Vendor (Supplier) Risk Assessment & SOX
lostraveller last edited by
Hi, I am putting together a risk assessment framework for a UK bank and need to consider SOX.
Can anyone give me advice on whether SOX has anything that relates to vendors (suppliers) and the risk they may introduce to the business?
Any thoughts welcome.
milan last edited by
Generally, procurement risks are more prevalent and have more impact on ICOFR issues in a manufacturing concern than they would in a bank. However, the following are procurement issues related to SOX for any company:
- Addresses executive-level responsibilities for disclosure controls and procedures over material information included in public reports; effective financial and procurement processes, including authorization and spending controls, and management of outstanding purchase commitments and risks contribute to full disclosure.
- Addresses disclosure requirements in specific areas including off-balance-sheet transactions, pro forma disclosures and special purpose entities; relationships with third parties, including suppliers, may have reporting implications requiring consideration.
- Addresses responsibilities for internal control over financial reporting, including an annual assessment by management of the effectiveness of such controls, with the external auditor attesting to that assessment; all key procurement and disbursement processes affecting financial reporting must be effectively controlled in a manner that is auditable.
- Addresses the requirement to disclose information on material changes in the company's financial position and results of operations quickly, on a "current and rapid" basis; therefore, changes over time in procurement and expenditure processes and in the related risks should be evaluated in this context.
- Addresses record retention by external auditors; management may want to consult with counsel to ensure the organization's retention practices are appropriate in light of today's realities, including retention practices affecting the entity's procurement and disbursement processes.
- Addresses senior executives' responsibilities for certifying the accuracy of the financial condition reported in the company's reports; as with Section 302, effective procurement and disbursement processes and controls must be in place to provide reliable information.
Some business process risks:
- Price, Currency, Commodity, Equity, Interest Rate, Financial Instrument, Liquidity, Concentration, Opportunity Cost, Cash Flow, Credit, Default, Settlement, and Collateral
Particularly concentrated in the following for procurement activities:
- Relevance, Integrity, Access, Availability and Infrastructure
- Employee/Third Party Fraud, Reputation, Management Fraud, Illegal Acts, and Unauthorized Use
Some other areas for consideration. Controllable risks might include:
- Financial/total cost/price (including sourcing)
- Global sourcing (services and products)
- Legal and contract-related
- Planning, forecasting and alignment
- Customer service and satisfaction
- Human resource (skills, qualifications, competencies, organization, culture)
- Information for decision-making (management, measurement, and control information)
Hope this helps,
milan last edited by
With significant reliance on IT systems and the integration of multiple IT suppliers, some IT areas of concern related to suppliers/vendors are:
- Manage your Technology Vendors and their Inherent Risks
- Implementing Controls to Reduce Vendor Risk
- Practice Due Diligence when Selecting Vendors
Managing Technology Vendors
Management should develop a vendor risk assessment to monitor service provider performance and potential changes in institution requirements throughout the life of the contract. Monitoring should include:
- Key service level agreements (SLAs) and contract provisions;
- Financial condition of the service provider;
- General control environment of the service provider, through the receipt and review of audit reports and other internal control reviews; and
- Potential changes due to the external environment.
How to Perform a Vendor Risk Assessment
- Inventory all technology vendors, to identify the vendors to be measured for risk
- Measure and assign an aggregate risk score to each vendor: Quantity of Risk (the risk inherent in using the vendor) vs. Quality of Risk Management and Control (the risk management and control initiatives in place)
- Develop the program for periodic review of vendor controls
Assess Quantity of Risk:
- Logical or Physical Access
Assess Quality of Risk Management:
- Service Level Agreements
- Vendor Assurance Reports
Key contract components include:
- Ownership of Intellectual Property
- Limitation of Liability
- Third Party Assignment
- Scope of Service
- Security and Confidentiality
Service Level Agreements (SLA)
- An SLA should be included to specify and clarify performance expectations and establish accountability
- An SLA should formalize the performance criteria against which the quantity and quality of service will be measured
- Management should closely monitor the service provider's compliance with the SLA
Financial Condition of Technology Vendors
- Annually review the financial viability of your vendors
- Utilize the vendors' annual financial statements and independent auditor reports
- Closely monitor declining vendors
Vendor Assurance Reports
- SAS No. 70 reports on the processing of transactions by service organizations
- SysTrust assurance on any defined electronic system
- Certifications based on private, proprietary information created by the preparer
Institutions are increasingly dependent on technology developed and managed by third parties.
Institutions must understand and manage the risks and controls associated with the vendors who help deliver the technology solutions designed to support business operations.
Contracts are written to address current needs at a point in time.
Over time an institution's needs may change based on regulatory, economic, or other factors.
Institutions need to monitor for such changes and update their contracts accordingly.
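The "How to Perform a Vendor Risk Assessment" steps above (inventory, quantity of risk vs. quality of risk management, aggregate score, periodic review program) can be carried through as a small scoring model. The following is an added worked example, not code from this thread or from any regulator's guidance; the risk factors, weights, thresholds and review cadences are assumptions chosen for illustration, and the vendor inventory is constructed sample data. An institution would calibrate the weights to its own risk appetite and the factors it actually collects (access granted, data sensitivity, criticality, financial condition, SLA performance, assurance report currency).

```python
"""Vendor risk assessment: inventory, inherent-risk and control-quality
scoring, aggregate rating, review cadence and exception flags.
Added illustration; all weights and thresholds are assumptions."""
from dataclasses import dataclass
from datetime import date
from enum import IntEnum
from typing import List, Optional


class Level(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class Vendor:
    name: str
    logical_access: bool          # vendor can reach the institution's systems or data
    physical_access: bool         # vendor staff can enter the institution's premises
    data_sensitivity: Level       # sensitivity of the data the vendor handles
    criticality: Level            # business impact if the service fails
    financial_condition: Level    # LOW = sound, HIGH = declining (from the annual review)
    sla_in_place: bool
    sla_breaches_last_year: int
    assurance_report_date: Optional[date]  # date of the last assurance report received


@dataclass(frozen=True)
class Assessment:
    vendor: str
    quantity_of_risk: int
    quality_of_controls: int
    residual: int
    rating: Level
    review_every_days: int
    exceptions: List[str]


def quantity_of_risk(v: Vendor) -> int:
    """Inherent risk of using the vendor, before any controls (range 3..12)."""
    score = int(v.data_sensitivity) + int(v.criticality) + int(v.financial_condition)
    if v.logical_access:
        score += 2   # assumed weight: logical access to data counts more than physical
    if v.physical_access:
        score += 1
    return score


def quality_of_controls(v: Vendor, as_of: date) -> int:
    """How well the relationship is controlled (range 0..4); higher is better."""
    score = 0
    if v.sla_in_place:
        score += 1
        if v.sla_breaches_last_year == 0:
            score += 1
    if v.assurance_report_date is not None:
        age = (as_of - v.assurance_report_date).days
        if age <= 365:
            score += 2   # current report
        elif age <= 548:
            score += 1   # stale (12-18 months): partial credit only
    return score


def exceptions_for(v: Vendor, as_of: date) -> List[str]:
    """Conditions needing follow-up regardless of the aggregate score."""
    notes = []
    if not v.sla_in_place:
        notes.append("no SLA")
    elif v.sla_breaches_last_year > 0:
        notes.append(f"{v.sla_breaches_last_year} SLA breach(es) in last year")
    if v.financial_condition == Level.HIGH:
        notes.append("declining financial condition")
    if v.assurance_report_date is None:
        notes.append("no assurance report")
    elif (as_of - v.assurance_report_date).days > 365:
        notes.append("assurance report older than 12 months")
    return notes


def assess(v: Vendor, as_of: date) -> Assessment:
    """Aggregate score: inherent risk less control quality, mapped to a rating
    and a review cadence (assumed thresholds: >=8 high, >=5 moderate)."""
    q = quantity_of_risk(v)
    c = quality_of_controls(v, as_of)
    residual = q - c
    if residual >= 8:
        rating, cadence = Level.HIGH, 90
    elif residual >= 5:
        rating, cadence = Level.MODERATE, 180
    else:
        rating, cadence = Level.LOW, 365
    return Assessment(v.name, q, c, residual, rating, cadence, exceptions_for(v, as_of))


def assess_inventory(vendors: List[Vendor], as_of: date) -> List[Assessment]:
    """Score every vendor in the inventory, highest residual risk first."""
    return sorted((assess(v, as_of) for v in vendors),
                  key=lambda a: a.residual, reverse=True)


# Constructed sample inventory (fictional vendors) for the example.
SAMPLE_VENDORS = [
    Vendor("core-banking-host", True, False, Level.HIGH, Level.HIGH, Level.LOW,
           True, 0, date(2007, 3, 1)),
    Vendor("statement-printer", True, False, Level.HIGH, Level.MODERATE, Level.HIGH,
           True, 3, date(2005, 12, 1)),
    Vendor("office-cleaning", False, True, Level.LOW, Level.LOW, Level.LOW,
           False, 0, None),
]
AS_OF = date(2007, 9, 1)

if __name__ == "__main__":
    for a in assess_inventory(SAMPLE_VENDORS, AS_OF):
        print(f"{a.vendor:18} inherent={a.quantity_of_risk:2} controls={a.quality_of_controls} "
              f"residual={a.residual:2} {a.rating.name:8} review every {a.review_every_days}d "
              f"exceptions={a.exceptions}")
```

The exception list is deliberately kept separate from the score: a vendor with a declining financial condition or a stale assurance report needs a follow-up action even when its aggregate rating is only moderate, which matches the "closely monitor declining vendors" point above. Running the sample puts the statement printer (declining finances, SLA breaches, stale report) at the top for quarterly review, the core banking host in the moderate band despite its high inherent risk because its controls score well, and the cleaning contractor at the bottom with an open "no SLA" exception.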