So for me, where I've been successful in the past, and I'm curious if this is your experience too, is sometimes if I have nowhere to start, I will start with my IT security team and IT compliance, because there's often some population of third party risks that they are actively managing and navigating on the cybersecurity front. I think cyber risk is a huge part of third party and fourth party risk, but it's probably not the only risk at the end of the day that we need to think about.
Is that consistent with what you're experiencing? Yes, very consistent. I think that relationship with the second line is really critical in this space. There are several enterprise related risks, because we partner a lot with our ERM team as well, where you want to make sure that you've isolated those enterprise level risks with their assistance and any tools that they're currently using as a starting point, especially, back to your reference, for smaller shops without that technology. So I do agree.
So when we go back to talking about technology, I'm just thinking about some of the different opportunities here. You know, one of the other things I've seen organizations do, and it does tend to layer on the cyber front, but if I'm an audit committee, you know, audit committees aren't always as in the loop on third party and fourth party risk.
And as I think about the role of a CAE in educating and training up their audit committee so that they understand where some of the key risks of the organization are, sometimes it's being able to give them reporting and a lens into what the holistic risk of an organization looks like, and having them understand that a very significant component of that might reside at a fourth or third party, where the only control you have over that is the contract.
When I think about how I demonstrate and show that risk, to me it's what procedures we're doing over those third or fourth parties, but it could also be what public facing data points I can get. So I always think about things like DNV reports or ESG, like Clarity AI has an ESG study, but there's also a lot of public facing cyber scanning you can do.
In your experience, when we're looking at third parties and measuring the actual risks that we think exist, how have you brought all that data together in terms of reporting for executives or the board or the second line when we're evaluating? You know, I would tell you, prior to cybersecurity really becoming a high level enterprise risk for most industries, we would just continue to have services.
So we have subscriptions with certain services where we're able to data mine directly and/or obtain reports, push and pull reports. There are several organizations within our industry that also give us updates every quarter. So we use those external data endpoint exports of information so that we can data mine it and review any of their insights.
Now fast forward, with cybersecurity being a high profile risk, I would tell you that that seems already behind in terms of getting an understanding of what the risks are and making sure that we're on top of responding to concerns by the audit committee.
And so what we use now, believe it or not, is ongoing quarterly monitoring where we may directly go audit some of these entities on site, in partnership with mainly the second line and some first line business partners that have our higher profile third or fourth parties. What do you think is the biggest misconception about vendor risk management and third party risk specifically, and fourth party?
You know, I think the most frequent response that we get when we work with business owners or contract owners who are in the first line is, "I outsource this through a contract to a third or fourth party and I don't have any other responsibility." And I think what they fail to realize is that the minute you give your responsibility to someone else, it actually increases your responsibility.
There's a saying in the cyber world that there's no such thing as the cloud, it's just somebody else's computer.
And I think that really resonates here too, because at the end of the day, maybe someone else is better at managing the technology itself, but if we're not evaluating that risk, I mean, anything that could create business disruption, financial risk, or reputational risk for an organization, whether or not there's a contract in place, we need to make sure we are understanding and navigating what controls they have in place
and what their process is, for sure. Absolutely. Absolutely. And then, when you think about the maturity of where that landscape is today in fourth party risk, where do you see it going? I mean, we talked about AI a little bit earlier on, but when you look a year out from now, or two years, or three years, where do you see that landscape evolving and maturing to? And how do you see audit being involved in that?
Yeah, I think internal audit's role is going to increase with the increased risk that we're seeing, particularly in cyber, in AI, and in the relationships that have full accountability for core services and/or goods at organizations.
And when I say increase, that means that we'll either have direct responsibility for auditing those entities each year within the audit plan, in partnership with the second and third line accordingly, but then, more importantly, contracts directly with them.
I think what we're finding in the modification, just overall in the industry, of contracts with third parties is that while you may have the appropriate clauses to be able to get policies and procedures that align with yours, opportunities to either review audit results and/or go audit them yourselves, and last and certainly not least, performance monitoring, right, where they're submitting data reports or quality review results to you on an ongoing basis, that's just not going to be good enough anymore.
Right? It's the old "trust but verify" internal audit saying, right? And so that verification, the audit committee is going to expect you to do directly. I think that's really valid.
And I think, and I'm curious to get your perspective on this, that contract that we talked about, I mean, making sure audit and risk is part of the contracting process and making sure we've at least aligned on what some of the key contract points are, and every organization's a little bit different in terms of what they are.
That's sometimes where I see the biggest early pitfall, because a lot of times if someone just goes out and signs a contract and they're not sure that some of those clauses are there, other than negotiation after the fact, you can't always dictate some of the terms if you've done that after the fact. You cannot. That's the greatest pitfall, I think, that you'll see in this third and fourth party space, that unfortunately a lot of the aha moments come a little too late. Yeah.
