The Value in the Business Ecosystem: Internal audits must delve into the risks posed by the organization's ever-expanding chain of third, fourth, and fifth parties.

Author:Kostek, Brian

Whether they know it or not, consumers in today's economy are likely being impacted by an organization's third parties daily. From online merchants, and the delivery partners they use to complete the transaction, to call centers and other support services, third parties support organizations in almost every imaginable way.

In the end, these end-to-end business "ecosystems" are what drive value creation and revenue for today's organizations. Some examples may not be in the control of the organization or its third parties, such as the recent coronavirus outbreak that has had a global impact on operational value chains. And as things go wrong, it is likely that the organization with the brand name is the one impacted and not the third party supporting the product or service in the marketplace.

Understanding an organization's end-to-end processes and how those processes deliver value should be the objective and outcome of an internal audit. That means internal auditors must look beyond third parties to incorporate key fourth, fifth, and sixth parties into planning, scoping, and executing every audit--a process known as "ecosystem management."


Focusing on an organization's ecosystem can change the underlying approach and output of an internal audit. Aiming scoping questions, walk-throughs, and outputs at the organization's external partners shifts the emphasis from control gaps, issues, and items requiring resolution to how the business protects its value-driving activities and profit-making ability. This doesn't mean that an organization should change how it plans its annual internal audit schedule. Instead, it should integrate three key principles into how it executes each audit. In other words, the annual audit schedule should continue to focus on higher risk areas, but the scope of each audit should include the ecosystem principles. This approach may result in longer and more complex audits.

Focus on End-to-end Processes

Audits should focus on the auditable entity and how each process supports the desired inputs and outputs. The scope of the audit of each end-to-end process should include a view of third, fourth, and fifth parties that drive business value. This approach requires auditors to conduct activities as if the external parties are internal to the organization. The audit should demonstrate how the auditable entity delivers value: through internal people, processes, and technologies only; external parties; or a mix of both.

Focus on Return on Investment (ROD and Value-generating Activities Audits should focus on how each process and end-to-end activity supports ROI generation. If the process doesn't support the organization's ROI, auditors should question its role in the broader organizational ecosystem. The role of external parties in supporting value-generating activities should be a key focus of this exercise.

Include Business Resilience in the Context of Business Activities To get operational resilience right requires a change in perspective by management, boards, IT functions, and control functions. For a long time, organizations have focused on determining the probability of an adverse event occurring and ways to prevent it or...

To continue reading