Third Party Risks and Internal Auditors
You remember the corny song – “People who need people are the luckiest people in the world.”
For a Chief Compliance Officer, that saying rings true: CCOs need their internal auditors, and the relationship matters even more when it comes to third party risks.
Internal auditors are important to managing third party risks at two stages: the due diligence review and the monitoring system.
First, during the due diligence process, the internal auditors are invaluable in assisting in designing financial controls which will govern the company’s payments to the third party. Depending on the information gathered during the due diligence process and the contract negotiations with the third party, the company has to impose certain requirements which have to be met before the third party gets paid. These requirements should be specifically included in the contract.
These include:
Detailed description of services provided in each invoice. This is a critical requirement for a company to secure, preferably in the written contract. The third party has to provide a detailed statement of services provided to the company in its invoice. The internal auditor needs to review the statement to make sure it is in sufficient detail and flag any potential issues. It has to be made clear that, if the third party fails to provide the necessary details, the third party will not be paid.
Specific payment arrangements for the third party to receive company payments. The third party needs to assure the company that it will receive payments at a local bank or, if justified, at an offshore location that does not raise red flags of an intent to avoid taxes or to disguise the payments from regulators or law enforcement.
Rights of the internal auditor or a designated representative to conduct an audit of the third party’s books. Most CCOs are familiar with this requirement, and third parties are getting used to seeing this requirement in written contracts. As more companies impose this requirement, third parties are more agreeable to the provision. Some, however, are resisting the audit rights by trying to restrict the right to transactions between the parties. That is not acceptable.
After the due diligence process has been completed, and a written contract has been executed, internal auditors play a key role in monitoring the relationship with the third party. As always, the auditors are on the front lines of the relationship and are critical to flagging potential issues.
Internal auditors need to carefully review invoices and coordinate any issues with the CCO. Before a payment is made on an invoice, the auditors need to coordinate with the financial controller to ensure that they have a chance to review the invoice. If red flags come up, they need to alert the CCO.
While auditors rarely have the time or resources to conduct audits of third parties, they need to add a few third parties to a risk-ranked audit schedule. It is always hard to prioritize a third party audit, but it is critical to try to conduct a few audits of high-risk third parties.
On occasion, when both a CCO and an auditor identify a third party for potential scrutiny during the term of a contract, it may be appropriate to refresh the due diligence and re-evaluate the third party. If the company identifies serious problems, the company should consider exercising its termination rights.
Above you write: “Rights of the internal auditor or a designated representative to conduct an audit of the third party’s books. ... Some [companies], however, are resisting the audit rights by trying to restrict the right to transactions between the parties. That is not acceptable.” Why do you feel this “is not acceptable”? Maybe this could be the subject of a follow-up post?
As compliance professionals at companies with thousands of suppliers, many of which do object to the audit clause, we often accept limitations to the audit clause so that our companies may only examine the suppliers’ books and records as they pertain to our companies. Are you suggesting this approach is not prudent?