IIA-Australia White Paper - Assurance Over Third Party Service Providers

WP - Assurance Over Third Party Service Providers

This is a members only resource. Please login to access. 

Author

Narelle Sheppard BFinAdmin PFIIA CIA CGAP CRMA FCPA AAICD

Date

 2022

Topics Explored

Governance

Format

White Paper

Extract/Description

Internal Audit can consider third party risks in developing the annual Internal Audit plan, provide assurance and advisory services in relation to the third party risk management framework, and consider third party risks when undertaking engagements.
Where ‘right to audit’ clauses are included in contracts with third party service providers, Internal Audit can undertake audits of these third party service providers.

Key Points

  1. Engaging third party service providers can reduce an organisation’s control over their product or service, which makes the third party risk management process important.
  2. ‘Right to audit’ clauses are included in some contracts and allow Internal Audit to undertake site visits and obtain information to assess controls at third party premises.
  3. ASAE 3150 and ASAE 3402 reviews can be useful but attention mut be given to the scope of review set by the engaging party.
  4. Internal Audit can provide assurance in relation to third party risks in a number of ways.
  5. Organisations should have a fit-for-purpose third party risk management provisions in their risk management framework.
  6. Third party risk management roles can be defined using the IIA’s ‘Three Lines Model’.

Relevant Industries

All

Level of Assumed Knowledge

Expert