Audit Committee Primer on 3rd Party Risk Management

IMG_1655

Every U.S. company conducting or seeking business abroad is subject to the Foreign Corrupt Practices Act (FCPA) and it’s no secret that 3rd party issues still present the highest risk under the FCPA.  In fact, some say that 90%+ of reported FCPA cases involve third-party intermediaries!

Yet many Boards and Audit Committees seem unsure as to their role as well as how to assess this risk is being managed.

I am hopeful the information provided herein will help board and audit committee members in their oversight role and become a partner in compliance.

Overview

3rd party risk management is a term that often refers to risk management activities related to your 3rd party intermediaries, and could include screening, data collection, documentation, ongoing monitoring, and auditing.

Regulators whose mission is to enforce compliance, expect a risk-based approach that drives 3rd party risk management – “boiling the ocean” is not only a waste of time, energy and money, but also sends the message that you are more than likely not using a risk assessment as your foundation for the compliance program.  As stated in the FCPA Guide, the [a]ssessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.

Many companies seem to struggle with the risk assessment and since we all know by now the risk assessment drives compliance, it’s important for the audit committee to truly understand how risk is being assessed.

Governance

From a governance perspective, many boards assign the risk management element to the audit committee.

Here are some things the audit committee might do to enhance their effectiveness –

  • Assess whether the individual that “owns” the 3rd party risk oversight program has appropriate standing and visibility in the company
  • Evaluate the culture of compliance by assessing management’s tone, attitude, and conduct towards compliance.
  • Assess whether the due diligence program or screening process is appropriate to identify the risks potential 3rd parties might pose to the company, and how the company plans to mitigate and monitor those risks if it moves forward with the relationship. (See below)
  • Understand the company’s activities regarding 3rd-party relationships in high-corruption risk locations and industries. Discuss if, and why, the company is using “middle men” in corruption hot spots.
  • Inquire whether the company has rights to audit, rights to terminate, and adequately monitors compliance on an ongoing basis.
  • Assess wherever the company exercises its rights to audit and how that is determined.
  • Understand how management determines the benchmarks and reporting protocols for 3rd party relationships. Discuss management’s process for review and follow-up on the reports.
  • Inquire as to how the company documents each procedure performed within the compliance process.
  • Understand the role internal audit plays in the governance risk and compliance processes.
  • Assess the company’s fraud risk management program. Ask whether technology is being used to help monitor transactions and other data.

3rd Party Due Diligence Program

  • Enforcement authorities across the globe expect companies to carefully review the corruption risk posed by 3rd parties that sell products for, or act on behalf of, the company
  • Implementing a 3rd party due diligence program, along with other measures, may help protect the company from responsibility for any corrupt actions by its vendors, suppliers, and other 3rd parties
  • A 3rd party due diligence process should include the following:
    • Policies and materials necessary for on boarding new 3rd-parties (and potentially alerting existing 3rd-parties to the company’s compliance expectations)
    • An active management program that enables the company to maintain oversight of 3rd-parties as appropriate
    • The scope and threshold levels for the Due Diligence program should be determined by the company’s Legal or Compliance team in accordance with the company’s assessment of risk and desired level of risk mitigation

Why 3rd Party Due Diligence

  • Reduce 3rd party risk
  • Good business practice
  • Business process tool
  • Meet standards for best in class compliance programs
  • Establishes expectations of ethical business practices
  • Mitigate penalties and fines in the event of a violation of law or regulation
  • Federal Sentencing Guidelines
  • OECD Guidelines
  • UK Bribery Act – strict liability/affirmative defense.
  • Many bribery cases have involved a 3rd party who made an improper payment on an company’s behalf

What is 3rd Party Due Diligence?

  • Defined as “Reasonable Inquiry” and not absolute certainty
  • Not necessarily an investigation or detailed fact-finding
  • Companies are advised to maintain a standard practice or written policy
  • Important to define an escalation process when red flags are uncovered during the due diligence
  • Companies should use logic and rational thinking when evaluating 3rd parties and be able to defend their position
  • Due diligence is not the same for everyone. The approach may vary depending upon the type of company.
  • Include 3rd parties, transactions & relationships
  • Consider rationalizing and culling 3rd-party list – reduce the numbers:
    • If Not Active, archive the 3rd party from all appropriate systems
    • If Active, identify key information including a Business Sponsor and Business Justification

Goal: significant reduction in number of Active 3rd-parties

  • More in-depth investigation of higher risk entities
  • Based on preliminary risk assessment

Written Agreements – Some Suggestions

Ensure key contracts are drafted to – Clearly explain the scope of anti-bribery provisions by:

  • Stating that anti-corruption and anti-bribery provisions apply to the contracting party and associated persons or entities, including owners, directors, officers, employees, agents, and/or outside parties acting on behalf of the collaboration
  • Explaining how broadly the term “government official” is defined under the FCPA. Under the FCPA, an individual or entity may be considered a “government official” if the individual is a candidate for political office; is acting in an official capacity; or is an employee or official of a commercial entity that is partially government-owned or over which a government body exerts control

Require explicit anti-corruption representations by the contracting party, including – 

  • Affirmative representations regarding the contracting party’s current compliance with anti-corruption and anti-bribery requirements
  • Certifying receipt of, and current compliance with, existing anti-corruption and anti-bribery policies on an annual basis
  • Requiring the contracting party to notify the company in writing if any associated persons or entities currently have or assume positions as government officials while continuing to work on any of the collaboration’s activities

Ensure contracts with collaborators are drafted to – Require specific undertakings by the contracting party, including:

  • Requiring the contracting party and associated persons or entities to keep accurate and complete records of expenses for work on any of the collaboration’s activities
  • Requiring the contracting party to notify the company immediately and in writing if it becomes aware of a breach or potential violation of anti-corruption or anti-bribery provisions
  • Providing the company with a right to interview the contracting party and associated persons or entities in the event of a breach or potential violation of anti-corruption or anti-bribery provisions
  • Requiring the contracting party and associated persons or entities to cooperate in good faith in the event of a breach or potential violation of anti-corruption or anti-bribery provisions
  • If the assignment or sub-contracting of contracts is generally permitted, requiring written approval of this modification by the company for FCPA assessment purposes

Some Red Flags

According to a recent benchmarking report published by Navex Global, most companies have uncovered 3rd party “red flags.” While they are often discovered through multiple channels, most companies identified them through their internal due diligence processes (65%).

