How COSO Framework Can Help Mitigate Third-Party Risk
Companies are increasingly outsourcing many of their functions, which makes risk more complicated to manage. Outsourcing, which can be beneficial to companies that either lack bandwidth or specialized knowledge, isn’t necessarily the problem. The thing to remember is you don’t transfer the risk when you transfer the work.
The good news is that risk can be managed by leveraging well-accepted, step-by-step frameworks. Once implemented, a framework can help you identify and address the inherent risks of working with a third-party service provider and determine whether the costs of outsourcing are outweighed by their corresponding benefits.
Through this process, the case for or against outsourcing becomes clear and documented, whether the work in question is manufacturing a widget, moving the product, or providing insurance.
COSO 2013 Framework
This framework is helpful when management begins to outline and implement a plan to identify, assess, respond to, and monitor risk. The mission of the COSO (Committee of Sponsoring Organizations of the Treadway Commission) 2013 Internal Control—Integrated Framework is to develop guidance to help organizations minimize risk by establishing processes and improving controls.
While the framework might seem basic and logical, it’s surprising how often controls aren’t put in place to monitor third-party activity in particular. Let’s take a quick look at the five components and their 17 underlying principles that address third-party risk within the framework:
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring activities
Some of the points of focus within each of the 17 principles speak directly to incorporating third-party vendors and should be applied to your working relationship with outside service providers. The risk of not doing so is simply too great. While the 17 principles are broken down into 87 points of focus that provide a deeper dive into the framework, the following highlights the key points of the five components.
Control Environment
An organization’s officers and board must not only lead by example through their directives, actions, and behavior, but they’re also charged with establishing a formal process for conduct. It’s management’s responsibility to set the tone at the top by utilizing these principles:
Standards of conduct. Establish a code of conduct that applies to everyone, including associated third parties. Management should communicate this to vendors and include it in vendor contracts.
Oversight. Have a process to evaluate the performance of individuals and teams as it relates to the standards of conduct, including the performance of those in your third parties.
Structure, authority, and responsibility. Responsibilities for upholding the COSO framework are broken out by position within the organization. Through it all, it’s important to lead by example.
Accountability. Issues and deviations from the standards need to be identified and fixed quickly and consistently. Everyone, including third-party vendors, must be accountable for their performance.
Risk Assessment
Reputational risk is the biggest concern when relying on third parties because you don’t know what you don’t know – and it’s much bigger than whether or not you’re getting your widgets on time or at all.
Review contracts periodically to make sure they meet your needs and expectations, as times of transition can mean lapses in controls. Reassess when there are changes to the regulatory, economic, and physical environments in which your organization operates, as well as changes to your business model or leadership.
Control Activities
Performing control activities helps create responses to address and mitigate risk. A big part of this is technology controls. To protect an entity’s assets from external threats, management must design and implement these controls so that access to IT environments is restricted to authorized users and data processing is complete, accurate, and valid.
Information and Communication
Internal controls are useless if you don’t have a means in place to communicate them. Management and the board of directors need to facilitate an open and honest two-way flow of information so employees, vendors, and management can fulfill their respective roles as laid out by the standards of conduct.
In the case of reporting fraud, anonymous hotlines are necessary so potential whistleblowers feel it’s safe to report red flags when normal channels break down. For instance, quality issues stemming from third-party activity should be discovered in the warehouse and communicated upward. If your customers are the first to surface quality control issues, you may already be sunk.
Monitoring Activities
You can only mitigate risk if you can identify it, evaluate which controls are working and which aren’t, and then make adjustments. While their work is contracted, outside service providers should be seen as a part of your organization and subject to the same controls and evaluations.
The line of communication should also be open externally for shareholders, partners, owners, regulators, customers, and financial analysts, among others. This allows relevant information to be communicated to the board, whether through assessments conducted by external parties or through anonymous tips delivered through whistleblower hotlines accessible to those inside and outside the organization.
Risk is everywhere, and it’s those organizations that recognize it and approach it thoughtfully that stand the best chance of alleviating it.
Steve Fineberg, CPA, is a senior manager with Business Risk Management and Control Solutions at Moss Adams LLP. He has provided auditing, accounting, and consulting services since 2003, and has extensive experience performing business process and IT...