Vendor (Supplier) Risk Assessment _and_amp; SOX 1337

  • Hi, I am putting together a risk assessment framework for a uk bank and need to consider SOX.
    Can anyone give me advice on does SOX have anything that relates to Vendors (Suppliers) and the risk they may introduce to the business.
    Any thoughts welcome.

  • Hi,
    Generally, procurement risks are more prevalant and have more impact on ICOFR issues in a manufacturing concern than would be in a bank. However, the following are procurement issues related to SOX for any company:
    Section 302
    Addresses executive-level responsibilities for disclosure controls and procedures over material information included in public reports; effective financial and procurement processes, including authorization and spending controls, and management of outstanding purchase commitments and risks contribute to full disclosure.
    Section 401
    Addresses disclosure requirements in specific areas including off-balance-sheet transactions, pro forma disclosures and special purpose entities; relationships with third parties, including suppliers, may have reporting implications requiring consideration.
    Section 404
    Addresses responsibilities for internal control over financial reporting, including an annual assessment by management of the effectiveness of such controls with the external auditor attesting to that assessment; all key procurement and disbursement processes affecting financial reporting must be effectively controlled in a manner that is auditable.
    Section 409
    Addresses the requirement to disclose information on material changes in the company’s financial position and results of operations quickly on a ‘current and rapid’ basis; therefore, changes over time in procurement and expenditure processes and in the related risks should be evaluated in this context.
    Section 802
    Addresses record retention by external auditors; management may want to consult with counsel to ensure the organization’s retention practices are appropriate in light of the realities of today, including retention practices affecting the entity’s procurement and disbursement processes.
    Section 906
    Addresses senior executives responsibilities for certifying accuracy of the financial condition of the company’s reports; as with Section 302, effective procurement and disbursement processes and controls must be in place to provide reliable information.
    Some Business Process Risks:
    Price, Currency, Commodity, Equity, Interest Rate, Financial Instrument, Liquidity, Concentration, Opportunity Cost, Cash Flow, Credit, Default, Concentration, Settlement, and Collateral
    Particularly conoentrated in the following for procurement activities:
    Relevance, Integrity, Access, Availability and Infrastructure
    Employee/Third Party Fraud, Reputation, Management Fraud, Illegal Acts, and Unauthorized Use
    Some other areas for consideration:
    Controllable risks might include:
    Financial/total cost/price (including sourcing)
    Product/service outsourcing
    Global sourcing (services and products)
    Legal and contract-related
    Planning, forecasting and alignment
    (demand/supply imbalance)
    Supply interruption
    Supplier qualification
    Customer service and satisfaction
    Human resource (skills, qualifications,
    competencies, organization, culture)
    Information for decision-making (management,
    measurement, and control information)
    Hope this helps,

  • With signficant reliance on IT systems and integration of multiple IT suppliers, some IT areas for concern related to suppliers/vendors:

    • Manage your Technology Vendors and their Inherent Risks
    • Implementing Controls to Reduce Vendor Risk
    • Practice Due Diligence when Selecting Vendors
      Managing Technology Vendors
      Management should develop a vendor risk assessment to monitor service provider performance and potential changes in institution requirements throughout the life of the contract.
      Monitoring should include:
      Key service level agreements (SLAs) and contract provisions;
      Financial condition of the service provider;
      General control environment of the service provider through the receipt and review of audit reports and other internal control reviews; and
      Potential changes due to the external environment.
      How to Perform a Vendor Risk Assessment
      Inventory all technology vendors
      To identify vendors to be measured for risk
      Measure and Assign an Aggregate Risk score to each vendor
      Quantity of Risk - risk inherent in using the vendor vs.
      Quality of Risk Management and Control - risk management and control initiatives
      Develop the program for periodic review vendor controls
      Assess Quantity of Risk
      Data Confidentiality
      Earnings Exposure
      Logical or Physical Access
      Regulatory Risk
      Assess Quality of Risk
      Service Level Agreements
      Financial Condition
      Vendor Assurance Reports
      Vendor Contracts
      Key contract components include:
      Ownership of Intellectual Property
      Dispute Resolution
      Limitation of Liability
      Third Party Assignment
      Scope of Service
      Performance Standards
      Security and Confidentiality
      Operational Controls
      Service Level Agreements (SLA)
      An SLA should be included to specify and clarify performance expectations and establish accountability
      An SLA should formalize the performance criteria against which the quantity and quality of service should be measured
      Management should closely monitor the service provider’s compliance with the SLA
      Financial Condition of Technology Vendors
      Annually review the financial viability of your vendors
      Utilize the vendors’ annual financial
      statement and independent auditor reports
      Closely monitor declining vendors
      Vendor Reports
      AICPA Reports
      SAS No 70 reports on the processing of transactions by service organizations
      SysTrust assurance on any defined electronic system Certification
      Certifications based on private, proprietary information created by the preparer
      Vendor Certifications
      To close:
      Institutions are increasingly dependant on technology developed and managed by third parties
      Institutions must understand and manage the risks and controls associated with vendors who help deliver the technology solutions designed to support business operations
      Contracts are written to address current needs when at a point in time
      Over time an institution’s needs may change based on regulatory, economic, or other factors
      Institutions need to monitor for changes and update its contracts accordingly

Log in to reply