June 2015 (Q2) Audi-Wire 1
Audi Wire: The Institute of Internal Auditors, Trinidad & Tobago Chapter Newsletter

In this issue:
- June 2015 Cover Story: Third Party Risk Management (page 1)
- IA Awareness (page 2)
- CAE Corner (page 4)
- Anniversary Week 2015 (page 7)
Third Party Risk Management

Introduction

As organizations continue to adapt in order to keep pace with evolving business environments, there is an increasing reliance on vendors and third party providers for business support as well as critical business services. Organizations in various industries, including financial services, healthcare, media and retail, are all exposed to the risks that complex third party relationships pose. Third party risk (TPR) is not limited to cloud, data management or security providers; it also includes HVAC, cleaning, Human Resources (HR) and facilities management providers.

While there are several federal and industry guidelines (the Office of the Comptroller of the Currency (OCC) Third Party Relationships Bulletin, the PCI Security Standards Council data security standard (PCI DSS), ISO 27001/2 and NIST's Cybersecurity Framework) that include elements of TPR management, most organizations lack the required maturity level within their TPR program to appropriately address the risk. Given the increasing reliance on vendors for crucial business support services as well as the increased media exposure of security breaches, it is imperative that organizations understand and manage their third party risk to a level commensurate with their size.

As a starting point, an effective TPR management program should include:

- Plans that outline the organization's strategy, identify the inherent risks of the activity,

(Continued on page 3)
WASA receives "Generally Conforms"

The Internal Audit and Compliance Department of WASA recently completed its first ever External Assessment of its Quality Assurance Improvement Programme (QAIP) and achieved the top rating of "Generally Conforms." This allows the Department to state on its audit reports that "work is conducted in conformance with the International Standards for the Professional Practice of Internal Auditing."
Internal Audit Awareness Month Activities

Congratulations to WASA's Internal Audit and Compliance Department for hosting its 5th annual celebration of Internal Audit Awareness month! Activities included:

- Brief visits to some secondary schools to promote WASA and Internal Auditing
- An internal audit crossword competition
- Publishing internal audit and compliance articles and posters
- Visiting employees within and outside Head Office to share the value of internal audit
- Hosting a closing function at the end of May 2015.

Congratulations to the winner of the Chapter's competition for Internal Auditors Awareness month, Mrs. Ria Chrysostom-Ryan, for her poem on "What Internal Auditing Means to Me".
(Continued from page 1)

  and detail how the organization selects, assesses, and oversees the third party.
- Proper due diligence in selecting a third party.
- Written contracts that outline the rights and responsibilities of all parties.
- Ongoing monitoring of the third party's activities and performance.
- Contingency plans for terminating the relationship in an effective manner.
- Clear roles and responsibilities for overseeing and managing the relationship and risk management process.
- Documentation and reporting that facilitates oversight, accountability, monitoring, and risk management.
- Independent reviews that allow management to determine that the organization's process aligns with its strategy and effectively manages risks.
Key Elements of a Third Party Risk Management Program

Strategy, Policies and Procedures

Much like other areas of the organization (Marketing, IT), there should be a documented strategy to guide the engagement of third party vendors in line with the overall business goals and risk appetite of the organization. In addition, there should be documented policies and procedures that assign roles and responsibilities to personnel within the organization for oversight of the ongoing relationship.

The policies should include clear guidelines on the process for selecting, assessing and continuously monitoring the third party. These risk-based decisions should be documented in accordance with the level of risk, size and complexity of the third party relationships.
Vendor Due Diligence

The organization should perform a due diligence review on the vendor to verify the ability of the third party to meet the organization's needs. This assessment should include, at a minimum, the following:

- Corporate history
- Qualifications of key personnel
- Client references
- Financial status, including reviews of audited financial statements
- Service delivery capability, status, and effectiveness
- Technology and systems architecture
- Internal controls environment, information security, and audit coverage. Some organizations provide SSAE (Statements on Standards for Attestation Engagements) reports, which can provide detailed test results on the internal control environment of the service provider at a point in time
- Legal and regulatory compliance, including any complaints, litigation, or regulatory actions
- Reliance on and success in dealing with third party service providers
- Insurance coverage
- Ability to meet disaster recovery and business continuity requirements
Contract Negotiation

Once the due diligence process has been executed and the third party selected, the next step is formalizing the relationship in the form of an executed contract. The contract should clearly define the expectations and responsibilities of both the organization and the third party to ensure enforceability. Contracts should include the following terms as a minimum:

- Nature and Scope of Arrangement
- Performance Measures or Benchmarks
- Responsibilities for Providing, Receiving, and Retaining Information
- The Right to Audit Clause
- Responsibility for Compliance with Applicable Laws and Regulations
- Cost and Compensation
- Ownership and License
- Confidentiality and Integrity

(Continued on page 5)
Platinum Award

Congratulations to our members! Because of your continuous support and commitment to the Chapter and the profession, we have earned IIA Platinum Chapter status in 2015!
- September 2015: 3rd Chapter Meeting
- October 26-30, 2015: Anniversary Week
- November 2015: 4th Chapter Meeting

Thanks to all who attended the chapter meeting on May 28th, where our panellists, Dr. Axel Kravatsky, Mr. Dion Abdool, Mr. Mariano Browne, and Mr. Larry Kowlessar, spoke on the topic "Public Accountability and Corporate Oversight in the Public Sector". It was a highly attended, insightful and thought provoking presentation.
Work-Life Balance

The workforce is changing, but are companies' Human Resources methods keeping up in order to retain their best employees?

