Do you know how to audit a third party in the supply chain?

by Mónica Ramírez Chimal, MBA

Mónica Ramírez Chimal (mramirez@asserto.com.mx) is Partner and Founder of her own consulting firm, Asserto RSC, in Mexico City, Mexico.

Great! Your business is expanding, and with that you need more suppliers, vendors, agents, and distributors in different cities — some even in other countries. You get the contract signed, and everything moves according to it…until certain news changes everything. A supplier is using people who entered the country illegally, students, or minors, or they are not complying with the labor, health, and security requirements needed to operate.

You can think, “Well, that is their problem. I have hired them to perform certain activities, so it is not my problem who or what they use to do it.” Wrong! This is your problem, and it could cost you a lot, from damage to your company’s image and reputation to loss of sales, fines, compliance and legal issues, etc.

So how can you prevent this situation?

Identify contract scope

Let’s start with the contract. In order for you to review or audit and have access to the third party’s processes, personnel, facilities, etc., the contract should include a “right to audit” clause.[1] Make sure you have it, and if not, add it immediately.

Add to it the scope for anti-money laundering, fraud, anti-bribery, labor abuses, poor working conditions, etc. Include the risks that are more likely to happen in your business, and verify in advance the regulation of the third party, just like an inventory. Does the contract comply with their regulation and yours too? Is the contract clearly written? Are costs accurately identified and understood by all? Are third-party risk management roles and responsibilities clearly defined within the organization?

Make sure to audit annually

Send a team from your company to carry out an audit at least once a year. I suggest that either Internal Audit or Compliance does it, since the risks can affect one of them or both. The content of the review will be determined by the scope. Ask for documentation and ask to interview personnel. Do not rely on interviews from only top management. Include every level so you can have a better picture of what is going on in the company. The examples mentioned in the scope require interviews; do them.

Observe everything

Observe not only the person you are interviewing, but the facilities. Is it wet, humid? How is the lighting at night? What are the conditions of the furniture? In case of an emergency, is there an emergency kit? Is there a sickbay? Pay attention to personnel behavior when you are there. Do they look nervous? Do they look happy? Is there disorder, or is everything clean and tidy? How is their attitude? Do they have time for lunch? Walk through the facilities. Understand clearly their processes and how they do it. Believe me, just by taking a walk, you’ll get a lot of information.

It’s important to verify which place you are going to. Check the culture and their clothing. To have an effective review, it is important that they see you as an equal. Clothing is very important. For instance, in many factories, the dress code is informal. If you appear wearing a suit and tie or heels and a jacket, it is very probable that you are going to intimidate people. You do not want that. What you want is for people to feel comfortable with you so they are open to answer your question and share anything with you. And this brings me to: be humble. In my experience as an external consultant, the people in the lower levels of the company know more detail about what is going on, but nothing will come out of their mouths if your attitude is arrogant or bossy. Be humble, and you will get a lot from people!

Keep the details to yourself

Make sure that your audit plan is not known, at least by most people. I know, at least the manager has to know you are there. But when you are there, try not to reveal your audit plan. No one should know what you are going to do step by step! Any person from Compliance or Internal Audit knows that surprise audits are key to getting information. I remember auditing a provider in Monterrey, Mexico. This company’s business line was electronic components. After we arrived, the manager in charge asked me for my audit plan. I explained to him that I couldn’t give it to him, but he would soon know what I was going to do. I started walking through the facilities. I said, “Good morning,” and kept walking. I took several things from the production line. I asked for a plastic bag in order to put what I was taking in, and they gave it to me.

After three days, the people from the production line reported that “someone” had taken material. When the manager called me to his office, I said, “This is what I took from the production line.” And he was shocked. The things I had in the plastic bag had a total value of a quarter of a million Mexican pesos. And personnel didn’t report it immediately! They even gave me a plastic bag. I said: “This is why I didn’t tell you what I was going to do. If I had said it, they would have known I was the one checking, and very likely they would have rushed to report me. By not knowing what I was going to do or who I was, they acted naturally, and they need to know that this type of situation should be reported right away! Imagine if I was a visitor? I would have easily gotten out with all these components!”

Include social media in your review. Check the company’s news on the internet. Check the names of people who you are investigating, and include Facebook, Instagram, Twitter, etc. A lot can be taken from there.

Also, go to the facilities during weekends and outside regular work hours. Check who is there, and afterward, verify with documentation (i.e., payroll and/or reports) if they are paid extra hours; this will help you to minimize the risk of labor abuses.

Document everything in detail

Check documentation versus physical things, such as my example of security risk and theft, and what personnel tell you in the interviews versus what the documentation shows (e.g., the extra hours). When an observation arises, validate it with the person. Explain what you have done and what you have discovered. In this way, you involve the person, the person has an opportunity to explain what happened, and your perception is corroborated. If your observation is right, then it is also useful for the person to be aware of what that observation could bring to his/her job and how it affects the process, the company, other people, etc.

Only after you have validated your observations with the employees involved do you present your findings to senior management.

Check all your contracts

With all the observations validated, check the contract(s) your company has with that third party. Can your observations be included in the contract as a clause? For example, you can include in the contract that there can’t be outsourcing from your provider with others, or that the facilities should remain the same. The contract should also include provisions for monitoring compliance and enforcing the contract.

Ally yourself with Internal Audit

If the provider has an Internal Audit area or Compliance area, talk to them. By getting in touch with them, you can know what the company is lacking (i.e., what have been their common observations). You can have an ally. But make sure that the talk does not influence your audit plan. Listen, take notes, but continue with your plan.

If, after you’ve completed your review, your observations coincide with what they have told you, that’s great news! It means they are effective, and you can help them by giving more voice to their observations. This is a win-win situation for all parties. But if your observations do not have anything to do with what they tell you, you have a last resource: check the external audit report. If that doesn’t coincide, you’ll have to include more revisions in your compliance program for that third party. In other words, make sure that sufficient resources are allocated to provide assurance that third-party relationships are properly managed.[2]

But it is worth it! If you don’t check what is going on with your third parties, you’ll only have a lot of paperwork: documentation that can be easily forged — documentation that may be far away from what reality is.

Conclusion

Use your knowledge of the industry and of the processes to design the control tests. Many types of tests can be done, but it is important to tailor them according to the scope of the review. Check the third parties of your supply chain before it is too late; and even if the results are positive, continue monitoring. You never know when things can change.

Takeaways

  • Observation is a key audit control. Look at the facilities, at people’s behavior. A lot of information can be taken from these sources.

  • When interviewing people, take into account your clothing. For people to be open, they need to be comfortable with you and see you as their equal.

  • Audits should be a surprise. It is fine if people know you are there, but do not share your audit plan in advance.

  • The best tests are the ones that are mixed: documentation versus physical assets, information from an interview versus documentation, etc.

  • A third party’s Compliance department or Internal Audit can be a great ally. But first make sure they are effective.

 
2 The Institute of Internal Auditors: “Managing third-party risks” Tone at the Top, issue 67, April 2014. Available at https://bit.ly/2LGUSS9.
1 Matt Kelly: “Managing Third-Party Risks in Your Global Supply Chain” Gan Integrity Inc., November 30, 2017. Available at https://bit.ly/2vqW4hv.


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings