Third-Party Monitoring for Small and Medium Businesses
Leaders must recognize and understand the factors that promote strong third-party monitoring. Ensuring that your products/services are provided on time is only a piece of the puzzle. Managing third-party relationships, building strong payment protocols, being better informed about their operations concerning privacy, security, processing integrity and confidentiality, and knowing the geographic challenges associated with growth can help keep risks under control. Ultimately, it is your company, and you are still responsible and accountable for what happens.
Creating value in your third-party network while simultaneously mitigating risks to your company requires coordination between multiple stakeholders in the business including procurement, personnel, information technology, legal, compliance and finance. Vetting potential third-party relationships is a critical first step to mitigating risk to your organization, but it’s only the first step. By working together across the business, these various stakeholders can design a strategy for using third-party relationships to increase value within the supply chain. Companies that succeed can both protect their brands and drive business growth.
How Do You Define “Third Parties”?
For the purposes of this article, the term “third parties” includes:
- Consultants: auditors, lobbyists, management consultants
- Contractors: temporary employees, subcontractors
- Agents: international intermediaries, domestic agencies, local advertisers and marketers
- Vendors: data vendors, maintenance, on-demand service providers, offshore service providers
- Suppliers: branded, white-branded or third-party branded material suppliers and manufacturers as well as those suppliers’ suppliers
- Distributors: dealers and resellers, foreign distribution firms and their local resellers
- Joint ventures: partnerships, international joint ventures (factories, manufacturers, dealers), franchisees
What Is Third-Party Monitoring?
Third party monitoring must cover all activities related to your third parties, including risk ranking, screening, data collection, documentation, and ongoing monitoring. It refers to the studied assessment of third parties and their principals both before and during an engagement. It can include conducting a business culture and ethics review of the third party provider through questionnaires and interviews, as well as analysis of critical databases and reputational reporting or searching for “red flags”. It may also include active, continuous and real-time monitoring of your third party engagements for changes in status from the original screening and any changes to the third party’s risk profile.
Even organizations that are admirably diligent with their own internal ethics and compliance programs often find that the risk their third parties represent lies outside their comfort zone, and they feel they have little control over it. In this instance, having a monitoring plan in place allows organizations to stop losing sleep at night over whether their third parties are putting them at risk.
A Simple Tool for SMBs for Third-Party Monitoring
As can be seen from the paragraphs above, third-party monitoring can be all-encompassing, resource-crunching, time-consuming and expensive. Many SMBs cannot afford such an exhausting program on an ongoing basis. What should an SMB do to start taking steps toward monitoring its third parties? We suggest a simple approach: administer surveys to your third parties on an annual basis. This allows your company to see how your vendors compare and where there is risk.
With the increased digital transformation in organizations, information security is becoming a key area of focus, and so is an organization's ability to monitor its third parties in relation to information security. We recommend asking your third parties for their Service Organization Controls SOC 1 and/or SOC 2 Type 2 report(s). These reports are completed by a CPA firm to independently assess third-party operations for internal controls over financial reporting (SOC 1) and/or one or more of data and information security, availability, processing integrity, confidentiality and privacy (SOC 2). If your third party does not have a SOC report, Withum has developed a simple information security questionnaire that most SMBs can administer on an ongoing basis to all their third parties. This will help you learn more about the information security risk your third parties pose and the damage they could cause, and may create a culture of trust and transparency for a closer relationship.
To learn more about third party monitoring, tools for monitoring your vendors or additional insight into Withum’s questionnaire, contact a member of Withum’s Cyber Secure Services Group.
Sumit Pal, CISA, CGEIT, CRISC, MBA, Principal
T (609) 520 1188