Vendor Audits A Compliance Tool from a Supply Chain Angle

By Emma Hodges (Director) and Ash Klass (Senior Associate) of Forensic Risk Alliance (FRA).

Why the interest in vendor audits?
In recent years, companies have become more and more vulnerable to vendor, supplier or procurement fraud.  This is not surprising as we see fraud and corruption schemes develop in complexity and opacity.  From the days of a briefcase of cash being used to make bribe payments to government officials, to now more commonly the creation of legal and financial structures and networks, including use of dummy vendors and shell companies, to funnel money out of companies.  This shift to schemes more deeply embedded in the supply chain has an obvious impact on the supply chain function.  It is therefore increasingly important that supply chain management operates a vendor management system that not only enables efficient and effective monitoring of vendor quality, performance and spend but one that also addresses fraud and anti-bribery and corruption (ABC) compliance risks.  
One way that companies try to safeguard from these risks is by performing vendor audits.  A compliance-focused vendor audit involves gaining access to and taking a closer look at the vendor’s own books and records.  From an anti-fraud and corruption compliance perspective, the focus of a vendor audit will be on the vendor’s books and records in key business risk areas and on particular accounting areas that experience demonstrates are often used to record or disguise improper transactions.  
In recent years, performing compliance-focused vendor audits has become best practice across a wide range of industries, and particularly in the logistics space where third-parties are often engaged to perform services on behalf of companies.  Such situations have historically resulted in companies getting into hot water where third-parties have made bribe payments on their behalf.  Vendor audits are generally considered an effective way to demonstrate and evidence that a company is maintaining careful oversight of third-party relationships and upholding a high standard of controls and procedures from an ABC compliance perspective.  
Companies may undertake a vendor audit for a variety of reasons, including:
As part of a vendor selection process
Where there have been allegations of misconduct or overbilling by the third-party; 
Determining whether to renew vendor contracts 
As a proactive measure to determine whether third-parties are abiding by ABC legislation and contract clauses 
Periodic review of suppliers as part of a company’s internal controls framework  
Oftentimes, an independent forensic accounting firm will be engaged to conduct vendor audits.  Their audit will involve reviewing the vendor’s policies and procedures, financial books and records, sample high risk transactions as well as interviewing key employees of the vendor. 
How does this impact the supply chain function?
As companies are increasingly encouraged from a compliance risk perspective to strengthen their management of third-party relationships, supply chain management can do its part to assist, including:
- Obtaining certifications from third-parties of compliance with ABC clauses
- Conducting regular interviews with the suppliers’ management team to understand their compliance protocol
- Considering whether new and re-negotiated agreements with third-parties include appropriate ABC clauses and right-to-audit clauses
- Being alert to and identifying situations where a company may wish to exercise its right-to-audit third parties 
We often consider that supply chain forms one of the key lines of defence when it comes to ABC compliance.  As one of the main functions responsible for managing relationships with vendors, the supply chain is well positioned to identify potentially problematic situations (from a compliance perspective) as regards to vendor activities.   
With the right training and support, supply chain management should be empowered to perform an ongoing monitoring function and be able to flag up anomalies in supplier spend and behaviour.  Potential red flags to be aware of may include:
Advance payments
Cost overruns / request for additional payments
Low level of detail provided on invoices and expenditure
Constant changes to billing details / requests for payments to offshore accounts
Payments to parties different to the supplier
Change in the quality of supply
Changes in ownership
Where supply chain management can identify and report any such red-flags to a company’s compliance function, it provides an opportunity to consider whether a vendor audit should be initiated.
In terms of conducting a vendor audit, the ease at which vendor documentation (contracts, invoices, schedules) is made available to the audit team directly affects the efficiency of conducting the audit.  Supply chain management can help by ensuring that it maintains its own records relating to vendors in good order.
Additionally, qualitative information provided by the supply chain management team, relating to the relationship with the vendor, roles and knowledge of key individuals of the vendor, etc, is often very helpful to the audit team.  Therefore, the supply chain team often serves as a valuable starting place for informational meetings held by the audit team.
In summary
For companies to have the option to initiate a vendor audit, it is important to have appropriate ABC and right-to-audit clauses in contracts with third-parties.  Where possible, consider including specifics regarding the files and documentation allowed to be accessed in the event that a right-to-audit clause is exercised as well as identifying who is entitled to access the information (i.e.  the company’s employees, management and/or third party consultants).  Companies should seek legal advice regarding appropriate clauses to include. 
Vendor audits form a major part of a company’s outward compliance messaging.  Undertaking vendor audits demonstrates that the company values transparent and compliant behaviour and the supply chain team can really help reinforce this outward messaging through all of its interactions with third parties. www.forensicrisk.com