Vendor audits: Are they worth the effort and expense?

From briefcases of cash to payments through complex structures, the use of dummy, shell or offshore companies and kickback-factored contracts, the manners in which monies are siphoned out of companies are increasingly creative and difficult to trace.

Many companies have been fined for improper payments made by their vendors (on their behalf) through a myriad of fraud and corruption schemes where supply chains are exploited.

Often the initial reaction from companies is vendor audits are expensive, difficult to conduct, excessively time-consuming and have an adverse impact on the efficiency of the organisation. But negative media reports, long drawn-out and costly legal battles, loss of faith and confidence by customers, loss of major contracts, and large amount of monies leaking from the company are some of the commercial realities.

A well-designed vendor management assessment and management process, incorporating vendor audits, can be efficient, cost-effective and enhance the quality of the organisation’s operation.

Companies undertake vendor audits, as part of a wider compliance program, for a variety of reasons, including:

• As part of a vendor selection and onboarding process;
• Annual/periodic review of the vendors as part of a company’s internal controls framework and prior to contracts being renewed;
• As a proactive measure to determine their third-parties’ compliance with legislation and contract clauses
• Investigations into allegations of misconduct or overbilling by the third-party

Compliance-focused vendor audits are increasingly being perceived as best practice across a wide range of industries, and particularly in logistics where the business model engages large numbers of third-parties. This high dependency on external third parties in the logistics industry has historically resulted in companies getting into hot water for fraud, bribery and corruption.

A compliance-focused vendor audit should take into account the risk assessment, scope, limitation, privacy considerations, strength of the audit rights, access, and documentation. The aim should not be to audit every vendor engaged by the organisation but to conduct a thorough audit with greater frequency for targeted, high-risk vendors.

Vendor audits focus on the third party’s books and records, and in particular accounting areas where it is commonly used to record or disguise improper transaction. Vendor audits include, but are not limited to:

• Data analysis of financial transactions and records
• Samples of high-risk transactions
• A review of vendors’ documents, e.g. contracts, ABC policies, etc
• Interviews with internal personnel who deal with the third parties
• Vendor questionnaires
• In-person interviews with the senior management of the third-party
• Transaction review for high-risk or red-flag transactions
• Proper documentation of the findings, red-flags and remediation plans

The supply chain forms one of the key lines of defence in terms of compliance as it is well-placed to identify potential instances of non-compliance by vendors. As such, supply chain management should be empowered, with appropriate training and support, to conduct ongoing monitoring of the vendors and highlight anomalies in the third party vendors’ behaviour and transaction pattern. Anomalies and red flags may include:

• Advanced payments
• Unjustified cost overruns or requests for additional payments
• Inadequate details provided on invoices
• Unverifiable modification to billing or payment details, including payments to offshore accounts and individuals or entities different to the third party rendering the service
• Changes in ownership or the quality of supply

To strengthen third party relationship management, compliance-related procedures can be incorporated into the supply chain process by way of:

• Conducting a regular review of the vendor master file, e.g. de-activating unused vendors, determining high risk vendors, etc
• Conducting regular compliance training sessions for third party vendors
• Obtaining certifications from third-parties regarding compliance with ABC clauses
• Conducting regular interviews with the supplier’s management team to understand their compliance protocol
• Considering whether new and re-negotiated agreements with third-parties include appropriate ABC and right-to-audit clauses
• Being alert to and identifying situations where a company may wish to exercise its right-to-audit third parties

The ease with which documentation, for example contracts and invoices, is made available to the audit team has a direct impact on the efficiency of the audit and this can be achieved by way of good documentation and records maintenance by the supply chain management team. Qualitative information that can be provided by the supply chain team - the historical working relationship with the vendor, past misdemeanors by the vendor, key individuals’ connection with government officials, etc - is imperative information to share with the audit team. As such, supply chain teams often serve as a valuable starting point for vendor audit teams as they plan their reviews.

The right of audit clause within third party vendor contracts is a valuable asset in a company’s compliance programme as it is increasingly common for customers, especially for government and large multinational customers, to mandate and exercise it in their supplier contracts. Where vendor audits are effectively incorporated into an organisation’s compliance program, it can yield valuable information and demonstrates sound vendor management efforts.

Rigorous and thorough vendor audits send strong, compelling compliance messages throughout the organisation and to the company’s third party vendors, demonstrating that the company values transparent and compliant behaviour. Vendors should in turn be less inclined to engage intentionally in unethical conduct if they know that an audit may be conducted at any time. Vendor audits are therefore often an effective way to demonstrate and evidence a company’s careful oversight of supply chain management from a compliance perspective. Companies should be prepared for their customers, especially government agencies and large multi-nationals, to want to exercise their right to audit clause within their contracts.

Weng Yee Ng is an associate director and Emma Hodges is a director at the Forensic Risk Alliance

Hybrid of home and office/site based approx. 1 day per week.
Up to £40,000
Essex Cares
Rotherham, South Yorkshire
CIPS Knowledge
Find out more with CIPS Knowledge:
  • best practice insights
  • guidance
  • tools and templates