Third parties are becoming increasingly important to succeeding in today’s complex business environment. Many organizations are assessing their core strengths and turning to a diverse range of outside organizations where specialist capabilities are required. While such relationships can give organizations a competitive advantage, they also can impact their reputations.
Like all business relationships, trust is integral in working with third parties. Internal auditors can help their organization ensure that trust is fostered and maintained. Moreover, they can assess whether the organization has established effective processes to support its third-party relationships.
A History of Setbacks
Using third parties has its risks. Choosing a partner and determining the type of contractual arrangement to put in place can be difficult because of the range of options available (see “Third-party Relationships and Impacts” at right).
Once chosen, there is no guarantee that the third-party relationship will succeed. There are numerous examples where the actions of third parties have significantly damaged the reputation and financial strength of the contracting organization. In these instances, competitors press their advantage.
TSKJ
A joint venture formed by the U.S.’s M.W. Kellogg Co. (now known as KBR), France’s Technip, Japan’s JGC, and Italy’s Snamprogetti, TSKJ won four contracts worth more than $6 billion between 1995 and 2004 to design and build liquefied natural gas facilities on Bonny Island, Nigeria. None of the participants had a majority stake in the joint venture. TSKJ reportedly used agents to bribe Nigerian government officials, and the U.S. Securities and Exchange Commission (SEC) initiated the case in 2009. The SEC declared that each joint venture partner had culpable knowledge of the payments because senior executives from each company, including some who were serving on the TSKJ steering committee, participated in meetings where the bribery was discussed.
The four companies paid a combined $1.7 billion in civil and criminal sanctions for the decade-long bribery scheme. These included $365 million paid by Snamprogetti and its parent company ENI, $338 million paid by Technip, and $579 million paid by consortium leader KBR and its former parent Halliburton.
The nonfinancial impacts in this case included reputational damage and criminal charges against current and past joint venture parent employees. KBR’s U.S. Foreign Corrupt Practices Act (FCPA) violations carried over as successor liability after Halliburton acquired KBR in 1998. These were based on books and records violations and Halliburton’s lack of post-acquisition vigilance. On the financial side, the FCPA and U.K. Bribery Act investigations affected share price and capitalization for all the companies.
Supermarket Cyberattack
In 2013, a cyberattack on a U.S. supermarket chain impacted an estimated 40 million customer debit and credit cards. A phishing attack was used to compromise a third-party vendor and, through it, gain access to the company’s network. The chain suffered significant reputational damage. The cost of the breach was an estimated $202 million, and the chain paid $18.5 million to settle legal claims by 47 states.
Food Contamination
In January 2013, news outlets reported that foods advertised as containing beef contained undeclared or improperly declared horse meat — as much as 100 percent of the content in some cases. This was first discovered by the Food Safety Authority of Ireland, which found horse DNA in frozen beef burgers sold in several Irish and British supermarkets. Investigations uncovered complex supply chains — one involved eight separate vendors and traders across five European countries. The supermarkets lacked visibility across the supply chain and did not have suitable controls to verify the end product.
The supermarkets’ reputations suffered significantly, with financial repercussions as well. A U.K. House of Commons report stated, “The evidence suggests a complex network of companies trading in and mislabeling beef or beef products, which is fraudulent and illegal.”
The Importance of Audit Planning
Third-party trust features in most audit plans, whether as part of a broader review, as a review of the third party itself, or as a holistic audit of the third-party governance framework. Understanding the organization’s risk profile and supply chain, and benchmarking against a third-party governance framework, can help internal audit address the correct risks, prevent adverse outcomes, and add value to management. Whether auditing individual activities or an entire third-party governance framework, auditors can compare them with the elements of the “Third-party Governance Framework” below to identify improvement areas.
With a vast range of partnership structures and operations across industries, implementation of a governance process can be challenging. Risk management within trust relationships will depend on the nature of the relationship, including level of influence, ownership/management control, and the third parties’ appetite for control monitoring and risk management. Questions to ask include:
- Is the organization able to perform the service in-house?
- Has the organization performed appropriate due diligence before third-party engagement?
- Has the organization prioritized and ranked its third-party relationships according to risk?
