By Mark Scott, J.D., CFE
Organizational management increasingly needs to understand and mitigate its risks effectively to ensure long-term success. Effective risk management requires, among other things, a comprehensive and ongoing set of tools and processes to handle the dangers associated with third-party relationships.
Contracting with an outside third party subjects organizations to risks with the potential for significant financial and reputational harm, such as from fraud, breach of contract, error, breach of confidentiality, data loss and so on. The risks associated with vendor relationships, however, can be unique and vary depending on the vendor as well as the service or process outsourced. Common areas for vendor risks include:
Compliance risks (e.g., the Sarbanes-Oxley Act, the Foreign Corrupt Practices Act, the UK Bribery Act, the Health Insurance Portability and Accountability Act)
Consider, for example, the case of Frederic Bourke, an American investor who was convicted of conspiring to violate the Foreign Corrupt Practices Act (FCPA), a federal law that outlaws certain bribes paid to foreign officials. Bourke invested $8 million with Victor Kozeny, a Bahamas-based Czech businessman, in an effort to privatize Azerbaijan’s government-controlled oil company. The U.S. government alleged that Kozeny bribed Azeri officials to ensure the privatization of the oil company, and U.S. prosecutors secured Bourke’s conviction without offering clear evidence that Bourke knew that Kozeny was paying bribes. Instead, the government successfully argued that Bourke’s willful blindness (i.e., intentional ignorance) to the circumstances suggesting that Kozeny would make unlawful bribes was sufficient to establish Bourke’s criminal culpability. Bourke’s conviction, which resulted in a one-year sentence and a fine of $1 million, demonstrates the importance of conducting due diligence on third-party relationships and recognizing — and resolving — apparent red flags.
Although most managers are aware of the inherent risks associated with using vendor products and services, many do not have the necessary processes or controls in place to address such risks. But in today’s increasingly globalized world, such preventive measures matter more than ever.
Organizations are increasingly contracting with vendors to gain a competitive edge, enhance product offerings, and reduce costs, and these developments, in combination with the global economic downturn, have contributed to greater regulatory scrutiny. Regulators acknowledge the risks associated with vendor relationships and have demanded that leaders monitor and take responsibility for the actions of their vendors through various laws and standards such as the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, the FCPA, the Health Insurance Portability and Accountability Act, as well as the Payment Card Industry Data Security Standard (PCI DSS) requirements. Consequently, vendor management is currently at the forefront of organizational risk management priorities.
This article seeks to provide fraud examiners with guidance on managing the risks that stem from these types of third-party relationships. Although there are many steps management can take to mitigate vendor risks, this article focuses on two in particular: due diligence for selecting qualified vendors and ongoing due diligence for monitoring third-party risks.
Due Diligence in Vendor Selection
Management should perform due diligence on potential vendors. Due diligence requires a reasonable inquiry to verify the background, performance history and financial health of vendors being considered to provide goods or services. Ideally, due diligence will provide management with the information needed to address the possible risks presented by potential vendors.
The level of inquiry, however, should be tailored to the risks posed by each particular vendor. That is, the riskier a relationship is for an organization, the greater management's risk management responsibilities become.
Due Diligence Basics for Selecting Qualified Vendors
The evaluation of a potential vendor might include the following measures:
Checking the vendor against government watchlists (e.g., the General Services Administration’s Excluded Parties List System, the Office of Foreign Assets Control’s List of Specially Designated Nationals and Blocked Persons List, and the Bureau of Industry and Security’s Denied Persons List)
Reviewing the vendor’s corporate registry records
Searching politically exposed persons (PEP) databases, if conducting business internationally, to assess whether the vendor and its personnel are connected with foreign governments; PEPs are individuals (e.g., politicians, government officials, legal officials, and high-ranking military officers) who might be or have been in a position of political authority
Verifying the vendor’s key employees
Searching the vendor’s corporate records to determine what other companies the key employees have been involved with
Verifying the vendor’s insurance
Verifying any professional licenses held by the key personnel
Confirming the vendor’s physical addresses (e.g., using online tools to check addresses or conducting reverse address searches)
Performing site visits at the vendor’s principal place of business
Testing the reputation of the vendor and its key individuals (e.g., ask those in the industry about the vendor to gauge the vendor’s overall reputation for integrity)
Conducting a media analysis of the vendor and its key employees
Conducting interviews with the vendor’s employees
Requiring a W-9 form from the vendor
Reviewing the vendor’s policies and procedures on fraud, governance and compliance
Reviewing the vendor’s financial data
Reviewing the vendor’s banking information
Other information that might be valuable to a vendor due diligence investigation includes:
When the business began
Company profile and strategy
Form of business
Information about the vendor’s customers (e.g., the diversity of customers the vendor serves)
Locations of facilities
Delivery track record
Involvement in the community
Process for reporting problems or asking questions
Potential Due Diligence Red Flags
Due diligence in vendor selection might reveal any of the following red flags, suggesting that a potential vendor is not qualified:
Inadequate financial resources
A poor record of performance
Reputation for dishonesty
Prior complaints or criminal or civil actions
History of fraudulent conduct
Undisclosed outside business interests or front companies owned by an employee of the purchasing entity
Vendor has family ties with an employee of the purchasing entity
Vendor offers a deal that is too good to be true
Business model does not make sense
Due diligence does not end once a vendor is selected. Management must contend with the risks that arise throughout the life of third-party contracts and relationships.
Ongoing Due Diligence Monitoring
Organizations can face significant risks if their vendor relationships are not carefully monitored; therefore, management should establish processes to review vendor risks on an ongoing basis.
The procedures used to monitor vendors should be similar to those used to evaluate potential vendors, and they should be based on areas that pose the greatest threat. That is, vendor risks should be assessed as they relate to the organization’s objectives.
Additionally, management should employ processes and controls to track and monitor red flags of any vendor-related fraud schemes that pose significant risks. For example, management may establish controls to monitor red flags of vendor-related frauds, such as whether a vendor:
Is paid unjustifiably high prices, or receives unexplained price increases, for common goods or services
Does not relate well to other contractors
Lists an address, telephone number or zip code that matches an employee’s address, an employee’s outside business or the address of an employee’s relative
Provides an incomplete address (e.g., only a P.O. Box, no telephone number or no street address)
Lists multiple addresses
Has a reputation for corruption (or similarly, its industry or country of operation has a reputation for corruption)
Is not on the purchasing entity’s approved-contractor list
Lacks transparency in its accounting records
Similarly, purchasing entities should monitor the application of the accounts payable policies on vendor master files. The vendor master file is a database that contains a record of all vendors with whom an organization conducts business, and it will contain records for purchasing functions (e.g., vendor name and address, contact information and purchasing terms) and accounts payable functions (e.g., the purchasing terms, remittance address and general ledger account number). Vendor master file records should be reviewed on a regular basis for:
Vendors with incomplete records
File format errors
Vendors with multiple remit-to addresses
Inconsistent naming conventions
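The vendor master file review and the employee-match red flag described above can be scripted. The following is an added example, not part of this article; it runs over constructed vendor and employee records (not real data) and flags incomplete records, multiple remit-to addresses, inconsistent naming of what is likely the same vendor, and vendors whose address or telephone number matches an employee's.

```python
"""Vendor master file review on constructed sample records (no real vendors or employees)."""
import re
from collections import defaultdict

# Constructed sample data: V1/V2 are the same vendor entered twice, V3 is incomplete
# with two remit-to addresses, and V4 shares an address and phone with employee E1.
VENDORS = [
    {"id": "V1", "name": "Acme Supply Co.", "street": "12 Elm St", "zip": "30301", "phone": "555-0100", "remit_to": ["12 Elm St"]},
    {"id": "V2", "name": "ACME SUPPLY CO", "street": "12 Elm St", "zip": "30301", "phone": "555-0100", "remit_to": ["12 Elm St"]},
    {"id": "V3", "name": "Northwind Parts", "street": "P.O. Box 88", "zip": "30302", "phone": "", "remit_to": ["P.O. Box 88", "9 Oak Ave"]},
    {"id": "V4", "name": "Blue Ridge Consulting", "street": "77 Pine Rd", "zip": "30305", "phone": "555-0199", "remit_to": ["77 Pine Rd"]},
]
EMPLOYEES = [
    {"id": "E1", "name": "J. Doe", "street": "77 Pine Rd", "zip": "30305", "phone": "555-0199"},
    {"id": "E2", "name": "R. Roe", "street": "3 Lake Dr", "zip": "30310", "phone": "555-0142"},
]

def normalize(text):
    """Lower-case and drop punctuation/whitespace so 'Acme Supply Co.' equals 'ACME SUPPLY CO'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def incomplete_records(vendors):
    """Flag vendors with no telephone number or with only a P.O. Box instead of a street address."""
    return [v["id"] for v in vendors
            if not v["phone"] or v["street"].lower().replace(".", "").startswith("po box")]

def multiple_remit_to(vendors):
    """Flag vendors with more than one distinct remit-to address."""
    return [v["id"] for v in vendors if len(set(v["remit_to"])) > 1]

def inconsistent_names(vendors):
    """Group vendor ids whose names collapse to the same normalized key (likely duplicate entries)."""
    groups = defaultdict(list)
    for v in vendors:
        groups[normalize(v["name"])].append(v["id"])
    return [ids for ids in groups.values() if len(ids) > 1]

def employee_matches(vendors, employees):
    """Flag vendors whose street+zip or phone matches an employee record.
    Zip alone is deliberately not matched: it is too coarse and would flood the review."""
    lookup = {}
    for e in employees:
        lookup[("address", normalize(e["street"] + e["zip"]))] = e["id"]
        if e["phone"]:
            lookup[("phone", normalize(e["phone"]))] = e["id"]
    hits = []
    for v in vendors:
        for field, value in (("address", v["street"] + v["zip"]), ("phone", v["phone"])):
            emp = lookup.get((field, normalize(value))) if value else None
            if emp:
                hits.append((v["id"], emp, field))
    return hits
```

Each function returns vendor ids rather than printing, so the results can be fed into a case log or joined back to the accounts payable history for follow-up.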
There are numerous issues to grapple with when dealing with risk management, but recent events have contributed to increased regulatory scrutiny and heightened awareness regarding the risks posed by outside vendors. The risks associated with third-party relationships, however, can be managed through a comprehensive and ongoing vendor due diligence program.