The Risky Business of Using Outside Service Providers
Many companies with outsourced services address threats to their businesses after they have sustained damage. However, there are best practices a company can put into place before something goes wrong—particularly in the case of third and fourth party service providers. The media has covered a number of recent stories in which the internal controls of third or fourth party providers failed—inflicting substantial harm on clients.
For example, according to ZDNet.com, Nice Systems (“Nice”), a Verizon business partner that facilitates customer service calls, kept confidential customer call records in an Amazon S3 storage bucket. The bucket's access settings, which Nice controlled, were misconfigured, allowing anyone to retrieve sensitive Verizon customer data without authorization.
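As an added illustration of the misconfiguration class behind that incident (this is example code written for this page, not code from the article or from any of the companies named), the following Python audit takes a bucket's policy, ACL and Block Public Access settings in the shapes the AWS S3 API returns them and reports which of them expose data to anonymous or any-account callers. The bucket name, the role ARN, the policy and ACL contents are constructed sample data; a real audit would fetch them with the S3 API calls named in the usage note.

```python
import json

# Canned ACL group URIs that make an object or bucket readable by the world
# (AllUsers) or by anyone holding any AWS account (AuthenticatedUsers).
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anyone on the internet)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}


def _is_wildcard_principal(principal) -> bool:
    """True when a policy statement's Principal is the anonymous wildcard."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def policy_public_grants(policy_json: str) -> list[str]:
    """Describe Allow statements that any anonymous caller can use.

    A statement is flagged PUBLIC when Effect is Allow, the Principal is '*'
    and no Condition narrows who may call. Wildcard statements that carry a
    Condition are flagged REVIEW instead: a condition such as aws:SourceVpc
    may make them safe, but that needs a human to confirm.
    """
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be un-listed
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Condition"):
            findings.append(f"REVIEW policy {sid}: wildcard principal, conditional on {list(stmt['Condition'])}")
        else:
            findings.append(f"PUBLIC policy {sid}: {', '.join(actions)} open to anyone")
    return findings


def acl_public_grants(acl: dict) -> list[str]:
    """Describe ACL grants to the AllUsers or AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        label = PUBLIC_GROUP_URIS.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and label:
            findings.append(f"PUBLIC acl: {grant.get('Permission')} granted to {label}")
    return findings


def audit_bucket(policy_json: str, acl: dict, public_access_block: dict) -> list[str]:
    """Combine both checks, honouring Block Public Access settings.

    RestrictPublicBuckets confines a public policy to the owning account and
    AWS services, and IgnorePublicAcls makes public ACL grants inert, so such
    findings are downgraded to MITIGATED rather than dropped: the latent
    exposure should still be fixed at the source.
    """
    pab = public_access_block or {}
    findings = []
    for f in policy_public_grants(policy_json):
        findings.append(f"MITIGATED by RestrictPublicBuckets: {f}" if pab.get("RestrictPublicBuckets") else f)
    for f in acl_public_grants(acl):
        findings.append(f"MITIGATED by IgnorePublicAcls: {f}" if pab.get("IgnorePublicAcls") else f)
    return findings


# Constructed sample: a bucket whose policy and ACL were both opened up and whose
# Block Public Access flags are all off. Bucket name and ARN are made up.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-call-records", "arn:aws:s3:::example-call-records/*"],
    }],
})
OPEN_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "bucket-owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
NO_BLOCK = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

# The hardened counterpart: one named role may read, owner-only ACL, all four
# Block Public Access flags on. The account ID and role name are made up.
LOCKED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReaderRoleOnly", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/call-center-reader"},
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-call-records/*",
    }],
})
LOCKED_ACL = {"Grants": [OPEN_ACL["Grants"][0]]}
FULL_BLOCK = {k: True for k in NO_BLOCK}

if __name__ == "__main__":
    for name, args in [("open", (OPEN_POLICY, OPEN_ACL, NO_BLOCK)),
                       ("open-but-blocked", (OPEN_POLICY, OPEN_ACL, FULL_BLOCK)),
                       ("locked", (LOCKED_POLICY, LOCKED_ACL, FULL_BLOCK))]:
        print(name, audit_bucket(*args) or ["no public grants"])
```

In a live audit the three inputs come from the S3 API calls get_bucket_policy, get_bucket_acl and get_public_access_block (boto3 exposes them under those names), run across every bucket in every account the OSP uses on your behalf; the account-level Block Public Access setting and per-object ACLs should be folded in as well, since either can change the answer for a bucket this check reports as clean.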
Many businesses focus on their core competencies and outsource other business function cycles to outside service providers (OSPs, also known as third- and fourth-party service providers). These functions can span any area, including payroll, benefits, accounting, compliance, customer service, and IT services, to name a few. Even when a function, task, or process is transferred to an OSP, many of the associated risks remain with the business. Businesses put their trust in these service providers, but it is the business's responsibility to manage and monitor OSPs and the risks associated with the provider relationship. At times, third-party service providers outsource an entire activity or a portion of an activity to another party (known as a fourth party). In the example above, Nice acted as a third party for Verizon, while Amazon served as a fourth party; note that the failure was in settings Nice controlled, not in the fourth party's platform, which is exactly the kind of exposure a business cannot see unless it looks through its third party to the parties and platforms behind it.
Here are ten best practices for businesses to effectively manage OSP risks:
- Perform Due Diligence During the Procurement Stage. During procurement, or the request for proposal (RFP) stage, it is critical to ask the right questions, gather relevant information, and obtain and validate references. Seek to understand the risks associated with the direct service provider (the third party) as well as with any additional parties it relies on, since those create fourth-party relationships. It is equally important to understand clearly how the third party manages and monitors its own fourth-party risks.
- Incorporate a Strict On-Boarding Process for New OSPs. Extra care and diligence are required to set up processes and controls from the beginning. Service Level Agreements (SLAs), which document what services will be provided and define the performance standards to be met, should always be negotiated as part of the contract terms. Anticipate what can go wrong with the process, and test working scenarios of sending and receiving data, as well as the other communication channels to be used, before going live.
- Extend Organizational Ethical Standards to OSPs. Clearly communicate the importance of ethical business conduct to an OSP before engagement. Provide them with an official Code of Conduct as a reference for understanding service expectations. If a business does not have an official Code of Conduct, one should be developed prior to entering into any OSP agreement.
- Develop a Roster of Existing OSPs. For current service providers, survey and document company-wide relationships, including type of services provided and existing management and monitoring procedures.
- Perform Regular Risk Assessments. Review the information for each relationship and assess the risks associated with each provider. These risks may include access to and control of business data, key personnel, operational issues, cybersecurity, legal and regulatory, business continuity, and branding/PR-related risks, among others.
- Monitor and Manage OSPs throughout the Relationship. Never stop paying attention to OSPs. Continue “trusting,” but also continue “verifying” their performance and the risks associated with outsourcing to them. As with any relationship, performance should be monitored to ensure that goals and expectations are met. Even before the relationship begins, decide on the frequency and means of monitoring. Depending on the risks identified, a combination of monitoring controls with different frequencies should be put in place, for example, annual field visits in addition to weekly calls and monthly scorecards. Additional methods can include appraisal/assessment checklists, heat maps, and incident reports.
- Obtain SOC 1 and SOC 2 Reports. For all OSPs that process, store, or transmit data relevant to the financial statements and/or proprietary data, companies should obtain copies of the OSP's SOC reports. A SOC 1 report (issued under SSAE 16, now superseded by SSAE 18) addresses the suitability of the design and operating effectiveness of controls at a service organization that are relevant to a user entity's internal control over financial reporting. A SOC 2 report covers controls over security, availability, processing integrity, confidentiality, and privacy at service organizations that hold, store, or process client information that would not directly affect the client's financial statements. Ask for a Type 2 report, which tests operating effectiveness over a period rather than control design at a point in time, and check whether the report includes the OSP's own subservice organizations (the fourth parties) or carves them out; a carve-out leaves the fourth party's controls unexamined unless you obtain that party's report separately.
At a minimum, companies should review the control testing results and user control considerations annually, to ensure that (a) there is a clear understanding of the division of responsibility between the OSP and the company pertaining to data integrity, security, and retention; (b) the company has mitigating controls in place to address any control testing findings that may have an adverse impact on the company's operations; and (c) the user control considerations identified by the OSP (the complementary user entity controls listed in the SOC report) are actually in place at the company.
- Train Employees to be Aware of Risks. Risks should be communicated effectively to employees managing relationships with OSPs. Designing training programs to include tools and procedures for managing OSP risks is essential to maintaining the proper oversight and preserving control over the relationship.
- Perform Annual Contract Reviews Before Renewal. Prior to contract renewal, ensure that adequate information is available to cover prior performance and compliance with SLAs. Only if results are satisfactory should a renewal be considered.
- Implement Contingency Plans for When OSPs are Terminated. Contract termination is usually an option for nonperforming contracts, so an organization should always be prepared for the possibility of urgent termination and replacement, in order to ensure seamless service that is non-disruptive to the organization's staff or clients. The contract should also spell out what happens to the company's data on exit, including its return and verified destruction at the OSP and at any fourth parties that received it.
If you have questions about the best approach to OSP risk management for your business or would like to discuss having an OSP risk assessment performed, contact Alexander Moshinsky, Director, Operational Advisory and Risk Management at 212.331.7448 | AMoshinsky@BERDONLLP.com.
Berdon LLP, New York Accountants