More than one-third of workers today are from Generation Y. These individuals, known as millennials, value personal time and are willing to search for new jobs if they are not able to satisfy their need for personal time, rather than sticking out the situation in their current company.

In order to retain persons from this workforce, "flexible" or "alternative" working methods should be discussed during the hiring process. Potential employees are specifically seeking these types of arrangements.

An office culture that supports work-life balance is key to recruiting and retaining employees. Employers today must show a level of respect and care towards their employees, especially to protect them from suffering burnout and thereby losing their drive to work.

Examples of Cultural Solutions:

- Work-Life Goal Setting/Employee Needs Assessments: discussions between the employee and employer on the goals of both parties and how each party can assist in mutual achievement. Employers can meet with employees to determine what their needs are and how the company can better serve those needs to achieve greater productivity and commitment.
- Flexible Work Environment: does an employee always need to be in the office? In today's environment, hardly likely. Arrangements can be made for an employee to work from home, which can lead to higher output as commuting time is saved.

How to Get Started:

- Create a work-life balance advisory team
- Conduct employee needs assessments
- Build a business case for change
- Educate Leadership

(Continued on page 6)
(Continued from page 3)

- Business Resumption and Contingency Plans
- Indemnification
- Insurance
- Dispute Resolution
- Limits on Liability
- Breach Notification
- Default and Termination
- Customer Complaints
- Subcontracting
- Foreign-Based Third Parties

Given the increase in cyber attacks, the inclusion of breach notification clauses has become necessary to meet regulatory compliance requirements for notifying customers of any potential data loss in a timely manner.
Ongoing Monitoring

A mature third party risk management program incorporates ongoing monitoring of the relationship for the duration of the agreement. A risk-based approach to ongoing monitoring allows an organization to maximize its resources by focusing on the third parties that present the highest risk, either because they possess or process sensitive company data and client information, or simply because the relationship involves critical business services.

The elements that should be covered as part of the ongoing monitoring include the areas listed in the due diligence section above. In addition to these general areas, the organization should assess the third party's ongoing security posture, including breach notification policies and the ability to maintain data confidentiality, as these represent an increased reputational and compliance risk.
Termination

In most cases, contracts are agreed and executed in good faith to the benefit of both parties, but occasionally either the third party does not satisfy the terms of the contract, or the contract expires and the organization no longer wishes to continue the relationship. In either instance, there needs to be a clear understanding of the steps required to effectively terminate the relationship. The key to adequate termination is established at the beginning of the relationship and maintained through the ongoing monitoring of the contract. It is imperative that performance expectations are clearly defined, as this will be the basis for determining whether the third party is meeting the terms of the contract.
Third Party Risk Management Lifecycle

In order to ensure the five key areas discussed above are executed effectively, organizations should perform the following throughout the third party risk management lifecycle:

- Oversight and accountability: the Board and Senior Management are responsible for the oversight of the enterprise-wide risk management process, which should incorporate the third party risk management program.
- Documentation and reporting: this includes maintaining an inventory of all current and past third party relationships, due diligence reports, executed contracts, ongoing performance reports, etc.
- Independent reviews: periodic reviews of the third party risk management process should be conducted to provide senior management with feedback on its effectiveness.
Summary

Third party relationships allow organizations to maximize efficiencies, save on administrative costs and reduce the complexity of their operations; however, they also pose reputational, compliance and operational risks. A documented third party risk management process, with clear roles and responsibilities for the managers responsible for third party relationships as well as for senior management and the board, is the foundation of a strong third party risk management program.

While it is impossible to remove all facets of third party risk, a mature third party risk program with ongoing monitoring and reporting to senior management allows the organization to react to any issues and focus on those relationships that deliver the most benefit.
References

Lyons, John C. (2013, October 13). Third Party Relationships: Risk Management Guidance. Retrieved from http://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html
Profile

Taurean Imam is a Manager at Protiviti's Fort Lauderdale office, where he provides internal auditing and risk consulting services. Taurean has served the Communications, Banking/Financial Services, and Hospitality industries both in South Florida and across the United States. He has experience working on Sarbanes-Oxley, Gramm-Leach-Bliley, and IT General Controls audit and compliance activities. Taurean has worked on engagements at Financial Services clients including community banks with approximately $5 billion in assets as well as major national banks with over $200 billion in assets.

