Table of Contents
AGENDA
© 2015 Grant Thornton LLP | All rights reserved | U.S. member firm of Grant Thornton International Ltd 2
Third-Party Risk Management Frameworks
AICPA Clarity Project
AICPA's Consideration of Cybersecurity
HITRUST and SOC 2
SOC Hot Topics
Third-Party Risk Management Frameworks
GRANT THORNTON
Third-Party Risk Management Frameworks
Real Business Risks
TPR FRAMEWORKS
• Third parties can provide real value to companies through the realization of cost-savings, revenue enhancement, or gained expertise.
• The number and complexity of third-party relationships continue to increase.
• The quality of a Company's risk management program needs to keep pace with the level of risk these third-party relationships cause.
• There is an expectation of strong governance and oversight, especially as it relates to critical activities or services provided by a Company's third parties that may:
‒ Cause significant risks to operations if the third party fails to meet expectations (e.g., core operations, data privacy, business continuity, financial viability)
‒ Require significant investments in resources to implement the third-party relationship and manage the risk (outsourcing an entire business function, for example)
‒ Have a major impact on the company's operations if an alternative third party is required or if the outsourced activity has to be brought in house
Third-Party Risk Management Frameworks
Third-Party Risk – Common Barriers
TPR FRAMEWORKS
Theme | Issue | Action Taken
Limited Visibility | Limited visibility to full complement of third-party services and key risks | Maintain a catalog of third parties, contracts, and resulting risks; provide a risk-based segmentation of third-party services
Fragmented Responsibility or Limited Authority | Fragmented ownership or lack of authority over the full lifecycle of third-party risk | Create a disciplined ownership, governance, and escalation framework; establish three lines of defense, nominate IA SME
Inconsistent Processes/Poor Data | Differing processes, multiple vendor masters, inaccurate service mapping, duplicate entries | Work contracts through an upfront vetting process; make use of a rules-based due diligence process, use technology to drive consistency
Resource Constraints | Increased regulatory demands requiring more comprehensive and more frequent reviews | Risk-based focus; use of integrated technology; managed service offerings and emergence of risk consortiums
Best Practices – TPR Frameworks
TPR FRAMEWORKS
FOCUSING ON THE CRITICAL AREAS FOR IMPROVEMENT
• Experience has shown that to arrive at a solid and best-in-class risk management process, firms need to develop or improve in the following 10 areas:
1. Be comprehensive – A detailed inventory of all third parties with whom the firm has a relationship. Start with the vendor master list and AP payment reports, but also use enterprise-wide surveys and data algorithms to reconcile data.
2. Catalog risks – A comprehensive catalog of specific risks to which third parties can expose the firm. Many institutions do not fully understand all the risks of their third parties. A master risk register, tied to the issues that the regulators are actively pursuing, will help start this process.
3. Risk-based segmentation of the supplier base – Not all suppliers or their services carry the same amount of risk. Devote the most effort to activities defined as critical. Tiering the third parties will help to ensure that those marked as high risk will be treated in a similar fashion.
Third-Party Risk Management Frameworks
TPR FRAMEWORKS
4. Rules-based due diligence testing – Treating every third-party relationship the same does not make sense. Carefully designed rules can help firms focus their investigations on the most critical areas.
5. Disciplined governance and escalation framework – At many firms, third-party risk management does not have a natural owner. Establishing one and giving that group the right decision-making power is essential.
6. Incorporate independence reviews – Plan for an independent review of critical activities to set a baseline for the third-party risk management framework and processes.
7. Streamlining third-party relationships – Company mergers, acquisitions, and lack of corporate-wide sourcing activities may have produced too many duplicative third parties and services, and a rationalization initiative will not only save money but will also lower risk potential.
Third-Party Risk Management Frameworks
Best Practices – TPR Frameworks
TPR FRAMEWORKS
8. Use of integrated technology and MIS workflow – Increase efficiency and accuracy of risk assessments: purpose-built off-the-shelf applications have matured over the last few years and may be the right answer for third-party risk management needs, as building them can prove difficult.
9. Identifying an Internal Audit “central point of contact” (CPC) – Designate an Internal Audit CPC for third-party risk management similar to other enterprise risks. This person should be your czar in understanding what the regulators are looking for and should find and address weaknesses before the examiners do.
