2/14/2017


Outsourcing and the Need for Supplier Audits

John A. Gatto, Retired

April 3, 2017

Agenda

Why Audit Suppliers
Outsourcing
Supplier Risks
Minimum Security Standards
Audit Focus


Definitions

Third Party: any entity not under the direct business control of an organization (suppliers, business partners, marketing partners)

3rd Party Risk Management: encompasses supplier risk management and is more broadly focused on understanding organizational risks, including which risks a third party can affect, positively or negatively

3rd Party Inventory: a comprehensive list of 3rd parties from across the enterprise; should also include subsidiaries

• High level of risk
• Access to / custody of vital information
• Critical to the success of the business


Why?

$50 billion estimated annual losses to business from data and identity theft

3rd parties are a major source of data breaches of regulated data

74% of companies do not have a complete inventory of all 3rd parties that handle personal data of their employees and customers (A)

73% of companies lack incident response processes to report and manage breaches at 3rd parties that handle data (A)

Breaches and non-compliance can lead to brand reputation damage, fines, lost revenue and / or regulatory sanctions

Financial impact: investigations, legal fees, monitoring services for victims, reissuance of credit cards, government fines, etc.

(A) PwC 2014 Global State of Information Security Survey

Regulatory Requirements

GLBA
PCI DSS
HIPAA
OCC / FFIEC
FDIC
ISO 27001


Key 2016 CEB Hot IT Spots: Third Party Relationships

Externalization of application development, infrastructure operations and back office processing is continuing to rise

Complex sourcing options and persistent economic volatility, poorly structured contracts, ineffective supplier risk management and lower quality services

Add to Audit Plan:
3rd party contract evaluation
3rd party compliance review
Supply chain management assessment
Third party information security audit

Key Risk Indicators

Number of compliance violations attributed to 3rd parties
Number of 3rd parties with access to sensitive company data
Use of the right to audit clause
Number of 3rd party contracts established outside the procurement function
Frequency of business interruptions caused by 3rd party control breakdowns



Outsourcing

Transform non-core business processes and ensure that maximum value from resources is focused on core processes

Partnering with an outsourcer is a very effective means to build a company that is capable of meeting future needs and turning on a dime at a moment's notice

Delegate one or more business processes to an external provider who owns, administers or manages the processes based on performance metrics


Outsourcing Risks

Handling and processing of data
Security and access
Retention of data
System availability
Specific business factors

Areas for Outsourcing

• IT
• Accounting
• Corporate Services
• Document Management
• Healthcare processing
• Call Centers
• SOX / MAR Compliance
• CRM Storage
• Facilities
• Printing
• Internal Audit
• Real Estate
• Product Development


Major Types of IT Outsourcing

Application management
Infrastructure management
Help desk services
Independent testing / validation services
Data center management
Systems integration
R&D services
Managed security

Outsourcing Life Cycle

ALIGNMENT
• Validating the strategy
• Identifying options
• Preparing the business model
• Agreeing on sponsorship and building the team

FEASIBILITY
• Building the business model and case
• Creating the baseline
• Understanding the market
• Assessing and benchmarking options


Outsourcing Life Cycle (continued)

TRANSACTION
• Structuring the deal
• Agreeing on outsourced assets
• Negotiating the contract
• Delivering the deal and the business case

TRANSITION
• Delivering the change
• Getting quick returns on investment
• Establishing the culture
• Managing people

OPTIMIZATION & TRANSFORMATION
• Monitoring the contract and resolving disputes
• Transforming the business
• Reassessing the relationship
• Delivering the business case – realizing the benefits

TERMINATION / RENEGOTIATION
• Determine SLA adherence – both parties
• Decide if the agreement should continue or end
• If end, invoke the termination process
• If continue, renegotiate the contract



Supplier Risk Problems

What types of data do my suppliers have access to?
How are my suppliers protecting my data?


Highest Risk Industries

Government
Healthcare
Banking
Investment / Fund Managers
Payroll Management Companies
Financial Services

Outsourcing Life Cycle - Risks

Alignment: outsourcing strategy is not aligned with corporate objectives.
Feasibility: assumptions (payback period and savings) are wrong - inadequate due diligence on suppliers and the organization's failure to assess relevant risks.
Transaction: procurement policies not met; proper service-level agreements not implemented; regulatory implications not considered; contingency arrangements not planned.
Transition: lack of formal transition planning, failure to plan for retention of appropriate skills, and ineffective escalation and resolution of operational IT issues.
Optimization and Transformation: the outsourcing contract is not managed effectively - outsourcing benefits and efficiencies are not achieved.
Termination and Renegotiation: inadequate termination of outsourcing processes.


Risk Management

Diagram: Suppliers – The Enterprise – Customers, with data flowing across each link

Supplier Risk Management: the process of assessing, mitigating and remediating key areas of risk around the suppliers that provide services to an organization

Customer Risk Management: the process of responding to, mitigating and remediating key areas of risk identified by customers. This is both a proactive (self identified) and a reactive (customer identified) process

TPRM – What It Is

Third Party Risk Management (TPRM) is the process of analyzing and controlling risks presented to your company, your data, your operations and your finances by parties OTHER than your own company.

Due Diligence is the investigative process by which a company or other third party is reviewed to determine its suitability for a given task. Due diligence is an ongoing activity, including review, monitoring, and management communication over the entire vendor lifecycle.

No universally accepted framework exists for TPRM comparable to COBIT or COSO


Parties in Risk Management

Business Operations
Compliance
IT Security
Procurement
Finance
Internal Audit
Legal

TPRM - Process

Initial Risk Review
• Based on risk tier
• Documentation review
• On-site review
• Business process documentation
• Inherent risk / residual risk
• Remediation plan

Ongoing Monitoring
• Both for changed risks and for changes at the third party

Recurring Reviews
• Based on risk tier


Classes of Data Suppliers Handle

For each classification of data handled by a supplier: examples of the type of data handled, and examples of the supplier business relationship.

Confidential
• Data: protected health information, medical records, patient / member information, treatment & condition information, credit card information, member address, phone number, biometric info, email address, date of birth
• Suppliers: outsourced software development, outsourced software maintenance and support, customer / member helpdesk, claims processing, mail / envelope stuffing and fulfillment

Restricted
• Data: payroll information, employee performance data, HR and personnel records, proprietary and trade secrets, proprietary code & business logic, investigations, tax information, employee info, highly sensitive reports
• Suppliers: professional services firms, consultants and advisory firms, professional service contractors, payroll and check printing services, benefits administration services, tax compliance services, HR consulting and outsourcing services

Internal
• Data: reports / assessments, findings and recommendations, strategy / roadmap documents, internal company memoranda, budgets, financial data, projections
• Suppliers: mission critical consultants and contractors

Public
• Data: marketing and promotional materials, mailings and solicitations, public relations, campaigns and outreach, telemarketing, surveys, advertising material, web and media
• Suppliers: advertising agency, event marketing firm, web-design and digital media services, printing and graphics design, marketing and survey companies


Risk Levels by Types of Data

Chart: the risk level (Low, Medium, High) rises with the classification of data handled by the supplier, from Public through Internal and Restricted to Confidential

Supplier Risks

Contract language not clear / missing a critical component
Cannot meet the contract due to financial issues
Security issues / data breaches affect the company brand
Adherence to employment requirements
Not able to provide services that match SLAs
Inadequate recovery processes


Supplier Risks (continued)

Country-specific laws and regulations hinder performance
Data accessed outside of the business arrangement
Subcontractors not adhering to main contract provisions
Cost reductions not met
Loss of business knowledge
Customer restrictions
Process discipline
Scope creep
Turnover of key personnel
Knowledge transfer
Internal control structure
Culture


Supplier Landscape Considerations

On-shore versus off-shore suppliers
• Risks in both
• Sensitivity with many customers about the availability of their data to off-shore personnel

Volume & sensitivity of data
• Increased reliance on supplier solutions to work with your most sensitive data requires that you are cognizant of the shared risk

How data is accessed, stored, transmitted & viewed
• More control when suppliers access the data via your network
• More risk when data leaves your network

Maturity of supplier & supplier's security program
• Understand the supplier's commitment to security & reducing risk - a stolen unencrypted laptop can harm company reputation if data is exposed

Supplier Contracting

Stakeholders: Supplier, Contracting, Security, Privacy, Business, Legal, Audit


Supplier Security Controls Life Cycle

Phase: considerations

Strategy & Planning: privacy, audit, legal & security requirements

RFP: supplier ability and method to meet contractual requirements; supplier security controls questionnaire

Contracting: business associate agreements; minimum security requirements

Implementation: requirements for data access, connectivity, data transfer, etc.; understanding the process for incident notification

Monitoring: supplier security controls questionnaire; supplier assessments / audits

Contract Termination: protocols over data when the relationship no longer exists


Due Diligence

Audited financial statements
Experience & capabilities
Business reputation
Qualifications & experience
Existence of significant complaints, litigation or regulatory actions
Use of other parties or subcontractors
Scope of internal controls, systems, data security and audit coverage
Business resumption strategy & contingency plans
Adequacy of management information systems
Supplier management processes
Insurance coverage

Contract Risks

Understanding your needs
Establishing stakeholders and defining roles
Defining business and technical requirements
Defining supplier requirements
Supplier outsourcing


Key Contract Components

Scope
Data protection, privacy, and intellectual property
Price protections
Third-party assignments
Ownership of assets used or created by the partnership
Conflicts among different legal systems
Contingency planning and change management
Right to audit
Termination
Dispute resolution
Confidentiality & security

Key Items to Understand

How is the contract structured for suppliers: standard, master service agreement, amendments, exhibits, appendices, etc.?
Do you have a "right to audit" clause in the contract?
Are services detailed?
Are locations identified and addresses provided?
Are resources assigned?
Is system access identified?
Are minimum security requirements included?


Minimum Security Requirements

Security Assessment
• Conduct an annual security assessment
• Identified gaps require remediation plans

Security Officer
• Appoint a person who is the Security Officer and/or is responsible for compliance

Implement Security Policies and Procedures
• Document the administrative, technical and physical controls to protect data
• Include appropriate disciplinary provisions for data security violations

Awareness & Training
• Have data security awareness and training
• Personnel receive training prior to contact with data

Security Monitoring
• Continuously monitor security events / conduct periodic reviews of activity
• Implement hardware, software and procedural audit control mechanisms

Incident Response
• Timely notification of suspected / actual data compromise
• Steps to prevent further damage and corrective action steps to stop the incident from recurring


Minimum Security Requirements: Physical Security

• Monitor building exterior and all entrances
• Process for logging and escorting visitors
• Deploy / monitor cameras 24 x 7
• Deploy and use an electronic access control system
• Have solid floor-to-ceiling walls
• Provide alternate power sources
• Do not display any information about the Company
• Data received in paper or portable media stored in locked containers, etc.

Physical Security outside the US - additional requirements

• Be enclosed by a compound wall with entry / exit gate attended by a security guard 24x7
• Restricted access parking requires:
  • vehicle identifiers
  • vehicle examination prior to entrance (visual inspection of undercarriage, interior of vehicle, interior of trunk, etc.)
  • presentation of employee identification badge prior to entrance


Minimum Security Requirements: Workstation Security

Workstations shall be positioned so that XYZ data is not visible outside of the designated XYZ production area

Workstations shall lock after no more than 10 minutes of inactivity. Supplier personnel shall be instructed to lock their workstations whenever they are away from their desks.

Laptops shall not be used to access, process, transmit or store data

Print capability is disabled

Access to applications is limited. Applications not required for processing data are disabled.

USB and CD/DVD drives are disabled

End-point firewalls are installed on all supplier workstations and configured to prevent unauthorized network access attempts
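The workstation requirements above are testable. As an added example, not part of the presentation, the Python below expresses them as checks over a workstation configuration snapshot and returns one finding per failed requirement, so an auditor can run the same checks over every workstation in a supplier's production area and compare results. The snapshot layout, its key names, the host names, the WS-n identifiers and the application allow-list are constructed assumptions; an endpoint agent or a registry / policy export would supply the real values.

```python
"""Check a supplier workstation configuration snapshot against the minimum
workstation security requirements.

Added example, not from the presentation. The snapshot layout and key names
are assumptions: a flat dict such as an endpoint agent or a registry/policy
export might produce. Both snapshots below are constructed.
"""
from __future__ import annotations

MAX_LOCK_SECONDS = 10 * 60                       # lock after no more than 10 minutes
FIREWALL_PROFILES = ("domain", "private", "public")
ALLOWED_APPS = {"claims-client", "secure-mail"}  # assumed allow-list for the production area

COMPLIANT_WORKSTATION = {
    "hostname": "PROD-WS-01", "chassis": "desktop",
    "screen_lock_timeout_seconds": 600, "screen_lock_requires_password": True,
    "print_enabled": False, "usb_storage_enabled": False, "optical_drive_enabled": False,
    "installed_apps": ["claims-client", "secure-mail"],
    "firewall": {p: {"enabled": True, "inbound_default": "block"} for p in FIREWALL_PROFILES},
}

NONCOMPLIANT_WORKSTATION = {
    "hostname": "PROD-LT-07", "chassis": "laptop",
    "screen_lock_timeout_seconds": 0,            # 0 means the workstation never locks
    "screen_lock_requires_password": True,
    "print_enabled": False, "usb_storage_enabled": True, "optical_drive_enabled": False,
    "installed_apps": ["claims-client", "web-browser", "usb-sync-tool"],
    "firewall": {"domain": {"enabled": True, "inbound_default": "block"},
                 "private": {"enabled": False, "inbound_default": "allow"},
                 "public": {"enabled": True, "inbound_default": "block"}},
}


def check_lock(snap: dict) -> tuple[bool, str]:
    timeout = snap.get("screen_lock_timeout_seconds") or 0
    if timeout <= 0:
        return False, "no inactivity lock configured"
    if timeout > MAX_LOCK_SECONDS:
        return False, f"locks after {timeout}s, limit is {MAX_LOCK_SECONDS}s"
    if not snap.get("screen_lock_requires_password"):
        return False, "lock does not require a password to resume"
    return True, f"locks after {timeout}s and requires a password"


def check_no_laptop(snap: dict) -> tuple[bool, str]:
    ok = snap.get("chassis") != "laptop"
    return ok, "not a laptop" if ok else "laptop used to access or process data"


def check_print_disabled(snap: dict) -> tuple[bool, str]:
    ok = not snap.get("print_enabled", True)     # a missing key counts as enabled
    return ok, "printing disabled" if ok else "printing enabled"


def check_apps(snap: dict) -> tuple[bool, str]:
    extra = sorted(set(snap.get("installed_apps", [])) - ALLOWED_APPS)
    if extra:
        return False, "applications not required for processing: " + ", ".join(extra)
    return True, "only approved applications installed"


def check_removable_media(snap: dict) -> tuple[bool, str]:
    on = [k for k in ("usb_storage_enabled", "optical_drive_enabled") if snap.get(k, True)]
    return (not on), ("USB and CD/DVD disabled" if not on else "still enabled: " + ", ".join(on))


def check_firewall(snap: dict) -> tuple[bool, str]:
    fw = snap.get("firewall", {})
    weak = [p for p in FIREWALL_PROFILES
            if not fw.get(p, {}).get("enabled") or fw.get(p, {}).get("inbound_default") != "block"]
    return (not weak), ("inbound blocked on all profiles" if not weak
                        else "profiles not blocking inbound: " + ", ".join(weak))


CHECKS = [
    ("WS-1", "Lock within 10 minutes of inactivity", check_lock),
    ("WS-2", "No laptops for data access", check_no_laptop),
    ("WS-3", "Print capability disabled", check_print_disabled),
    ("WS-4", "Only required applications enabled", check_apps),
    ("WS-5", "USB and CD/DVD drives disabled", check_removable_media),
    ("WS-6", "Endpoint firewall blocks unauthorized access", check_firewall),
]


def evaluate(snap: dict) -> list[tuple[str, str, str]]:
    """Return (id, requirement, detail) for every requirement the snapshot fails."""
    findings = []
    for cid, requirement, check in CHECKS:
        ok, detail = check(snap)
        if not ok:
            findings.append((cid, requirement, detail))
    return findings


def is_compliant(snap: dict) -> bool:
    return not evaluate(snap)


if __name__ == "__main__":
    for snap in (COMPLIANT_WORKSTATION, NONCOMPLIANT_WORKSTATION):
        findings = evaluate(snap)
        print(snap["hostname"], "PASS" if not findings else f"FAIL ({len(findings)} findings)")
        for cid, requirement, detail in findings:
            print(f"  {cid} {requirement}: {detail}")
```

Two design points carry over to real audits: a missing setting is treated as a failure rather than a pass (an absent print or USB key counts as enabled), and the lock check rejects a timeout of zero, which on many platforms means "never lock" rather than "lock immediately".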


Minimum Security Requirements: Subcontractors

• Do not employ subcontractors unless express written permission is granted prior to implementing the arrangement
• Monitor the activities of subcontractors for compliance with the Agreement

Minimum Security Requirements: Encryption

• Comply with standards provided by the National Institute of Standards and Technology (NIST).
• For data in transit, use encryption technologies that comply with NIST standards and applicable state and federal regulations ("Approved Encryption").
• Implement technical security measures to guard against unauthorized access to data that is being transmitted over an electronic communications network. Encryption shall be the primary means of securing the data while in transit.

Other Security Requirements

Hard copy documentation
Remote access / network security
Asset tracking, disposal & destruction
Security safeguards for data in transit
Anti-malware
Patch management
Logical separation of data
Access to data
Development & testing
Business continuity / disaster recovery


Why Lax Supplier Management

No formal program or owner
No formal framework or guidance, so people don't know where to start
Time consuming
Too many vendors to assess OR lack of a vendor inventory to know who to assess
Manual process – spreadsheet driven
Vendors may be brought in on personal referral

Supplier Governance Framework

Align every IT outsourcing contract with the organization's key business objectives
Set up a monitoring mechanism
Manage changes in IT projects and services across complex portfolios
Establish direct and visible accountability for IT performance
Define specific ownership of key contract terms
Define well-integrated IT management processes for the client and service provider


Monitoring

Which suppliers require monitoring?
What should be monitored?
Who should conduct the monitoring?
How frequently?
When to do on-site versus remote?
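The monitoring questions above (which suppliers, how often, on-site or remote), the risk levels by type of data, the supplier landscape considerations and the key risk indicators from the CEB slide fit together into one tiering model. The Python below is an added example, not part of the presentation: it scores each supplier in an inventory by the most sensitive data class it handles plus landscape factors (off-shore personnel, data leaving your network, no assurance and no audit right), maps the score to a tier that sets review mode and cadence, and computes the KRIs over the whole inventory. The weights, thresholds, cadence, field names and the five sample suppliers are constructed assumptions; an organization would set its own.

```python
"""Supplier risk tiering and key risk indicators over a supplier inventory.

Added example, not from the presentation. Scoring weights, tier thresholds,
review cadence and the sample inventory are assumptions for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Data classification -> base score, following the deck's ordering
# (Public lowest risk, Confidential highest). An unknown class raises KeyError
# on purpose: an unclassified supplier must be classified, not scored low.
CLASSIFICATION_SCORE = {"public": 0, "internal": 1, "restricted": 2, "confidential": 3}
SENSITIVE_CLASSES = {"restricted", "confidential"}

# Tier -> (review mode, months between recurring reviews). Assumed cadence.
REVIEW_PLAN = {"high": ("on-site", 12), "medium": ("remote", 12), "low": ("questionnaire", 24)}


@dataclass
class Supplier:
    name: str
    data_classes: list[str]                 # classes of data the supplier handles
    offshore: bool = False                  # supplier personnel outside the home country
    data_leaves_network: bool = False       # data stored / processed on supplier systems
    right_to_audit: bool = False            # contract has a right-to-audit clause
    via_procurement: bool = True            # contract established through procurement
    assurance: list[str] = field(default_factory=list)  # e.g. ["SOC 2"], ["HITRUST"]


def inherent_score(s: Supplier) -> int:
    """The highest data class drives the base score; landscape factors add to it."""
    base = max((CLASSIFICATION_SCORE[c.lower()] for c in s.data_classes), default=0)
    score = 2 * base
    if s.offshore:
        score += 1
    if s.data_leaves_network:          # more risk when data leaves your network
        score += 1
    if not s.assurance and not s.right_to_audit:
        score += 1                     # no way to verify the supplier's controls
    return score


def tier(s: Supplier) -> str:
    score = inherent_score(s)
    return "high" if score >= 6 else "medium" if score >= 3 else "low"


def review_plan(s: Supplier) -> tuple[str, int]:
    return REVIEW_PLAN[tier(s)]


def monitoring_plan(inventory: list[Supplier]) -> list[tuple[str, str, str, int]]:
    """(name, tier, mode, months) rows, highest tier first, then by name."""
    order = {"high": 0, "medium": 1, "low": 2}
    rows = [(s.name, tier(s), *review_plan(s)) for s in inventory]
    return sorted(rows, key=lambda r: (order[r[1]], r[0]))


def handles_sensitive(s: Supplier) -> bool:
    return bool(SENSITIVE_CLASSES & {c.lower() for c in s.data_classes})


def key_risk_indicators(inventory: list[Supplier]) -> dict[str, int]:
    """KRIs from the CEB slide plus one for high-tier suppliers with no assurance."""
    return {
        "with_sensitive_data": sum(handles_sensitive(s) for s in inventory),
        "without_right_to_audit": sum(not s.right_to_audit for s in inventory),
        "outside_procurement": sum(not s.via_procurement for s in inventory),
        "high_tier_without_assurance": sum(tier(s) == "high" and not s.assurance for s in inventory),
    }


# Constructed sample inventory (not real suppliers).
INVENTORY = [
    Supplier("Claims processor", ["Confidential"], offshore=True, data_leaves_network=True,
             right_to_audit=True, assurance=["SOC 2"]),
    Supplier("Offshore dev shop", ["Confidential", "Internal"], offshore=True, right_to_audit=True),
    Supplier("Payroll service", ["Restricted", "Internal"], data_leaves_network=True, right_to_audit=True),
    Supplier("Strategy consultants", ["Internal"]),
    Supplier("Ad agency", ["Public"], data_leaves_network=True, via_procurement=False),
]

if __name__ == "__main__":
    for name, t, mode, months in monitoring_plan(INVENTORY):
        print(f"{name:22} {t:6} {mode:14} every {months} months")
    for kri, value in key_risk_indicators(INVENTORY).items():
        print(f"KRI {kri}: {value}")
```

On the sample inventory the two suppliers handling confidential data land in the high tier and get an annual on-site review, the payroll service and the consultants are medium, and the advertising agency, which handles only public material, is low and gets a questionnaire every two years. The "without right to audit" and "outside procurement" counts are the KRIs that tell you where the program cannot verify anything at all.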

Compliance Elements

Legal and Regulatory Compliance
• Is the supplier compliant with regulators and self-regulatory organizations?

Financial Condition
• In addition to the vendor's current financial condition, assess third-party suppliers' growth, earnings, pending litigation and any other factors that may affect the supplier's overall stability.

Business Reputation
• Does the supplier have a history of complaints about performing the activities the company is planning to outsource?

Compliance / Risk Management
• Only work with third-party suppliers that have processes in place for ensuring compliance with contractual and regulatory requirements and following industry best practices.

Subcontracting
• Assessments should include validation that the supplier is in compliance with contractual provisions concerning supplier outsourcing.


Compliance Elements (continued)

Business Continuity
• A third-party supplier should have a plan in place to respond to service disruptions ranging from Internet outages to cyber-attacks or natural disasters.

Physical and IT Security
• The vendor should have controls in place to ensure its IT systems are protected from external and internal attacks and that its computers and servers are protected from theft.

The Right to Audit and Require Remediation
• Before entering into an agreement, establish your right to audit the third party and to require remediation when issues are identified.

Termination
• Procedures should also be spelled out in some level of detail should the third party be unwilling or unable to fulfill its compliance and performance obligations.


Audit Planning – Key Questions

Who are your key suppliers?
Who maintains the supplier inventory and how is it updated?
What can the supplier provide in terms of assurance (SOC 2 report, HITRUST certification)?
Do you have a right to audit clause in the contract? How clear is it?
Do you exercise your right to audit clause?
Does your company have a centralized supplier management program?

Audit Focus

Internal Audit (IA) needs to be independent and determine if TPRM controls are designed properly and operating as designed
TPRM is the second line of defense and the operational aspects of the program should be reviewed with key stakeholders
IA is the 3rd line of defense and should focus on the 3rd party on-site activities required by the program
Depending on who owns the controls, IA will need to review that area for sustainability
The supplier owner must be in compliance with the contract – IA needs to audit that area also
IA should be reviewing the compensating controls that help minimize risks and monitoring all remediations needed


Audit Focus

Have one person facing off with 3rd party management, who:
Sets the audit standard for 3rd party audit programs
Acts as SME on 3rd party risk management within audit
Conducts reviews and identifies potential risks and required remediation
Develops an opinion of the overall design and effectiveness of the TPRM program

Key Audit Focus

Supplier selection / governance
Supplier security
Supplier management procedures


Key Controls – Supplier Operations

Overall control environment
Security considerations
• Data protection
• Network, physical, environmental, personnel and logical access security
SDLC controls
Change management controls
HR policies and procedures

What Should Audit Do?

Supplier Selection
• Obtain a list of all suppliers
• Who is approved to update the list
• Statistics on spend
• Criticality to core business functions

Supplier Audits
• Questionnaire
• Rank results
• Follow-up calls with suppliers
• Site visits

Supplier Oversight
• Reporting
• Meetings
• Site visits
• KPIs

Supplier Termination
• Assess the vendor termination control environment
• Ensure data is properly returned or destroyed
• Review contract termination controls

Audit Reports
• Identify gaps
• Follow up on remediation


Audit Approach

Identify the services provided
Identify the potential risks
Document security and privacy controls
Document gaps
Recommend enhancements

Identify the Services Provided
• What information is accessed, managed or handled?
• Does the supplier store any critical information?
• Does the supplier have access to the information via a connection to the network?
• Does the supplier provide access to critical data?

Identify the Potential Risks
• Based on the services provided, identify the areas of potential risk
• Use COBIT, ISO 27001, NIST SP 800-53 or your own questionnaire
• If data is not confidential, do you need to audit this supplier?
• Document the risk for each service activity

Document Security and Privacy Controls
• Identify security controls for each risk identified in step 2
• For each control, refer to documentation or evidence of the effectiveness of the control
• Request SOC 1, SOC 2 or penetration test reports


Document Gaps
• Compare the controls of the supplier with industry best practices
• Identify areas where controls are missing or sub-standard
• Focus on areas that could impact confidential data and brand image

Recommend Enhancements
• Prioritize risks associated with the gaps
• Recommend solutions to bridge the gaps
• Prioritize the timing of the enhancements
• Determine if the report will be an advisory or an audit – based on the risk ranking
• Identify follow-up items and personnel responsible

Audit Domains

Organizational
Physical Security and Environmental
Workstation Security
Logical / Data Access
Network and Server Security
Change Management
Corporate Continuity
Supplier Governance


Audit Domain Coverage

Organization
• Controls in place to ensure that audit risks are identified and mitigated properly
• Personnel policies in place regarding employee hiring, candidate background checks as permitted by applicable local laws, orientation, and training

Physical Security and Environmental Controls
• Building exterior and physical access security controls are in place to prevent unauthorized access (on and offshore)
• Identification badge controls
• Environmental safeguards
• Safeguards surrounding the destruction and disposal of sensitive information
• Physical access to the production area is restricted to prevent unauthorized access
• Materials allowed to be brought into the workspace are limited based on the supplier services provided

Workstation Security
• Controls are in place to:
  • secure sensitive data on computer workstations (on shore and off shore locations)
  • secure workstation assets and data
  • protect mobile computing assets such as tablet computers and mobile phones

Logical / Data Access
• General controls are in place to prevent unauthorized access to:
  • information resources (internal)
  • computer resources (external)


Network and Server Security
• Controls are in place to:
  • detect and prevent network threats
  • apply security updates and harden settings for application and database servers
  • identify, escalate, and track security incidents until resolution
  • ensure that remote or wireless access to the network is disabled or securely controlled
• Technical safeguards are in place for data in transit and data at offshore supplier locations

Change Management and Regulatory Compliance
• Change management controls are in place to ensure that only authorized, tested, and documented changes are made to the system
• Organizational controls are in place to monitor and track compliance
• HIPAA and security awareness training is communicated to employees

Corporate Continuity Controls (BC/DR)
• Business Continuity / Disaster Recovery (BC/DR) plans are established and in place
• Data storage and backup activities occur on a scheduled basis and are available for file recovery and disaster recovery events
• Controls are in place to ensure that computer equipment is disposed of and recycled securely

Supplier Governance
• Controls are in place to ensure that third parties the supplier has contracted with are adequately managed


Audit Implications

Service level management
Contractual requirements
Data transmission controls
Data security / privacy
Continuity / availability of systems
Operational controls
Availability of SOC 1, SOC 2, ISO 17799 (since renumbered ISO/IEC 27002) assessments
Supplier internal audit function

Key Take Aways

1. As companies focus on core business practice, they outsource more functions to specialized suppliers. Suppliers differ by industry: retailers, manufacturers, insurance, etc.

2. Most companies struggle with managing their suppliers. No one does it perfectly.

3. The solution requires an enterprise effort. It is required, and there is increased focus by customers and regulatory agencies across all disciplines.


End of Presentation

© Institute of Internal Auditors 2017

Join Us: @IIAChicago ● #IIAChi

Any questions?

[email protected]