Over the last couple of years, supply chain risk has become a key concern for the U.S. government. In December last year, for example, the U.S. Senate passed the Federal Acquisition Supply Chain Security Act of 2018, which contains powers to establish a security council specifically charged with supply chain risk. Further legislation with ramifications for supply chain management — such as the Manufacturing, Investment, and Controls Review for Computer Hardware, Intellectual Property, and Supply Act — has been tabled at a federal level. The hazards are many, but all point to a recognition that with increasing globalization and digitalization, supply chains have become longer, less transparent, and open to a range of threats. That means a business anywhere in the chain with weak security and controls is a potential target.
“Supply chain risk is a huge issue in the U.S. right now,” says Dan Shoemaker, director of the Master of Science in Information Assurance Program at the University of Detroit Mercy Center for Cyber Security and Intelligence Studies. He says it came to the attention of the U.S. government over fears that Chinese malware was turning up in U.S. military equipment. The risk with purchasing software is that vendors never give buyers the source code because of their need to protect intellectual property. So, companies effectively buy most software blind.
Shoemaker says this exposes organizations that build and use complex systems to two key risks: 1) malware can be injected into components at the bottom of the supply chain where transparency tends to be lowest; and 2) poor-quality counterfeit products can slip into a system because of cost-cutting pressures.
“This is the frontier in supply chain risk — we have systems built on top of systems that have all been built by mysterious people, and we have no idea who they are, and we often have no idea of how secure they are,” Shoemaker says. He adds, half-jokingly, if he were a country that wanted to take over the world, he would set up shop as a cut-price programming shop. “Everything I sent up the process ladder would have a killer piece of software in it that basically said, ‘When I push the button, I’ll take over the world,’” he says. “That would be easy to do because unlike other things, we just buy software without carefully looking at the ingredients.”
Internal auditors can suggest processes to reduce such supply chain risk, he says, and insist their organizations follow procedures established by the U.S. National Institute of Standards and Technology (NIST), such as NIST SP 800-161, which deals specifically with IT procurement and supply chain management, as well as International Organization for Standardization (ISO) standards such as the ISO 27000 family, which deal with information security.
“Installing a standards-based process will help you understand what you are buying, because you can demand to see everything that is going on at any level of the supply chain,” he explains. “It will be documentation — not a physical examination of the actual activity — but that documentation will not be available otherwise.”
In fact, supply chain documentation is often ignored or badly managed by the purchasing organization. Without a solid understanding of the contracts upon which agreements to buy are based, organizations run the risk of being arbitrarily overcharged by suppliers.
“Once signed, a shrewd supplier will hand the contract to their commercial department to start drafting claims against you while the ink is still wet,” Christopher Kelly, partner at Kelly & Yang in Melbourne, Australia, says. Complex supply chains that entail huge, ongoing projects subject to multiple amendments can be daunting, but internal auditors typically can get to grips with the structure of their supply chains by mapping them. That helps flush out conflicts of interest between related-party companies, directors, and shareholders who may sit on both sides of a procurement deal, and it also reduces the risk of, for instance, overhead costs being compounded within the project.
Contract agreements can be voluminous and take effort to digest, so internal auditors who put in the hours have a fighting chance of helping their organizations manage them because each contract effectively builds its own distinctive rules around costs, profits, and target parameters, Kelly says. Failing to understand the contractual intricacies is the No. 1 mistake internal auditors make, he adds. Internal auditors trained in financial accounting, for instance, cannot assume that they will be able to apply Generally Accepted Accounting Principles to any items of expenditure. IT costs allowable under the contract as a direct cost, for example, may already be included in the overhead rate. Accruals may or may not be allowed. Only the contract’s terms will make the correct treatments clear.
If the organization and its internal auditors are on top of their contracts, however, data mining and analytics become a powerful way of validating the costs charged against those allowed under the contract. That requires attention to detail. Keyword searches for entertainment, gifts, parties, or rework because of the supplier’s mistakes can expose multiple errors, duplications, and advance charges, for instance. Cost analysis also reduces the risk of organizations being charged up front by the supplier for work not yet completed and then the supplier going out of business.
“When the internal auditor does his or her job well, the cost recoveries are amazing,” Kelly says. The biggest recovery he achieved was about $9 million. “I didn’t get a bonus, but it got me noticed,” he says. “And as an auditor wanting to advance in his or her career, that’s not a bad thing.”
Outside of the contract terms, changing the manager on the buyer side of the contract can be disastrous. On one audit, Kelly found that while the supplier had used the same manager on the project for 10 years, there were frequent changes to management personnel at the buying business. “The contractor was running rings around the buyer with unbudgeted charges, and when I asked for the contract, I was shown a heap of boxes and told, ‘We think it’s in there,’” he recalls. “It’s vital to keep continuity of knowledge when managing large-scale projects.”
2019 Supply Chain Trends
The five themes impacting supply chains most in 2019:
- Revision of the Minimum Security Criteria under the U.S. Border Protection’s Customs-Trade Partnership Against Terrorism (CTPAT).
- Supply chain growth in Africa, which increases exposure to risks.
- Ongoing mass migration, which poses both security and corporate social responsibility risks.
- Dramatic shifts in politics, such as elections in Brazil, the U.S.-China trade dispute, and uncertainty over Great Britain’s departure from the European Union.
- The continued threat to supply chains posed by cybersecurity issues.
Source: BSI’s Supply Chain Risk Insights 2019 report.
New supply chain risks are not as easy to detect and deal with. “We’re seeing key shifts to global supply chains this year, driven by quite dramatic changes in the geopolitical landscape,” said Jim Yarbrough, global intelligence program manager at BSI, the business standards company, at the launch of a new report this year (see “2019 Supply Chain Trends” on this page). “The concern is that as supply chains change — with Chinese companies moving operations to Africa, for example, or the U.S. sourcing goods from other Southeast Asian nations — major implications will also evolve.”
Rapid change requires a flexible strategy from internal audit teams. “It is important to look at the supply chain through the lens of risk and resilience,” Jonathan Eaton, practice leader in Grant Thornton’s National Supply Chain Practice in Charlotte, N.C., says. “That means digging into the operating model to identify the potential failure points.”
Internal auditors can do that by using a Six Sigma tool called failure mode and effects analysis (FMEA), for instance, or a host of other tools. But, he says, the question they need to address is, “In your unique business model and industry, what are the failure modes within your supply chain that can hurt your business?” Eaton says that’s something audit leadership will ultimately need to determine. “The buck stops with the chief internal audit executive on this,” he says. “If he or she knows that a business could be vulnerable within the supply chain, but does not know where, when, or why, then he or she must take action to find out. A deep dive into the processes using FMEA is a great place to start.”
Internal audit leaders need to ensure they are positioned as a trusted advisor to the business; otherwise, helping the business deal with supply chain risk is going to be virtually impossible.
“You have to be able to proactively track, manage, and measure risk,” he says. “But nobody has a silver bullet that is going to deal with all of the possible combinations of risk that can arise. That is why having a good relationship with the business is important for internal auditors, because the people who manage the supply chain have to be forthright with internal audit about what the risks are and the triggers that make them real.”
This task recently has become more difficult. Many companies have expanded their business and sales through the use of multiple sales channels, and they often have not reconfigured their supply chains to deal with the range of new platforms or delivery requirements that are in play. Managing risk in the supply chain in this scenario becomes a way of protecting against the potential erosion of profitability, says Eaton, and internal audit needs to have an in-depth knowledge of the business’ operations to be able to truly assist the organization in this area.
He sees the ability to track, manage, and measure risk as internal audit’s central role when it comes to supply chain resilience — particularly because those processes should be aligned to the biggest financial supply chain risks the business faces. Eaton describes robotic process automation (RPA) as a brilliant tool once audit understands the business’ failure modes and its strategy for tracking, managing, and measuring risk. RPA deals with high-volume, repetitive processes, so it can continually scan supply chain transactions in real time and be programmed to alert for weaknesses and red-flag events. He says too few businesses have made this move. “Internal auditors can introduce thought leadership into an organization in this area by bringing in these advanced technologies to mitigate the risk and build supply chain resilience,” he adds. But he also warns that an overdependence on technology and analytics can equally make internal audit blind to the more complex interrelated risks in the supply chain. For supply chain technology to work well, it needs to be aligned strategically with the business’ objectives for supply chain risk management.
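The cost analytics Kelly describes earlier (keyword searches for entertainment, gifts, parties, and rework; duplicate and advance charges; direct costs already covered by the overhead rate) and the continuous transaction scanning Eaton refers to above both come down to the same thing: a set of rules run over the invoice ledger, whether once in an engagement or on a schedule against new transactions. The following Python screen is an added example, not code from the article or from any of the firms quoted, and everything in it is an assumption: the invoice records are constructed, the disallowed-cost keyword list and the "already in the overhead rate" cost types stand in for terms a real contract would define, and the rule names are made up for illustration.

```python
"""Rule-based screen of supplier invoice lines for contract-cost red flags.

Constructed example: the records, keyword list and contract parameters below
are hypothetical. Each rule returns (invoice_id, rule, detail) tuples and
screen_invoices() combines them, so the same logic can run as a one-off
audit analysis or be scheduled to scan newly posted transactions.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class InvoiceLine:
    invoice_id: str
    supplier: str
    invoice_date: date
    amount: float
    description: str
    cost_category: str               # "direct" or "overhead", as billed
    work_completed: Optional[date]   # None = milestone not yet signed off


# Hypothetical contract terms (assumptions, not from any real contract).
DISALLOWED_TERMS = ("entertainment", "gift", "party", "rework")
COSTS_IN_OVERHEAD_RATE = ("it services", "office supplies")

Finding = Tuple[str, str, str]


def flag_disallowed_keywords(lines: List[InvoiceLine]) -> List[Finding]:
    """Descriptions containing terms the contract does not allow as costs."""
    out = []
    for ln in lines:
        hits = [t for t in DISALLOWED_TERMS if t in ln.description.lower()]
        if hits:
            out.append((ln.invoice_id, "disallowed-keyword", ",".join(hits)))
    return out


def flag_duplicates(lines: List[InvoiceLine]) -> List[Finding]:
    """Same supplier, amount and whitespace-normalised description billed twice."""
    seen = {}
    out = []
    for ln in lines:
        key = (ln.supplier, round(ln.amount, 2), " ".join(ln.description.lower().split()))
        if key in seen:
            out.append((ln.invoice_id, "duplicate-of", seen[key]))
        else:
            seen[key] = ln.invoice_id
    return out


def flag_advance_charges(lines: List[InvoiceLine], as_of: date) -> List[Finding]:
    """Invoiced before the work was signed off, or with no sign-off at all."""
    out = []
    for ln in lines:
        if ln.work_completed is None:
            out.append((ln.invoice_id, "advance-charge", "no completion sign-off as of %s" % as_of))
        elif ln.invoice_date < ln.work_completed:
            out.append((ln.invoice_id, "advance-charge",
                        "invoiced %s, completed %s" % (ln.invoice_date, ln.work_completed)))
    return out


def flag_double_counted_overhead(lines: List[InvoiceLine]) -> List[Finding]:
    """Cost types the overhead rate already covers, billed again as direct costs."""
    out = []
    for ln in lines:
        if ln.cost_category == "direct" and any(
                t in ln.description.lower() for t in COSTS_IN_OVERHEAD_RATE):
            out.append((ln.invoice_id, "overhead-double-count", ln.description))
    return out


def screen_invoices(lines: List[InvoiceLine], as_of: date) -> List[Finding]:
    """Run every rule and return the findings sorted by invoice id."""
    findings = (flag_disallowed_keywords(lines) + flag_duplicates(lines)
                + flag_advance_charges(lines, as_of) + flag_double_counted_overhead(lines))
    return sorted(findings)


# Constructed sample ledger: one supplier, one month of billing.
AS_OF = date(2019, 3, 31)
SAMPLE_LINES = [
    InvoiceLine("INV-1001", "Acme Build Co", date(2019, 3, 4), 12500.00, "Steelwork phase 2 milestone", "direct", date(2019, 2, 28)),
    InvoiceLine("INV-1002", "Acme Build Co", date(2019, 3, 4), 12500.00, "Steelwork  phase 2 milestone", "direct", date(2019, 2, 28)),
    InvoiceLine("INV-1003", "Acme Build Co", date(2019, 3, 10), 2300.00, "Client entertainment - site opening party", "direct", date(2019, 3, 9)),
    InvoiceLine("INV-1004", "Acme Build Co", date(2019, 3, 15), 48000.00, "Electrical fit-out phase 3", "direct", None),
    InvoiceLine("INV-1005", "Acme Build Co", date(2019, 3, 20), 6100.00, "Rework of defective welds", "direct", date(2019, 3, 18)),
    InvoiceLine("INV-1006", "Acme Build Co", date(2019, 3, 22), 900.00, "IT services for site office", "direct", date(2019, 3, 21)),
    InvoiceLine("INV-1007", "Acme Build Co", date(2019, 3, 25), 5000.00, "Project management March", "overhead", date(2019, 3, 31)),
]

if __name__ == "__main__":
    for invoice_id, rule, detail in screen_invoices(SAMPLE_LINES, AS_OF):
        print("%s  %-22s %s" % (invoice_id, rule, detail))
```

Of the seven constructed lines only INV-1001 passes clean: INV-1002 repeats it with nothing but an extra space in the description, INV-1003 and INV-1005 trip the keyword rule, INV-1004 and INV-1007 are billed ahead of sign-off, and INV-1006 bills as a direct cost something the overhead rate already covers. The rules are deliberately simple; the value, as both Kelly and Eaton stress, comes from deriving the terms and parameters from the actual contract rather than from a generic list.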
Supply chains are also open to bribery, corruption, money laundering, and human trafficking risks. More recently, sanctions have become a pressing issue as the trade war between China and the U.S. gathers pace, and the Trump Administration applies pressure on its allies to keep its sanctions against Iran effective, for instance. The Office of Foreign Assets Control, the U.S. sanctions watchdog of the Department of the Treasury, has been increasing its activity in this area.
“Corporations need to make sure they understand the risk in their supply chain if they want to avoid being caught in the crosshairs,” says Samar Pratt, managing director of Exiger, a global governance, risk, and compliance business in London. But she warns that the boundaries between different types of risks can be porous. “If people want to evade sanctions, they will lie — which is where sanction risk crosses over into potential fraud,” she says.
Internal auditors should expect their organizations to do solid due diligence checks, she says. “While there is only so much a firm can do, as long as it can demonstrate it is taking a risk-based approach to its due diligence, it will help the organization demonstrate to internal audit it is taking appropriate steps. As part of this process, organizations are increasingly using artificial intelligence-powered, automated due diligence technology to detect red flags while onboarding new suppliers, or to monitor third parties on an ongoing basis.” Other methods include looking at the countries where raw materials are coming from, for instance, and, potentially, where the risk warrants it, sending people to those countries to ask questions on the ground.
“The due diligence needs to be proportionate to the risk and reflect the risk appetite of the organization,” she adds. While internal auditors are not specialists in investigating fraud in the supply chain, IIA standards require them to look for fraud indicators. If found, internal audit is likely to refer those issues to the organization’s fraud or financial crime team and possibly the legal team. Pratt says internal audit’s follow-up role is frequently overlooked. That involves coming back in post-investigation to examine what went wrong in the supply chain and add significant value to the business by focusing on the lessons learned and whether controls need to be strengthened.
Making an Impact
While the direct impact of mishandling a contract or breaking a government sanction can be significant, the reputational damage can be equally long-lasting and harmful. And as geopolitical risk increases and digitalization gathers speed, supply chain resilience is likely to become even more important. It is a difficult area for internal auditors to master. Doing so requires wide-ranging knowledge of different types of contracts, the business, and its supply chain structure — as well as keeping up to date with fast-changing threats. But the rewards can be great. Internal auditors who can play a central role in helping their organizations build robust supply chains will enable them to compete globally and successfully integrate new products and services into their offerings.