Warning Ahead: Many Vendor Contracts Are Missing Essential Internal Controls

The FDIC Office of Inspector General’s (OIG) deep dive into the state of vendor management has revealed widespread deficiencies including business continuity planning, vendor management, contract management, internal controls and cybersecurity. This is part four of a five-part blog series that looks at the report’s findings. 

Part 4: Internal Controls

The phrase “internal controls” is closely associated with accounting, but these valuable tools are also an integral part of risk management. Unfortunately, it’s an area where a lot of financial institutions (FIs) are getting it wrong, according to the FDIC’s Office of Inspector General’s (OIG) evaluation Technology Service Provider Contracts with FDIC-Supervised Institutions.

Internal controls are systematic process and system controls designed to ensure policies and procedures are performed accurately and efficiently. In short, they are the checks and balances that ensure everything is running as it should. They play a role in each of the four basic elements of the FDIC’s suggested framework for third-party risk management, according to FDIC guidance.

  1. Risk assessment. “This phase should also identify performance criteria, internal controls, reporting needs, and contractual requirements that would be critical to the ongoing assessment and control of specific identified risks.”
  2. Due diligence in selecting a third party. Third-party evaluation may include “scope of internal controls.”
  3. Contract structuring and review. “Management should ensure that the third party’s internal control environment as it relates to the service or product being provided to the financial institution is sufficiently audited. If material to the arrangement, specific internal controls to be maintained by the third party should be defined in the contract.”
  4. Performance monitoring should include reviewing “the adequacy and adherence to the third party’s policies relating to internal controls and security issues.”

Despite the frequent mentions of internal controls in guidance, the OIG review of 48 contracts at 19 FIs reveals glaring deficiencies. More than a third of contracts didn’t address internal controls for business continuity while another 31 percent glossed over details in a high-level discussion. Just 33 percent had a detailed discussion.

Contract coverage of incident response and reporting was similarly disappointing with 29 percent of contracts failing to address internal controls. Just 29 percent had a detailed discussion. The other 42 percent had high-level discussions that were short on detail.

The lack of contract provisions addressing internal controls is disturbing. Better provisions could give FIs greater confidence in data security, minimize fallout from breaches and allow for quicker system restoration, the OIG notes.

Either FIs aren’t thinking to ask about them (making me wonder if they are addressing internal controls during risk assessment and due diligence at all) or they don’t feel comfortable asking about them when negotiating with third-party vendors. Both are problems.

A lack of internal controls and process documentation with third-party vendors is a sign of a failing enterprise risk management system. Without internal controls, there is no way effectively review vendor relationships, and there’s no process to ensure problems are flagged and reported up the chain. A strong ERM program systematically evaluates risk and related financial exposures, applying it to every element of third-party risk management. Tools like Ncontracts’ Nrisk can help enhance your risk management process.

If your institutions’ contracts are falling short of expectations for internal control provisions, you need to reevaluate your entire approach to risk management. It’s a warning sign you shouldn’t ignore.