With 80% of FCPA cases in 2019 involving third parties, it is widely recognised that an effective third party monitoring programme is an important component of a robust compliance framework. But anyone who has set up and administered such a programme will recognise that the process is replete with challenges. Re-sellers, distributors and agents interacting with end-customers in foreign markets (and often with government officials) on your behalf pose significant compliance risks. It is therefore common for organisations to develop a monitoring programme, often centred around onsite visits / audits, to ensure those third parties are complying with local / global legislation, industry regulations and contractual stipulations. Summarised below are some of the lessons we have learned, sometimes the hard way, in delivering such programmes:
It is important to recognise that sellers, distributors and agents are also customers - some of the highest risk third parties in your ecosystem are those representing your organisation in the marketplace on your behalf. However, these companies are also important commercial relationships, often critical to meeting growth objectives in emerging / frontier markets. Your organisation's commercial / relationship manager (C/RM) for these customers will likely want to be involved in the upfront communications with the third party and have early sight of any issues your work identifies. It is therefore important to proactively reach out to the C/RM as you begin your work and keep them informed of progress, as well as being sensitive when reporting any findings (since they could be seen as a threat to competing commercial objectives).
Confirm whether you have audit rights, and expect to sign an NDA - review the commercial contract carefully. Usually, a contract will include audit rights giving you permission to review the books, records and controls in place at that third party. Even if this clause does not exist, third parties are typically willing to accommodate you, now seeing independent audits as business as usual. However, during your work you will likely encounter commercially sensitive information (e.g. invoices to their end-customers with sales prices allowing you visibility of their profit margins, commercial agreements with your competitors etc.). In our experience this can make third parties (understandably) nervous, and they may therefore ask the tester to sign an NDA. Your legal team will probably want to review the NDA before you sign it. This can take time, and in cases where it is presented during the kick-off meeting and you are perhaps onsite for only 2-3 days, it can derail the timetable. Get this agreed upfront as part of the planning process.
Understand what the third party has been engaged to perform for your organisation and tailor your testing plan accordingly - the variety of services third parties perform on your behalf will expose you to a range of compliance risks. It is important to understand this upfront so you can tailor your work programme accordingly. Reviewing the commercial contract, discussion with the C/RM and a kick-off call with the third party before commencing testing can provide you with the relevant information. Your work programme should also be 'modular' in nature (i.e. the opposite of a one-size-fits-all programme: particular tests are selected based on the activities performed and risks faced by each individual third party, rather than running the same full programme against everyone).
Co-ordinate with other assurance providers - we often find other parts of the organisation are auditing the same third parties. For example, H&S audits in the Extractives / Construction & Engineering sectors; GxP audits in the Pharmaceuticals & Life Sciences (P&LS) sector. If uncoordinated, this can place an unfair burden on the (often small) third parties and give the impression that the third party is being singled out, or that their client is not tightly managed. Where possible, stagger visits (and share the results as part of an integrated assurance platform).
Understand local legislative / regulatory requirements in detail - individual jurisdictions will have specific rules on certain activities which may be more restrictive than your domestic legislation. These requirements should be built into your work plan and help to contextualise any findings. For example, to combat bribery and corruption in the P&LS sector, regulators in certain countries have imposed specific limits on the volume of sample drugs which are permitted to be provided to Health Care Professionals (HCPs), with their provision only permitted for a limited period of time post marketing authorisation. You can perform research online, liaise with local colleagues and engage independent experts. We have also had good results by contacting the department for trade of the domestic country in question, usually based in the local consulate, who should be able to share the relevant information. This is vital to ensure relevant assurance is provided over a third party's compliance with all applicable legislation / regulation, as well as helping to build credibility with the third party being reviewed.
Be respectful of the third party's time - in our experience the owner / commercial director of the third party will likely want to be involved throughout the audit. This can cause significant disruption to their day-to-day business activities. It is therefore important to restrict the amount of time on site as much as possible. This can be achieved by sending information requests and sample selections well in advance of coming on site. We also usually recommend that third party monitoring uses smaller sample sizes across a shorter period of time, and is delivered in a matter of days rather than weeks. This approach clearly creates some inherent limitations in the level of assurance provided, and it is important that this is clearly communicated in the audit report so as to avoid an expectation gap with the user of the report.
Be prepared to respond to multiple red flags - in our experience, compliance maturity in many (although not all) smaller third parties tends to be low compared with recognised good practice. While you are unlikely to uncover a 'smoking gun' during the course of your testing, you will likely find several significant control gaps and weaknesses, as well as potentially 'red-flag' type transactions (e.g. generous gifts / hospitality). You may need to draw on more resources than initially expected and/or have an organised workflow based on a set of agreed principles on how to respond to potential issues. For example, are you broadly clear before you begin on any 'lines in the sand' at which the organisation should end the relationship vs. work with the third party to remediate, based on factors such as criticality of finding, strategic importance of the third party etc.? Is there any risk appetite guidance to support determining these positions?
Consider whether monitoring is the best use of your budget / resources - increasingly, we are finding organisations redirecting their investment from the monitoring programme to being more proactive in helping their third parties establish a reasonable compliance framework, often strengthening the relationship at the same time, as most third parties will typically be grateful for the support from a collaborative partner. This can include sharing a template Code of Conduct, Risk & Control Matrices (RACMs), compliance policies, training materials and tailored forms to record higher risk activities (e.g. provision of gifts, hospitality etc.). In due course, the third party can then be audited to assure that the materials provided have been effectively implemented.
We hope the above reflections provide some useful pointers for your monitoring and audit approach. We are always learning - what else have you encountered? Please share any thoughts or experiences in the comments section below.