10. Establish three lines of defense – Organize the third-party risk management program across three lines of defense:
‒ Business Owners: They own the risk and need to implement actions for risk identification and mitigation.
‒ Third-Party Oversight: They establish the policies and procedures, provide oversight for key risks, and identify opportunities for improvements as third-party risk regulations change.
‒ Internal Audit Department: They set the audit standard for the third-party risk management program, conduct reviews, and identify potential risks that require remediation.
Third-Party Risk Management Frameworks
Best Practices – TPR Frameworks
Third-Party Risk Management Frameworks
Key Risk Summary
TPR FRAMEWORKS
• This table summarizes the key third-party risks for which companies should plan to protect the interests of their clients, employees, and the overall health of their operations.
• These risks may contribute to operational and reputational harm if not handled properly, with a potential for Significant Revenue Impact.
Third-Party Risk Management Frameworks
TPR FRAMEWORKS
Figure: Third-party risk framework

CORPORATE DRIVERS
‒ Growth/innovation (products/services)
‒ Improved Client Experience
‒ Cost Optimization
‒ Improved Time to Market
‒ Risk and Compliance Management

THIRD-PARTY RISK FRAMEWORK COMPONENTS
‒ Governance: How best to structure the organization (committees, specific roles and responsibilities, escalations) for managing third parties
‒ Policies and Standards: The development of third-party policies and standards that convey both management and regulatory expectations around risks
‒ Business Processes: Efficient processes to identify, segment, and manage risks across the full third-party lifecycle
‒ Tools and Technology: Tools and technology that effectively support the third-party risk management processes and data integration needs
‒ Risk Metrics and Dashboard: Identifies risk and performance associated with third parties, tailored towards multiple levels of management
‒ Risk Culture: Tone at the top, clarity on risk appetite, appropriate training and awareness, to promote a positive risk culture

KEY RISK DOMAINS
‒ Contractual Risk
‒ Continuity of Service/Product Risk
‒ Financial Viability Risk
‒ Personnel/Physical Security Risk
‒ Credit Risk
‒ 4th Party Risk (subcontractors)
‒ Legal/Regulatory Risk
‒ Geo-political Risk
‒ Information Security Risk
‒ Strategic Risk

THIRD-PARTY RISK LIFECYCLE
‒ Planning, risk identification
‒ Due diligence, third-party selection
‒ Contract negotiation and onboarding
‒ On-going monitoring and mitigation
‒ Termination and off-boarding
‒ Continuous improvement
Third-Party Risk Management Frameworks
A changing landscape
TPR FRAMEWORKS
• Current bilateral processes are inefficient, expensive, and do not provide centralized functionality across planning, due diligence, contracting, ongoing monitoring, and termination.

Figure: Current Practice – Clients and Third Parties, One-to-One; Risk Consortiums – Clients and Third Parties, Many-to-One-to-Many
Third-Party Risk Management Frameworks
Benefits to a third-party risk consortium
TPR FRAMEWORKS
• KY3P is a centralized data hub which enables firms to standardize and simplify the third-party risk management process, including due diligence and ongoing monitoring processes, and to reduce duplication and more efficiently distribute and communicate risk-critical information.
Key Challenges to Third Parties
‒ Regulatory Pressure: Evolving industry regulations require increased due diligence
‒ Increased Resources: Duplicative, manual, and inefficient processes are expensive to maintain and require extensive resources for upkeep
‒ Time to Market: Information required from customers is needed within specific timeframes
‒ Repetition: Multiple requests for information from third parties create duplicative processes for both firms and third parties
‒ Security: Third parties want to ensure their data is secure and currently lack visibility into who has access to their information

Planned Benefits
‒ Best Practices: Streamlined processes help firms implement industry best practices and ensure audit readiness
‒ Cost Reduction: Reduce costs by facilitating a more efficient third-party oversight process
‒ Customer Onboarding: Standardized processes enable firms to collaborate quickly and more effectively
‒ Efficiency: Efficient processes and aggregated information enable firms to store and reuse data across multiple requests
‒ Control: Permissioning systems enable firms to maintain control and gain transparency over who has viewed their data
Third-Party Risk Management Frameworks
Consortium functionality
TPR FRAMEWORKS
Planned functionality
Industry Incident Management | Industry-wide event monitoring – third parties can raise alerts. Standard questions developed, exchange of standard information through the portal from the third party, and visible to all those permissioned
KY3P Data Hub | Summary risk ratings and financial ratios sourced from D&B and S&P. Repository for third-party audit reports and supporting documentation
Due-Diligence Questionnaire | Standard set of industry questions by risk domain agreed across the three design banks for the third parties to complete, with a quality assurance feedback loop
Daily News and Screening and Monitoring | Proactive notification of negative news and relevant events (e.g. mergers/divestitures). Screening for relevant sanctions against third parties
Request-For-Service Marketplace | Ability to source custom third-party risk services such as verification/validation, onsite review assessments, audit reviews, etc. from ecosystem participants
Other Functionality | As identified by the Product Committee comprising HSBC and the other design banks
SOC Hot Topics
AICPA Clarity Project
GRANT THORNTON
• Under the direction of the Auditing Standards Board, members of the "Clarification Project" undertook the initiative to revise and restructure the Statements on Standards for Attestation Engagements (SSAEs).
