Managing Third-party Evidence Requests


Recent discussions with people in numerous organizations reveals that requests for evidence — about compliance and certifications — between business partners, customers and suppliers is becoming unmanageable.

These requests for information have gone from just a few questions and maybe a document or two about four years ago, to hundreds-to-thousands of such requests, with many tens-to-hundreds of pages and many spreadsheets. Involving requests from customers, and demands of suppliers, organizations are beginning to drown in a sea of third-party certifications, audit and risk evidence requests.

Some of the information being sought is staid, such as “Do you have policies in place covering your information assets?” However other questions delve into trade-secrets, involving what organizations consider to be their secret-sauce.

For example, one recent request asked for the details of the indexing engine being used within a database for a transaction system a company used for booking many of its sales contracts. Another evidence request asked for a detailed mapping of meta-data that was being used behind the scenes for managing customer rewards programs. Neither of these requests was honored and legal counsel had to be involved in both to resolve the situations.

The explosion of third-party information, audit-evidence and certification requests is not limited to the private-sector. The public-sector with its many overlapping agencies may actually be some of the worst offenders in terms of the volume of the requests and the depth of information being sought.

In a few select cases, some firms are using more automated methods to request, gather and analyze the information to manage business risks that run from suppliers to customers. However for most, the procedures for issuing the requests, gathering information, responding to the requests, and analyzing the responses are highly manual, cumbersome and involve many different people in different job-functions.

For some, the information being sought is translating to less-agile market action and higher prices that are impacting the bottom-line in the private-sector. And, the information being requested is beginning to pose a threat to organizations where “secret-sauce” information is being sought or provided.

Given the litigious and risk-oriented complexion of the market, the behavior is unlikely to go away anytime soon.

Rather, it is time to formalize and automate the procedures and introduce controls, to manage the explosion of third-party evidence gathering, responding, and analysis.

Related research

How the Masters of IT Deliver More Value and Less Risk

Automation, Practice and Policy in Information Security for Better Outcomes

Want to find out how your organizations practices for procedural controls are impacting your organization, or how these compare with your peers?
Try the two-minute Assessments@ITPolicyCompliance


Tags: , ,

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: