Audit committees need to have oversight of risks to their organizations from third parties such as suppliers, distributors, salespeople and service providers, according to a new report.
The report, “Oversight of third-party risks,” is part of PricewaterhouseCoopers’ Audit Committee Excellence Series. It points out that companies today are increasingly interlinked with their suppliers, distributors and other providers. However, these third parties can pose reputational risks to companies’ brands as well as compliance and regulatory risks.
Bribery of officials abroad, for example, can expose companies to penalties under the Foreign Corrupt Practices Act. Besides bribery, other third-party risks could relate to environmental issues, software piracy, health and safety, and labor laws.
Many corporate boards assign risk oversight to the audit committee since it’s typically responsible for financial reporting compliance and internal controls. The audit committee also oversees the internal audit function, which increasingly has been tasked with risk management duties.
Unlike most risks, though, third-party risks are often governed by legal contracts spelling out the obligations, rights and recourses of the company and its providers, the report points out. But because third-party risks are often not covered by a company’s existing risk assessment processes, they ought to be a distinct part of the company’s internal controls system. The audit committee needs to understand how many significant third-party relationships a company has and the nature of those relationships. The committee should also evaluate whether the company’s legal counsel is engaged enough in third-party risk control and whether counsel understands the importance of that role.