3 Tips for Aligning Internal and External Control Assessments

February 2023

While cybersecurity traditionally owns control assessments, it needs help from procurement to get a true measure of internal and external (third-party / vendor) control effectiveness. Working together, the two functions can make significant efficiency and security gains if they align on internal control standards and external control effectiveness.

Cybersecurity and procurement share the same overarching goals: when everything goes right, both business functions ensure that the company is fully protected while partnering with secure third parties, vendors and suppliers. Still, each unit has its own focus, meaning procurement prioritizes efficient onboarding, while cybersecurity prioritizes risk mitigation. This difference in focus can lead to friction between these two teams, even when they’re working toward the same outcome. Without the proper governance, both teams can avoid collaboration because it seems like extra work, but when alignment is carried out with an emphasis on operational efficiency and resilience, both units see the benefits.

By taking the effort to align internal and external controls, procurement and cybersecurity can streamline the organization’s risk management processes while improving the quality of its security practices, enabling cross-functional collaboration and securing the organization’s data.

Below are three tips for aligning internal and external control evaluations:

1. Give internal control owners a view into the external controls that are relevant to their domain

Your internal controls should set the standard for external controls. That means for each of your organization’s internal controls, there should be a series of related controls in your vendor ecosystem. Internal control owners should have visibility into relevant external controls that they can scan to ensure there aren’t any vulnerabilities at the vendor level. Additionally, linking internal and external controls enables owners to make strong comparisons between the state of the internal and external risk landscapes, providing each team with useful benchmark data and contextualizing individual data points.

Aligning external and internal controls means your security standards extend throughout the organization and its vendor ecosystem. Where cybersecurity teams with limited insight into the security of new vendors must react to attacks they could never have seen coming, teams with visibility into the vendor landscape can act now to prevent costly breaches later.

2. Segment the vendor ecosystem by geography and service type

If an analyst notices that a certain internal control is connected to multiple deficiencies at the vendor level, the best way to determine the cause of these deficiencies is to segment the third-party ecosystem by geography and service type and isolate the independent variable.

Geography: If more than one of the vendors that have issues with a particular control are located in the same region, that region may not have the same regulatory requirements as yours. Solving this problem may mean writing specific controls into contracts when dealing with vendors from this region, or simply choosing to focus on vendors from countries whose regulations resemble yours more closely. Geographical variation can also result in a multilingual vendor pool, meaning your organization should be ready to communicate across the language gap if you choose to work with a vendor whose risk-management practices are documented in another language.

Service Type: If more than one of the vendors that have issues with a particular control are listed under the same service type, there may be a connection between the type of work that they do and that control’s effectiveness rating. At this point, it’s worth asking: what kind of access is necessary to complete this function? Do these organizations have enough access? Too much? Would providers from another region provide this service with the desired controls already in-place?

Your vendors might not align perfectly with your internal security standards, but with insight into their control effectiveness, you can make more informed decisions regarding your relationships. By evaluating risk and identifying the causes behind control discrepancies, you turn risk into a known quantity and enable smarter collaborative choices.

3. Assess control effectiveness in aggregate

The vendor ecosystem isn’t just a series of individual vendors grouped together, but a system of relationships that add up to enable an organization’s functions. Procurement passes third-party control ratings to cybersecurity, which integrates the data into the aggregated effectiveness rating for your internal control. For that reason, it’s not enough to know whether individual vendors are doing their part—what matters is your organization’s control effectiveness when internal and external controls are combined. Only then is it possible to tell where a vulnerability is most likely to be exploited at the vendor level. For instance, you may notice that your aggregated cloud security rating is poor, which would enable you to drive remediation plans internally and with the relevant vendors. Aggregated effectiveness ratings make control remediation actionable, efficient, and precise.

Want to learn more about aligning internal and external cybersecurity? Read our blog, “3 Reasons to Align Cybersecurity and Third-Party Risk Management,” to learn how risk alignment enables collaboration and mitigates vulnerabilities across the vendor ecosystem.

About Us

ProcessUnity is a leading provider of cloud-based applications for risk and compliance management. The company’s software as a service (SaaS) platform gives organizations the control to assess, measure, and mitigate risk and to ensure the optimal performance of key business processes. ProcessUnity’s flagship solution, ProcessUnity Vendor Risk Management, protects companies and their brands by reducing risks from third-party vendors and suppliers. ProcessUnity helps customers effectively and efficiently assess and monitor both new and existing vendors – from initial due diligence and onboarding through termination. Headquartered outside of Boston, Massachusetts, ProcessUnity is used by the world’s leading financial service firms and commercial enterprises. For more information, visit www.processunity.com.