Third-party risk and ISAE 3402

From full outsourcing of complex functions such as IaaS, PaaS services, or component manufacturing to small contracts with local service providers and suppliers, organizations in various sectors and sizes heavily rely on external service organizations.

Outsourcing activities result in cost savings, operational efficiency, or expanded expertise within the organization. Outsourcing also implies increased risk exposure. Understanding, analyzing, and effectively responding to risks as part of an enterprise risk management (ERM) approach is essential for minimizing exposure to financial losses, non-compliance with regulations, and reputational damage.

Understanding third-party risks

Third-party risk is not limited to multinational companies outsourcing key business functions to offshore suppliers. In today’s world, most organizations regularly engage with service providers as part of regular business operations, as discussed in the previous chapter. Even small businesses rely on service organizations for various activities, from hosting servers, IT support to payroll processing. The increase in outsourcing to third parties amplifies the potential risks organizations face.

Analyzing this third-party risk at any given time is essential for business continuity and maximizing the impact of risk management efforts. Given the significant reliance on data in most businesses, any third party with access to sensitive or confidential information can pose a potential risk to business continuity. When outsourcing, as with other categories, risk levels and hierarchies can be considered. These hierarchies and levels form the basis for setting risk priorities by management and the basis for the risk framework in an ISAE 3402 | SOC1 report.

Risk prioritization and ISAE 3402

Setting risk priorities is not a one-time exercise; all parameters can be adjusted over time, depending on factors ranging from economic developments to changes in the regulatory environment to evolving strategic initiatives. While not exhaustive, the types of third parties that typically pose a higher risk to your organization include service organizations such as:

• Cloud computing/on-demand computing
• Software-as-a-Service (SaaS)
• Internet service providers (ISPs)
• Credit card processing platforms
• Online order fulfillment
• Data center and co-location providers
• HR and payroll administration
• Third-party administrators (TPAs)
• Printing and postal services
• Third-party logistics services (3PL)
• Accounts receivable processing and collection services
• Third-party due diligence

Thorough due diligence before entering into a new third-party contract is just the beginning. Like business risks, third-party risks must be regularly and proactively managed throughout the lifespan of a vendor relationship, as parameters adjust over time. This involves leveraging internal audit, financial, legal, and – in many cases – independent auditors issuing an ISAE 3402 assurance opinion.