Have your third line of defence always ready
Various regulations mandate Third Party Risk Management, especially in regulated industries such as, but not limited to, Banking (FINRA, SEBI, RBI), Insurance (IRDAI), NBFCs, Health and Aerospace. Periodic Internal Audit, being the Third Line of Defence in the organization, helps Third Party Risk Management (TPRM) teams to:
- Prepare for external audits by identifying gaps and deficiencies
- Assess the maturity of the program against the defined policies, procedures and standards
- Validate that critical information is communicated to the respective stakeholders as part of reporting
- Identify the type of framework the organization needs to implement (Centralized, Decentralized or Hybrid)
- Identify key security controls across the phases of the TPRM lifecycle (Pre-onboarding, Due Diligence and Onboarding, Continuous Monitoring, Termination and Off-boarding)
- Identify any skill and experience gaps in the team
Operations always undergo changes, but keeping policies and SOPs updated to reflect the current process prepares you for the audit. Align the TPRM program with your organization’s goals, policies and standards to avoid observations or non-conformities. Periodically revisiting the process and modus operandi keeps the program current and translates into a live and relevant program.
Internal audits should be performed periodically to keep the following in check:
- Adherence to process and defined SLAs
- Tracking of deviations and exceptions with proper authorization
- Uniform tracking of risks and remediation
- Updated SOPs, playbooks and templates
- Updated and centralized inventory and tiering
What we do in the TPRM Audit
- Maintain accurate and complete Standard Operating Procedures (SOPs) – to demonstrate the key processes in the TPRM program and help new members of the team come up to speed.
- Playbooks for other teams engaged during the TPRM lifecycle – End-to-end Third Party onboarding involves multiple teams (Procurement, Legal, Privacy, Ethics & Compliance, ESG, Healthcare, Life Science, etc.) who need guidance on how to engage, work together and transition to the next step. This eases coordination and increases collaboration.
- Data consolidation and centralization – The output of one team can be the input of another, and vice versa. Consolidating and categorizing all data gives you insights into trends, volume per industry, operational statistics, etc.
- Standard templates to ensure uniformity in documentation and communication – Data quality, accuracy and completeness are achieved when there is a defined format to document and share information. Having a structure makes it easy to improve and adapt through proper change management. Gathering requirements proactively from stakeholders and generating reports accordingly reduces the ad-hoc need to come up with new reports frequently.
- Version control of all documents via an established change management process – The inception of a document and its evolution can easily be captured and demonstrated by implementing version control. It helps to trace the improvements, changes and enhancements that the process has undergone. Revisiting all published documents annually is a recommended practice that helps in deciding whether to plan changes to a dormant process or withhold changes for a recently updated process.
- Audit trail of human actions – Be it deviations from the process, critical authorized changes or approvals, or provisioning or revoking access, every crucial activity needs to be logged and recorded. Preferably these logs should be forwarded to a SIEM solution.
- Exception criteria and process – Most programs have some exceptions, which need to be documented. Well-defined criteria for what qualifies as an exception should be documented and followed diligently, with an approval process in place. Exceptions should be revisited periodically to check whether they remain valid or can be taken out of scope. It is worthwhile to maintain a record of exceptions over time to address repetitions and gate new exceptions.
- Documentation and tracking of identified risks to closure – Residual risks identified during due diligence should be recorded and tracked centrally with the help of a tool. This enables the TPRM team to configure timelines, the business points of contact (POCs) to whom each risk is assigned, and the approval/rejection process. Conditions can be set to accept certain types of evidence and to extend a risk if sufficient compensatory controls are in place.
- Covering legacy risks by including legacy Third Parties – Most organizations that have existed for more than a decade have Third Parties that have supported them since their inception. Such Third Parties are generally not assessed, or are assessed only during the renewal process. All unassessed legacy Third Parties expose your organization to risk of varying degrees. They should be part of security due diligence and of the continuous monitoring list.
- A robust inventory of all Third Parties – Stakeholders are interested in insights, not operational statistics. For a manager to derive KPIs, KRIs and other performance metrics of the TPRM program, it is crucial that the inventory holds all data on Third Parties, including assessments, risks, documentation and contracts.
TPRM Audit methodology used in Defentrix
Pre-audit prep – overall understanding of the:
- TPRM framework implemented and existing documentation in scope (policies and processes defined, procedures followed and standards aligned to)
- TPRM lifecycle and the transition between phases
- Scope of TPRM
- Information gathering from senior management to derive pre-conceived maturity level
Audit (Assessment)
- Assess and gauge the effectiveness of the program by employing various techniques to validate the controls at the Framework and Lifecycle level
- Record deviations as per the type and category of gaps identified
- Identify the scope for improvement and alignment with internal standards
Assessment Report
- Tangible data to showcase the current maturity level of the TPRM program
- Custom reports for operations, Senior management and board to consume
- Actionable inputs and recommendations to improve the maturity of the program
A TPRM Audit revolves largely around the existing checks and balances in the program, ranging from the most critical activities to the least critical. Each organization follows the standard lifecycle but implements it according to its organizational goals, regulations, local laws and the resources available to meet security and regulatory compliance. A customized approach is needed to understand the TPRM function holistically rather than restricting the review to an audit checklist. The very purpose of Internal Audit is not just to pinpoint gaps and inconsistencies but to help build a stronger program that is better aligned to the standards set and policies defined, thus assuring the board and clients that your program is taking the best step forward.