Companies strategically use third parties to help increase revenue, reduce cost and/or provide critical expertise or products and services. As a result, many vendor agreements include “right to audit” clauses as a way to determine compliance with the parameters of the contract. The “right to audit” clause provides the procuring organization with the right to access and review third-party books and records.
Although this clause is seldom used by most organizations as a compliance tool under business-as-usual conditions, the “right to audit” can be increasingly useful for business leaders in the current environment. After all, the pandemic has upended risk profiles for most companies, making it prudent to reevaluate the risk, and any potentially significant negative impact, of doing business with third parties. Further, the act of requesting an audit of third parties itself—provided the requests are well-documented and objectively thought out—serves as further proof of the procuring organization’s ongoing commitment to compliance. If third-party misconduct does come to light, whether through the audit request or another means, regulators are likely to view proactive oversight by the procuring organization positively and may reward these efforts with leniency.
Still, most organizations do not have the appetite or resources to review audit results from every third party under contract, nor should they. Determining whether now is the time to exercise the right to audit a particular third party begins with an assessment of risks, including legal, reputational, and operational risk, as well as the risk of lost revenue and payment waste and abuse.
Assessing Your Organization’s Third-Party Risks
The pandemic has created an environment of increased pressure on businesses of all types—suppliers and purchasers alike—to perform under challenging circumstances. This in turn increases the likelihood of inappropriate, and often illegal, behavior by third parties to meet contract standards. Business leaders should inventory all third-party types to identify whether the risk of doing business with each category of vendor has changed in the wake of the pandemic. Consider the company’s risk appetite, latest enterprise-wide risk assessment and overall risk strategy to determine whether there is a heightened likelihood of a negative impact on the company.
Stakeholders should be surveyed to identify issues experienced related to third-party non-performance, financial discrepancies, misrepresentation, or other non-compliance by the provider. Identified changes in behavior by third-party vendors may indicate increased risks in the relationship and a need to exercise audit rights.
Further, Internal Audit and second-line risk functions should reevaluate their testing plans to assess their coverage of key third-party pandemic risk elements. Conducting a comprehensive risk-rating process is an effective means to identify potentially “auditable” third parties against established criteria.
Risk-Ranking Third Parties
First, risk ratings are developed based upon the procuring organization’s risk appetite, as well as an understanding of the key risks of the third party. This approach provides an objective basis for identifying actual risk arising from the pandemic and can aid in comparing risk levels between third parties related to specific risk areas such as financial health, compliance controls, impact on data sensitivity, resiliency, and likelihood of fraud and/or corruption.
The following questions are key points to consider when conducting a risk-rating process:
- What are the key components of a high-risk profile for a third-party vendor (differences can occur based on type of relationship and industry), and what has changed as a result of the pandemic?
- Are there known cases, trends, or allegations (public or otherwise) of improper behavior by the third party itself, or in their industry or jurisdiction?
- What are the pressures that a third party (by type) now faces in the pandemic? Can data analytics be leveraged to provide efficient and effective coverage of the key pandemic risk indicators and red flags to identify exceptions, trends, and areas for further investigation?
Once all third-party vendors have an objective risk score, they can be ranked according to those ratings to determine where to best focus “right to audit” requests.
To Audit or Not to Audit?
Higher-risk vendors that are good candidates for audit should also be evaluated against the following criteria before ultimately making the decision to audit (or not).
Parameters in the “right to audit” clauses: These clauses vary so it is important to determine whether the objective of the audit is achievable under the parameters that are set forth. For example:
- Under what circumstances can the audit be requested?
- How much advance notice is required?
- Are there limitations on what can be audited (types of data or method of access) or with whom audit results can be shared?
- Which entity is responsible for assuming the cost of the audit?
Reporting considerations: Before exercising a “right to audit,” business leaders should consider the potential results of the audit and whether any would be material enough to report beyond the department/division using the third party. For example, would the result of the audit rise to a level that requires reporting to the board or to other stakeholders? Similarly, are regulators and enforcement agencies reviewing how the organization chooses to exercise its audit rights, especially in high-risk areas never before audited?
Resource constraints: If the procuring organization’s internal audit function does not have sufficient resources or the appropriate expertise to conduct the audits, management should consider whether to outsource or co-source, and whether that additional cost outweighs the benefits. Further, business leaders should consider whether there are Covid-19 restrictions that would impair the ability to audit altogether.
As a result of the pandemic, company risk profiles have changed significantly. The risk that vendors have relaxed their own compliance standards is high, furthering the need for procuring organizations to reevaluate the risk of doing business with third parties. Selective and well-documented use of the “right to audit” clause can provide companies with an effective tool in mitigating risks associated with third parties and help avoid larger issues down the line.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Kristin Bone and Eva Weiss are partners at StoneTurn.
StoneTurn is a global advisory firm, that assists companies, their counsel and government agencies on regulatory, risk and compliance issues, investigations and business disputes.
Bloomberg Tax Insights articles are written by experienced practitioners, academics, and policy experts discussing developments and current issues in taxation.