Risk & Compliance Matters

Implementing an Effective Third Party “Audit” Program

Explore new approaches to third party audits for a more effective, risk-aligned third party risk management program.


Compliance officers have been insisting on (and should continue to insist on) including third party audit rights in contracts with third party intermediaries. The provision is in the contract for a reason—so that it can be exercised. The DOJ and the SEC expect companies to develop and implement effective third party audit programs.

But the key to implementing a real third party audit program is the use of risk-ranking formulas and a broad definition of the term “audit.”

Re-Thinking the Way Third Party Audit Provisions are Drafted

Contracts with third parties should include basic language authorizing the company to conduct audits of the third party. Usually, the contract does not define the type of audit that will be conducted, but it does include a requirement that the third party cooperate.

After reading my posting, I hope everyone will rethink the way in which the audit provision is drafted.


An audit can include a variety of techniques. There is the traditional financial audit, where a company’s internal auditors show up at the third party’s facilities, review the books and the transactions, and complete a report.

But there are more possibilities. The audit provision should explicitly state that the purpose of the audit is to ensure overall compliance with anti-corruption laws and other requirements in the contract. A “compliance audit” is included in the general term “audit” and focuses on overall compliance controls, including third-party due diligence procedures, training, certification, gifts and meals reimbursement and adherence to other company requirements.

Matching Compliance Audits to Compliance Risk

Aside from the broad range of compliance audits, there are a number of strategies for conducting less invasive “audits” that are intended to determine whether a third party is in compliance with anti-corruption laws and contractual requirements.

This category includes (but is not limited to):

Each of these inquiries, while less invasive than an all-out, boots-on-the-ground financial audit, can be labeled as “audits” of a third party.

Bottom Line

The strategy is to assign types of “audits” to your third party population based on a risk-ranking formula. CCOs need to work closely with internal auditors in developing such a formula for assigning audit priorities.

Instead of just using one tool—the formal financial audit—CCOs need to embrace a variety of tools based on available resources and the risk-ranking results.
