By Jeanette McKeever, CCBIA, Director of Internal Audit, Young & Associates
In today’s financial landscape, banks and credit unions increasingly rely on third-party vendors to meet regulatory demands, leverage technological advancements, and maintain competitive edges. However, these relationships introduce various types of risks in internal audit, from compliance and operational risks to reputational and strategic risks. Amidst economic uncertainty, increased digitalization, and growing supervisory attention, many financial institutions are reviewing their third-party risk management (TPRM) frameworks to ensure they are robust and comprehensive.
Here, the role of internal audit becomes indispensable. Internal audit’s role in TPRM goes beyond mere compliance. By leveraging their unique skills and perspectives, internal auditors can help institutions identify, monitor, and control risks while achieving strategic goals.
Understanding Third-Party Risk in Banking
Third-party relationships and their associated risks require careful management. Ineffective oversight of the complex operational, financial, technological, and legal agreements governing these extended business relationships can lead to brand or reputation damage, data security breaches, and significant financial losses. Additionally, such oversight failures can result in errors in financial reporting, compounding the challenges and potential impacts on the institution.
Financial institutions are entrusting an increasing percentage of their operations to third parties, prompting regulators to scrutinize these relationships more closely. The updated interagency guidance from the Federal Deposit Insurance Corporation (FDIC), the Federal Reserve Board (FRB), and the Office of the Comptroller of the Currency (OCC) outlines the regulatory expectations for managing third-party risks throughout the relationship lifecycle: planning, due diligence, selection, contract negotiation, ongoing monitoring, and termination.
Monitoring vendor performance is also a regulatory requirement for credit unions. The National Credit Union Administration (NCUA) specifies the criteria for assessing vendor performance in their 2007 supervisory letter SL No. 07-01, “Evaluating Third-Party Relationships.” This guidance emphasizes key areas for third-party relationship management, including risk assessment and planning, due diligence, risk management, monitoring, and control.
The Role of Internal Audit in Third-Party Risk Management
Though Chief Risk Officers are typically responsible for managing third-party risks, internal audit plays a crucial role as the third line of defense. Internal auditors bring essential skills, capabilities, and perspectives to thoroughly examine TPRM programs, identifying gaps or areas for improvement that might have been missed by the second line of defense. The board relies on internal auditors as an extra layer of security to ensure that third-party risks are properly identified and assessed, appropriate internal controls are in place, and timely risk intelligence is generated to inform decision-making.
Leveraging Internal Audit to Improve Third-Party Risk Controls
Internal audit can contribute significantly to managing third-party risks through various areas:
- Pinpointing Critical Contracts: Internal auditors can assist in identifying high-risk third parties and ensure they receive more frequent scrutiny. This can help with prioritizing risk management efforts.
- Assessing Risk Management Programs: They can evaluate the effectiveness of third-party due diligence processes and controls, conducting research to gauge the risk level and reputation of third parties.
- Reviewing Compliance with Governance Standards: Internal auditors can verify if the financial institution’s processes for selecting and managing third parties adhere to governance requirements and include necessary risk and compliance clauses in contracts.
- Evaluating and Improving Risk Controls: They can assess the effectiveness of risk management controls, ensure regulatory compliance, and check for “right to audit” clauses in third-party agreements.
- Facilitating Informed Decision-Making: Auditors offer valuable insights into third-party risks. They also evaluate decision-making and contract management processes. This ensures that these processes align with the bank or credit union’s strategic objectives. Additionally, auditors verify that the processes provide sufficient risk protection.
- Assessing Performance and Identifying Opportunities: They review global third-party performance, detect inconsistencies, and recommend best practices for effective risk and performance management.
Integrating Internal Audit into Third-Party Risk Management Strategies
1. Independent Vendor Risk Assessment and Identification
Conducting a risk assessment is essential for the initial decision-making process regarding whether to establish a third-party relationship. Internal auditors bring an independent perspective to the assessment and identification of third-party risks. They can perform thorough risk assessments to identify all third-party relationships and associated risks. This independent evaluation helps ensure no significant risk is overlooked, and it provides a holistic view of the financial institution’s third-party risk landscape.
2. Vendor Due Diligence and Selection Oversight
The due diligence process equips management with the necessary information to evaluate both the qualitative and quantitative aspects of potential third parties, determining whether a relationship will support the financial institution’s strategic and financial goals while mitigating identified risks.
If your financial institution has its own internal audit team, involving them in the due diligence process for vetting potential third-party relationships can be highly beneficial. Though not prevalent practice in community banks and credit unions yet, leveraging your institution’s third line of defense can enhance third-party risk management processes and provide an extra layer of protection.
Internal audit teams can provide oversight during the due diligence and selection phases of third-party relationships. They can assess the processes used for selecting third parties to confirm that the institution has effective policies and procedures in place. By ensuring thorough due diligence, internal auditors help identify potential risks early on. Their oversight includes evaluating the third party’s operational quality, compliance capabilities, risk profile, and long-term viability.
