Online Exclusive: The Fourth-Party Factor

Articles | Logan Wamsley | Nov 17, 2025

Modern financial institutions rely on many outside companies to deliver services to customers, and they must consider those third parties in their risk management strategy. However, there is another group that could create even bigger risks: the subcontractors working for those companies, known as fourth parties.

As financial services become more complex, firms often work with hundreds of fourth-party subcontractors, making it difficult to assess the risks those providers pose. Internal auditors need to pay close attention to fourth-party risks and make sure they are included in the audit plan.

Understand the Risks

Financial firms work directly with third-party providers, so their operations, governance, and controls are somewhat clear and straightforward for internal auditors to review. This transparency, along with guidance from The IIA’s Third-Party Topical Requirement, helps auditors assess risks. However, internal auditors don’t have that luxury with fourth parties.

“These entities have been contracted by third parties who we contract with but not by us directly,” says Shontelle Mixon, divisional senior vice president, Internal Audit and Special Investigations, at Chicago-based insurance company Health Care Service Corp. “So, the risk has increased because companies don’t always include the appropriate contractual obligations.”

Indeed, many institutions do not have any contact with fourth parties — or even know they exist. This presents an array of unanticipated issues, according to Jill Czerwinski, managing principal, Risk Consulting at Crowe in Hinsdale, Ill. “Especially when it comes to your most critical vendors, fourth-party relationships can expose you to reputational and cybersecurity risk,” she writes in a blog post, “Fourth-Party Risk Is Daunting — Make It Manageable.”

Firms also must address operational risk. “If you rely heavily on a third-party vendor for your day-to-day operations and that vendor relies on a critical subcontractor, what happens when that subcontractor experiences a disaster or interruption in service?” Czerwinski notes. “In that case, the dominos can begin to fall: The subcontractor’s disaster knocks your third party offline — and depending on the vendor, that interruption could bring entire areas of your business to a standstill.”

Identify Relevant Parties

To address fourth-party risk, Mixon suggests that internal audit teams work closely with stakeholders to determine which third-party vendors to prioritize. Internal audit should focus more on vendors that pose the greatest risk. Although this approach may not reveal fourth parties directly, it will narrow the focus on the third parties whose vendors require the most attention.

“It seems really basic, but identifying who you’re targeting is the first step toward identifying what risk you’re trying to manage,” says Mixon, who was featured in the “All Things Internal Audit Tech” podcast episode “The Rise of Fourth-Party Threats.”

Protiviti’s Third Party Risk Management Framework details considerations for evaluating third-party risk, including assessing:

  • Inherent risk based on the services the vendor will provide.
  • Third-party arrangements.
  • Overall residual risk.
  • The risk mitigation plan.

“A detailed evaluation of each third party will be required, focusing on the key risk identified and including considering the use of fourth parties, data flows, and common ownership and networks that may allow data to be shared beyond the planned activities,” the framework notes.

Internal audit also should dig deeper into available documentation to locate fourth parties that aren’t mentioned in those agreements. Auditors may find this information in areas such as accounts payable and expense reports.

The KPMG blog post, “Elevating Fourth-Party Risk Oversight for Financial Services,” recommends strategies for managing fourth-party risk. Internal auditors can use these strategies to identify subcontractor relationships and understand how much their third parties depend on them:

  • Maintain an inventory of subcontractors.
  • Review contracts between the organization’s third parties and their subcontractors for alignment with obligations to the organization.
  • Directly evaluate subcontractors, subject to contractual allowances.
  • Check whether the organization requires third parties to demonstrate due diligence and ongoing monitoring of subcontractors.
  • Understand interlinkages across the supply chain and the impact on the organization's critical business processes because of concentration risk.

Evaluate Contracting Controls

After identifying the highest risk fourth parties, internal audit should assess where additional contractual controls and due diligence are needed for future evaluations. “For example, if you’re entering into a vendor relationship with a development firm that relies on a subcontractor for 80% of its work, then you might want to insert a clause into your contract giving you the contractual right to assess the subcontractor directly,” Czerwinski advises.

To address fourth-party risk, the American Bankers Association advises financial institutions to include two controls in vendor contracts:

  • Stipulate that vendors must inform the institution if they outsource a critical function to another provider.
  • Require vendors to inform the institution if they change critical vendors.

Hold Third Parties Accountable

Even after internal audit evaluates fourth-party risk, there is only so much the organization can do to address it because it doesn’t have a contract with the subcontractor. One thing auditors can do is check whether vendors have strong programs to manage their own third-party risks.

“Before you can feel confident in your vendors’ third-party risk management activities, you’ll need to examine their programs and make sure they’re performing due diligence on their own vendor relationships,” Czerwinski writes. “If your vendor can prove that their third-party risk management program meets your expectations and adequately addresses risk, you can feel much more confident that fourth-party risk is under control.”

According to the American Bankers Association, a vendor’s System and Organization Controls (SOC) 2 report can reveal how it performs due diligence on its subcontractors’ risk, including:

  • Third-party vendor scope.
  • Audit evaluations.
  • Monitoring processes and controls.

Internal auditors should not rely solely on the SOC 2 report to assess contractors’ third-party risk programs. “We’re not only isolating what we think are the key processes and controls in reports, but we’re also making sure the actual party is doing that work and performing those controls,” Mixon says. “We might have to go to an offsite location to engage with the third party to make sure we have the controls rightly identified in those reports.”

Control Takes Strategy

Not knowing what risks might be hidden by fourth parties can be daunting for internal auditors. Such risks may seem mysterious, but helping their organization put a strong third-party risk management strategy in place can keep them under control.

Logan Wamsley

Logan Wamsley is associate manager, content development at The IIA.