Getting Third-Party Agents Under "Control"
You would think that knowing the corruption risks created by use of third-party agents that every company — big and small — would focus on due diligence and anti-corruption compliance for its third-party consultants and agents. But that is not the case.
Numerous companies have faced the daunting task of applying anti-corruption controls to its third-party agents. It takes perseverance and commitment. A dedicated compliance or legal staff member usually has to devote full time to such a project.
There are ten basic questions which need to be addressed as a starting point to compliance.
1. Who are your third-party agents and in what countries do they operate?
2. What services does each agent provide?
3. How much is each agent paid and how are such payments made?
4. Did the company execute a written contract with the third-party agent?
5. What specific anti-corruption controls are included in the written contract?
6. Who reviewed and approved the third-party relationship and the written contract (if it exists)?
7. What due diligence has been conducted of the agent?
8. What record, if any, exists as to the reasons for approval?
9. How much has the company paid the third-party agent and what services has the third party-agent provided?
10. How does the company monitor the third-party agent’s activities and payments made to the agent?
Many companies do not even know who, how many, and what their third party agents have been hired to do and the services they have provided. The initial step is to identify who the agents are, what services they have provided (if any), and how much they have been paid.
Many companies are surprised to find that they are using a large number of agents, the agents do not have a written contract and the agents have received large payments for unspecified services. These are not just red flags — they are screaming red banners of corruption. These agents need to be terminated as quickly as possible, and eventually reviewed as part of a retrospective audit.
After the initial triage of ongoing agents, the remaining agents need to be ranked based on risk. For each, a package of materials responding to the questions above needs to be assembled and reviewed. A third party review committee should be established, consisting of personnel from senior management, auditing, compliance and legal.
The objective of the review is to bring the use of third parties under control. In carrying out the task, the need for due diligence procedures and the design of such procedures will become clear. The information learned during the review will guide the future compliance plan. The review cannot be derailed into a retrospective review of possible violations. That can be done later. The forward-looking process is aimed at gathering the necessary information, and implementing new compliance procedures. A retrospective review would be delayed until the information is gathered and a new program is implemented. The retrospective audit can then be used to tweak the existing compliance program to address risks and issues which have not been identified.