Government organizations rely on outside third parties to provide the goods and services they need to operate effectively. Contracting with an outside third-party exposes these organizations to significant risks. Picture these scenarios:
Scenarios like these are just a few of the many risks affecting organizations that work with third-party vendors. As government organizations continue to rely on outside suppliers or service providers, their exposure to risk and fraud increases.
You might be asking, “What measures could these organizations have taken to prevent and detect these scenarios?”
If you’re unsure how to tackle this question, you are not alone. The truth is for many organizations, there is uncertainty regarding what actions to take to mitigate risk. A 2014 national study showed that while more than 65% of organizations rely heavily on third-party relationships, a large majority fail to allocate resources to assess potential associated risks.
Navigating a third-party relationship is complicated for organizations in any industry, but especially in government. Every organization should be aware of and actively manage some of the most common third-party contract risks:
The harsh reality is many organizations do not have the necessary processes or safeguards in place to address key third-party contract risks. Many organizations struggle with grasping the complexities involved in a contract review. Establishing comprehensive procedures within an organization to ensure compliance of the contractor or supplier against the contract terms and conditions does not happen overnight.
To avoid paying the price down the road, start managing third-party contract relationships before signing on the dotted line. It is critical to take the following actions to protect your organization:
Make sure every contract signed has a “right to audit” clause included in the terms and conditions. The “right to audit” clause not only provides you with the contractual and legal right to conduct an audit of the outside party’s compliance with the contract, but also puts them on notice that their records are subject to an audit and acts as a preventative control. The Association of Certified Fraud Examiners (ACFE) provides a sample “right to audit” clause that could be used as a starting point for developing your own.
Employees who play a role in your third-party contract relationships should be educated on the critical terms and conditions of each contract and empowered to ask questions. Provide them with an understanding of the risks as well as the knowledge and ability to review and question invoices, change orders and good/service delivery.
Ensure your internal checks and balances have been designed and are operating effectively to protect your organization from errors or potential wrongdoing by outside third parties. Some key controls include making sure there is a formal process with proper segregation of duties for reviewing and approving:
An employee or employees (depending on number of contracts) should be assigned the role of contract monitor. Duties the contract monitor should have include:
Exercise the “right to audit” clause and include contract audit responsibilities within the scope of your Internal Audit function or periodically contract with professional auditors to audit contracts for compliance and performance.
If you currently rely on third-party contractors or recently signed a contract, it is not too late for your team to conduct a contract audit. Proper risk management through a contract audit is critical to reign in risk especially with organizations facing a myriad of security breaches in today’s evolving technological environment. Conducting a contract audit can be a daunting task, but with the right approach, you can keep your organization out of harm’s way. Here are four key steps to conducting a successful contract audit:
Identify all key third-party contracts and risk factors. Assess each contract based on risk and prioritize. Based on the prioritization, determine which of the higher risk contracts you would like to audit and develop an audit schedule.
Review the contract and identify scope of work, terms and conditions, applicable laws and regulations and payment terms. Develop an audit plan focused on compliance, payments, performance and change orders.
Review contractor compliance with terms and conditions as well as applicable laws and regulations. Examples include insurance, prevailing wage, diversity, bonding, lien waivers, permits and taxes.
Review contractor invoices/payments for the following:
Review key performance criteria based on contract specifications and deliverables including material specifications, level/expertise of labor, quality of deliverables and delivery timelines.
Review change orders for compliance with contract terms and accuracy, including change orders that are appropriate, priced correctly and not duplicative.
Report back to management on issues and make recommendations to resolve them.
How confident are you with your organization’s third-party risk management processes and controls? To avoid harmful risks, confidence in your organization’s efforts is key to stay in front of potential errors and fraud. No one likes to be taken advantage of, but unfortunately, this can happen when dealing with third-party contractors. It’s important to equip your organization with the right tools to monitor contracts. Ultimately, mistakes will be made, but your organization can save face and dollars by consistently monitoring third-party relationships.
For questions or assistance, contact our contract compliance experts.