Implementing an Effective Third Party “Audit” Program
Just remember, it’s not a lie . . . if you believe it. – George Costanza
We all have our favorite episodes and scenes from the Seinfeld series. As we grow older, we like to reference them more and more – maybe because it reminds us of our “youth” (looking back, my 30s were certainly younger than my 50s).
Jerry is on his way to take a lie detector test to confirm that he does not watch the television show, Melrose Place. Of course he is lying, and George gives him that great advice. It is a great episode; one of my favorites.
Now, watch this transition. Compliance officers need to apply George’s advice when defining the term “audit.” To analogize, say to yourself “it’s an audit . . . if you believe it is.”
Let me take a moment to set up my point.
Compliance officers have been insisting on third party audit rights in contracts with third party intermediaries. The provision is in the contract for a reason – so that it can be exercised. DOJ and the SEC expect companies to develop and implement effective third party audit programs.
The key to implementing a real third party audit program depends on the use of risk-ranking formulas and a broad definition of the term “audit.”
Contracts with third parties should include basic language authorizing the company to conduct audits of the third party. Usually, the contract does not define the type of audit that will be conducted, but generally includes a requirement that the third party cooperate.
After reading my posting, I hope everyone will rethink the way in which the audit provision is drafted.
An audit includes a variety of techniques. There is the traditional financial audit, where a company’s internal auditors show up at the third party’s facilities, review the books, the transactions, and complete a report.
But there are more possibilities. The audit provision should explicitly state that the purpose of the audit is to ensure overall compliance with anti-corruption laws and other requirements in the contract. A “compliance audit” is included in the general term “audit” and focuses on overall compliance controls, including third-party due diligence procedures, training, certification, gifts and meals reimbursement, and adherence to other company requirements.
Aside from the broad range of compliance audits, there are a number of strategies for conducting less invasive “audits” that are intended to determine whether the third party is in compliance with anti-corruption laws and contractual requirements.
This category includes (but is not limited to):
Phone or Legal Audits: A phone or legal audit is conducted by telephone and follows a script of questions concerning the third party’s operations, legal status, and update on relevant issues. It can include document requests as a follow up to confirm certain representations made during the interview.
Transaction Testing: This is a very effective way to review a sample of third party financial transactions. It can be keyed to a discrete time or a random sample. The transaction review usually leads to follow up inquiries concerning a set of transactions or particular persons involved in the transactions.
Spot Checks: A compliance officer can conduct spot checks on specific issues of concern. Is the third party tracking gifts and meals expenditures on behalf of the company involving foreign government officials? Do we know how much money is being spent in wining and dining a particular foreign government official?
Each of these inquiries, while less invasive than an all-out, boots-on-the-ground financial audit, can be labeled as an “audit” of a third party.
The trick is to assign types of “audits” to your third party population based on a risk-ranking formula. CCOs need to work closely with internal auditors in developing such a formula for assigning audit priorities. Instead of relying on a single tool, the formal financial audit, CCOs need to embrace a variety of tools based on available resources and the risk-ranking results.