DESCRIPTION

Technology companies increasingly share their critical information assets and outsource business and IT processes to third-party service providers. In this presentation, Grant Thornton LLP and TechAmerica walk you through how technology companies can manage this third-party risk.

TRANSCRIPT

Page 1: Concerned About Vendor Management 10 30 12

© 2011 Grant Thornton LLP. All rights reserved. 1

CONCERNED ABOUT VENDOR MANAGEMENT?
Understanding third-party risk for technology companies

October 30, 2012, 1-2 p.m. CT


Awarding CPE for this session

In general / The rule:

• Respond to all polling questions
• Respond to at least 75% of the polling questions to pass with full credit
• Group participation will not receive CPE
• You have to be logged in individually to receive credit

If you experience any technical difficulties, please contact 888.228.0988 or [email protected]


Addressing your questions through Q&A

Step 1

Step 2


Other helpful features you can use

Be sure to shut down all other applications to allow more Internet bandwidth.


Disclaimer

This Grant Thornton LLP presentation is not a comprehensive analysis of the subject matters covered and may include proposed guidance that is subject to change before it is issued in final form. All relevant facts and circumstances, including the pertinent authoritative literature, need to be considered to arrive at conclusions that comply with matters addressed in this presentation. The views and interpretations expressed in the presentation are those of the presenters and the presentation is not intended to provide accounting or other advice or guidance with respect to the matters covered.

For additional information on matters covered in this presentation, contact your Grant Thornton LLP adviser.


About TechAmerica

TechAmerica is the leading voice for the U.S. technology industry – the driving force behind productivity growth and job creation in the United States and the foundation of the global innovation economy. Representing approximately 1,000 member companies of all sizes from the public and commercial sectors of the economy, it is the industry's largest advocacy organization and is dedicated to helping members' top and bottom lines. TechAmerica is also the technology industry's only grassroots-to-global advocacy network, with offices in state capitals around the United States, Washington, D.C., Europe (Brussels) and Asia (Beijing). Learn more about TechAmerica at www.techamerica.org.


WEBCAST PRESENTERS

Kirt Seale
Principal, National Special Attestation Reports Leader, Advisory Services

Warren W. Stippich Jr.
Partner and National Governance, Risk and Compliance Solution Leader, Advisory Services


LEARNING OBJECTIVES

• Identify a framework for assessing third-party risk
• Examine the roles and responsibilities of risk management in finance, legal, procurement and business operations areas
• Understand tools that can be used to provide comfort that proper controls are in place


REAL RISK, REAL IMPACT

Huawei Threat: Real or Overblown?

Jail, Hard Lessons in Cisco Gear Resale Scam

BlackBerry service goes down in Europe, Middle East, Africa

GoDaddy goes down and hacker takes credit


POLLING QUESTION #1

Has your company put a program in place to manage third party risk?

A: Yes
B: No


DEFINING THIRD PARTIES

• Businesses that are not under direct business control of the organization that engages them
• Third parties may include:
  – Vendors
  – Distributors
  – Suppliers
  – Franchisees/licensees
  – Joint venture or alliance partners
  – Technology outsourcing providers


WHY IS THIRD PARTY RISK IMPORTANT?

• Compliance
• Reputational
• Financial
• Strategic
• Regulatory
• Operational


SECTORS WITH HIGHER RISK

Technology providers
• Data centers
• Companies hosting IT applications
• Third party logistics companies
• Cloud or Software as a Service providers
• Telecom providers
• Any outsourcing company that manages information on behalf of others

Relevant industries
• Government
• Health care
• Banking
• Investment/fund managers
• Payroll management companies
• Financial Services


POLLING QUESTION #2

Which type of company presents heightened risk when in a vendor relationship?

A: Data centers
B: Third party logistics companies
C: Software as a service companies
D: A and C
E: All of the above


RESPONSIBILITY FOR THIRD PARTY RISK MANAGEMENT

Internal audit

Finance

Legal

Business operations/ IT

Compliance

Procurement

Vendor Oversight Function


DEFINING THE THIRD PARTY UNIVERSE

• Analyze comprehensive vendor listing (A/P master file, legal, procurement)
• Exclude the following:
  – Maintenance, repair, operations vendors
  – Providers of raw materials or finished goods
• Confer with in-house legal resources
  – Additional source of data
  – Contractual details will be helpful
• Consider other departments that may need to be consulted


WHERE DO YOU BEGIN

PROJECT OBJECTIVE

• Risk Assessment & Appeals Processes
  – Customize the vendor due diligence process depending on the company's specific risks
  – Rule-based point values assigned
  – Cumulative score will dictate level of additional investigation, if required


POLLING QUESTION #3

A third party risk assessment should be part of an enterprise risk management program.

A: True
B: False


FACTORS TO CONSIDER WHEN ASSESSING RISK

Risk Domain / Assessment Factors

Strategic
• Level of importance of vendor to corporate operations

Reputational
• Magnitude of potential loss if there are problems with the vendor relationship

Regulatory
• Level of vendor oversight/monitoring
• Reporting required by outside regulatory body


FACTORS TO CONSIDER WHEN ASSESSING RISK (continued)

Risk Domain / Assessment Factors

Operational
• Type of vendor – nature of products/services provided
• Frequency of communication with vendor

Financial
• Annual spend with vendor

Compliance
• Current safeguards or controls designed to ensure compliance with relevant regulations
• Availability of audit reports or existence of "right to audit" clause


EXAMPLE OF HOW TO DEFINE THE RISK UNIVERSE

Columns: Vendor Name; Vendor Type; Nature of service being provided; Contractual details; Geographical/global consideration; Applicable regulatory requirements (e.g., HIPAA, FCPA); Primary relationship owner within organization (e.g., IT, finance, marketing); Provides an audit report such as SOC 1; Right to audit clause.

ABC Payroll
• Vendor type: Payroll provider
• Nature of service being provided: Payroll processor
• Contractual details: Five-year agreement approved by Legal department
• Geographical/global consideration: Payroll processed in Kansas City, Kan.
• Applicable regulatory requirements: IRS, Department of Labor
• Primary relationship owner within organization: Bob Peoples, Human Resources
• Provides an audit report such as SOC 1: Yes, SOC 1
• Right to audit clause: No

IT Help
• Vendor type: Help Desk Support
• Nature of service being provided: IT support contractors
• Contractual details: One-year auto-renewing contract
• Geographical/global consideration: Local to each company site and headquarters
• Applicable regulatory requirements: N/A
• Primary relationship owner within organization: Martin Technology, CIO
• Provides an audit report such as SOC 1: No
• Right to audit clause: No

Quick Print
• Vendor type: Printing/Mail service provider
• Nature of service being provided: Prints/mails invoices and marketing materials
• Contractual details: Six-year agreement, approved by Legal department
• Geographical/global consideration: Local to headquarters
• Applicable regulatory requirements: N/A
• Primary relationship owner within organization: Sally Accountant, CFO
• Provides an audit report such as SOC 1: No
• Right to audit clause: No

Source: Grant Thornton LLP


WEIGHTING RISK FACTORS

Factors, each rated from low (1) to high (5):
1. Significance of the data handled by the vendor
2. Potential magnitude of a financial loss
3. Potential magnitude of a reputational loss
4. Potential magnitude of an operational loss
5. The frequency of interaction
6. Expense of the vendor in relation to the income of the business unit supporting it
7. Significance of financial risk
8. Significance of operational risk
9. Significance of strategic risk

Vendor        1  2  3  4  5  6  7  8  9
ABC Payroll   3  1  1  5  5  4  3  5  2
IT Help       3  1  1  3  5  2  1  4  1
Quick Print   2  1  4  2  4  1  1  1  1

Rating is from low (1) to high (5). Source: Grant Thornton LLP
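As an added illustration (not part of the deck and not a Grant Thornton tool), the following Python applies the rule-based cumulative scoring described on the "Where do you begin" slide to the three sample vendors from the weighting table above. The tier cut-offs (30 and 20 on the 9..45 range), the mapping from tier to the deck's mitigation techniques, and the "unverifiable" flag built from the risk-universe table's audit report and right-to-audit columns are all assumptions for the example.

```python
"""Cumulative vendor risk score from 1-5 factor ratings (added example).
Ratings are the deck's three sample vendors; cut-offs and the tier-to-technique
mapping are assumed, not published in the presentation."""
from typing import Dict, Optional, Sequence

# The nine weighting factors, in the table's column order.
FACTORS = (
    "data significance", "financial loss", "reputational loss",
    "operational loss", "interaction frequency", "expense ratio",
    "financial risk", "operational risk", "strategic risk",
)
# Ratings copied from the weighting table (1 = low, 5 = high).
RATINGS = {
    "ABC Payroll": (3, 1, 1, 5, 5, 4, 3, 5, 2),
    "IT Help":     (3, 1, 1, 3, 5, 2, 1, 4, 1),
    "Quick Print": (2, 1, 4, 2, 4, 1, 1, 1, 1),
}
# From the risk-universe table: (audit report provided, right-to-audit clause).
ASSURANCE = {"ABC Payroll": (True, False), "IT Help": (False, False),
             "Quick Print": (False, False)}
# Assumed cut-offs on the 9..45 range of an equal-weight total.
HIGH, MEDIUM = 30, 20
# Assumed mapping from tier to the deck's risk mitigation techniques.
NEXT_STEP = {"high": "independent review, audit or site visit",
             "medium": "questionnaire and review of any SOC report",
             "low": "transaction monitoring"}

def cumulative_score(ratings: Sequence[int],
                     weights: Optional[Sequence[float]] = None) -> float:
    """Rule-based point total; rejects missing factors or out-of-range ratings."""
    if len(ratings) != len(FACTORS):
        raise ValueError(f"expected {len(FACTORS)} ratings, got {len(ratings)}")
    if any(not 1 <= r <= 5 for r in ratings):
        raise ValueError("each rating must be an integer from 1 to 5")
    weights = weights or [1.0] * len(FACTORS)
    return sum(r * w for r, w in zip(ratings, weights))

def tier(score: float) -> str:
    return "high" if score >= HIGH else "medium" if score >= MEDIUM else "low"

def assess(vendor: str) -> Dict[str, object]:
    """Score one vendor, pick the next investigation step, and flag vendors that
    offer neither an audit report nor a right to audit (answers unverifiable)."""
    score = cumulative_score(RATINGS[vendor])
    report, right_to_audit = ASSURANCE[vendor]
    return {"vendor": vendor, "score": score, "tier": tier(score),
            "next_step": NEXT_STEP[tier(score)],
            "unverifiable": not (report or right_to_audit)}
```

Calling `assess` for each vendor in `RATINGS` ranks ABC Payroll (29) and IT Help (21) as medium and Quick Print (17) as low under the assumed cut-offs; IT Help and Quick Print are also flagged because neither offers an audit report or a right-to-audit clause.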


NEEDS ANALYSIS APPROACH

High, medium or low-risk areas are determined based on the following risk factors:
• Strategic Importance
• Business Operations Risk
• Legal/Regulatory Compliance
• System Reliance and Capability
• Fraud Risk
• External Factors
• Human Capital Risk
• Financial Impact
• Market Impact
• Reputation Impact


RISK MITIGATION TECHNIQUES

• Transaction monitoring
• Increased data analysis and reporting
• Contract renegotiation
• Independent reviews
• Audits
• Site visits
• Questionnaire


USE OF ATTESTATION REPORTS

SOC 1
• provides a vehicle for reporting on a service organization's system of internal control relevant to a user organization's internal control over financial reporting.
• intended as auditor-to-auditor communication, with specific content dependent on the service organization's system.

SOC 2
• addresses controls pertinent to the Trust Services Principles of security, availability, processing integrity, confidentiality and privacy.
• includes many of the same elements as a SOC 1 report
• principles and criteria developed by the AICPA and the Canadian Institute of Chartered Accountants.

AT 101
• allows service organizations to provide user organizations and other stakeholders with a tailored report on controls that are relevant to the services.
• highly flexible and can be leveraged for multiple industry standards (e.g., NIST, ISO)


POLLING QUESTION #4

My company uses SOC reports when working with our vendors and customers.

A: Always
B: Often
C: Infrequently
D: We have used SOC reports
E: Not sure


A FEW THINGS TO NOTE ABOUT SOC REPORTS

Consider the following when reviewing a SOC report:
• Time period covered
• Handling of subservice providers (carve-out vs. inclusive)
• In-scope and out-of-scope locations
• Construction of control objectives and control activities
• Sampling and testing methodology
• Exceptions noted and management response


ADDING VALUE: CASE STUDY

Issue
• A Fortune 500 corporation experienced issues related to a third party that resulted in self-disclosure of an issue
• Company required a way to mitigate against future issues with vendors and third parties

Response
• Grant Thornton created and managed a new process to onboard and assess the compliance-related risk associated with newly identified third parties and business partners
• Team also worked to extract "legacy" third party relationships from a large number of Enterprise Resource Planning (ERP) systems, to capture, process and investigate
• Grant Thornton was also involved in the creation of supplemental qualification requirements for certain third party relationships as well as development of a technology solution to evaluate new relationships.

Benefits Achieved
• The results of this project included:
  – Standardized the review and acceptance of a new third party business relationship
  – Insight and seamless transparency into the third party relationships retained that would otherwise be unseen
  – Validation of the creation of a new customer master or vendor master file within the Client's local ERP system.
  – More efficient process of creating valid agreements, helping to further protect the Client from any unforeseen risks


KEY TAKEAWAYS

• Understand and evaluate your third party relationships

• Know your risks

• Take reasonable steps toward risk mitigation


QUESTIONS


KEEPING THIRD-PARTY RISK IN CHECK

This white paper addresses the process of information gathering, assessing and assigning risk ratings, and mitigating the high-risk relationships. Learn how using Service Organization Control reports can help manage third-party risk in our illustrative case study.

You will receive a downloadable copy of the paper in the follow-up email from Grant Thornton LLP.


FOR MORE INFORMATION, CONTACT:

Warren Stippich
Partner, National Governance, Risk and Governance Leader, Advisory Services
T 312.602.8499
E [email protected]

Kirt Seale
Principal, National Special Attestation Reports Leader, Advisory Services
T 214.561.2367
E [email protected]


THANK YOU FOR ATTENDING


To retrieve your CPE certificate:
• Respond to online evaluation form
• Print your CPE Certificate from the CPE confirmation email or participation tab
• Download today's slides as a reference resource

*Note: Group participation will not receive CPE


Thank you for attending.

Visit us online at:

www.GrantThornton.com

twitter.com/GrantThorntonUS

linkd.in/GrantThorntonUS

For questions regarding your CPE certificate, contact Learnlive at 888.228.0988.