Continuous improvement can take many shapes and forms. Typically, when it comes to third-party risks, a Chief Compliance Officer (CCO) or compliance professional will consider the ownership structure to see if there is any involvement by a government official or employee of a state-owned enterprise, or a close friend or family member. There may also be inquiry into knowledge of anti-corruption legal regimes such as the Foreign Corrupt Practices Act (FCPA) and compliance programs. Other information about criminal and legal history and references, both professional and commercial, may also be required. Hopefully these indicia are reviewed and updated on a regular basis.

One thing that is generally not considered is the financial health of the third party. Such an oversight may have significant ramifications for an accurate picture of a third party. The financial health of third parties is not only a key metric but also a key due diligence tool, allowing a more robust assessment prior to contract signing and in managing the relationship after the contract has been signed.

A third party which is in a weakened financial position can come back to damage your business in a variety of ways. Obviously, a company which is under financial strain is more susceptible to cutting corners to obtain business. You can almost begin to see the fraud triangle forming at this point, and a rationalization for committing an FCPA violation forming in the mind of a third party.

But it is more than simply being open to potentially illegal conduct such as violating the FCPA to get business. James Gellert, CEO of RapidRatings, has noted, “Cyber security is, obviously, a hot topic for everybody. A company that, at the beginning of a working relationship, maybe onboarding or the due diligence procurement event, one may do a series of checks from a compliance and info security perspective and that company looks fine, it gets green lit and it comes on board as a supplier. Over time, if that company is weakening in its financial condition, the chances are likely that they are going to begin under-investing in maintaining the quality of their cyber security program. In a case like that, over time, a company partner of that firm is taking increased risks for cyber security breach, because that company is weakening but because they’re not managing the financial condition of it on an ongoing basis, they’ve missed a leading indicator of that cyber security problem and when that problem actually hits, it’s too late, it’s affecting revenue, it’s affecting reputation, it’s affecting all sorts of things.”

A database of financial health is important because “traditional risk management has focused more on protecting downside risk and detecting downside risk is being able to understand where a company or a partner exists on a spectrum of risks that can be from poor to really good, and that means a user of our data is in a position to be able to do more than just protect from a company’s failing for one reason or another, but be able to align with the strongest partners and that creates resiliency and a third party ecosystem”.

This is considering your third parties in a much broader manner, which allows a more robust assessment of their strengths and weaknesses. The financial health of a third party may tell you how well that third party will perform. Such information can be useful to you for business planning, particularly around strategic risk. Understanding the financial viability of third parties, be they traditional vendors, business partners, or even fourth parties, can help you meet your compliance requirements, maintain operational stability through the avoidance of business disruption, and support business continuity initiatives. Even better, you can cut through silos to develop risk management strategies across multiple business functions.

This moves compliance into the business process cycle, creates greater efficiencies and, at the end of the day, more profitability. This type of approach allows the compliance function to demonstrate a solid return on investment going forward. It also allows compliance to cut through many corporate silos, including such disciplines as business development, supply chain or procurement, manufacturing and finance.

Continuous improvement through monitoring of ongoing financial health is an area where technological solutions can have an impact. Understanding the financial viability of third parties can help the compliance practitioner meet the Department of Justice (DOJ) requirement to more fully operationalize a compliance program. It can also lead to greater operational stability and, with that, the ever-sought increase in corporate profitability. As compliance moves into the business process, this type of review should become part of your compliance toolkit going forward.

Three Key Takeaways

  1. What is the financial health of your third parties? Do you even know?
  2. Poor financial results can open a company to engaging in risky behavior.
  3. Financial health monitoring can be used as continuous improvement.

 

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at http://www.affiliatedmonitors.com/.

Third parties still present the highest risk around FCPA compliance. It is therefore critical that you use monitoring and auditing when it comes to continuous improvement for this high-risk area. Today I want to consider three aspects of a company’s audit program for its compliance function: the types and purpose of third-party audits, planning for third-party audits and interviewing third parties.

You should generally plan your audit four to six weeks in advance. It should be done in conjunction with your corporate legal department, with legal taking the lead to preserve the attorney/client privilege. You will need to work with the Business Sponsor to establish key business contacts and to facilitate the discussion of audit rights and the audit process with the third party. You should prepare initial document request lists for financial information queries, and review findings from previous audits and their resolutions. If there are any open or closed internal investigations, they should be similarly reviewed. Finally, if there are any related Department of Justice (DOJ) and Securities and Exchange Commission (SEC) enforcement actions in your industry, review them and be cognizant of them.

Next consider the entry points of foreign government involvement; both direct and indirect. In the direct category, there are the following areas: customs and duties, corporate taxes and penalties, social security or national insurance issues for employees, obtaining in-country visas and work permits, public official gifts and entertainment, training of and attendant travel for employees of government owned entities, procurement of business licenses and permits to perform work and, finally, areas around police escort and security. In the indirect category, some of the key areas to review are: customs agents and freight forwarders, visa processors, commercial sales agents, including distributors and, finally, those who might be consultants or other channel partners.

Document review and selection is important for this process. You should ask for as much electronic information as possible well in advance of your audit. You should ask for some of the following categories of documents: trial balance, chart of accounts, journal entry line items, financial and compliance policies, prior audited financial statements, bank records and statements, a complete list of agents or intermediaries, and revenue by country and customer. It is important to try to obtain records in database or Excel format and not simply in .pdf, so that the data can be queried, sorted and tested rather than read page by page.

When you are ready to commence your interviews, the lead interviewer needs to be culturally sensitive, patient and must negotiate a good working relationship with auditors on your team, who will be reviewing the documents from the forensic perspective. You should focus on potential interviewees who interact with government entities, foreign government officials or third parties, including those personnel involved with:

  • Business Leadership;
  • Sales/Marketing/Business Development;
  • Operations;
  • Logistics; and
  • Corporate Functions: Human Resources, Finance, Health, Safety and Environmental, Real Estate and Legal.

It is important that you conduct the audit interview as precisely that, an audit interview and not an investigative interview. This is not the time to play ‘gotcha’. The audit interview process also affords the opportunity to engage in training while you are interviewing people. For the interview topics, I suggest some or all of the following:

  • General policies and procedures;
  • Books and records pertaining to FCPA risks;
  • Test knowledge of FCPA and UK Bribery Act including facilitating payments and their understanding of your company’s prohibitions;
  • Regulatory challenges they may face;
  • Any payments of taxes, fees or fines;
  • Government interactions they have on your behalf; and
  • Other compliance areas you may be concerned about or that would impact your company, including: trade, anti-boycott, anti-money laundering, anti-trust.

Particular care should be given to the review you make around the General Ledger (GL) accounts. Here you need to review commission payments to agents and representatives, any facilitation payments, all payments around travel, meals and entertainment, payments made around training, gifts, charitable contributions, political donations and sales and promotional expenses. Payments made to customs brokers, freight forwarders and other processing agents, and for permits, licenses, taxes and other regulatory expenses, should also be reviewed. Additionally, any entries pertaining to community contributions and social responsibility payments should be assessed and, finally, a review of any security payments, extortion payments, payments to legal consultants or tax advisors, or fines and penalties should be considered.

Regarding bank accounts and cash disbursement controls, you should review the following:

  • Review controls around bank accounts and cash disbursements;
  • Identify and review authorized signers, approval levels, and bank reconciliations;
  • Ensure all bank accounts are included in the General Ledger;
  • Identify and review certain bank and cash disbursement transactions;
  • Identify offshore bank accounts.

In the area of cash funds review the following:

  • Review controls around petty cash funds;
  • Ascertain processes in place regarding disbursement and reconciliation of cash funds;
  • Identify and review payments to government officials, agents, or any unusual or suspicious activities; and
  • Identify and review certain bank transactions and test for any improper payments.

For gifts, travel and entertainment, you should explore payments made through employee-reimbursed expenses; scrutinize for any suspicious expenses submitted, expenses lacking adequate documentation and incorrect postings; and identify and review accounts associated with gifts, meals, entertainment, travel or promotion. Around payroll, consider the risks around the use of ghost employees, hiring of relatives of government employees and the use of bonus payments, and be sure to request a payroll listing and review it for any such persons.

Around training, you should determine whether your company provides industry-specific training to government entities, and review GL accounts and expenses for related items. In looking at payments under local law, you should obtain a list of payments to the government required by local laws, and identify and review payments to government authorities or employees, customs authorities or agents, income tax authorities or licensing bodies. For payments made to third parties, you should review commission and expense payments for compliance with company policy and trace each payment to the third party’s bank account on file.
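The GL, bank account, petty cash, payroll and third-party payment tests described above lend themselves to scripted analysis once the records arrive in database or Excel format rather than .pdf. What follows is an added example written for this page, not a tool from the author or any vendor named here. It runs four of those tests over a small constructed data set: a GL extract, a bank confirmation list against the GL cash accounts, a payroll listing against the HR roster, and third-party payments against the bank accounts on file in the agents’ contracts. The account names, the round-amount threshold and every sample record are assumptions made for the illustration.

```python
"""Scripted audit tests over third-party financial records (added example).

All sample data below is constructed; account names and thresholds are
assumptions, not a standard chart of accounts or any vendor's method.
"""
from dataclasses import dataclass

# GL accounts the audit singles out for line-by-line review (assumed names).
HIGH_RISK_ACCOUNTS = {
    "Commissions - Agents", "Facilitation Payments", "Travel & Entertainment",
    "Gifts", "Training - External", "Charitable Contributions",
    "Political Donations", "Customs & Freight", "Permits & Licenses",
    "Security Services", "Consultants - Legal/Tax", "Fines & Penalties",
}
ROUND_AMOUNT_THRESHOLD = 5000.0  # assumption: large round sums merit a pull


@dataclass(frozen=True)
class JournalLine:
    entry_id: str
    account: str
    payee: str
    amount: float
    support_ref: str  # invoice/approval reference; "" means none attached


def flag_journal_lines(lines):
    """Return {entry_id: [reasons]} for lines an auditor should pull:
    high-risk account, missing support, or a large round-number amount."""
    flagged = {}
    for ln in lines:
        reasons = []
        if ln.account in HIGH_RISK_ACCOUNTS:
            reasons.append("high-risk account")
        if not ln.support_ref:
            reasons.append("no supporting document")
        if ln.amount >= ROUND_AMOUNT_THRESHOLD and ln.amount % 1000 == 0:
            reasons.append("large round amount")
        if reasons:
            flagged[ln.entry_id] = reasons
    return flagged


def unrecorded_bank_accounts(bank_confirmations, gl_cash_accounts):
    """Accounts the banks confirm but the GL does not carry (possible
    off-book or offshore accounts). Inputs: (bank, account_number) tuples."""
    return sorted(set(bank_confirmations) - set(gl_cash_accounts))


def ghost_employee_candidates(payroll_names, hr_roster):
    """Payroll names with no HR record, after normalising case/whitespace
    so a formatting difference cannot hide a match."""
    norm = lambda s: " ".join(s.lower().split())
    roster = {norm(n) for n in hr_roster}
    return sorted(n for n in payroll_names if norm(n) not in roster)


def untraced_third_party_payments(payments, agent_accounts_on_file):
    """Payments whose destination account is not the one in the agent's
    contract file. payments: (payee, paid_to_account); file: {payee: acct}."""
    return [(p, a) for p, a in payments if agent_accounts_on_file.get(p) != a]


# --- constructed sample records -------------------------------------------
SAMPLE_GL = [
    JournalLine("JE-001", "Commissions - Agents", "Delta Agency Ltd", 12000.0, "INV-5531"),
    JournalLine("JE-002", "Office Supplies", "Stationers Inc", 318.40, "INV-5532"),
    JournalLine("JE-003", "Travel & Entertainment", "Grand Hotel", 9850.0, ""),
    JournalLine("JE-004", "Permits & Licenses", "Customs Broker SA", 20000.0, "INV-5540"),
    JournalLine("JE-005", "Rent", "Landlord Co", 4000.0, "LEASE-2"),
]
SAMPLE_BANK_CONFIRMATIONS = [("Local Bank", "001-22-3344"), ("Island Trust", "9900-1")]
SAMPLE_GL_CASH = [("Local Bank", "001-22-3344")]
SAMPLE_PAYROLL = ["Ana Silva", "Bo Chen", "Carl  Ruiz", "Dee Wong"]
SAMPLE_HR_ROSTER = ["ana silva", "Bo Chen", "Carl Ruiz"]
SAMPLE_AGENT_ACCOUNTS = {"Delta Agency Ltd": "001-22-3344"}
SAMPLE_PAYMENTS = [
    ("Delta Agency Ltd", "001-22-3344"),
    ("Delta Agency Ltd", "9900-1"),     # paid to an account not on file
    ("Unknown Consulting", "5555-0"),   # payee with no contract on file
]


def run_audit():
    """Run all four tests over the sample data and return the findings."""
    return {
        "journal": flag_journal_lines(SAMPLE_GL),
        "unrecorded_bank_accounts": unrecorded_bank_accounts(
            SAMPLE_BANK_CONFIRMATIONS, SAMPLE_GL_CASH),
        "ghost_employees": ghost_employee_candidates(SAMPLE_PAYROLL, SAMPLE_HR_ROSTER),
        "untraced_payments": untraced_third_party_payments(
            SAMPLE_PAYMENTS, SAMPLE_AGENT_ACCOUNTS),
    }


if __name__ == "__main__":
    for test, findings in run_audit().items():
        print(f"{test}: {findings}")
```

Each function returns the population to sample rather than a verdict: a flagged journal line, an unrecorded account or a payroll name with no HR record is what you take into the document pull and the audit interview, not a finding in itself. On a real extract, replace the constructed lists with the trial balance, bank confirmations, payroll listing and agent register obtained under the document request, and tune the account names and threshold to the third party’s own chart of accounts.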

Three Key Takeaways

  1. Start planning your third-party audit 4-6 weeks in advance of the actual audit.
  2. Use your business sponsor to help facilitate the process with the third-party.
  3. This is not a ‘gotcha’ interview but an open question and answer process where you have a golden opportunity to educate as you ask questions.


What are some of the ways to consider third party risk, management of that risk and strategic risk in a compliance program? Typically, a Chief Compliance Officer (CCO) or compliance professional will consider the ownership structure to see if there is any involvement by a government official or employee of a state-owned enterprise, or a close friend or family member. There may also be inquiry into knowledge of anti-corruption legal regimes such as the Foreign Corrupt Practices Act (FCPA) and compliance programs. Other information about criminal and legal history and references, both professional and commercial, may also be required.

One thing that is generally not considered is the financial health of the third party. Such an oversight may have significant ramifications for an accurate picture of a third party. I recently explored this issue with James Gellert, Chairman and Chief Executive Officer (CEO) of RapidRatings. His company focuses on the financial health of third parties as not only a key metric but also a key due diligence tool, allowing a more robust assessment prior to contract signing and in managing the relationship after the contract has been signed.

Gellert explained for public companies, RapidRatings reviews public filings and for private companies “we get the financial statements from private companies either from our clients or, on their behalf, directly from their third parties in a solicitation process that we’ve created”. This information allows “insight into the long term and the short term financial health of companies, and that gets worked into supply chain risk management, third party risk management, customer evaluations on the credit side and the finance side of shops, underwriting and insurance, lending and banks, investing for asset management” and a variety of other uses.

A third party which is in a weakened financial position can come back to damage your business in a variety of ways. Obviously, a company which is under financial strain is more susceptible to cutting corners to obtain business. You can almost begin to see the fraud triangle forming at this point, and a rationalization for committing an FCPA violation forming in the mind of a third party.

But it is more than simply being open to potentially illegal conduct such as violating the FCPA to get business. I asked Gellert to provide an example and he explained, “Cyber security is, obviously, a hot topic for everybody. A company that, at the beginning of a working relationship, maybe onboarding or the due diligence procurement event, one may do a series of checks from a compliance and info security perspective and that company looks fine, it gets green lit and it comes on board as a supplier. Over time, if that company is weakening in its financial condition, the chances are likely that they are going to begin under-investing in maintaining the quality of their cyber security program. In a case like that, over time, a company partner of that firm is taking increased risks for cyber security breach, because that company is weakening but because they’re not managing the financial condition of it on an ongoing basis, they’ve missed a leading indicator of that cyber security problem and when that problem actually hits, it’s too late, it’s affecting revenue, it’s affecting reputation, it’s affecting all sorts of things.”

In addition to the review of individual third parties, RapidRatings has evaluated close to 12 million company years of financial data. As Gellert stated, “This database informs the financial health rating and the core health scores that we are producing on every company that we rate”. This is important because “traditional risk management has focused more on protecting downside risk and detecting downside risk is being able to understand where a company or a partner exists on a spectrum of risks that can be from poor to really good, and that means a user of our data is in a position to be able to do more than just protect from a company’s failing for one reason or another, but be able to align with the strongest partners and that creates resiliency and a third party ecosystem”.

This is considering your third party in a much broader manner, which allows a more robust assessment of their strengths and weaknesses. The financial health of a third party may tell you how well that third party will perform. Such information can be useful to you for business planning, particularly around strategic risk. Understanding the financial viability of third parties, be they traditional vendors, business partners, inter-affiliates, or even fourth parties, can help you meet your FCPA compliance requirements, maintain operational stability through the avoidance of business disruption, and support business continuity initiatives. Even better, you can cut through silos to develop risk management strategies across multiple business functions.

This moves compliance into the business process cycle, creates greater efficiencies and, at the end of the day, more profitability. This type of approach allows the compliance function to demonstrate a solid return on investment going forward. It also allows compliance to cut through many corporate silos, including such disciplines as business development, supply chain or procurement, manufacturing and finance.

Another important aspect of what the RapidRatings approach can bring is around what Gellert termed “criticality”. He defined this as only managing those third parties which you believe are critical to your organization, either for business or risk-management reasons such as FCPA compliance. Yet this may cause “you to not monitor other areas of an organization to understand that they need to be looking at not just the critical third parties, but those in the next rung out and the next rung out and the next rung out, because all of those names really do have some impact.”

At this point many compliance practitioners might well throw up their collective hands and relate that they are already managing all the risks they can. However, this is where technological solutions, such as those provided by RapidRatings, can have an impact. Understanding the financial viability of third parties can help the compliance practitioner meet the Department of Justice (DOJ) requirement to more fully operationalize a compliance program. It can also lead to greater operational stability and, with that, the ever-sought increase in corporate profitability. As compliance moves into the business process, this type of review should become part of your compliance toolkit going forward.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2017

Today I want to look at internal controls for third parties. One of the questions that GSK faced during the bribery and corruption investigation of its Chinese operations is how an allegedly massive bribery and corruption scheme could have occurred. The dollars paid out went upwards of $500MM, which coincidentally was the amount of the fine levied by the Chinese court on GSK. It is not as if the Chinese medical market is not well known for its propensity towards corruption, as prosecutions under the Foreign Corrupt Practices Act (FCPA) are littered with the names of US companies which came to corruption grief in China. GSK itself seemed to be aware of the corruption risks in China. In a Reuters article, entitled “How GlaxoSmithKline missed red flags in China”, Ben Hirschler reported that the company had “more compliance officers in China than in any country bar the United States”. Further, the company conducted “up to 20 internal audits in China a year, including an extensive 4-month probe earlier in 2013.” GSK even had PricewaterhouseCoopers (PwC) as its outside auditor in China. Nevertheless, he noted, “GSK bosses were blindsided by police allegations of massive corruption involving travel agencies used to funnel bribes to doctors and officials.”

Where were the appropriate internal controls? You might think that a company as large as GSK, and one that had gone through the wringer of a prior Department of Justice (DOJ) investigation resulting in charges for off-label marketing and an attendant Corporate Integrity Agreement (CIA), might have had such controls in place. It was not as if the types of bribery schemes in China were not well known. In an article in the Financial Times (FT), entitled “Bribery built into the fabric of Chinese healthcare system”, reporters Jamil Anderlini and Tom Mitchell wrote about the ‘nuts and bolts’ of how bribery occurs in the health care industry in China. The authors quoted Shaun Rein, a Shanghai-based consultant and author of “The End of Cheap China”, as follows: “This is a systemic problem and foreign pharmaceutical companies are in a conundrum. If they want to grow in China they must give bribes. It’s not a choice because officials in health ministry, hospital administrators and doctors demand it.”

Their article discussed the two primary methods of paying bribes in China: the direct incentives and indirect incentives method. Anderlini and Mitchell reported, “The 2012 annual reports of half a dozen listed Chinese pharmaceutical companies reveal the companies paid out enormous sums in “sales expenses”, including travel costs and fees for sales meetings, marketing “business development” and “other expenses”. Most of the largest expenses were “travel costs or meeting fees and the expenses of the companies’ sales teams were, in every case, several multiples of the net profits each company earned last year.””

It would be reasonable to expect that internal controls over gifts would be designed to ensure that all gifts satisfy the required criteria, as defined and interpreted in Company policies. It should fall to a Compliance Officer to finalize and approve a definition of permissible and non-permissible gifts, travel and entertainment, and internal controls will follow from the definition or criteria set by the company. These criteria would include the amount of the spend, localized to reflect increased risk, such as the higher risk recognized in China. Within this context, there are four general internal controls to consider. (1) Is the correct level of person approving the payment / reimbursement? (2) Are there specific controls (and signoffs) that the gift had a proper business purpose? (3) Are the controls regarding gifts sufficiently preventive, rather than relying on detective controls? (4) If controls are not followed, is that failure detected?

Below are 10 specific inquiries you can make regarding your compliance internal controls specific to third parties.

1: Prior to entering the relationship, did management: confirm alignment with business strategy; analyze strategic risk; perform risk/reward analysis; and review its ability to provide adequate oversight and management on an ongoing basis?

2: Can the third-party’s activities be viewed as predatory, discriminatory or abusive?

3: Does your compliance regime include: policies and procedures to help manage third-party relationships; proper internal controls; training; monitoring; and auditing procedures to ensure consistent and ongoing compliance?

4: Was adequate due diligence conducted that included a review of all available information about the third-party (e.g. financial condition, reputation, knowledge of laws, complaints, operations and controls, internal controls and marketing materials)?

5: Are expectations and obligations of both the company and the third-party outlined in a written contract prior to entering the relationship?

6: Does the board of directors review and approve any material third-party relationships?

7: Does the contract outline fees to be paid, management information reports, audit rights, limits on the use of consumer information, exclusivity language, a complaint management process, the circumstances that constitute default, a dispute resolution process, and indemnification provisions?

8: Did the board initially approve the third-party relationship and does it review each significant third-party relationship on at least an annual basis?

9: Is there a process to verify the third-party’s operations are consistent with the written agreement and that risks are being controlled?

10: Does management allocate sufficient qualified staff to monitor significant third-party relationships and provide necessary oversight (and are these activities reported to the board of directors or designated committee)? What is the frequency of exceptions and how are they analyzed/documented/reported to management? When applicable, are you comparing and analyzing the third-party’s sales patterns?

Obviously, the use of third-parties can be a powerful and effective way for a business to achieve its strategic goals. This may be one of the key reasons why third-parties are still one of the leading indicia of bribery and corruption. Every compliance program should regularly review its third-party service providers and evaluate internal policies and procedures to ensure compliance.

Three Key Takeaways

  1. GSK in China continues to be an example of the lack of internal controls for an effective compliance program.
  2. General areas of review for compliance internal controls.
  3. Third parties are still the highest risk of corruption related issues.

For more information on how to improve your internal controls management process, visit this month’s sponsor Workiva at workiva.com.

 

In this episode, I visit with James Gellert, CEO of RapidRatings, a company which uses a financial dialogue to determine third party supplier health and viability. Gellert explains what supply chain resilience is and how examining the financial health of your suppliers can lead to a more financially efficient supply chain. We then discuss the company’s third party risk management tools. We consider how a company might evaluate a potential purchaser, partner or someone buying a part of a business. Finally, we have a lengthy discussion of how a corporate compliance function can use the financial health of a third party as a tool to assess third party compliance risk.

For more information on RapidRatings, see the company’s website.