Leveraging internal audit to minimize risk of third-party vendors in healthcare

Third-party vendors play an important role in today’s evolving healthcare environment. Healthcare organizations rely heavily on third-party vendor support through the supply chain to sustain daily operations of the organization. Third-party vendors that have access to personally identifiable information (PII), protected health information (PHI) and other critical systems and data can expand an organization’s cybersecurity risk, particularly in data breaches. With cyber breaches and ransomware attacks increasing in sophistication, volume and magnitude, healthcare organizations struggle to stay ahead of the game. Now more than ever, implementing and maintaining a mature vendor risk management program should take priority in the organization. Internal audit can play an important role in developing and implementing an effective vendor risk management program.

The role of internal audit

How and what can internal audit do to assist healthcare organizations in their evaluation of the risks associated with third-party vendors? How can internal audit help determine the effectiveness of the processes for ongoing assessments and monitoring mechanisms such as scorecards, questionnaires, and on-site assessments in the management of the overall risks?

Internal auditors can evaluate the design effectiveness of the existing controls to mitigate risk, identify process gaps and provide recommendations for improvement over the third-party risk management processes.

In evaluating an organization’s third-party vendor risk, internal audit should assess the following questions:

• Has the organization assigned responsibility for vendor oversight?
• Has the organization assigned responsibility for vendor oversight?
• What vendor management policies and procedures are in place?
• Who maintains the list of vendors and does it include the appropriate information?
• Has management determined what vendors are critical to the day-to-day operations of the health system?
• Was a vendor risk assessment performed before onboarding the vendor?
• Is on-going monitoring of both performance and risk exposure of vendors performed?
• Is a vendor performance scorecard periodically completed?