The Missing Link in Third Party Due Diligence
As the old saying goes, “don’t break your arm patting yourself on your back.” Everyone is pretty happy about their due diligence systems for screening third parties. I understand how they feel, but there is still a long way to go.
It is one thing to screen a third party during the onboarding process; it is quite another to build out an entire due diligence system that screens at renewal of a third-party relationship, monitors third-party activity and conducts a range of audits to ensure compliance by third parties. Even if you have implemented everything listed above (which is more than a mouthful), there is one important link missing in the chain of compliance.
Call it the Missing Link – or from the Three Stooges – Curly Q. Link. (For whatever reason, most women I know hate the Three Stooges, but men love the Three Stooges, and especially Curly).
When it comes to third parties, the focus of due diligence is prescriptive and requires responding to red flags. As monitoring and auditing practices become more sophisticated and entrenched, we will see the focus become clear – follow the money.
We can read settlement action after settlement action and we know the fact pattern: a company makes payments to a third party with the understanding that the money will be used for bribery purposes. In most cases, the third party does not have the capability or the resources to provide the necessary services. In other cases, the payment scheme is intended to move money out of the company to the third party for improper purposes.
In the end, someone at the company is authorizing payment to the third party even though questions and red flags are draped all over the transaction. This is where the rubber meets the road, as we say, and this is where compliance needs to dedicate resources.
If anyone is really serious about preventing bribery, then resources and efforts need to be allocated to the movement of money. There are a number of critical questions that have to be answered:
- What is the purpose of the payment?
- What legitimate service did the third party provide?
- How did we verify that the third party provided the service?
- Is the payment amount commensurate with the market rate for the service?
- What documentation has been provided to verify all of the above questions?
I have argued for years that the best way to ensure that money does not go out the door for bribery purposes is to put an ex-pat in control of finances in a high-risk country. If your company operates in China, an ex-pat controller should manage and make all payments to third parties. In China, for example, there usually is an improper relationship between a third party and someone with access to company money, which is then used to fund a bribery scheme.
If a company wants to make sure that its due diligence investment is successful, the company has to focus on payment authorizations and processes. It is a basic internal control that has to be designed and enforced.
Due diligence is designed to mitigate risk. Basic financial controls surrounding high-risk activities are critical for protecting the company from illegal bribery schemes involving a company insider and a third party.