5 tips for third-party vendor management

Dec 05, 2023 · 2 min watch · AICPA & CIMA Insights Blog

Mitigating risks associated with third-party vendors is an important aspect of an organization’s enterprise risk management strategy. At the 2023 AICPA® & CIMA® SOC & Third-Party Risk Management Conference in April, we heard from a risk advisory and assurance services practice area leader for Warren Averett, LLC, who knows a thing about mitigating risk.

In his session, “How to Handle Vendor Management,” Paul M. Perry, CPA, CITP, CDPSE, CISM, highlighted the challenges companies face when managing third-party vendors. Perry elucidated requirements and best practices and explained the proper approach to reviewing third-party vendor activities during SOC engagements.

As a component of enterprise risk management, Perry urges companies to adopt formal vendor-management policies that outline procedures for:

  • Identifying and ranking vendors

  • Selecting vendors

  • Assessing vendor risks

  • Performing due diligence

  • Ensuring appropriate language and requirements are included in vendor contracts

5 vendor management challenges and solutions

1. Lack of accountability with outsourcing

Problem: Companies often outsource vendor management, especially when they have limited internal resources. But outsourcing can result in a lack of accountability: Who is responsible for maintaining security and regulatory compliance? And if there is a security breach, who will be held accountable?

Solution: Open communication. Take a balanced approach in which the company’s team and its vendors share responsibility and maintain open lines of communication, so that roles are not confused and problems are addressed promptly when they arise.

2. Inadequate documentation of the vendor partnership

Problem: When companies fail to properly document their vendor relationships — when there’s no integrated system of documenting and archiving such information — that information can be lost when key personnel leave the company.

Solution: Use software to create an online system for accurate documentation of vendors that tracks any changes in vendor operations, financial health, business practices and regulatory compliance to ensure they meet evolving standards.

3. Failure to conduct vendor reviews

Problem: Inadequate vendor reviews invite negative consequences: the controls meant to surface issues with third-party vendors are not exercised, so those issues go unnoticed.

Solution: Perform routine vendor reviews based on an established framework for the review process and document archival.

4. Insufficient communication with vendors

Problem: Companies outsource responsibility to third parties without establishing communication channels and reporting mechanisms.

Solution: Create a vendor-management team that includes a management-level member, IT and compliance personnel and other staff who directly interact with vendors. A designated team that oversees vendor management and maintains communication channels allows personnel to hold one another accountable and collaborate to resolve problems.

“Finding the right group is important,” Perry said. “Don’t rely on just one person to do all of it; it’s always better when you have a team.”

5. Unclear scope of services

Problem: When leadership or the vendor-management team does not have a clear understanding of a vendor’s responsibilities, essential tasks might not be completed and preventable risks might be overlooked.

Solution: Align the vendor’s role and responsibilities with your company’s values, strategic goals and compliance requirements. Clearly define and document the services the vendor provides.

Each company or organization will have a vendor-management system designed to meet its specific goals and objectives, but it is essential that any such system defines the vendor’s scope of work, documents transactions and provides for regular reviews.

Designed for CPA firms that are interested in providing SOC for service organizations examinations — SOC 1®, SOC 2®, and SOC 3® examinations — the SOC for Service Organizations Toolkit includes learning resources, templates, pricing considerations and more.

Plus, join us online or in Vegas for AICPA & CIMA Engage 2024 for updates on and solutions to pressing needs regarding risk mitigation.
