Jacqueline T.
Jackie Thornley

The use of information technology (IT) services provided by other organisations (third parties) is becoming more widespread throughout state and local government entities.

When third-party vendors provide hardware and software services, they become part of an entity’s network and control frameworks for protecting, responding to, and recovering from external cyber attacks.

What is third-party provider risk?

Third-party provider risk is the risk introduced into your entity when you use outsourced services. This can include financial risk, reputational risks (from data breaches), and risks from disrupted business operations. Your entity may have robust risk management practices and controls in place, but the third-party vendors may not.

There have been several high-profile attacks on third-party systems in recent years, which have impacted on Queensland public sector entities. This is an emerging and significant risk in managing cyber security.

In State entities 2023 (Report 11: 2023–24), we report that entities are not always managing the security risks that stem from using third-party providers for information system services and technologies.

Your entity’s risk management needs to consider risks associated with using third-party providers, including risks outside of your entity. Not only do you need to consider risks associated with the primary provider of the product, but also the risks of their vendors.

As part of your entity’s risk management program, you need to:

  • identify how you use third party services, the extent to which you use the third-party service providers, and the associated security risks
  • establish due diligence (vetting and continuous monitoring) processes when engaging new third parties or continuing with third-party services
  • define security standards and the appropriate contractual agreements, such as provision of a controls report, to manage security risks
  • establish a process to continually assess how well each third party manages its security risks and responds to and recovers from security incidents.

What should my entity consider?

As we discussed in our blog Risk management – where do we start?, good risk management supports greater preparedness for unexpected events. When entities identify third-party provider risks and commit to effectively managing them, they are better positioned to mitigate them.

Lights On with solid fill

Does your risk register include risks that consider the use of third-party providers? Have you developed controls to mitigate the risks and ensure that the remaining risk is not greater than your entity’s risk appetite?

Management needs to have in place a program of continuous monitoring of third-party providers. As these vendors are now part of your control environment, you need to liaise with them and obtain the necessary controls assurance reports.

Controls reports can include those prepared under ASAE 3402 Assurance Reports on Controls at a Service Organisation or SSAE 18 System and Organization Controls (SOC) Reports. These report on the design, implementation, and operating effectiveness of the controls in place at the vendor.

If you already have a third-party provider, are you obtaining a controls report from it?

If you are:

  • Is the report sufficiently specific to provide you with an understanding of the vendor’s controls and whether these are operating effectively?
  • What steps are you undertaking to review the report and discuss any documented control breakdowns with the vendor?

If you are not receiving a report from the vendor, how are you mitigating the risks to your entity from the third-party provider?

When entities undertake a software implementation or upgrade, they should perform due diligence over the third-party provider. This should include determining if the vendor has a controls assurance report it can provide to the entity.

Lights On with solid fill

Is the continued provision of a controls report written into your contract?

One of the risks that can arise from using third-party providers is business interruption. Does your entity’s business continuity plan include consideration around events involving providers?

Lights On with solid fill

Do you know what your providers’ business continuity plans are and do they know what your expectations of them are as part of your plans?

What should those charged with governance ask?

There are several questions those charged with governance (that is, boards, councils, chief executives, and chairs of audit committees) need to ask of management:

  1. Is management using third-party providers?
  2. Is the entity appropriately capturing the risks associated with third-party providers in its risk register?
  3. Is management receiving a controls report suitable for its needs from the vendor? If it isn’t, can it receive one? How is management mitigating the third-party provider risk if it’s not receiving a report at all or the report isn’t suitable?
  4. Is management reviewing and considering the controls report as part of the entity’s overall control environment? Is it included in management’s regular reporting to those charged with governance regarding the assessment of the entity’s overall control environment?
  5. If the report identifies control issues, is management considering the impact on the entity’s controls?
  6. Does management have processes in place if the third-party provider experiences a security breach? Is this considered as part of the entity’s business continuity plan and is it tested regularly?
  7. Where the entity is implementing a new third-party provided software, has management established due-diligence processes as part of the contract negotiations? Does this include providing a controls report with the appropriate level of detail regarding the third party’s controls?

Where to from here?

QAO is publishing a series of blogs on risk management, and entities need to consider third-party provider risk as part their risk management.

We have also included an audit on managing third-party cyber security risk in our Forward work plan 2023–26. It will examine how effectively public sector entities identify third parties with access to their data and network, assess potential security vulnerabilities, establish relevant controls, and minimise the impact of security breaches.

You can find out more about our upcoming audits on our Audit program page:


Related article