• The effort was intended to restructure the guidance to more easily allow practitioners to adhere to relevant guidance for their engagements by performing the following:
– Removing unnecessary redundancy across the standards
– Removing contradictory guidance existent within the standards
– Aligning U.S. standards with International standards
AICPA CLARITY PROJECT
Clarity Project
AICPA Clarity Project
AICPA CLARITY PROJECT
• The result of the AICPA's Clarity Project was to centralize or consolidate guidance applicable to attestation engagements into the following chapters:
‒ Chapter 1 – Concepts Common to All Attestation Engagements
‒ Chapter 2 – Examination Engagements
‒ Chapter 3 – Review Engagements
‒ Chapter 4 – Agreed Upon Procedures Engagements
‒ Chapter 5 – Prospective Financial Information
‒ Chapter 6 – Reporting on Pro Forma Financial Information
‒ Chapter 7 – Compliance Attestation
‒ Chapter 8 – Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting
Clarity Project
AICPA Clarity Project
AICPA CLARITY PROJECT
• Under the new structure, practitioners need to adhere to guidance within at least two of the Attestation Chapters and incremental performance guidance within chapters 5-8
‒ For example, a service auditor will need to adhere to chapters 1, 2, and 8 in order to issue a SOC 1 report
‒ For a SOC 2 report, a service auditor will need to adhere to chapters 1 and 2
Clarity Project
AICPA Clarity Project
AICPA CLARITY PROJECT
• The "Responsible Party" is responsible for the following:
‒ The subject matter;
‒ Its assertion about the subject matter;
‒ Measuring, evaluating, and, when applicable, presenting subject matter that is free from material misstatement, whether due to fraud or error; and
‒ Providing a practitioner with the following:
  ‒ Access to all information of which the responsible party is aware that is relevant to the measurement, evaluation, or disclosure of the subject matter
  ‒ Access to additional information that the practitioner may request from the responsible party for the purpose of the engagement
  ‒ Unrestricted access to persons within the appropriate party(ies) from whom the practitioner determines it is necessary to obtain evidence
Clarity Project
AICPA Clarity Project
AICPA CLARITY PROJECT
• The "Practitioner" is responsible for the following:
‒ Having the appropriate competence and capabilities to perform the engagement
‒ Complying with relevant ethical requirements
‒ Maintaining professional skepticism, and
‒ Exercising professional judgment through the planning and performance of the engagement
Clarity Project
AICPA Clarity Project
AICPA CLARITY PROJECT
• Changes to the standards that may affect a Service Organization include the following:
‒ Introduction of the term Complementary Subservice Organization
‒ Monitoring the Effectiveness of Controls at Subservice Organizations
‒ Addition of a new planning requirement
‒ Rendering an opinion when the responsible party is not the engaging party and refuses to provide an assertion
Clarity Project
AICPA Clarity Project
INTRODUCTION OF THE TERM COMPLEMENTARY SUBSERVICE ORGANIZATION:
• A complementary subservice organization is a subservice organization that performs a function on behalf of the service organization or responsible party that is critical to the achievement of a control objective
• The new standard will now require complementary subservice organization controls assumed in the design of the service organization's controls to be listed within the report, in addition to complementary user entity controls
• Not all subservice organizations will be noted as complementary
AICPA CLARITY PROJECT
Clarity Project
AICPA Clarity Project
MONITORING THE EFFECTIVENESS OF CONTROLS AT SUBSERVICE ORGANIZATIONS:
AICPA CLARITY PROJECT
• The new standard requires that service organizations implement processes that monitor the controls at subservice organizations and provides the following control suggestions:
– Review and reconcile output reports
– Hold periodic discussions with the subservice organization
– Make regular site visits to the subservice organization
– Test controls at the subservice organization by members of the service organization's internal audit function
– Monitor external communications, such as customer complaints relevant to the services by the subservice organization
