Frazier Deeter CPAs and Advisors
10 Questions to Ask About External Business (Third Party) Relationships

06.15.2015

As more and more companies are engaging with third party vendors, there is a greater need to understand what makes the external business relationship a success.

Outsourcing, insourcing, co-sourcing… the way that companies choose to leverage external business relationships to produce results continues to expand into more components of their organizational structure. Organizations are incorporating external business relationships to lower operational and labor costs and leverage external core competencies, scale, and capacity that may be outside of the company’s in-house capabilities. Organizations are also looking to increase revenue through licensing, franchising, partnerships and other channel arrangements.

Unfortunately, studies show an increasing number of organizations do not track information on some or all of their third parties. Given the nature of these relationships, organizations face potential risks related to brand, reliability, business continuity, security, privacy, processing integrity, confidentiality and financial dependence. In many scenarios, organizational compliance extends to third parties. Examples of regulations or requirements in which third parties could put compliance at risk include:

    • Sarbanes-Oxley Act (SOX)
    • Consumer Financial Protection Bureau (CFPB) Bulletin 2012-03
    • Health Insurance Portability and Accountability Act (HIPAA)
    • Payment Card Industry (PCI) Data Security Standard
    • Foreign Corrupt Practices Act (FCPA)
    • Experian Independent Third Party Assessment (EI3PA)
    • The Office of the Comptroller of the Currency (OCC) Bulletin 2013-29
    • Gramm-Leach-Bliley Act (GLBA)

Establishing and maintaining an enterprise-wide third party governance program is critical for today's organizations to mitigate the associated risk; reduce potential data loss, misuse and audit findings; and provide trust and confidence to stakeholders and customers.

Organizations should consider their responses to the following 10 questions to evaluate the current state of their third party relationship governance program:

  1. Have we inventoried the third party relationships that exist in our organization today?
  2. How are we identifying and tracking new or changing relationships?
  3. Have we assessed and prioritized the risks related to those relationships?
  4. When evaluating new relationships, do our selection criteria address risks to the organization?
  5. Where applicable, do our agreements and contracts include adequate terms and conditions to require third parties to provide independent assurance to mitigate potential risks, convey trust and confidence, and demonstrate compliance with laws and regulations?
  6. Are responsibilities to manage these risks clearly defined, both individually for each third party and as a whole?
  7. Are we monitoring the various risks and contract requirements associated with each existing relationship, and at what interval?
  8. Are these relationships dependent on subservice organizations?
  9. How do we gain comfort that information provided by third parties is valid, accurate, and complete?
  10. Does our risk assessment process identify potential negative events resulting from third party relationships, and do we have procedures in place to respond to them?

The use of third parties to improve performance is a business strategy that is here to stay and will broaden into additional areas within an organization. The key to managing risk effectively is to ask the right questions and to consider risk management across the entire spectrum of your providers, whether in-house or external.

Have concerns about third-party relationships? The next blog in this series will discuss the evaluation of third-party organizations through the use of Service Organization Control (SOC) reports.

About the Blogger

Brandon Sherman is a Senior Manager in Frazier & Deeter's Process, Risk & Governance Practice. He focuses on providing advisory services to identify, assess and manage clients' strategic, operational, financial, IT and compliance risk. His primary responsibilities include internal control, business process improvement, data analytics and IT assessments, as well as Service Organization Control (SOC) reporting and Sarbanes-Oxley 404 (SOX) engagements.

©2016 Frazier & Deeter, LLC. All Rights Reserved.