For me it's that right to audit clause specifically. I mean, there are a number of specific clauses that I think we should make sure are there: limited liability, termination, all of those. Yes. But if you can't audit your third parties and ultimately get to those fourth parties, it's almost impossible to even identify who the fourth or fifth or sixth parties are in the organization.
And then I guess, ultimately, when you think about an internal audit function that's just starting in this, or they're looking to take this to the next level, what's the one step you would have an organization take today to improve their approach here?
We've talked about a lot of different things here, but if you had to pick the one most impactful thing that they could do? Identify their critical third and fourth party relationships, using whatever means you have necessary through the first and second line, as I mentioned previously, to identify those. Because if you don't know who they are, you can't manage the risk. I think that's extremely well said.
To your point, if you don't know who they are, you might find out who they are at some point, but it's not going to be the way you want to know that they exist. It's not, at the end of the day. And I also think, to your point, you said it earlier, thinking about some of the key risks to your organization and where the biggest impacts could be probably dictates how to develop and mature a program too.
Because ultimately, if cyber and data breaches and data liability and unintentional disclosure are things that you're concerned about, you probably structure your program to be more focused on that to start. If you're really concerned about your sustainability reporting, maybe that's an area of focus for you too. But I also think that lens becomes really important as you are thinking about how to develop and mature a program.
It does, which is why I mentioned that senior leadership definition of not only what a third or fourth party is, but what is their intention? What are the risks that are most critical to them at the enterprise level? Because I think where we also get shortsighted as internal auditors is that we believe that risks are specific to the third party or fourth party type, and that is not true in this new environment. Cyber is related to every third and fourth party, right?
AI could be related to any type of third and fourth party. You mentioned several others: resiliency, and there are certain areas, privacy, that I am particularly interested in if I'm a senior leader, if it happens, no matter who the third or fourth party is. And so identifying those key risks upfront and making sure that you're managing them consistently across the organization, third or fourth party related, is really key to the success of any type of program or framework.
And you hit on something that I think is really interesting. I'm curious to see how you've been successful at this, working with senior leadership on this, because I've found it a very interesting dynamic. What has been your experience there? Because I feel like sometimes, in my experience at least, the senior leadership team doesn't always have full visibility, and they're not always as focused on third and fourth party risks.
So I'm really interested to hear how you've educated and developed some of those relationships too, to make sure that it is an area that they're focusing on from an operations perspective. Right. You know, I've spent my entire career in financial services, and so I would tell you, I don't have a whole lot of experience with seniors who don't know how important this part of risk is.
You know, we do a lot of our business with third and fourth parties, and so they are not only in tune, but they are asking and keenly aware of the risk that exists in this space. What I have seen as the industry has evolved over the years is a need for more information and more KPIs and metrics to be able to identify issues before they become a problem.
Right. You know, I think the data analytics have just got so advanced in being able to isolate and identify potential areas of concern before it even hits the radar of a performance report, before it hits the radar of an ongoing quarterly performance meeting with those vendors. And so I think over the years they are more keenly aware, at least in financial services, and are wanting that information before it becomes a problem.
That's an interesting point too, because I think that is a barometer of a successful program and function. If your leadership is asking for things like that, it shows that they're deeply engaged. And I think that's a hugely important thing that we should not overlook in terms of an auditor trying to mature the process. Right.
And I think, for smaller companies, that's really critical, because if they are aligned with senior leadership's identification of what first, third, and fourth parties are, and then, number two, the risks that they're most concerned about, they could just focus on those and let the contract owners focus on the day-to-day. Right. Which they are ultimately accountable for.
Because that's also a misnomer, in that when you centralize this function, all of a sudden that day-to-day monitoring becomes centralized. We don't have that relationship with those vendors directly. We leave that day-to-day monitoring with the business owners, where it appropriately should reside. Well said. Is there anything else you want to leave our listeners with in terms of things to think about or key important aspects from a fourth party risk perspective?
You know, I've been an auditor for a very long time, and this area could be a little daunting, especially for less skilled auditors or smaller shops. I think what I want to leave with them is: you are already equipped to understand what risks are.
Just because another party is doing it outside of your company doesn't necessarily mean that you can't get a handle on it and develop the appropriate, I would say, scale and understanding quickly, such that your team can focus on the right risk at the right time. Well said. Thank you so much for joining us today. It was a pleasure having you, and I'm looking forward to having you back soon. Pleasure talking to you too, Mike. Thanks for having me again.
Hey, audit pros, ready to supercharge your skills and connect with the best in the field? You absolutely need to check out the IIA's 2025 International Conference happening July 14th through the 16th in Toronto and virtually. This is your chance to dive into emerging risks, cutting edge tech and global best practices that will elevate your internal audit game. Don't get left behind; register now at theiia.org. If you like this podcast, please subscribe and rate us.
You can subscribe wherever you get your podcasts. You can also catch other episodes on YouTube or at theiia.org. That's T-H-E-I-I-A dot org.
