By Douglas Small, Capstone Advisory Group, and Reagan Demas, Baker & McKenzie LLP
With the increased scrutiny on third party relationships from U.S. and foreign regulators, a company’s right to audit the books and records of its third party vendors, agents and other business partners is paramount. Audit rights are often touted as critical components of any compliance program, but they can also be burdensome to all parties involved. For a third party forced to open its books to scrutiny, they are an intrusive and time-consuming prerequisite to doing business with global companies critical to their survival. For the company that wishes to manage its third party partners, audit rights are a challenge to negotiate and an increasing burden on internal financial and human resources when exercised. Are audit rights practical and at all effective in today’s business environment? In this article, we will explore the impact of audit rights on both a company and its third party vendors, as well as how global companies can exercise audit rights in an effective and efficient manner with minimal disruption to both the third party and the company’s bottom line.
Audit Rights Today
Audit rights come in many forms and can be industry specific, but the primary purpose is the same: to provide a company with a process to ensure that the agreed upon goods or services are being delivered as described under the terms of the agreement. Audit rights can be found in a variety of places, including on the back of purchase orders, in operating agreements and within other governing legal documents. Today, most companies have standard agreements with their third parties that have explicit language concerning the right to examine the books and records to ensure compliance with those agreements and, more recently, compliance with anti-corruption laws, including the Foreign Corrupt Practices Act (“FCPA”) and the newly enacted UK Bribery Act (“UKBA”). Audit rights for compliance with the operating agreement often directly benefit the company’s bottom line as findings typically ensure the appropriate funds are being exchanged for defined goods or services. The financial value derived from a review of books and records to ensure compliance with anti-corruption regulations is less clear, and in many circumstances such audits require additional investment of human and financial resources not directly recovered in the audit’s findings. However, history has shown that managing and remediating compliance risk with third parties on the front end is far less expensive than investigating issues after a whistleblower brings matters to light or regulators come calling.
Compliance with Operating Agreements
Enacting the audit right provision for operating agreement compliance is commonplace in many industries. For example, in the oil and gas industry, the third party audit of joint venture partners, drilling companies and engineering companies is a frequent occurrence and parties to applicable agreements know what to expect. These large companies have teams of auditors going from company to company, ensuring that each party is operating the joint venture in accordance with applicable agreements and under appropriate accounting guidelines. In other industries or operations in emerging markets, where third parties are less familiar with the audit right process, these engagements can be more challenging and sometimes virtually impossible to conduct. Sometimes a third party is reluctant to provide access to its books and records, even though the audit right clause in the agreement requires it to do so. Even those third parties that allow the audit to be conducted often limit on-site access to records, personnel and time, thus diminishing the effectiveness of the audit.
Compliance with Anti-Corruption Laws
It’s one thing for a vendor or third party to allow access to its books and records to determine if they are providing goods and services in accordance with an agreement. Such records are usually finite in nature and are normally separated in the accounting records by a project code, vendor number or other identifier allowing the third party to easily provide records relevant to the company. The right to review records to determine whether an improper payment was made to a foreign government official entails a far wider scope of review.
The Nuts and Bolts of Negotiating Audit Rights
Audit rights are an important part of a company’s compliance “insurance policy.” In the event of an allegation of impropriety, you will be expected to be able to access and review all records relating to your activities, including those records held by agents, distributors, and other intermediaries.
Negotiating effective audit rights in contracts with third parties can be challenging. Many third parties don’t want them at all; others want them watered down to be practically non-existent. How hard should a company push to include audit rights in agreements, and what are the critical elements to include?
There are many ways to negotiate practical audit rights provisions to allay concerns by the third party while still maintaining the company’s right to access the information it needs. One of the more common concerns third parties express relates to privacy considerations. Companies can alleviate such concerns by agreeing to sign a confidentiality agreement prior to the audit, and agreeing to review records in accordance with all applicable laws (e.g., not review personnel files or other documentation that may contain personal information). Companies may also need to agree to abide by other existing agreements or confidentiality obligations the third party may have in place with other customers.
Other concessions may be required by the third party, many of which can be agreed without inhibiting the integrity of the audit rights provision. A company can require reasonable notice be given to the third party prior to an audit, and agree that the company will cover all costs associated with the audit. In certain circumstances a company can agree not to copy or remove any documentation from the third party’s offices, or limit the time allotted for the review. In the latter instance, be sure the time allotted is more than sufficient for a complete review of the anticipated volume of records.
In addition, some third parties may ask that the audit provision only allow for an audit under certain circumstances (e.g., when an investigation by authorities is launched or an allegation of impropriety is raised). While some limitation can be negotiated, companies should be certain that their right to audit is broad enough to cover all anticipated circumstances. For instance, audits only in the event of subpoena are ineffective in the compliance arena because internal investigations are often required prior to disclosure to or involvement of regulators. Limitation of compliance audit rights to instances where warranties or other terms in the agreement are alleged to have been breached can be effective in certain circumstances where the third party balks at broader rights language. Agreement that only “material” breach will authorize an audit is not advised in part because, unless the term is clearly defined in the agreement, the two parties’ definition of “materiality” can differ substantially. Many third parties ultimately insist on reciprocal audit rights, so companies must negotiate these provisions with an eye towards limiting the possibility of those terms being used as a harassment tool against the company in the future.
Finally, the scope of materials to be audited can be a sticking point in negotiations. In many instances, a third party will work to limit the scope of the audit to selected information relating to compliance with the contract’s basic terms and conditions. Limiting audit rights to price, delivery, and other basic terms effectively guts the provision from a compliance perspective and is not advised. It is important that the company be able to access all financial records relating to the company, particularly details of cash disbursements. Similarly, in the context of a JV, try to include the right to audit the books and records of the partner entity as they relate to the JV and not just the right to audit the books of the JV itself. These scoping discussions must be undertaken before the contract is signed, not at the time an allegation of impropriety is raised.
When and Where to Audit:
Determining which third parties warrant the attention of an audit differs for each company based on its appetite for risk. Companies that do business in industries with a history of government enforcement action know the risks and understand that a low risk appetite will serve them well in the long run. Other organizations, whose exposure to regulatory bodies is limited, may be more amenable to risk and less willing to spend time and financial resources engaged in the compliance audit process. In order for such companies to gauge risk and make informed choices regarding when to negotiate, implement or exercise audit rights over third parties for compliance issues, they must first conduct a risk assessment to determine which third parties to review, and under what circumstances to conduct these reviews. An appropriate risk assessment should be mapped out in advance and will differ from company to company, but any risk assessment should include three key factors when determining where and when to deploy compliance (and audit) resources:
- Nature of Third Party Relationships
The geography in which a company operates plays an important role in assessing compliance risk. Companies succeeding in today’s global market environment are doing so often by way of expansion into the fast-growing economies of emerging markets. It has been well documented that doing business in Brazil, Russia, India and China (commonly referred to as the “BRIC” nations) comes with a heightened degree of corruption risk. This is due in part to the high number of state owned businesses operating in these regions. Of the 13 actions filed by the Securities and Exchange Commission (“SEC”) in 2011, four related to improper payments to officials in China to obtain business from state owned entities (Watts Water Technologies, Rockwell Automation, International Business Machines and Maxwell Technologies). Beyond the BRIC nations, areas such as Africa, Latin America and even parts of the European Union pose significant risk of bribery and corruption. Any mapping of risk and determination of when to exercise audit rights should consider the nature and prevalence of compliance risk in the geographic region.
Nature of Third Party Relationships
In assessing any third parties to be audited, certain relationships are considered to pose higher risks than others. This, of course, depends on how each individual company uses its third party network. Many companies use third party sales and marketing agents to sell their products to customers, while others rely on distributors and resellers to channel their products through the supply chain. Once items are sold, logistical third parties, such as freight forwarders and customs brokers, are used to move products across oceans and borders to their final destination. Utilization of these third parties is critical to the success of any organization, but history has shown that use of these types of third parties can increase the likelihood that improper payments will be made to officials. Over the past two years, the Department of Justice (DOJ) and the SEC have brought numerous actions against companies for actions of their associated third parties including Panalpina, Daimler, Alcatel-Lucent, Johnson & Johnson, ABB Ltd, Innospec, Alliance One, Diageo and Maxwell Technologies. These actions resulted in combined settlements in excess of $770 million paid to the SEC and DOJ. Simply put, the vast majority of FCPA cases before the U.S. government today relate to improper activities of third parties. Companies are therefore wise to carefully assess the risk of their specific third parties and structure their compliance audits to ensure highest-risk third parties are audited with greater thoroughness and frequency.
The financial cost of conducting compliance audits of third parties can be significant and internal audit departments are always seeking to leverage their limited human and financial resources and get the most “bang for their buck” in setting an audit schedule. In determining an audit schedule, many companies mistakenly base this decision strictly on revenue, turnover, or another monetary metric. Though it makes sense that the “most” risk could be correlated with the “most” money, in the area of anti-corruption compliance this is not always the case. The FCPA does not have a materiality threshold so financial exposure should not be viewed in its traditional light. A company that has three third parties that have received $2M in payments during the audit period may at first glance believe the company’s financial exposure relating to these third parties is equal; however, other factors must be considered to determine the company’s exposure, including (to name a few):
- How many transactions make up the $2M?
- How many purchase orders were used for each invoice?
- How frequently are invoices issued?
- How is each vendor paid (cash, check, transfer)?
- Who signed off on the payments?
- How long are the invoices in the accounts payable system?
Once these and other factors are taken into account, you can look deeper into the transactions of each particular vendor and determine if any internal controls are being circumvented by unbundling transactions for approval authority and flagging payments made outside the normal course of business or rushed through the accounts payable process. These are but a few of the important considerations to determine which third parties to include on an audit schedule.
Communicating and Scoping the Audit
When auditing third parties on compliance matters it is important to communicate your intentions early and often. This communication entails both internal and external communication with both the business unit utilizing the third party’s services and the third party directly. Internally, it is important to gain the business unit’s support and to provide it with a clear understanding of the purpose and potential benefit compliance audits can provide. Depending on the nature of the audit, the General Counsel’s office should be a part of these communications from the beginning. Communications with the third party should be geared towards alleviating concerns surrounding confidentiality and business interruption and clearly communicate the scope of records needed to be reviewed.
Privileged or Not Privileged?
When conducting audits of third parties, it is important to determine early in the planning stages if any risk of future litigation or regulatory scrutiny exists. In most audits or reviews of third parties solely for the purpose of ensuring compliance with the operating agreements or fee provisions, conducting the audit under privilege is not typically necessary. However, if the audit’s scope includes reviewing the third party’s compliance with anti-corruption issues or relates to specific allegations or evidence of impropriety, conducting the audit under the direction of counsel should be considered. This supervision can come directly through the General Counsel’s Office or, in certain circumstances where independence of the review is an issue, conducting the audit through outside counsel may be warranted. In either instance, if at any time during the review or analysis evidence of improper or illegal activities comes to the auditors’ attention that may require a separate or more in-depth investigation, the current audit should cease until legal counsel can advise on appropriate next steps.
Conducting the Audit
In order to conduct the most efficient audit (both in time and cost), it is imperative to complete as many of the audit steps as possible prior to arriving at the third party site. This will allow for the most effective use of audit resources within the limited time the third party will allow you on its premises. Some things to consider prior to the beginning of fieldwork would be:
- Interview your key business unit personnel who oversee the third party relationship and understand any known issues in the relationship. Determine if any company employees are related to or have a close relationship with the third party to be audited. Review expense reports of key account personnel to ensure no self-dealing or inappropriate entertainment is present.
- Provide a written questionnaire to the third party (if not already done as part of due diligence) or, if necessary, interview the third party to obtain key information concerning its business; for example, company ownership and structure, the use of consultants or employees who are associated with the government, the type of accounting system utilized and where accounting records are located, and whether the third party has any large recreational assets.
- Obtain and review copies of the third party’s anti-corruption and ethics policies and procedures, including its policy on gifts and entertainment.
- Request an electronic copy of the general ledger to run data analytics and narrow the population for on-site review.
As the audit proceeds to the on-site review, the auditor should already have a clear understanding of the third party’s operations. The on-site review is the critical stage of a compliance audit and where such audits differ the most from other types of financial or internal audits. The on-site field work is not a “tick and tie” operation of the trial balance to the supporting documentation. It is not what the numbers add up to, but what lies beneath the numbers that is important. The auditor should not only focus his or her attention on the face of the invoice, but rather analyze the purchase orders that make up the invoice, determine who is requesting the service and whether they are authorized to make such a request. The review should ensure that the control functions are working properly and that the invoice, purchase orders and voucher packages have all the appropriate approvals. It’s not just whether backup documentation and some approval exist, but whether that backup shows that appropriate processes were followed and whether the appropriate people provided necessary approvals.
Reviewing Financial Records: Anything of Value
The review of a third party’s financial records should focus on how assets, cash or anything of value could have benefitted unwarranted parties. The most prevalent vehicle for illicit benefits is cash, but bolder third parties may write checks directly to recipient officials. In past regulatory actions, payments were frequently channeled through another third party (consultant, broker, agent) or paid directly to a vendor (travel agent, educational institution) as a perk for an official masked within the books and records of the third party. The auditor should focus the review on cash disbursements and attempt to identify payments to “out of the ordinary” sources, which may include:
- Payments to consultants who have been put on a retainer, with no apparent associated value;
- Frequent or recurring payments made in dollar amounts that are under approval thresholds;
- Payments made to third parties who are paid outside the Vendor Master File;
- Payments to an account outside the country where the service was provided;
- Payments appearing in excess of fair market value for the services/goods provided;
- Payments made in larger round numbers.
Payments made outside the Vendor Master File present heightened risk. These payments, often referred to as one-time payments, select payments or non-recurring payments, pose a high risk to the organization as the vendors who receive these payments are less likely to have been properly vetted via the company’s due diligence process.
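The screening described above can be run over an electronic ledger extract to narrow the population before the on-site review. The following is an added example, not part of the original article: the field layout, payee names, approval threshold, near-threshold band and round-number unit are all assumptions, and the sample records are constructed. It covers only the indicators that can be tested mechanically; retainers with no apparent value and payments above fair market value still require auditor judgment.

```python
from collections import defaultdict
from decimal import Decimal

# Assumed policy values for this example; take the real ones from the
# audited entity's approval matrix.
APPROVAL_THRESHOLD = Decimal("10000")  # amounts at or above this need extra sign-off
NEAR_THRESHOLD_BAND = Decimal("0.10")  # "just under" = within 10% below the threshold
RECURRENCE_MIN = 3                     # near-threshold payments to one payee that form a pattern
ROUND_UNIT = Decimal("5000")           # "larger round number" = exact multiple of this

# Constructed sample data: vendor IDs present in the Vendor Master File.
VENDOR_MASTER = {"V100", "V200", "V300"}

# Constructed cash disbursements:
# (payment_id, vendor_id, payee, amount, service_country, bank_country)
DISBURSEMENTS = [
    ("P001", "V100", "Acme Freight", "9800.00", "CN", "CN"),
    ("P002", "V100", "Acme Freight", "9750.00", "CN", "CN"),
    ("P003", "V100", "Acme Freight", "9900.00", "CN", "CN"),
    ("P004", "V200", "Delta Customs Brokers", "4310.55", "BR", "BR"),
    ("P005", None, "Orion Consulting", "25000.00", "IN", "CH"),  # one-time payment
    ("P006", "V300", "Harbor Travel", "1200.00", "RU", "RU"),
    ("P007", "V200", "Delta Customs Brokers", "9500.00", "BR", "BR"),
]


def flag_disbursements(rows, vendor_master):
    """Return {payment_id: [flags]} for payments matching a red-flag pattern."""
    flags = defaultdict(list)
    near_threshold = defaultdict(list)  # payee -> payment ids just under the threshold
    floor = APPROVAL_THRESHOLD * (1 - NEAR_THRESHOLD_BAND)

    for pid, vendor_id, payee, amount, service_country, bank_country in rows:
        amount = Decimal(amount)
        if vendor_id not in vendor_master:
            flags[pid].append("outside_vendor_master")
        if bank_country != service_country:
            flags[pid].append("offshore_account")
        if amount >= ROUND_UNIT and amount % ROUND_UNIT == 0:
            flags[pid].append("round_amount")
        if floor <= amount < APPROVAL_THRESHOLD:
            near_threshold[payee].append(pid)

    # One payment just under the threshold is unremarkable; a recurring run
    # to the same payee suggests transactions unbundled to avoid approval.
    for pids in near_threshold.values():
        if len(pids) >= RECURRENCE_MIN:
            for pid in pids:
                flags[pid].append("recurring_under_threshold")
    return dict(flags)


def review_queue(flags):
    """Order flagged payments for on-site review: most flags first, then by id."""
    return sorted(flags.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    for pid, reasons in review_queue(flag_disbursements(DISBURSEMENTS, VENDOR_MASTER)):
        print(pid, ", ".join(reasons))
```

A flag here marks a payment for document review, not a finding; the supporting purchase orders and approvals for each flagged item still have to be examined on site.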
In addition to cash transactions, use of company assets by third parties should be closely examined. Many companies have, for example, hunting lodges, ski lodges, boats and airplanes at their disposal and provision of these benefits to third parties that may have a connection to foreign officials must be tightly controlled and monitored. Auditors should ensure that a detailed log or system is in place to track the usage of these assets and proper approvals are present.
Reporting and Finalization
Documentation and memorialization of the audit process and findings should be prepared at the conclusion of the audit. In many instances, two reports should be prepared: one report to the third party directly and a second more detailed report to management for purposes of internal reporting.
The report to the third party should address any instances of non-compliance with the parties’ agreement and suggest remediation steps. The initial step in this reporting process should be a face-to-face meeting with third party representatives. In this meeting, the auditor should outline the findings and provide the third party with a detailed packet of documentation supporting these findings. It is important for the business unit representatives who have direct contact with and responsibility for the third party to be involved in the reporting process. This will ensure expedited resolution of the issues and, in many instances, the identified exceptions may be resolved during this initial exit meeting. Before a report is delivered to a third party, it should be forwarded to the General Counsel’s Office for review and comment. This should be done whether or not the original audit was conducted under the direction of counsel.
The second report prepared after an audit is for internal use only and should provide a detailed outline of the audit processes and methodology utilized. This report will document the work flow and outline the scoping procedures followed during the review. It should also outline the risks the company faces in continuing to conduct business with the identified third party. It is important to draft a well-documented exit plan if certain high risk factors are noted during the audit in the event the third party fails to appropriately remediate those issues.
Audit rights are an important weapon in a company’s third party compliance arsenal. An effective third party audit program should cover the following points:
- Create and implement a practical, effective risk assessment methodology to identify critical third parties and determine the audit population;
- Consistently apply the approach across its population of third parties;
- Communicate often with third parties and internal stakeholders to ensure a successful and efficient review of the third party relationship;
- Ensure the scope of the audit covers all potential areas of risk exposure;
- If problem areas are identified, ensure they are remediated in a timely fashion;
- Have a well-documented exit strategy ready to execute if the risk of doing business with a particular third party is deemed excessive.
Only by ensuring all critical aspects of a model third party audit program are achieved can a company effectively manage the risks associated with operating in today’s global marketplace.