Mónica Ramírez Chimal (mramirez@asserto.com.mx) is Partner and Founder of her own consulting firm, Asserto RSC, in Mexico City, Mexico.
Great! Your business is expanding, and with that you need more suppliers, vendors, agents, and distributors in different cities — some even in other countries. You get the contract signed, and everything moves according to it…until certain news changes everything. A supplier is using people who entered the country illegally, students, or minors, or they are not complying with the labor, health, and security requirements needed to operate.
You can think, “Well, that is their problem. I have hired them to perform certain activities, so it is not my problem who or what they use to do it.” Wrong! This is your problem, and it could cost you a lot, from damage to your company’s image and reputation to loss of sales, fines, compliance and legal issues, etc.
So how can you prevent this situation?
Identify contract scope
Let’s start with the contract. In order for you to review or audit and have access to the third party’s processes, personnel, facilities, etc., the contract should include a “right to audit” clause.[1] Make sure you have it, and if not, add it immediately.
Add to it the scope for anti-money laundering, fraud, anti-bribery, labor abuses, poor working conditions, etc. Include the risks that are more likely to happen in your business, and verify in advance the regulation of the third party, just like an inventory. Does the contract comply with their regulation and yours too? Is the contract clearly written? Are costs accurately identified and understood by all? Are third-party risk management roles and responsibilities clearly defined within the organization?
Make sure to audit annually
Send a team from your company to carry out an audit at least once a year. I suggest that either Internal Audit or Compliance does it, since the risks can affect one of them or both. The content of the review will be determined by the scope. Ask for documentation and ask to interview personnel. Do not rely on interviews from only top management. Include every level so you can have a better picture of what is going on in the company. The examples mentioned in the scope require interviews; do them.
Observe everything
Observe not only the person you are interviewing, but the facilities. Is it wet, humid? How is the lighting at night? What are the conditions of the furniture? In case of an emergency, is there an emergency kit? Is there a sickbay? Pay attention to personnel behavior when you are there. Do they look nervous? Do they look happy? Is there disorder, or is everything clean and tidy? How is their attitude? Do they have time for lunch? Walk through the facilities. Understand clearly their processes and how they do it. Believe me, just by taking a walk, you’ll get a lot of information.
It’s important to verify which place you are going to. Check the culture and their clothing. To have an effective review, it is important that they see you as an equal. Clothing is very important. For instance, in many factories, the dress code is informal. If you appear wearing a suit and tie or heels and a jacket, it is very probable that you are going to intimidate people. You do not want that. What you want is for people to feel comfortable with you so they are open to answer your question and share anything with you. And this brings me to: be humble. In my experience as an external consultant, the people in the lower levels of the company know more detail about what is going on, but nothing will come out of their mouths if your attitude is arrogant or bossy. Be humble, and you will get a lot from people!
Keep the details to yourself
Make sure that your audit plan is not known, at least by most people. I know, at least the manager has to know you are there. But when you are there, try not to reveal your audit plan. No one should know what you are going to do step by step! Any person from Compliance or Internal Audit knows that surprise audits are key to getting information. I remember auditing a provider in Monterrey, Mexico. This company’s business line was electronic components. After we arrived, the manager in charge asked me for my audit plan. I explained to him that I couldn’t give it to him, but he would soon know what I was going to do. I started walking through the facilities. I said, “Good morning,” and kept walking. I took several things from the production line. I asked for a plastic bag in order to put what I was taking in, and they gave it to me.
After three days, the people from the production line reported that “someone” had taken material. When the manager called me to his office, I said, “This is what I took from the production line.” And he was shocked. The things I had in the plastic bag had a total value of a quarter of a million Mexican pesos. And personnel didn’t report it immediately! They even gave me a plastic bag. I said: “This is why I didn’t tell you what I was going to do. If I had said it, they would have known I was the one checking, and very likely they would have rushed to report me. By not knowing what I was going to do or who I was, they acted naturally, and they need to know that this type of situation should be reported right away! Imagine if I was a visitor? I would have easily gotten out with all these components!”
Include social media in your review. Check the company’s news on the internet. Check the names of people who you are investigating, and include Facebook, Instagram, Twitter, etc. A lot can be taken from there.
Also, go to the facilities during weekends and outside regular work hours. Check who is there, and afterward, verify with documentation (i.e., payroll and/or reports) if they are paid extra hours; this will help you to minimize the risk of labor abuses.
Document everything in detail
Check documentation versus physical things, such as my example of security risk and theft, and what personnel tell you in the interviews versus what the documentation shows (e.g., the extra hours). When an observation arises, validate it with the person. Explain what you have done and what you have discovered. In this way, you involve the person, the person has an opportunity to explain what happened, and your perception is corroborated. If your observation is right, then it is also useful for the person to be aware of what that observation could bring to his/her job and how it affects the process, the company, other people, etc.
Only after you have validated your observations with the employees involved do you present your findings to senior management.
Check all your contracts
With all the observations validated, check the contract(s) your company has with that third party. Can your observations be included in the contract as a clause? For example, you can include in the contract that there can’t be outsourcing from your provider with others, or that the facilities should remain the same. The contract should also include provisions for monitoring compliance and enforcing the contract.
Ally yourself with Internal Audit
If the provider has an Internal Audit area or Compliance area, talk to them. By getting in touch with them, you can know what the company is lacking (i.e., what have been their common observations). You can have an ally. But make sure that the talk does not influence your audit plan. Listen, take notes, but continue with your plan.
If, after you’ve completed your review, your observations coincide with what they have told you, that’s great news! It means they are effective, and you can help them by giving more voice to their observations. This is a win-win situation for all parties. But if your observations do not have anything to do with what they tell you, you have a last resource: check the external audit report. If that doesn’t coincide, you’ll have to include more revisions in your compliance program for that third party. In other words, make sure that sufficient resources are allocated to provide assurance that third-party relationships are properly managed.[2]
But it is worth it! If you don’t check what is going on with your third parties, you’ll only have a lot of paperwork: documentation that can be easily forged — documentation that may be far away from what reality is.
Conclusion
Use your knowledge of the industry and of the processes to design the control tests. Many types of tests can be done, but it is important to tailor them according to the scope of the review. Check the third parties of your supply chain before it is too late; and even if the results are positive, continue monitoring. You never know when things can change.
Takeaways
-
Observation is a key audit control. Look at the facilities, at people’s behavior. A lot of information can be taken from these sources.
-
When interviewing people, take into account your clothing. For people to be open, they need to be comfortable with you and see you as their equal.
-
Audits should be a surprise. It is fine if people know you are there, but do not share your audit plan in advance.
-
The best tests are the ones that are mixed: documentation versus physical assets, information from an interview versus documentation, etc.
-
A third party’s Compliance department or Internal Audit can be a great ally. But first make sure they are effective.