
Page 1

Auditing Vendor Third-Party Risk

AHIA Southeastern Region Conference - December 7, 2018

What can your Audit Department do?

Page 2

SPEAKER – MICHAEL LISENBY

Mike Lisenby is the Managing Partner of Rausch Advisory Services. Mike has 18+ years of experience in helping businesses manage their technology resources and compliance needs effectively. His experience includes consulting and co-sourcing, IT security, IT audits, regulatory compliance, and technology security assessments; risk identification, assessment and evaluation; risk response; risk monitoring; IT control design and implementation; and IT control monitoring and maintenance. Mike has held leadership roles with Arthur Andersen and several other national consulting firms, and has prior experience with Fortune Brands and Philip Morris.

He designed a Virtual Security Technology Center for a national consulting firm and ran an ethical hacking / penetration testing team for Arthur Andersen.

He has served on the Board of Directors for the Information Systems Audit and Control Association (ISACA/Atlanta & Milwaukee), and he holds a CRISC (Certified in Risk and Information Systems Control) certification.

Page 3

Scott Dwyer, Director in the Internal Audit practice at Rausch Advisory Services, has extensive Internal Audit experience as a former consulting auditor, Director of Internal Audit, and Chief Audit Executive.

Scott is an innovative executive who effects positive change by combining real leadership with strong collaborative skills and expertise in internal auditing, regulatory compliance, and risk management.

His 20+ years of experience have been heavily focused on the healthcare industry where Scott has provided a wide range of services to each of the three legs of the healthcare stool: providers, payers, and regulators. Most recently Scott had been the Chief Audit Executive for Independent Health Association, a $2 billion health insurance company in Buffalo, NY.

Scott earned his MBA at the University of Buffalo and is a Certified Information Systems Auditor.

SPEAKER – SCOTT DWYER

Page 4

ABOUT US

Rausch recognizes that not every client is the same; each has unique needs. We are committed to meeting those needs.

Rausch accomplishes this by providing experienced, dedicated professionals who engage with our clients to achieve their objectives.

At Rausch we believe the most important thing is our employees; we treat them the way we expect they will treat our clients.

Client First

Finance & Accounting – Internal Audit – Information Security

Page 5

AGENDA

01 About Us: Michael Lisenby & Scott Dwyer and a brief introduction to Rausch Advisory Services LLC.

02 Third-Party Breaches: Latest news on vendor breaches that are affecting organizations today.

03 Audit Considerations: Addressing vendor risk management, and why and how you need to evaluate your third parties. What is Audit's role?

04 Tools & Technologies: Tools to enable the process, building an effective survey and defining the Vendor Assessment Process.

Page 6

[Word cloud: Law, Terms, Audit, Standards, Guideline, Policy, Transparency, Regulations, Requirements, TPRM, Vendor Compliance, VRM]

Programs

• Vendor Risk Management

• Third Party Risk Management

• Supplier Relationship Management

Page 7

Who Owns The Risk

“Information Security and Compliance typically don’t control who the organization does business with. Business owners do.”

Page 8

THIRD PARTY BREACH - NEWS

Page 9

VENDOR RISK MANAGEMENT

AUDIT CONSIDERATIONS

Page 10

Have you audited your company’s vendor management program?

Does your company have a formalized due diligence process covering contracting, services review and the overall monitoring and management of vendor relationships?

Does your organization have the appropriate controls in place to mitigate risks that are present in the vendor management program framework?

AUDIT CONSIDERATIONS

Page 11

Is your organization considering risk and controls during the sourcing and onboarding of vendors?

Which departments participate in the review and approval of new vendors? (Finance? Compliance? Procurement? IT Security? Information Risk Office?)

Does your organization have a central repository for all its vendor contracts?

AUDIT CONSIDERATIONS

Page 12

AUDIT CONSIDERATIONS

[Diagram: the 3C’s – Categorize, Compliance, Competencies]

How does the organization identify its risk exposure to vendors? (Hint: Do not rely solely on spending levels!)

Does the organization risk rate its vendors?

Page 13

AUDIT CONSIDERATIONS

Categorize: Establishing a risk assessment framework

• Categorize your vendors by service type and level of risk. Keep it simple: High, Medium, and Low.

• Work with internal partners to determine the risk criteria to measure.

• Perform an initial assessment of each vendor and repeat it each year.

Who should perform these risk assessments?

Page 14

AUDIT CONSIDERATIONS

Categorize: Establishing a risk assessment framework

Risk Assessment Qualitative Documentation:

Against which framework will vendors be measured?

Access needed to internal data?

Nature of data categorized by risk (PHI, PII, proprietary, corporate financial, identifiers, passwords)

Data and information security expectations

Page 15

AUDIT CONSIDERATIONS

Categorize: Establishing a risk assessment framework

Risk Assessment Quantitative Documentation:

Financial solvency baselines

Contract size

Beneficial owners of third-party's business

IT Security Ratings
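As an added illustration (not from the deck or Rausch's own methodology), the following Python sketches one way to turn the qualitative criteria on slide 14 and the quantitative criteria on slide 15 into the simple High/Medium/Low tiers slide 13 recommends, with contract size deliberately unable to drive the tier on its own (the "do not rely solely on spending levels" hint). The weights, the 0-100 security-rating scale and the sample vendors are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed weights for the "nature of data" criterion (slide 14 list); PHI and
# passwords sit at the top because exposing either is a reportable incident.
DATA_WEIGHTS = {"PHI": 5, "passwords": 5, "PII": 4, "identifiers": 3,
                "corporate financial": 3, "proprietary": 2, "none": 0}
AS_OF = date(2018, 12, 7)  # "today" for the re-assessment check (conference date)

@dataclass
class Vendor:
    name: str
    data_types: list        # qualitative: kinds of data the vendor handles
    internal_access: bool   # qualitative: access needed to internal data/systems
    security_rating: int    # quantitative: IT security rating, 0-100 (assumed scale)
    solvent: bool           # quantitative: meets the financial solvency baseline
    contract_usd: int       # quantitative: contract size in USD
    last_assessed: date     # date of the last completed assessment

def risk_score(v: Vendor) -> int:
    """Additive score built from the slides' qualitative and quantitative criteria."""
    score = max((DATA_WEIGHTS.get(d, 0) for d in v.data_types), default=0)
    score += 3 if v.internal_access else 0
    score += 3 if v.security_rating < 60 else 1 if v.security_rating < 80 else 0
    score += 2 if not v.solvent else 0
    # Contract size only nudges the score: spend alone never makes a vendor High.
    score += 1 if v.contract_usd >= 1_000_000 else 0
    return score

def risk_tier(v: Vendor) -> str:
    s = risk_score(v)
    return "High" if s >= 8 else "Medium" if s >= 4 else "Low"

def reassessment_due(v: Vendor, today: date = AS_OF) -> bool:
    """Annual re-assessment is due once 365 days have passed since the last one."""
    return today >= v.last_assessed + timedelta(days=365)

# Constructed sample vendors: a small PHI transcription contract, a large office-supply
# contract with no data access, and a mid-size SaaS vendor holding proprietary data.
VENDORS = [
    Vendor("Transcribe Co", ["PHI"], True, 55, True, 50_000, date(2017, 10, 1)),
    Vendor("Office Supply Inc", ["none"], False, 85, True, 2_000_000, date(2018, 9, 1)),
    Vendor("Analytics SaaS", ["proprietary"], True, 75, True, 200_000, date(2018, 1, 15)),
]

def tier_report(vendors, today: date = AS_OF) -> dict:
    return {v.name: (risk_tier(v), reassessment_due(v, today)) for v in vendors}

for name, (tier, due) in tier_report(VENDORS).items():
    print(f"{name}: {tier} risk, annual re-assessment due: {due}")
```

The $50k PHI vendor lands in High while the $2M supplier with no data access stays Low, which is the point of rating on exposure rather than spend.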

Page 16

AUDIT CONSIDERATIONS

Compliance: Are your vendors affecting your regulatory or VRM compliance program?

Is Internal Audit partnering with Compliance to evaluate vendors’ compliance activities and controls?

Does your company policy require evidence of third-party attestation: SOC, SOC2, PCI Certification, etc.?

Has the vendor developed strong HIPAA policies and controls?

What impact, if any, will the vendor have on your HITECH compliance?

Page 17

AUDIT CONSIDERATIONS

Compliance: Are your vendors affecting your regulatory or VRM compliance program?

Your company’s Vendor Risk Management Policy should require the following:

• Human resources security

• Physical and environmental security

• Baseline requirements for network and system security

• Baseline requirements for data security

• Baseline requirements for access control

• Baseline requirements for IT acquisition and maintenance

Page 18

AUDIT CONSIDERATIONS

Compliance: Are your vendors affecting your regulatory or VRM compliance program?

Your company’s Vendor Risk Management Policy should require the following:

• Require vendors to document their vendor management program

• Define the vendor’s incident response management responsibilities

• Define the vendor’s BCP and DR responsibilities

• Outline the vendor compliance requirements

• A strong right-to-audit clause!

Page 19

AUDIT CONSIDERATIONS

Competencies: On-going evaluation of a vendor is critical to the process. Evaluation and measurement are critical.

Incorporate information security management when qualifying a vendor.

Review information security throughout the life of the contract.

Your Board of Directors should be kept informed regarding the company’s vendor risk management program.

Page 20

AUDIT CONSIDERATIONS

Competencies: On-going evaluation of a vendor is critical to the process. Evaluation and measurement are critical.

What contingency plans does your organization have in place if a supplier for a critical process goes out of business?

Do your vendor contracts include a statement of work, delivery date, payment schedule, and information security requirements?

Does your program measure vendor performance against established SLAs?

Page 21

The Internal Auditor must be able to identify and assess the risks within each of the control activities reviewed during the audit of the vendor.

Additionally, mitigation plans need to be assigned and monitored for those risks that the audit has identified as needing remediation.

AUDIT CONSIDERATIONS

Page 22

TOOLS & SURVEYS

Surveys: Excel, Word, Dedicated Software, Survey Monkey

Frameworks: ISO, NIST, Cloud Security Alliance, COSO, COBIT

Evaluation: Automated Scoring, Manual Audit Team Review, Interviews, Manual Intervention

Automation: Platform to deliver, secure, retain and communicate; Flexibility; Ease of Use

Page 23

VENDOR ASSESSMENT PROCESS

• Data Export: Export assessments and evidence from the tool or email collection into a standardized framework so that they can be evaluated.

• Standardize Assessment: All assessments should be customized to fit your environment.

• Distribution: Initiate an assessment to the vendors.

• Communicate: Maintain communication to ensure assessments are completed timely.

• Annual Re-assessment: Organizations should provide ongoing governance throughout the vendor lifecycle.

• Approval or Rejection of Vendors: The client can use all evidence provided and any audits performed, combined with the scoring dashboards, to quickly approve or reject a vendor.

• Vendor Review: A review of the vendor’s self-assessment should be completed to ensure accuracy.

Page 24

Success Methods

• Process: Create a repeatable process that collects and measures the relevant information.

• Engagement: Proactively engaged relationships which nurture vendors towards your business goals.

• Education: Proactive, insight-driven campaigns which communicate the value of controls to mitigate risk.

• Community: Building advocates and creating opportunities with your providers and peers to share and learn.

Page 25

RAS Vendor 360

Ease of use

• Dedicated assessments
• Branded for your company
• Access through a browser
• Mobile Friendly
• Assessment can be sent in up to 46 languages
• Start and stop at your pace
• Intuitive logic

Dedicated Portal

• One place for all reporting of a vendor
• Efficiently assign assessments through invite forms
• Comparison reporting
• Auditor access
• Access through a browser
• Mobile Friendly

• Assessments are responsive to their screen size and support 46 different languages dynamically!

• Branded to your environment: vendors see your branding, with questions tailored and weighted to your requirements.

• Rausch utilizes RAS for internal audits, compliance reviews and enterprise risk assessments.

Page 26

THANK YOU

Address: 5825 Glenridge Drive, BLD 1 STE 212, Atlanta, GA

Contact Number: 404.775.1151

Email Address: [email protected]