Mitigating Risk from Your Third-Party Vendors

September 8, 2016

A third-party vendor runs an ancillary process outside the control of your organization, performing a function or providing a service that isn’t central to your operating purpose. A third-party payroll company is one example.

Although your exempt organization may rely on third-party service providers, your management team carries the ultimate responsibility for maintaining an effective internal control system that produces accurate financial reporting. Taking ownership of this third-party responsibility has become one of the biggest hurdles for exempt organizations as more and more processes move to third-party providers.

Below are some suggestions on how to implement internal controls over financial reporting (ICFR) to assist your exempt organization with meeting the organizational goal of producing accurate financial information:

  • When engaging vendors with an impact on ICFR, ensure your evaluation process and/or request for proposals (RFP) includes consideration for meeting your organization’s internal controls standards.
  • Periodically evaluate key performance indicators (KPIs) of service providers with respect to service requirements relevant to ICFR.
  • Review a Service Organization Control (SOC) 1 report and determine whether follow-up actions are necessary.
  • Implement controls to verify the reliability of data relevant to ICFR that are sent to and received from service providers.

The internal control function is an indispensable tool in promoting efficiency and effectiveness of your exempt organization. It improves employee confidence, supports external reporting needs, and assists in ensuring your exempt organization serves its mission by using sound ethical practices.


For more information, please contact Aronson’s Melissa Musser, CPA, CISA, at 240.364.2598.
