Audit Committee Primer on 3rd Party Risk Management

Every U.S. company conducting or seeking business abroad is subject to the Foreign Corrupt Practices Act (FCPA), and it’s no secret that 3rd party issues still present the highest risk under the FCPA. In fact, some say that more than 90% of reported FCPA cases involve third-party intermediaries.

Yet many boards and audit committees seem unsure of their role, and of how to assess whether this risk is being managed.

I am hopeful the information provided herein will help board and audit committee members in their oversight role and in becoming a partner in compliance.


3rd party risk management is a term that usually refers to the risk management activities surrounding your 3rd party intermediaries; it can include screening, data collection, documentation, ongoing monitoring, and auditing.

Regulators whose mission is to enforce compliance expect a risk-based approach to drive 3rd party risk management. “Boiling the ocean” is not only a waste of time, energy and money; it also sends the message that you are more than likely not using a risk assessment as the foundation of your compliance program. As stated in the FCPA Guide, the “[a]ssessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.”

Many companies seem to struggle with the risk assessment, and since the risk assessment drives the compliance program, it is important for the audit committee to truly understand how risk is being assessed.


From a governance perspective, many boards assign the risk management element to the audit committee.

Here are some things the audit committee might do to enhance its effectiveness:

  • Assess whether the individual who “owns” the 3rd party risk oversight program has appropriate standing and visibility in the company.
  • Evaluate the culture of compliance by assessing management’s tone, attitude, and conduct towards compliance.
  • Assess whether the due diligence program or screening process is adequate to identify the risks a potential 3rd party might pose to the company, and how the company plans to mitigate and monitor those risks if it moves forward with the relationship. (See below.)
  • Understand the company’s activities regarding 3rd party relationships in high-corruption-risk locations and industries. Discuss whether, and why, the company is using “middle men” in corruption hot spots.
  • Inquire whether the company has rights to audit and rights to terminate, and whether it adequately monitors compliance on an ongoing basis.
  • Assess whether the company actually exercises its rights to audit, and how that decision is made.
  • Understand how management determines the benchmarks and reporting protocols for 3rd party relationships. Discuss management’s process for review of, and follow-up on, the reports.
  • Inquire as to how the company documents each procedure performed within the compliance process.
  • Understand the role internal audit plays in the governance, risk and compliance processes.
  • Assess the company’s fraud risk management program. Ask whether technology is being used to help monitor transactions and other data.

3rd Party Due Diligence Program

Why 3rd Party Due Diligence

What is 3rd Party Due Diligence?

Goal: significant reduction in number of Active 3rd-parties

Written Agreements – Some Suggestions

Ensure key contracts are drafted to – Clearly explain the scope of anti-bribery provisions by:

Require explicit anti-corruption representations by the contracting party, including – 

Ensure contracts with collaborators are drafted to – Require specific undertakings by the contracting party, including:

Some Red Flags

According to a recent benchmarking report published by Navex Global, most companies have uncovered 3rd party “red flags.” While red flags are often discovered through multiple channels, most companies (65%) identified them through their internal due diligence processes.

Some Red flags when dealing with Agents and Consultants

Sample Process – 3rd Party Management & Oversight

Some Pervasive Issues in Practice the Audit Committee Should Understand

The Department of Justice’s Evaluation of Corporate Compliance Programs devotes an entire prong to 3rd party risk management. Audit committees must be able to answer the questions it poses.

Fourth Parties

Sometimes issues arise not from the third party but from a fourth party, that is, a sub-contractor to the third party. The board should ask management whether it has clear insight into the supply chain, specifically the third-party ecosystem. The board should also ask legal whether the company is contractually controlling or prohibiting the use of any fourth parties or third-party subcontractors, or at least ensuring there is a timely notice and approval process for their use.

A fourth party is simply your third party’s third party. Your company is responsible not only for its third parties’ activities but also for the activities of its third parties’ third parties, referred to as fourth parties. When a fourth party is critical or material to a third party’s operation, the risk is more likely than not greater, and you should have a plan in place to manage that risk appropriately.

For further guidance on third (3rd) party risk and on how to make your board a partner in compliance, please refer to this blog post by Tom Fox and sign up for Michael Volkov’s webinar.

I welcome your thoughts, comments, and suggestions.