Prior to Protiviti, Taurean worked in Project Management (Fujitsu Caribbean), Internal Audit (CL Financial), IT (CLICO Trinidad) and Banking Operations (Republic Bank Limited) within the Consulting and Financial Services industries in Trinidad.

Taurean holds the following certifications:

- PCI Qualified Security Assessor (QSA)
- Certified Information Systems Auditor (CISA)
- Project Management Professional (PMP)
- ITIL V3 Foundation
- CompTIA Security+
- CompTIA Network+
(Continued from page 4)

A successful work-life program must benefit both the organization and the employee. It values employees' contribution to the business rather than their working pattern. It should be communicated to the entire organization, not just a specific department, and consideration must be given to who fills the duties of a person while they are not at work.

Managers... if you cannot leave for a day or a couple of days without someone having to fill your position, you may have a problem.

Risks of a lack of work-life balance:

- Greater hiring and retention challenges
- Inability to attract millennial professionals, the new workforce
- Substantial decline in staff productivity and work quality
- Burnout of MVPs
- Failure to keep pace with demands.

How to convince management of the need for a work-life balance program? There are many studies that show productivity increases with a work-life management program. Prepare yourself with statistics: turnover rate, cost of training new employees, etc.

Written by: Rajin Ramjit, Vice President Professional Services, IIA-TT Chapter. Based on a presentation by the IIA on the Work-Life Balance of an Audit Team.
Unlock Your Door to Opportunity with IIA Global Certifications

The IIA offers a comprehensive certification portfolio for internal auditors that can serve as the key to unlocking your next opportunity within the profession, enhancing your credibility and adding clout to your resume. By earning your Certified Internal Auditor® (CIA®), Certified Government Auditing Professional® (CGAP®), Certified Financial Services Auditor® (CFSA®), Certification in Control Self-Assessment® (CCSA®), or Certification in Risk Management Assurance™ (CRMA®) certification, your clients and employer know that you are a valuable team asset who is highly motivated, knowledgeable, and committed to ensuring quality is part of everything you do. IIA certifications set you apart from other professionals, unlocking your full potential and opening up countless doors of opportunity for career growth and success. See what awaits you on the other side of the door.

Visit: http://www.theiia.org

Contact us for more information if you are interested in pursuing any certification.
IIA Week 2015

In today's challenging business environment, maximizing the internal audit profession is imperative to keep abreast of emerging business trends. Proven steps to align strategy to capabilities and increase performance, so as to improve internal audit's cost-value equation, have become a necessity for the audit shop's survival. This was the ethos of the first 2015 week-long activities, held through the period 20-24 April 2015.

This seminar, aptly entitled "Maximising Your Audit Delivery", was hosted at the very well-equipped training facilities at the Arthur Lok Jack Graduate School of Business, Champs Fleurs, using a classroom-styled approach, and provided breakfast, lunch and break sessions to participants and speakers, which afforded them a good opportunity to network with each other in a casual environment.
District Leaders Workshop 2015

The 2015 Caribbean District Leaders Workshop was held in Curacao from June 4th to the 6th. Participants came from six Caribbean countries, and the District Advisor came from the USA representing IIA North America. The President, Senior Vice President and the Vice President Professional Development attended from Trinidad and Tobago.

The District Advisor identified tools and resources on the IIA's database to assist participants. Financial controls and strategic planning were also addressed.

It was noted that the IIA's 75th anniversary will be held in New York in 2016 and that Trinidad and Tobago will host the 2016 District Workshop in June of that year.

Leadership Conference 2015

In April 2015 the Leadership Academy was held in Orlando, Florida, USA. The President and Senior Vice President attended. This conference dealt with an array of leadership matters covering the pulse of the profession, best use of cellular technology applications, certifications and the responsibilities of the leader.
Professional Centre, Rooms B301/302
#11-13 Fitz Blackman Drive, Wrightson Road Ext.
Port of Spain, Trinidad
Phone: (868) 625-5558 Fax: (868) 623-4560 Mobile: (868) 769-1671
Email: [email protected]
Website: https://chapters.theiia.org/trinidad-and-tobago/Pages/default.aspx
Ia Mobile Edition

Now you can enjoy Internal Auditor (Ia) magazine in a format that's as mobile as you are. Ia's mobile app includes everything that appears in the print magazine ... and more, including convenient access to Ia blogs, exclusive video content, and the latest audit-related news. Our print issues are married with articles from real-time content feeds for a seamless, engaging experience on your mobile device. Users can search across more than two years' worth of archives for topics of interest and bookmark pages for future reference. Each app platform uses native device functionality for optimum performance and readability. Plus, downloaded issues are available for offline reading, and push notifications let you know as soon as new issues become available.

Download the Ia app today — free to Ia subscribers. Available for iPhone, iPad, iPod Touch, Android, and Kindle Fire.

- iPad, iPhone, & iPod Touch
- Google Play (Android Tablets & Phones)
- Kindle Fire

Get Connected

Contact us to submit articles, tell us what training you're interested in or ask us about getting certified.