Third Party Audits: Biting the Bullet
The next compliance frontier in anti-corruption enforcement is third-party audits. We have spent the last few years fashioning third-party audit contractual provisions to define when and how such audits can be conducted. The issue now is for compliance professionals to work with their internal audit teams to adopt a third-party audit strategy.
The first constraint is the obvious one – how much money can we spend? The budget for third-party audits should increase; in many cases it may be starting at zero, so anything is an increase.
Assuming there is money available for third-party audits, then the question becomes who to audit and how to audit. Not all audits are the same.
Given a limited budget, there are many techniques for leveraging limited resources. The most expensive audit is the full-on, boots-on-the-ground, hands-in-the-files audit of a third party. That means lots of resources, time, and a comprehensive review and report. These are valuable audits and should be reserved for those situations where a top-to-bottom audit is required.
A best practice (which is rare) is for the compliance team to participate in the audit and conduct its own compliance audit with respect to training, access to reporting avenues, compliance with corporate policies, and culture surveys. As compliance resources increase, this is an area where compliance professionals should participate.
As I have mentioned before, there are a number of other “auditing” techniques that can be used for third parties (and company offices). These are less than the full-on audit described above and may be limited to: transaction testing; desk-top phone audits; issue spot-check audits; and other less resource-intensive sampling of third-party performance and activities.
With all the tools and resources available, a third-party audit plan should be focused on one critical factor – risk. Many companies are relying on risk-ranking formulas to decide which third parties should be examined and how.
A risk-ranking formula assigns weights to various factors to rank third-party entities for audit purposes. These factors include: (1) amount of revenues; (2) length of relationship; (3) percentage of revenues earned through government contracts; (4) last time audited; (5) significant increase in revenues; and (6) geographic market and general corruption risks.
One trick that compliance professionals and auditors may want to consider is to announce in advance to all third parties, or a smaller subset of third parties, that the company expects to conduct an audit of unnamed third parties during the year. That may lead to a slight improvement in all third parties in anticipation of being audited during the year. Of course, this strategy depends on the company’s relationships with its third parties and the importance of the company’s business to the third-party or vice versa.
Companies can no longer rest easy because they have audit rights. They have to exercise those audit rights, identify new issues of concern, and use that information to improve the compliance program.
Third-party audits can reveal serious corruption concerns. If that occurs, there has to be a mechanism for following up on these important issues. These issues cannot be ignored until renewal nor can they be brushed under the rug. If problems are identified, they need to be dealt with immediately and with appropriate attention and follow-up.
An apparent FCPA violation can lead to more, or it can be confined to a specific area, actor or customer. Whatever may be occurring, the company has to know and has to respond.
When most people think of auditing, digging through books and records immediately comes to mind. In my experience many compliance experts wouldn’t view anything less as a true “audit”. Conducting this type of traditional auditing on 3rd parties provides obvious risk mitigation benefits; however, it can come with some major drawbacks to the business. One of the biggest risks from an operational perspective is that a good 3rd party provider decides to deny the audit rights and severs their relationship with the business. In many cases these “high risk” 3rd parties are those which are most important to the company’s success (in emerging markets) and often may be in high demand in the marketplace, which makes it easy for them to move on. Secondly, if the 3rd party does comply with the audit, many times this can cause damage to the relationship between the 3rd party and the company. These are risks worth taking if you have identified serious red flags or have other strong indicators of wrongdoing, but may not be if you are basing your actions on soft indicators such as CPI, revenue, and length of relationship. Compliance and internal audit professionals need to be strategic in these efforts and should consider first utilizing the data they have available and secondly using creative ways to evaluate risk through less invasive means before diving in head first.