Risks from the services provided by third parties – have you had them independently validated? (Part 1)

In today’s global economy, business enterprises, the government, and the public are vastly expanding their reliance on automated systems to conduct their daily activities. Examples include using mobile devices to conduct business meetings across cities or countries, conducting retail merchant and bank activities, buying and selling inventories, controlling government health care data, making airline reservations, paying utility bills, and a multitude of other essential services for the public as well as between businesses and the government. Outsourcing such services to third parties lets the user entities[1] focus more on their core business. Whatever assessment criteria are used to select those third parties, one question remains open: “Are there sufficient insights to validate whether the systems function properly as advertised by those third parties?”

In several countries in Asia, public incidents in recent years, such as irregularities in mobile banking charges, bank ATM systems unable to function properly, and customer information leakage, have in certain cases resulted in financial penalties and, in one country, the implementation of mandatory annual audits of these systems by independent auditors. These annual audits have resulted in more uniform and consistent reporting on the business process controls at the affected entities. Moreover, they have given the government a better approach to measuring such audits against generally accepted criteria. Some international models for audits exist and are globally accepted as a benchmark measure.

Without these audits, the types of incidents described would likely continue. Given the increasingly connected nature of businesses nowadays, a failure in one key system could have a ripple effect on the economy as a whole, which may lead to a negative public perception of the affected businesses within that industry.

Independent audits by a qualified audit firm can help identify problems and provide advice on addressing them. While considerable work may be necessary to address the audit findings, without the independent auditor’s work the organisation may not be aware of the nature and extent of the control problems. The initial audit would be the first step to improve the system of controls. There are several well-established audit standards that can be implemented to strengthen the control environment. Eventually, insights from the auditors’ work could be presented in a detailed report to the user entities or even to the public, following international auditing standards and in a format accepted by businesses worldwide, such as those issued by the IFAC/IAASB or AICPA.

Without an investment in adopting an accepted process for business issue remediation, it is likely that the incidents described above would continue to occur and could become even more damaging, as organisations continue expanding their reliance on others for critical business transaction processing. The question for the next article on this topic will be: “What sort of insight would be presented in the report to the user entities or the public?”

[1] The business using the services of a third party is called a user entity.

Tags: Risk Mgt