  • Agents, consultants, joint ventures, and contractors that reside outside the country where the services are to be rendered
  • Demand an unusually high commission without a corresponding level of service or risk
  • Do not have the company resources or staff to undertake the scope of work required under the agreement
  • Have a close family connection or other personal or professional affiliation with a foreign government or official
  • Refuse to disclose their complete ownership
  • Refuse to sign representations, warranties, and covenants that they have not violated and will not violate the requirements of the FCPA
  • Request that false invoices or other documents be prepared in connection with a transaction
  • Request payment before conclusion of contracts or award of bids
  • Engage in transactions in a country with a general reputation for bribery and corruption
  • Have a lack of transparency in expenses and accounting records
  • Request to provide services without written contract
  • Request to retain other intermediaries to perform similar functions as agent
  • Request reimbursement of expenses with incomplete documentation

Some Red flags when dealing with Agents and Consultants

  • Requests for excessive compensation or “success fee”
  • Are fees reasonable and proportionate to legitimate services?
  • Claims (or threats) based on personal ties
  • “My brother works for the Ministry of Commerce, so you won’t succeed without me”
  • Requests for payment
    • In cash
    • To someone other than the agent
    • To accounts in third world countries

Sample Process – 3rd Party Management & Oversight

  • Accountability
  • Business Sponsorship and Data Collection
  • Business Justification
  • On-Boarding Questionnaire
  • FCPA Certification
  • Risk Assessment
  • Investigative Due Diligence
  • Written Agreements
  • Training
  • 3rd-Party Program Controls
  • 3rd-Party Qualification Requirements
  • Governance Structure
  • On-going Communication
  • Investigative Due Diligence (Recheck: When time has elapsed, new information is uncovered, or there has been sometyoe of change)
  • Monitoring (Ongoing or Real time)
  • Investigations
  • Operationalize all previous steps and ensure that you document the procedures performed (Emphasis added).

Some Pervasive Issues in Practice the Audit Committee Should Understand

  • “Boiling the Ocean” – not risk focused (this includes training)
  • Business rushes compliance or pushes back
  • Lack of (qualified) resources – Does legal, compliance, and internal audit (The Bermuda Triangle™) have the appropriate experience and qualifications to cover their roles and responsibilities?
  • Silos – inventory, purchasing, manufacturing, etc. – different systems, duplications of due diligence screenings and compliance efforts
  • Ignoring the subsequent discovery of facts
  • Complexity – 3rd party interactions – numerous contact points; locations
  • Failing to train 3rd parties on how to report violations – extending the hotline
  • Incomplete data to make informed decisions or failing to identify the Business Sponsor
  • Expectations and obligations are not in writing – Contracts!
  • Sub-contracting arrangements are not addressed or prohibited
  • Overlooking local language searches – lost in translation
  • A right to audit never results in an audit or is too broad (mountains of documents)., Right to audit becomes an audit obligation.
  • Failure to follow-up or appropriately follow up on “red flags”
  • Paper tiger or exercise – a program that gives the impression of being powerful, but has no substance
  • Poor communication
  • Internal Audit engagement (late or not at all)
  • Company – culture of compliance is weak or doesn’t exist

The Department of Justice Evaluation of Corporate Compliance Programs devotes an entire prong to 3rd party risk management. Audit Committees must be able to answer these questions.

  • Risk-Based and Integrated Processes How has the company’s 3rd-party management process corresponded to the nature and level of the enterprise risk identified by the company?
    • How has this process been integrated into the relevant procurement and vendor management processes?
  • Appropriate Controls What was the business rationale for the use of the 3rd parties in question
    • What mechanisms have existed to ensure that the contract terms specifically described the services to be performed, that the payment terms are appropriate, that the described contractual work is performed, and that compensation is commensurate with the services rendered?
  • Management of Relationships How has the company considered and analyzed the 3rd party’s incentive model against compliance risks?
    • How has the company monitored the 3rd parties in question?
    • How has the company trained the relationship managers about what the compliance risks are and how to manage them?
    • How has the company incentivized compliance and ethical behavior by 3rd parties?
  • Real Actions and Consequences Were red flags identified from the due diligence of the 3rd parties involved in the misconduct and how were they resolved?
    • Has a similar 3rd party been suspended, terminated, or audited as a result of compliance issues?
    • How has the company monitored these actions (e.g., ensuring that the vendor is not used again in case of termination)?

Fourth Parties

Sometimes issues arise not from the third-party, but from the fourth party or a sub-contractor to the third-party.  The board should ask management if they have clear insight into the supply chain, specifically the third-party ecosystem.  You should also ask legal if we are contractually controlling, prohibiting or ensuring there is a timely notice and approval process, regarding the use of  any fourth parties or third-party subcontractors.

For further guidance on 3rd party risk and how to make your board a partner in compliance, please refer to this Blog post by Tom Fox and sign up for Michael Volkov’s webinar.

I welcome your thoughts, comments, and suggestions.

Jonathan

Attribution:

  • DOJ
  • SEC
  • PWC
  • Tom Fox
  • NAVEX Global