Risk Trends in 2024 and Beyond: IT Third-Party Risk Management

Synopsis

Canadian companies rely more heavily than ever on third parties for technology-related services. In many cases, it makes financial sense to outsource IT support, given the rate of technology adoption, the increased specialization of roles required to manage new digital tools, and the ongoing labour shortage.

However, organizations must understand the risks of trusting third parties with sensitive information and network access.

It is essential to review and stress test third-party liability clauses and access permissions to ensure the integrity of security controls, and to conduct regular cyber security threat assessments to find and remediate weak links.

Partner, National Leader - Internal Audit
Consulting Leader, Energy and Utilities
This insight is one of 15 risks in our 2024 Risk Trends Report.

How well do you really know your third parties?

Canadian companies are more reliant on third parties for technology-related services than at any other time in history — a trend that has been accelerated by the rate of digital innovation throughout and since the COVID-19 pandemic. The reasons for this are severalfold.

One is that many organizations are struggling to find the expertise needed to manage technology at the rate they’re adopting it. This has been amplified by the ongoing labour shortage, which is forcing many IT functions to split their focus between recruiting for IT needs and supporting other areas of the business.

There are also numerous instances where it makes good financial sense to outsource IT support. New roles are emerging as the sector becomes increasingly specialized. Specialist expertise is also more expensive than ever, and it’s hard to justify hiring an employee whose skills may not be required on a full-time basis.

Moreover, the broad definition of third parties doesn’t just include the individual contractors and consultants who perform specialist work. Software-as-a-service (SaaS) providers are now ubiquitous, covering everything from day-to-day administrative tools (word processors, email, storage servers, etc.) to finance, inventory, and logistics systems.

Organizations trust external vendors with more information and network access than ever before. While there are certainly instances where this is logical, even necessary, the sense that this has become the new status quo can easily breed complacency.

Third-party liability clauses, third-party access permissions, and regular cyber security threat assessments cannot become another box to tick when a new third party is brought on board. These must be reviewed and stress tested regularly with the express purpose of finding and remediating the weak links associated with those third-party dependencies.

Related risks

  • Cyber security and privacy risk exposure
  • Fraud
  • Quality and/or project management issues
  • System outages

Key questions to ask

  • How many new third-party contracts has your company set up since 2020?
  • Does your organization complete a detailed risk assessment before setting up contracts with third parties? Is risk mitigation accountability identified in the contract?
  • Do your business resilience and disaster recovery plans consider the accountabilities of specific third parties? Are these third parties prepared to act on your behalf when needed?
  • Do the third parties you depend upon have appropriate response plans in place in the event of a disruption to their organizations? Have these plans been tested?
  • What steps have you taken to ensure the operating effectiveness and resiliency of the third party you are relying upon?
  • Do you have a customized code of conduct and training for third parties? Does this include cyber security expectations?

Red Flags

  • Excessive complaints related to third parties
  • Whistleblower tips
  • System quality and performance issues

Internal Audit Project Opportunities

  • Vendor Management Audit: This audit assesses how the organization selects, monitors, and manages its vendors to ensure they meet specific criteria, provide quality products or services, and adhere to contractual obligations.
  • Supplier Compliance Audit: This audit evaluates whether the organization's suppliers comply with relevant regulations, standards, and contractual requirements.
  • Due Diligence Audit: This audit examines the process of evaluating and selecting third-party vendors or partners to identify potential risks and assess the suitability of these relationships.
  • Contract Compliance Audit: This audit reviews the contracts with third parties to ensure that both parties are fulfilling their obligations and that the agreements align with legal and regulatory requirements.
  • Information Security and Data Privacy Audit: This audit focuses on how the organization's third-party vendors handle sensitive information and data, ensuring that appropriate security measures are in place and that privacy regulations are followed.
  • Anti-Corruption and Bribery Audit: This audit investigates the organization's third-party relationships to ensure compliance with anti-corruption laws and regulations, safeguarding against unethical practices.
  • Financial Audit of Third-Party Transactions: This audit examines the financial transactions and payments made to third parties to detect any irregularities or potential fraud.
  • Performance and Service Level Audit: This audit assesses the performance of third-party vendors in delivering products or services as per agreed-upon service level agreements (SLAs).
  • Business Continuity and Disaster Recovery Audit: This audit evaluates whether third-party vendors have adequate plans and measures to ensure business continuity and recovery in case of emergencies or disasters.
  • Ethics and Social Responsibility Audit: This audit reviews third-party vendors' policies and practices regarding ethical and social responsibility aspects, such as labour practices, environmental sustainability, and diversity.
  • Third-Party Risk Assessment and Management Audit: This audit analyzes how the organization identifies, evaluates, and mitigates risks associated with its third-party relationships.