– Review Type I or Type II reports on the subservice organization's system
Clarity Project
AICPA Clarity Project
ADDITION OF A NEW PLANNING REQUIREMENT:
AICPA CLARITY PROJECT
• The new standard requires the service auditor to read the reports of the internal audit function and regulatory examinations that relate to the services provided to user entities and the scope of the engagement as part of understanding the service organization's environment
• The results should be taken into consideration as part of the risk assessment and in determining the nature, timing, and extent of the tests
Clarity Project
AICPA Clarity Project
RENDERING AN OPINION WHEN THE RESPONSIBLE PARTY IS NOT THE ENGAGING PARTY AND REFUSES TO PROVIDE AN ASSERTION:
AICPA CLARITY PROJECT
• In the past, the standards required the practitioner to resign from the engagement and decline to provide a report
• Under the new guidance, the practitioner is able to issue a report, but the report must include a statement regarding the written assertion
• This action allows for the issuance of a report when the Engaging Party may want third-party assurance over a subject matter with which the responsible party is uncomfortable
Clarity Project
AICPA Clarity Project
SOC Hot Topics
AICPA's Consideration of Cybersecurity
GRANT THORNTON
Center for Audit Quality and AICPA Cybersecurity
AICPA CYBERSECURITY
• The Center for Audit Quality and the AICPA undertook an effort last fall to provide additional guidance to practitioners regarding the amount of assurance that needed to be sought for both audit and attestation engagements.
• A couple of key conclusions that came out of those meetings included the following:
‒ The risk of a cyber attack is not yet a financial reporting risk for a financial statement audit; however, the effects of a cyber attack may be relevant based upon the contingent liability
‒ The responsibilities of an auditor do not yet include the requirement to conclude on the effectiveness of cybersecurity controls as part of ICFR
AICPA's Consideration of Cybersecurity
Center for Audit Quality and AICPA Cybersecurity
AICPA CYBERSECURITY
• The AICPA formed a working group, under the direction of the Assurance Services Executive Committee, to develop a cybersecurity attestation engagement
• The purpose of this working group was to explore the possibility of defining criteria against which an entity could be assessed
• In January 2016, the working group released the first draft of its position paper to the ASEC:
‒ The position paper outlined requirements for practitioners with respect to competence and capabilities as well as experience with the subject matter
‒ The position paper outlined criteria that would be required for a practitioner to undertake the engagement
‒ Comments were provided to the working group to revise the position paper to address key concerns of ASEC
AICPA's Consideration of Cybersecurity
SOC Hot Topics
HITRUST and SOC 2
GRANT THORNTON
Health Information Trust Alliance (HITRUST)
HITRUST AND SOC 2
BASIC FACTS:
• Organization formed in 2008 and headquartered in Frisco, TX
• Developed the HITRUST Common Security Framework (CSF), which brings together the following standards into a single framework specific to the healthcare industry:
‒ ISO 27001, 27002, and 27799
‒ NIST 800-53 and 800-66
‒ Health Insurance Portability and Accountability Act (HIPAA)
‒ COBIT
‒ PCI Data Security Standard (PCI DSS)
‒ FTC Red Flags
‒ Considers federal and state regulations
HITRUST
Common Security Framework (CSF) – Overview
HITRUST AND SOC 2
• The CSF provides certifiable compliance, common understanding, and acceptance:
‒ An accreditation and certification process to drive transparency and adoption of baseline information security controls
‒ Follows a risk-based approach to allow security controls to be prioritized
• Emerging opportunities for leveraging the HITRUST CSF at Healthcare Organizations:
‒ Monitoring Business Associate compliance – Anthem, Health Care Services Corp., Highmark, Humana and UnitedHealth Group will require approximately 7,500 Business Associates to obtain HITRUST Certification within 24 months (announced June 2015)
‒ The Office of Civil Rights (OCR) refers to the HITRUST CSF as a resource to use when defining risk analysis and assessment programs
HITRUST
Common Security Framework (CSF) – Overview
HITRUST AND SOC 2
• The HITRUST CSF consists of:
