How audit committees can take the lead in stemming third-party risks
Audit committees have plenty of risks to worry about within their organisations. But risks outside company walls – third-party risks including bribery and fraud along the supply chain – can be just as harrowing.
The risk of fraud appears to be a growing concern globally. Thirty-seven per cent of respondents in a 2014 global economic crime survey by PwC reported being hit by fraud, up from 30% in the 2009 survey. And 62% of audit committee members want to devote more time to oversight of the risk process, according to a 2015 survey by KPMG.
A new report from PwC offers advice for audit committees to mitigate third-party risks. Many of the world’s large companies have thousands of suppliers – the PwC report said that 89 of the companies in the Fortune 500 average more than 100,000 suppliers each. The risks that companies are exposed to because of those suppliers can be exponential – especially if those third parties have third-party suppliers of their own.
A company’s brand and reputation are at stake, and some companies have faced legal action and fines for the actions of third parties. Also at stake is the potential loss of intellectual property (IP).
PwC recommends that audit committees take the lead on third-party risks, noting that these types of risks are not always covered by a company’s traditional internal controls or enterprise risk assessments.
Audit committees should:
- Understand the nature and number of significant third-party relationships.
- Evaluate how audit committee oversight should consider controls over third-party risks comprehensively.
- Evaluate whether general counsel is sufficiently engaged and aware of the importance of its role in third-party risk control as it relates to contracts with those third parties.
Steps toward mitigation
The report offers five advance steps and four ongoing steps that an audit committee can take to facilitate its oversight and potentially mitigate third-party risks. Here are some steps to take as a relationship is being formed:
Due diligence on reputation and capabilities: From simple web searches to using questionnaires about compliance practices to making site visits, knowing more about a third party is the first step.
Proper reporting lines for third-party compliance: This relates to a company’s governance. Organisations will be better equipped to mitigate risk if there is an assigned owner of the third-party management function.
Adequate contracts and policies: Agreements should cover protection of IP, training of third-party employees, and rights to audit, and should define how the third party will “protect the company’s IP, how employees will be trained in protecting the IP, and also anti-corruption matters for employees.”
Right to terminate the relationship for violations: Standard contracts should protect the company in the event that a third party violates terms of the agreement.
Extend employee hotlines: To prevent the risk of corruption, PwC recommends giving third parties access to the company’s whistleblowing hotlines. Enabling anonymous reporting at the supplier level can give the company an early warning.
Additional ongoing measures include:
Set up monitoring of high-risk parties: This process is defined differently by companies, based on dollar value of the relationship, the nature of the company’s IP that the third party can access, or other measures.
Obtain periodic representations of compliance: Third parties could be required to submit evidence of compliance, including that entity’s own audit. A company’s decision to require periodic updates should depend on the level of risk the third party presents to the company.
Exercise the right to audit with a documented process: Following through on the right to audit with an actual audit sends a clear message to the third party about the importance of compliance with a contract.
Monitor metrics and reporting: Key metrics should be regularly tracked, with specifics related to the nature of the third party’s work with the company. Following up is vital when data reports are late or incomplete.
—Neil Amato (namato@aicpa.org) is a CGMA Magazine senior editor.