3. Contract Management and Compliance
Financial institution management should ensure that the specific expectations and obligations of both the financial institution and the third party are clearly defined in a written contract before finalizing the arrangement. Board or committee approval is required for many material third-party relationships, and significant contracts should be reviewed by appropriate legal counsel before finalization. The level of detail in contract provisions will depend on the scope and risks associated with the third-party relationship. Effective contract management is crucial for mitigating third-party risks. This involves not just due diligence but also thorough processes in agreement formation, publication, activation, compliance with service delivery, analysis, optimization, and offboarding.
The internal audit function can engage in contract management in two key areas:
- Auditing the overall contract management process.
- Reviewing active contracts with critical vendors.
Auditing the Contract Management Process
An effective contract management process is crucial for maintaining strong performance across your institution. Even minor inefficiencies can lead to significant issues, particularly when your financial institution aims to grow and scale. A robust contract management system contributes to a thriving institution.
Regular audits of your contract management lifecycle can reveal hidden costs and growth opportunities. These audits should assess process deficiencies, compliance issues, and historical management practices. Start by identifying key stages in your process and setting benchmarks for measurement. Key stages often include planning, due diligence, selection, contract negotiation, ongoing monitoring, and termination, as outlined in regulatory guidance.
Evaluate your management practices within each stage. Is the contract management process clearly defined? Are roles and responsibilities assigned? Who ensures compliance with service-level agreements (SLAs)? Addressing these questions through a contract management audit can help identify risks and gaps, ensuring a more effective and efficient process.
Reviewing Active Contracts with Critical Vendors
Begin by inventorying and segmenting critical vendors based on risk levels to identify those most critical to audit. Incorporate audits of high-risk and important service provider contracts into your annual audit plan. Gain an understanding of the key risks associated with each service provider and thoroughly review their contracts.
Internal auditors can review critical third-party contracts to ensure they include comprehensive risk and compliance clauses. This includes verifying that contracts have “right to audit” provisions, which allow the institution to monitor third-party compliance continuously. Once you’ve established your audit rights, you can start the contract audit by assessing key legal and business risks. Look for deficiencies and compliance issues in the contract, and consider conducting on-site reviews if your audit rights permit. An efficiency audit may also be warranted to ensure services are delivered as per the contract and service level agreements.
After completing the audit, validate the results, identify root causes, and propose solutions. Finally, communicate the results to the contract owner and key stakeholders, ensuring they are informed of the findings and recommended actions.
4. Ongoing Monitoring and Reporting
Once a third-party relationship is established, continuous monitoring is essential to manage evolving risks. Internal audit can play a vital role in developing and implementing monitoring frameworks that track third-party performance, compliance, and risk exposure. Regular audits and reviews can provide senior management with timely risk intelligence, enabling informed decision-making and ensuring that effective internal controls are in place.
5. Internal Audit Collaboration with Risk Management Functions
Internal audit of third-party risk management becomes more effective when auditors and risk managers collaborate and share information, leveraging each other’s abilities and tools. By working closely with risk, compliance, and other departments, internal auditors can ensure that third-party governance policies and procedures are consistently applied across the bank or credit union.
By integrating third-party risk assessments with audit plans, both auditors and risk management teams can eliminate redundancies in the risk evaluation processes. This approach also helps standardize the risk language used and offers management teams and boards a comprehensive view of the financial institution’s third-party risk profile. This collaboration integrates TPRM into the overall risk management strategy, enhancing the institution’s ability to manage third-party risks.
Building a Robust Third-Party Risk Management Framework
To effectively manage third-party risks, financial institutions should establish a comprehensive TPRM framework. TPRM necessitates a framework that holds the board of directors and senior management accountable, requiring them to adjust the principles based on the size, scope, and criticality of the products or services provided by third parties. This framework should be consistently applied across the institution and integrated into its operational, risk, and compliance management activities. As discussed, key components of a robust TPRM framework include:
- Defining and Inventorying Third-Party Vendors: Internal audit can assist in identifying and inventorying all third-party relationships, categorizing them by risk level and criticality.
- Risk Appetite Assessment: Assessing the bank or credit union’s risk appetite concerning third-party relationships, particularly those in high-risk locations or industries.
- Enhanced Vendor Due Diligence: Conducting enhanced due diligence for critical third-party relationships, ensuring alignment with the institution’s risk profile and regulatory requirements.
- Ongoing Monitoring and Performance Standards: Establishing and maintaining rigorous monitoring and performance standards for third-party relationships, ensuring continuous compliance and risk management.
- Training and Awareness: Providing training for stakeholders on TPRM processes and the importance of effective third-party risk management.
Risk-Based Internal Audit for Financial Institutions
With regulatory bodies calling for enhanced third-party oversight, the imperative for thorough risk and assurance functions has never been greater. These functions must delve deeply into the third-party network to ensure that critical risks and compliance requirements are diligently managed and monitored. Internal auditors are pivotal in this endeavor and should seek to broaden their role in fortifying third-party risk management.
At Young & Associates, we understand the critical importance of robust TPRM processes and offer expert consulting services to help banks and credit unions strengthen their internal audit functions, risk management, and more. By leveraging our expertise, financial institutions can enhance their third-party risk management frameworks, ensuring compliance, mitigating risks, and achieving strategic objectives. Ultimately, effective TPRM is not just about regulatory compliance; it’s about creating a resilient and thriving financial institution.
For more information on how Young & Associates can support your internal audit needs, click here.
