Internal Auditors Must Rethink Third-Party Providers

Most modern organizations have at least one process that is outsourced or co-sourced to a third-party provider. There are numerous reasons why this may be a good decision. Sometimes there may be non-core functions that third parties perform better. Other times it is more financially feasible to have an outside party perform a function. And other times third parties help manage the workload. Whatever the reason, outsourcing something in some capacity is here to stay.

What that means for internal auditors is that now there is some company outside of your organization that bears the burden of identifying and managing risk (or helping the company manage and identify risk). Without proper oversight, these vendors can actually increase risks.

Most of us by now understand the basics of vendor management auditing:

  • The vendor needs to be properly vetted before initiating a contract
  • The contract should contain a right-to-audit clause
  • There should be clear expectations detailed in a documented service level agreement
  • Financial due diligence is important
  • Operational due diligence is critical
  • Periodic vendor reviews should be mandatory

And in the end, no matter who messes up, your stakeholders only see your organization.

Once we understand these concepts, auditing our organization's vendor management process is fairly straightforward. But the question I ask is, have we identified and are we auditing the right third-party provider risks? I believe that there are three types of third-party providers. And I also believe that we are only auditing two types of third-party providers. The three types of third-party providers are:

  • Company direct
  • Stakeholder direct
  • Stakeholder indirect

Company direct
The company direct third-party provider is one that provides services for the organization. For example, many organizations outsource payroll to ADP. The company sends pay data to ADP, which then initiates direct deposits or checks, performs tax calculations, benefits calculations, and much more. External stakeholders typically are not affected by and do not see any of the work performed by ADP. The organization (and its employees) is the primary beneficiary of these services. So the company is directly impacted by these third-party provider services.

Stakeholder direct
I have been in the higher education industry for almost 9 years. I have been out of school for…well let’s just say a lot longer. One of the first things I noticed is that campuses now have several food venues (Papa John’s, Jamba Juice, Chick-fil-A) and many other amenities that did not exist on campus when I attended college. In many instances, universities pay someone else to manage these services. For example, a company called Follett manages the bookstore. Chartwells manages all food venues (Starbucks, Chick-fil-A, etc.). These are but a few examples of third parties providing services directly to customers on behalf of an organization. These third parties do more than provide a product or perform a service. They become unofficially delegated representatives of the organization. They interact directly with customers. If these providers make errors, customers still blame the organization, not the third party.

I believe auditors have done a decent job of identifying and auditing company direct and stakeholder direct third-party providers. I believe that the stakeholder indirect third-party provider category is an untapped source of risk. Please allow me to explain.

Stakeholder indirect
This is where third parties perform services for your customers that are indirectly related to your product/service offering. Oftentimes customers are aware of the third party; however, your organization played a significant role in bringing the customer to the third party. As a result, your organization may be blamed for any product or service errors that occur.

So what do I mean?
Delta has been my airline of choice for many years, mostly because it is convenient and fairly consistent. And for those of you who fly Delta, you know that almost any destination includes a layover in Atlanta, Georgia. I love Hartsfield airport. It has everything you need and it’s easy to navigate. My experience over the last 10 years is that this airport is usually a model of efficiency. Delta has been in the airline business long enough to know how to route people effectively and efficiently. However, I recently returned from a trip that I would classify as one of the worst travel experiences I’ve ever had.

Three hours prior to my flight, I received a notification from the Delta app as well as an email informing me that my flight would be delayed by an hour. This flight delay meant that I had approximately 10 minutes to make it from one terminal to the next to catch my last flight. Atlanta’s airport is huge, so this was a nearly impossible task. This is not the first time this has happened. In other instances Delta has either a) held the second plane if there were a significant number of passengers, b) arranged for inconvenienced passengers to fly on another flight, or c) made hotel arrangements and booked those passengers to fly out the next day.

My flight was a redeye and was the last flight out to my destination for that day. As expected, Delta had a process for making hotel accommodations. Upon arrival, we were ushered to customer service representatives who assisted us. Friendly airline personnel made hotel arrangements, rescheduled flights, and told us where to catch the shuttle to get to the hotel. They even gave us a nice travel pack with toiletries and a T-shirt and a nice carry bag. This experience was the embodiment of good customer service after a disappointing event.

At this point, what I like to call “the handoff” occurred. Delta was officially done with us. A group of us made our way to the designated area just outside of the airport and waited for the hotel shuttle. It was after midnight, fairly cold and rainy. Over 40 people stood outside waiting. Thirty minutes passed and we were still waiting. An hour…still waiting. We called the hotel after the first 30 minutes and were told the shuttle was on its way. Another 20 minutes and still no shuttle. We must have looked pitiful because drivers for competing hotels started asking us “Are you okay?” and “What hotel are you waiting for?”

Unfortunately, some drivers used our misfortune as an entrepreneurial opportunity. One driver approached us under the guise of concern. He asked, “Where are you all going?” When we told him, he said that he would take us. We thought this was very kind, especially considering it was probably against the rules. As we approached his van, he informed us that he would take us to the hotel; however, we had to take care of the driver. Now what this really meant is that he wanted us to pay him. Desperate to get to the hotel, some paid him as much as $20 per person to travel approximately 5 miles. However, many of us decided to not pay and waited for our regularly scheduled shuttle.

Our driver finally arrived in a small van, gathered a small group and never returned. After a considerable amount of time, a driver for another hotel approached us. He asked how long we had been standing outside. At this point we didn’t know. He offered to take us to our hotel. He made it a point to tell us that he was not a hustler and that he was not going to ask us for money. This polite young man safely delivered several weary passengers to our hotel on this dreary late night. Because of his kindness, many of us did in fact give him some money.

The young lady at the front desk of the hotel was friendly and efficient. Working alone, she checked us in as quickly as she could. I opened the door to a clean, fresh room, dropped my bags on the floor and fell asleep almost immediately.

The next day, hotel staff informed us that shuttles run every 30 minutes (not our actual experience). A group of us ended up on the same bus going back to the airport. Our driver was nice, competent and friendly. He was shocked when we told him about the previous night! With this new driver, we made it to the airport early. And I eventually made it home.

A few days later, Delta sent an apologetic email and a survey. Both were appropriate, but conveniently focused on the core services Delta offers. For example, the survey inquired about the way Delta handled the flight delay. It asked if the communication about the flight delays was timely and relevant. It also inquired about the way customer service agents handled the booking of new flights. However, it did not mention or ask about the services provided by the hotel. This is important because Delta selected this location and gave us no other choice. So logically it would be in the best interest of the organization to inquire about the services performed on its behalf by a third-party provider. This inquiry never happened.

I understand that this was a third party; however, how many customers with a similar experience would directly blame Delta? After all, we would not have been in that situation had it not been for Delta. This is why I believe organizations and auditors must rethink third-party providers. We must rethink how we classify them, how we vet them and how we review their performance compared to our expectations. The risks are real and no organization should fully trust another organization to perform functions on its behalf. Proper due diligence, monitoring and a well-placed audit can mean the difference between a third-party provider that adequately represents the organization or one that stains the reputation.

Your thoughts?


Robert Berry

Robert (That Audit Guy) Berry is a risk, compliance and auditing advocate, educator and innovator. He helps good professionals become better by creating articles, web services and training that allow them to expand their knowledge network.