‒ 14 Control Categories (high level topics based on ISO 27001 and ISO 27002)
  For example: Access Control
‒ 46 Control Objectives (statement of desired results or purpose)
  For example: To prevent unauthorized access and compromise or theft of information and information assets
‒ 149 Implementation Requirements (prescriptive statements)
  For example: Password management policies shall be developed, documented, adopted and communicated to all users to address the need to…
HITRUST
CSF – Scope
HITRUST AND SOC 2
• The HITRUST CSF addresses the following information security and privacy areas of focus, referred to as Control Categories:
HITRUST
‒ Information Security Management Program
‒ Security Policy
‒ Physical and Environmental Security
‒ Access Control
‒ Organization of Information Security
‒ Communications and Operations Management
‒ Human Resources Security
‒ Business Continuity Management
‒ Information Systems Acquisition, Development and Maintenance
‒ Risk Management
‒ Compliance
‒ Information Security Incident Management
‒ Privacy Practices
‒ Asset Management
CSF – Control specifications and implementation requirement levels
HITRUST AND SOC 2
• The CSF is applicable to healthcare organizations of varying size and complexity
‒ The CSF allows for flexibility in implementing controls to the degree that is appropriate for a given environment
‒ Within the control specifications across the control categories of the CSF, “implementation requirement levels” relate the organization’s risk profile to the minimum level of controls needed
• Implementation Requirement Levels Explained
‒ Level 1 – the minimum set of security requirements for all systems and organizations as determined by the industry (e.g., HIPAA compliant)
‒ Level 2 & 3 – required for systems and organizations with increased complexity/risk as determined by organizational, regulatory and system factors
• Organizational factors include the organization’s size and complexity of environment (e.g., volume of business)
• Regulatory factors include the compliance requirements applicable to the organization based on its business / industry or data in its systems (e.g., PCI, CMS, State requirements)
• System factors include attributes that would increase the likelihood or impact of a vulnerability being exploited (e.g., number of users, third-party connectivity, use of mobile devices)
HITRUST
Assessment Types
HITRUST AND SOC 2
• Self Assessment
‒ Performed by the organization
‒ Allows an organization to understand their current level of compliance with the CSF
‒ Can be quickly completed with low to medium level of effort
‒ Can be used as a stepping stone to a validated assessment
• Validated Assessment
‒ Performed by an authorized CSF assessor
‒ Timely process with medium to high level of effort needed to complete the assessment
‒ Allows an organization to understand their current level of compliance with the CSF
‒ Results in either a Validated Report or Validated Report with Certification
HITRUST
Types of Reports
HITRUST AND SOC 2
HITRUST and SOC 2
• HITRUST CSF Certification
‒ Certification through an assessment by a HITRUST approved assessor
‒ Issued by HITRUST
• SOC 2 Only
‒ Adopted the HITRUST CSF framework, but the service auditor does not express an opinion on whether the controls at the service organization are suitably designed and operating effectively to meet the HITRUST CSF
‒ Issued by CPA Firm
• SOC 2 + HITRUST CSF
‒ Service auditor's report expresses an opinion on the fairness of presentation of the description and suitability of design and operating effectiveness of controls based on the Trust Services Principles and Criteria and the HITRUST CSF
‒ Issued by CPA Firm
• SOC 2 + HITRUST CSF + CSF Certification
‒ Service auditor expresses a SOC 2 + HITRUST CSF opinion
‒ Organization has achieved HITRUST CSF certification
‒ Issued by a CPA Firm that is also a HITRUST approved assessor
Benefits of Combining HITRUST CSF Assurance and SOC 2
HITRUST AND SOC 2
• Leverage the HITRUST CSF controls in SOC 2 engagements
• Realize significant time efficiencies and cost savings through synergies between the HITRUST CSF controls and the Trust Services Principles and Criteria
• Reduce the inefficiencies and costs associated with multiple reporting requirements
• Communication through a single deliverable
HITRUST and SOC 2