This customizable Word document follows the IIA formal process for escalating an unrecognized systemic risk to the Chief Audit Executive.

Executive Summary

Our firm is subject to an unrecognized information technology risk that derives from our relationships with the third parties which drive or support a number of our business operations. This systemic risk stems from data breaches that have occurred, or have yet to occur, at our business partners. While it is true that we have processes and controls in place through our Computer Security and Third Party Risk Management teams, they address the risk from an individual partner company standpoint. The problem is not with individual companies, but rather with the aggregate residual risk from these partner firms as a whole. Each partner company that holds or has access to sensitive information adds to this residual risk.

It is possible to determine the likelihood of a significant, reportable data breach across our population of third parties by using a simple equation derived from probability theory, which shows that the risk of a third-party data breach is proportional to the number of third parties with access to sensitive data. Beyond this, knowing the value of this likelihood allows our company to manage this systemic risk by strategically limiting unnecessary access to sensitive data (i.e., the Data Minimization Principle) while still being able to add third parties when appropriate.
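The memo's own equation is in the downloadable document and is not reproduced on this page. As an added illustration (not the authors' formula), the block below uses the standard independence model assumed here: if each of n third parties with access to sensitive data is breached in a given period independently with probability p, the chance of at least one reportable breach is 1 - (1 - p)^n, which for small p is close to n * p and therefore grows roughly in proportion to n. The helper that turns a risk tolerance into a maximum number of third parties is the data-minimization side of the same model; the values of p and the tolerance are constructed sample inputs.

```python
"""Aggregate third-party breach likelihood under an independence model.

Assumption (constructed for illustration, not the memo's own formula):
each third party with access to sensitive data suffers a reportable breach
independently with probability p over the period of interest.
"""
import math


def prob_any_breach(n: int, p: float) -> float:
    """Probability that at least one of n independent third parties is breached.

    P(at least one) = 1 - P(none) = 1 - (1 - p) ** n
    """
    if n < 0 or not 0.0 <= p <= 1.0:
        raise ValueError("n must be >= 0 and p must lie in [0, 1]")
    return 1.0 - (1.0 - p) ** n


def linear_approximation(n: int, p: float) -> float:
    """First-order approximation n * p, valid while n * p is small.

    This is the 'proportional to the number of third parties' reading of the
    model; the exact curve bends below the line as n * p grows.
    """
    return n * p


def max_parties_within_tolerance(p: float, tolerance: float):
    """Largest n such that prob_any_breach(n, p) <= tolerance.

    Solves (1 - p) ** n >= 1 - tolerance for n. Returns None when there is
    no bound (p == 0, or a tolerance of 1 or more), and 0 when even a single
    party exceeds the tolerance.
    """
    if not 0.0 <= p <= 1.0 or tolerance < 0.0:
        raise ValueError("p must lie in [0, 1] and tolerance must be >= 0")
    if p == 0.0 or tolerance >= 1.0:
        return None
    if p >= 1.0 or p > tolerance:
        return 0
    return int(math.floor(math.log(1.0 - tolerance) / math.log(1.0 - p)))


def breach_probability_table(p: float, counts):
    """(n, exact probability, linear approximation) for each n in counts."""
    return [(n, prob_any_breach(n, p), linear_approximation(n, p)) for n in counts]


if __name__ == "__main__":
    # Constructed sample inputs: a 2% per-party breach probability and a
    # 50% aggregate risk tolerance. Neither value comes from the memo.
    P_PER_PARTY = 0.02
    TOLERANCE = 0.50
    print(f"{'n':>5} {'exact':>8} {'n*p':>8}")
    for n, exact, approx in breach_probability_table(P_PER_PARTY, (1, 5, 10, 25, 50, 100)):
        print(f"{n:>5} {exact:>8.3f} {approx:>8.3f}")
    limit = max_parties_within_tolerance(P_PER_PARTY, TOLERANCE)
    print(f"Max third parties keeping aggregate risk <= {TOLERANCE:.0%}: {limit}")
```

Read together, the table shows why the memo treats the population rather than each partner as the unit of risk: at 2% per party, a single relationship is low risk, but fifty such relationships carry a better-than-even chance of at least one reportable breach, and the limit function gives the count at which adding one more partner pushes the aggregate past the chosen tolerance.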

Download the latest version: Internal Audit Memorandum to the Chief Audit Executive
About the Authors

The original draft of this memorandum was written by Tim Smith. Tim retired after 20 years with KPMG US and KPMG International, where he specialized in data and analytics for IT and financial audit. In the last part of his career, he focused on the design, testing, implementation, documentation and training for the data analytics modules of KPMG’s proprietary audit software, CLARA. He previously led the IT audit practice in the KPMG San Diego office, providing IT audit, Sarbanes-Oxley compliance assistance and computer-assisted audit services to clients in multiple industries. He also spent four years as IT Audit Manager at LPL Financial, the nation’s largest independent Broker-Dealer, leading a team of IT auditors and managing work on a variety of IT, financial and regulatory compliance audits and special projects. Tim is a CPA (California) and a Certified Information Systems Auditor. He is a member of AICPA, California Society of CPAs, ISACA San Diego and IIA. Tim is a coauthor of the white paper: Thomas Lee and Timothy Smith (2025). How to Calculate the Probability of a Third-Party Data Breach. Tim can be reached at Tim@CPA4it.com.