- Has the organization selected the correct type of third-party relationship, such as an alliance, joint venture, or contract?
- Will the third party represent the organization effectively and align with its culture?
- Does the third-party contract include an audit clause?
Audit objectives include:
- A clear vision and third-party strategy for service delivery.
- Consistent third-party governance structure design.
- A risk stratification model.
- Due diligence procedures, including cultural alignment.
- Design and use of a risk-based, standard contract template.
Internal audit typically perceives the execution phase as having the most direct impact on performance. Auditors should assess whether there are processes to support working with third parties to achieve shared objectives. Audit questions include:
- Is there clear stakeholder and role definition for all aspects of the contract life cycle?
- Do all of the relevant personnel have the appropriate knowledge, skills, and experience?
- Are established performance metrics based on identified risks?
- Is cultural alignment continually reinforced?
- Are technology and data being used as effective enablers to manage the relationship?
- Does the provision of information between partners comply with antitrust requirements?
Audit objectives include:
- Timely identification and resolution of issues.
- Effective performance management throughout the contract life cycle.
- Timely, accurate, and transparent third-party reporting.
- A joint culture of continual improvement within the organization and the third party.
Third-party assurance often focuses on how the third party is directly managed. It also is important to understand how it is monitored and assessed. In large, complex organizations, this involves understanding how responsibilities are split between the first and second lines in the three lines of defense.
The audit also must consider how management uses data to ensure effective monitoring. Organizations often generate significant volumes of complex data but do not always use it effectively. Auditors should ask:
- Have key risks been factored into third-party assurance?
- What level of assurance is required and can third-party assurance reports be used?
- What assurance is provided by the second line of defense?
- Have data-based key performance indicators (KPIs) and red flags been identified? Are they continually monitored, with management taking action where poor performance is identified?
- Does the third party have effective assurance mechanisms?
Audit objectives include:
- Risk-based assurance model.
- Scope covering end-to-end third-party risks, such as subcontractors.
- Analytically driven contract compliance program.
- KPI-based dashboard reporting, including red flags.
During the monitoring stage, internal audit should look for warning signs and check whether management is identifying and taking action on red flags. Examples include:
- Safety: safety incidents, a high number of recordable injuries, and significant audit findings.
- Performance: missed KPIs, disrupted service, and poor third-party governance.
- People: high turnover, poor culture and tone at the top, and reduced capacity and capability.
- Information: data leaks, bad press, and regulatory breaches.
To achieve effective third-party relationships, areas for improvement must be identified, communicated, and resolved so problems do not escalate. Management and assurance activities often overlook this phase. Improvement should be continual and can be applied to individual third parties and the overarching governance framework. Internal audit should assess whether this is being undertaken by asking:
- Are contract managers sufficiently trained to embed continual improvement?
- Are issues used to drive improvement actions?
- Is the effectiveness of the framework monitored through the use of portfolio-based metrics?
- How often are the overarching process controls reviewed?
- Are third-party outcomes routinely successful?
Audit objectives include:
- Improvement actions are routinely implemented.
- A joint culture of continual improvement is in place.
- The third-party governance framework is systematically evaluated and improved.
Collaboration, communication, and engagement are key to sustaining third-party relationships. Key principles for sustainable success are:
- Establish strong leadership and sponsorship.
- Involve third parties early.
- Develop agreements that include two-sided incentive plans.
- Identify continuous improvement opportunities.
- Align benefit realization to strategic objectives.
- Collaborate on product and service design.
- Engage in joint process improvement.
- Integrate systems and apply technology effectively.
- Establish shared KPIs focused on outcomes.
Third parties can expose an organization to significant risk and adverse consequences for its objectives. Implementing and assessing a governance framework will maximize the opportunity to achieve strategic objectives jointly.
Risk management and internal audit should be active in third-party governance, from thought leadership and support during strategy development to controls monitoring, execution of third-party audits, and follow-up. The right audit and risk process will include careful definition of risk exposures and the implementation of risk performance criteria and monitoring. Continuous monitoring throughout the process will help ensure appropriate oversight of, and ultimately comfort with, third parties.