Managing Risks in Vendor Relationships

By Mark Scott, J.D., CFE

Organizational management increasingly needs to understand and mitigate its risks effectively to ensure long-term success. Effective risk management requires, among other things, a comprehensive and ongoing set of tools and processes to handle the dangers associated with third-party relationships.

Contracting with an outside third party subjects organizations to risks with the potential for significant financial and reputational harm, such as from fraud, breach of contract, error, breach of confidentiality, data loss and so on. The risks associated with vendor relationships, however, can be unique and vary depending on the vendor as well as the service or process outsourced. Common areas for vendor risks include:


Strategic risks

Reputation risks

Industry risks

Geographical risks

Compliance risks (e.g., the Sarbanes-Oxley Act, the Foreign Corrupt Practices Act, the UK Bribery Act, the Health Insurance Portability and Accountability Act)

Operational risks

Transaction risks

Credit risks

Consider, for example, the case of Frederic Bourke, an American investor who was convicted of conspiring to violate the Foreign Corrupt Practices Act (FCPA), a federal law that outlaws certain bribes paid to foreign officials. Bourke invested $8 million with Victor Kozeny, a Bahamas-based Czech businessman, in an effort to privatize Azerbaijan’s government-controlled oil company. The U.S. government alleged that Kozeny bribed Azeri officials to ensure the privatization of the oil company, and U.S. prosecutors secured Bourke’s conviction without offering clear evidence that Bourke knew that Kozeny was paying bribes. Instead, the government successfully argued that Bourke’s willful blindness (i.e., intentional ignorance) to the circumstances suggesting that Kozeny would make unlawful bribes was sufficient to establish Bourke’s criminal culpability. Bourke’s conviction, which resulted in a one-year sentence and a fine of $1 million, demonstrates the importance of conducting due diligence on third-party relationships and recognizing — and resolving — apparent red flags.

Although most managers are aware of the inherent risks associated with using vendor products and services, many do not have the necessary processes or controls in place to address such risks. But in today’s increasingly globalized world, such preventive measures matter more than ever.

Organizations are increasingly contracting with vendors to gain a competitive edge, enhance product offerings, and reduce costs, and these developments, in combination with the global economic downturn, have contributed to greater regulatory scrutiny. Regulators acknowledge the risks associated with vendor relationships and have demanded that leaders monitor and take responsibility for the actions of their vendors through various laws and standards such as the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, the FCPA, the Health Insurance Portability and Accountability Act, and the Payment Card Industry Data Security Standard (PCI DSS) requirements. Consequently, vendor management is currently at the forefront of organizational risk management priorities.

This article seeks to provide fraud examiners with guidance on managing the risks that stem from these types of third-party relationships. Although there are many steps management can take to mitigate vendor risks, this article focuses on two in particular: due diligence for selecting qualified vendors and ongoing due diligence for monitoring third-party risks.

Due Diligence in Vendor Selection
Management should perform due diligence on potential vendors. Due diligence requires a reasonable inquiry to verify the background, performance history and financial health of vendors being considered to provide goods or services. Ideally, due diligence will provide management with the information needed to address the possible risks presented by potential vendors.

The level of inquiry, however, should be tailored to the risks posed by each particular vendor. That is, the riskier a relationship is to an organization, the greater the risk management responsibilities become.

Due Diligence Basics for Selecting Qualified Vendors
The evaluation of a potential vendor might include the following measures:

Checking the vendor against government watchlists (e.g., the General Services Administration’s Excluded Parties List System, the Office of Foreign Assets Control’s Specially Designated Nationals and Blocked Persons List, and the Bureau of Industry and Security’s Denied Persons List)

Reviewing the vendor’s corporate registry records

Searching politically exposed persons (PEP) databases, if conducting business internationally, to assess whether the vendor and its personnel are connected with foreign governments; PEPs are individuals (e.g., politicians, government officials, legal officials, and high-ranking military officers) who might be or have been in a position of political authority

Verifying the vendor’s key employees

Searching the vendor’s corporate records to determine what other companies the key employees have been involved with

Verifying the vendor’s insurance

Verifying any professional licenses held by the key personnel

Confirming the vendor’s physical addresses (e.g., use online tools to check addresses, conduct reverse address searches, etc.)

Performing site visits at the vendor’s principal place of business

Testing the reputation of the vendor and its key individuals (e.g., ask those in the industry about the vendor to gauge the vendor’s overall reputation for integrity)

Conducting a media analysis of the vendor and its key employees

Conducting interviews with the vendor’s employees

Requiring a W-9 form from the vendor

Reviewing the vendor’s policies and procedures on fraud, governance and compliance

Reviewing the vendor’s financial data

Reviewing the vendor’s banking information

Other information that might be valuable to a vendor due diligence investigation includes:

When the business began

Company profile and strategy

Form of business

Information about the vendor’s customers (e.g., the diversity of customers the vendor serves)

Staff size

Locations of facilities

Financial stability

Company specialization

Delivery track record

Involvement in the community

Process for reporting problems or asking questions

Potential Due Diligence Red Flags
Due diligence in vendor selection might reveal any of the following red flags, suggesting that a potential vendor is not qualified:

Inadequate financial resources

A poor record of performance

Reputation for dishonesty

Prior complaints or criminal or civil actions

History of fraudulent conduct

Undisclosed outside business interests or front companies owned by an employee of the purchasing entity

Vendor has family ties with an employee of the purchasing entity

Vendor offers a deal that is too good to be true

Business model does not make sense

Due diligence does not end once a vendor is selected. Management must contend with the risks that arise throughout the life of third-party contracts and relationships.

Ongoing Due Diligence Monitoring
Organizations can face significant risks if their vendor relationships are not carefully monitored; therefore, management should establish processes to review vendor risks on an ongoing basis.

The procedures used to monitor vendors should be similar to those used to evaluate potential vendors, and they should be based on areas that pose the greatest threat. That is, vendor risks should be assessed as they relate to the organization’s objectives.

Additionally, management should employ processes and controls to track and monitor red flags of any vendor-related fraud schemes that pose significant risks. For example, management may establish controls to monitor red flags of vendor-related frauds, such as whether a vendor:

Charges unjustifiably high prices or imposes unjustified price increases for common goods or services

Does not relate well to other contractors

Lists an address, telephone number or zip code that matches an employee’s address, an employee’s outside business or the address of an employee’s relative

Provides an incomplete address (e.g., only a P.O. Box, no telephone number or no street address)

Lists multiple addresses

Has a reputation for corruption (or similarly, its industry or country of operation has a reputation for corruption)

Is not on the purchasing entity’s approved-contractor list

Lacks transparency in its accounting records

Similarly, purchasing entities should monitor the application of the accounts payable policies on vendor master files. The vendor master file is a database that contains a record of all vendors with whom an organization conducts business, and it will contain records for purchasing functions (e.g., vendor name and address, contact information and purchasing terms) and accounts payable functions (e.g., the purchasing terms, remittance address and general ledger account number). Vendor master file records should be reviewed on a regular basis for:

Inactive accounts

Duplicate vendors

Vendors with incomplete records

Accuracy issues

File format errors

Vendors with multiple remit-to addresses

Inconsistent naming conventions
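The two lists above (the vendor-level red flags and the vendor master file review points) are concrete enough to run as periodic rules over the master file rather than as a one-off manual read. The following script is an added example, not code from the article or from the ACFE; every vendor and employee record in it is constructed sample data, and the field names (id, name, address, remit_to, phone, tax_id, last_invoice) are assumptions about how a master file might be laid out. It normalises names, addresses and phone numbers before comparing them, because most duplicate-vendor and employee-match cases hide behind formatting differences such as "Street" versus "St." or "Inc." versus "Incorporated".

```python
"""Rule-based review of a vendor master file against the red flags above.
Added example, not from the article; all records are constructed sample data
and the field names are assumptions about a master file layout."""
from datetime import date
import re

# Raw string comparison misses "42 Elm Street" vs "42 ELM ST.", so names and
# addresses are normalised before any matching or duplicate check.
_ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "suite": "ste",
           "incorporated": "inc", "corporation": "corp", "company": "co",
           "p.o": "po"}

def normalize(text: str) -> str:
    """Lower-case, strip punctuation and map common abbreviations to one form."""
    out = []
    for tok in text.lower().split():
        tok = tok.strip(".,;#")
        if tok:
            out.append(_ABBREV.get(tok, tok))
    return " ".join(out)

def digits(phone: str) -> str:
    """Keep only digits so '(555) 010-4242' and '555-010-4242' compare equal."""
    return re.sub(r"\D", "", phone or "")

def review(vendors, employees, approved_ids, today, inactive_days=365):
    """Return (vendor_id, rule, detail) tuples for every red flag found."""
    findings = []
    emp_by_addr = {normalize(e["address"]): e["name"] for e in employees}
    emp_by_phone = {digits(e["phone"]): e["name"] for e in employees if digits(e["phone"])}
    seen_name, seen_tax = {}, {}
    for v in vendors:
        vid, addr, phone = v["id"], normalize(v["address"]), digits(v["phone"])
        # Vendor address or phone matches an employee record (possible front company)
        if addr in emp_by_addr:
            findings.append((vid, "employee_address_match", emp_by_addr[addr]))
        if phone and phone in emp_by_phone:
            findings.append((vid, "employee_phone_match", emp_by_phone[phone]))
        # Only a P.O. box, or no telephone number at all
        if addr.startswith("po box") or not phone:
            findings.append((vid, "incomplete_address", v["address"]))
        # More than one distinct remit-to address on file
        remits = {normalize(r) for r in v["remit_to"]}
        if len(remits) > 1:
            findings.append((vid, "multiple_remit_to", sorted(remits)))
        # Duplicate vendor: same normalised name or same tax id as an earlier record
        name = normalize(v["name"])
        if name in seen_name:
            findings.append((vid, "duplicate_name", seen_name[name]))
        seen_name.setdefault(name, vid)
        if not v["tax_id"]:
            findings.append((vid, "incomplete_record", "missing tax_id"))
        elif v["tax_id"] in seen_tax:
            findings.append((vid, "duplicate_tax_id", seen_tax[v["tax_id"]]))
        else:
            seen_tax[v["tax_id"]] = vid
        # Not on the approved-contractor list
        if vid not in approved_ids:
            findings.append((vid, "not_on_approved_list", ""))
        # Inactive account: no invoice within the review window
        if (today - v["last_invoice"]).days > inactive_days:
            findings.append((vid, "inactive_account", v["last_invoice"].isoformat()))
    return findings

# Constructed sample data (not real vendors, employees or identifiers)
EMPLOYEES = [
    {"name": "J. Doe", "address": "42 Elm Street, Springfield, 12345", "phone": "(555) 010-4242"},
    {"name": "A. Lee", "address": "7 Oak Ave, Springfield, 12345", "phone": "555-010-7777"},
]
VENDORS = [
    {"id": "V001", "name": "Acme Supply Inc.", "address": "100 Industrial Rd, Springfield, 12345",
     "remit_to": ["100 Industrial Rd, Springfield, 12345"], "phone": "555-010-1000",
     "tax_id": "11-1111111", "last_invoice": date(2024, 5, 1)},
    {"id": "V002", "name": "ACME SUPPLY INCORPORATED", "address": "100 Industrial Road, Springfield, 12345",
     "remit_to": ["P.O. Box 99, Springfield, 12345"], "phone": "",
     "tax_id": "11-1111111", "last_invoice": date(2024, 4, 15)},
    {"id": "V003", "name": "Elm Consulting LLC", "address": "42 Elm St., Springfield, 12345",
     "remit_to": ["42 Elm St., Springfield, 12345", "P.O. Box 7, Springfield, 12345"],
     "phone": "555-010-4242", "tax_id": "", "last_invoice": date(2022, 1, 10)},
    {"id": "V004", "name": "Northwind Traders", "address": "P.O. Box 300, Springfield, 12345",
     "remit_to": ["P.O. Box 300, Springfield, 12345"], "phone": "",
     "tax_id": "22-2222222", "last_invoice": date(2024, 6, 1)},
]
APPROVED = {"V001", "V003", "V004"}

def run_sample():
    """Run the review over the constructed data as of a fixed review date."""
    return review(VENDORS, EMPLOYEES, APPROVED, date(2024, 7, 1))

if __name__ == "__main__":
    for vid, rule, detail in run_sample():
        print(f"{vid:5} {rule:24} {detail}")
```

In the sample run, V001 produces no findings, V002 is flagged as a duplicate of V001 by both name and tax id (and as unapproved and lacking a phone number), V003 is flagged because its address and phone match employee J. Doe, it has two remit-to addresses, no tax id and no invoices for over a year, and V004 is flagged only for having nothing but a P.O. box. In practice the employee list would come from HR and should include known relatives' addresses and outside business addresses, as the red flag above describes, and the rule output would feed a review queue rather than an automatic block.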


There are numerous issues to grapple with when dealing with risk management, but recent events have contributed to increased regulatory scrutiny and heightened awareness regarding the risks posed by outside vendors. The risks associated with third-party relationships, however, can be managed through a comprehensive and ongoing vendor due diligence program.

Source: acfe

  1. saima qaiser 12 years ago

    Due diligence in vendor selection is important and beneficial for both vendor and organization.
