Make effective use of third-party audit rights

The Biden administration unveiled a memorandum in June on how it plans to fight international corruption. The memo directs federal departments and agencies, such as the Department of Justice, to work with like-minded international partners to make recommendations on a strategy to counteract corruption. In response to the memo, the DOJ is expected to borrow recommendations from its existing guidance addressing corruption and effective compliance programs, the Resource Guide to the U.S. Foreign Corrupt Practices Act, and the DOJ’s Criminal Division Evaluation of Corporate Compliance Programs.

Both the resource guide and the corporate compliance guidance highlight the need for companies to leverage and exercise audit rights over third parties in order to maintain effective compliance with anti-corruption laws and regulations. Vendor agreements often provide the “right to audit,” but it is up to the procuring organization to exercise that right.

A heavy lift with hidden benefits

It’s not surprising that most organizations do not fully understand the risks presented by their third-party relationships, let alone request or assess audit results from every third party under contract. A critical first step in determining whether now is the time to exercise the right to audit a particular third party begins with an assessment of risks, including legal, reputational and operational risks, as well as the risk of lost revenue and payment waste and abuse. The good news is this risk-based approach to third-party management can help an organization better understand its exposure to regulatory actions and demonstrate its commitment to compliance when or if misconduct comes to light.

Assessing your organization’s third-party risks

According to a recent Gartner study, “material risks cannot always be identified prior to the start of a business relationship. Modern risk management must account for ongoing changes in third-party relationships and mitigate risks in an iterative way — that is, on a continual basis, rather than at specified intervals.” This means moving beyond the standard vendor onboarding due diligence questionnaire to continuous monitoring.

To begin, focus on risk and value. There is typically no shortage of third parties with agreements that include a right to audit, so where can we best focus to deliver maximum value given our resources?

Next, conduct periodic risk assessments to evaluate known, unknown or emerging risks related to third parties. If your organization already utilizes continuous monitoring to oversee third parties, prepare for what is typically a quarterly risk assessment process by aggregating any known issues related to third-party nonperformance, financial discrepancies, misrepresentations or other noncompliance by the provider. If your organization conducts only point-in-time compliance checks of third parties, reach out to key stakeholders in order to document any known deficiencies with the vendor. Also consider any recent developments such as known cases, trends or allegations (public or otherwise) of improper behavior by the third party itself, or in their industry or jurisdiction. The focus of the risk assessment is to uncover something problematic, such as changes in behavior by third-party vendors, that could suggest a need to trigger the right to audit.

Information on each third party with regard to known and emerging risks should then be thoroughly reviewed in order to risk-rank each vendor. Risk ranking creates an objective basis for comparing vendors of different sizes, specialties, etc. In addition, any instances of known or potential risk should be assessed against the prior risk rating — if one is available — with changes documented.

During this process, data analytics can be helpful in pinpointing third parties with significant key risk indicators to help narrow the field for further investigation and/or an audit. For example, payment anomalies identified through a forensic review of business data can be surfaced via data analytics to determine whether:

• Third parties charged prices above fair market value, which may be an indication of a bribe payment;
• High-risk transactions, such as discounts, commissions and/or “consulting” or “service fees” should be assessed for reasonableness; and,
• Big-ticket gifts, charitable event sponsorships or donations are being made to “politically exposed persons.”

Other factors to consider in deciding to exercise rights to audit

Consider the value proposition of the audit and the value delivered by potential audit work. In addition, the procuring organization should take into account:

• Availability of resources — both human and monetary; 
• Materiality of impact on the organization — operational or regulatory;
• How a regulator would perceive the procuring organization’s decision to audit (or not); and,
• Whether the objective of the audit is achievable under the parameters that are set forth in the right-to-audit clause.

Emerging and changing risks are a business reality. Given the looming wave of international regulatory scrutiny into corruption and the fact that the pandemic has upended supply chains for most companies, it would be prudent for businesses that engage and rely upon third parties to evaluate objectively the benefits of exercising any audit rights.