Make effective use of third-party audit rights

The Biden administration unveiled a memorandum in June on how he plans to tackle international corruption. The memo calls on federal departments and agencies, such as the Department of Justice, to work with like-minded international partners to make recommendations on an anti-corruption strategy. In response to the memo, the DOJ should borrow recommendations from its existing guidelines on corruption and effective compliance programs, the US Foreign Corrupt Practices Law Resource Guide, and the GM Criminal Division Assessment of Corporate Compliance Programs.

The Resource Guide and Corporate Compliance Guidelines highlight the need for companies to leverage and exercise third party audit rights in order to maintain effective compliance with anti-corruption laws and regulations. Agreements with suppliers often provide for the “right to audit”, but it is up to the purchasing organization to exercise this right.

A heavyweight with hidden advantages

It’s no surprise that most organizations do not fully understand the risks presented by their relationships with third parties, let alone request or assess the audit results of each contracted third party. A critical first step in determining whether the time is right to exercise the right to audit a particular third party begins with an assessment of risks, including legal, reputational and operational risks, as well as the risk of loss of revenue and waste and abuse of payment. The good news is that this risk-based approach to third-party management can help an organization better understand its exposure to regulatory actions and demonstrate its commitment to comply when or if misconduct is revealed.

Assess your organization’s third-party risks

According to a recent Gartner study, “Significant risks cannot always be identified before the start of a business relationship. Modern risk management must take into account continuous changes in relationships with third parties and mitigate risk iteratively, that is, on an ongoing basis, rather than at specified intervals. This means going beyond the standard due diligence questionnaire to integrating suppliers into continuous monitoring.

For starters, focus on risk and value. There is usually no shortage of third parties with agreements that include an audit right, so what can we best focus on to deliver maximum value given our resources?

Then, perform periodic risk assessments to assess known, unknown, or emerging risks related to third parties. If your organization already uses continuous monitoring to oversee third parties, prepare for what is typically a quarterly risk assessment process by aggregating all known issues related to third party nonperformance, financial discrepancies, false declarations or any other non-conformity on the part of the supplier. If your organization only performs ad hoc third-party compliance checks, contact key stakeholders to document any known deficiencies with the vendor. Also take into account recent developments such as known cases, trends or allegations (public or otherwise) of inappropriate behavior on the part of the third party itself, or in its industry or jurisdiction. The goal of the risk assessment is to uncover something problematic, such as changes in the behavior of third-party vendors, that might suggest a need to trigger the audit right.

Information about each third party with respect to known and emerging risks must then be carefully considered in order to rank the risks of each supplier. The risk ranking creates an objective basis for comparing suppliers of sizes, specialties, etc.

During this process, data analysis can be useful to identify third parties with important key risk indicators to help refine the scope for further investigation and / or audit. For example, payment anomalies identified during a forensic examination of business data can be highlighted through data analysis to determine whether:

  • Third parties have charged prices above fair market value, which may be indicative of a bribe payment;
  • High risk transactions, such as discounts, commissions and / or “consultations” or “service charges” should be assessed as to their reasonableness; and,
  • Significant gifts, sponsorship of charitable events or donations are made to “politically exposed persons”.

Other factors to consider when deciding whether to exercise audit rights

Consider the value proposition of the audit and the value provided by potential audit work. In addition, the contracting organization must take into account:

  • Availability of resources – both human and monetary;
  • Materiality of the impact on the organization – operational or regulatory;
  • How a regulator would perceive the decision of the procuring organization to audit (or not); and,
  • Whether the audit objective is achievable within the parameters set out in the audit right clause.

Emerging and changing risks are a business reality. Given the impending wave of international regulatory review of corruption and the fact that the pandemic has disrupted the supply chains of most companies, it would be prudent for companies that engage and rely on third parties objectively assess the benefits of exercising any audit right.

Previous COVID Precautions, Needs of Community College Students Must Be Balanced
Next Waukesha Florist Beautifies The Ryder Cup; "Everything must be perfect"