Armanino Blog
Article

The Reality of Risk in Third-Party Contract Relationships

by Ronald Steinkamp
May 22, 2017

Share

Government organizations rely on outside third parties to provide the goods and services they need to operate effectively. Contracting with an outside third-party exposes these organizations to significant risks. Picture these scenarios:

  • A contractor prepared and submitted inflated invoices and false change orders for labor and materials on a project to build a water treatment plant for a state agency resulting in overbilling of $4.8 million.
  • A municipal government contracted with a fire safety company to annually inspect and re-size firefighter safety equipment. However, the company failed to perform this critical function, putting the safety of firefighters in jeopardy.
  • A freight merchant submitted false fuel and weight claims to the U.S. government totaling $13 million for oversized air shipments when the standard load was actually delivered via ground transport.

Scenarios like these are just a few of the many risks affecting organizations that work with third-party vendors. As government organizations continue to rely on outside suppliers or service providers, their exposure to risk and fraud increases.

You might be asking, “What measures could these organizations have taken to prevent and detect these scenarios?”

If you’re unsure how to tackle this question, you are not alone. The truth is for many organizations, there is uncertainty regarding what actions to take to mitigate risk. A 2014 national study showed that while more than 65% of organizations rely heavily on third-party relationships, a large majority fail to allocate resources to assess potential associated risks.

7 Common Risks of Third-Party Relationships

Navigating a third-party relationship is complicated for organizations in any industry, but especially in government. Every organization should be aware of and actively manage some of the most common third-party contract risks:

  • Reputation — Third-party contractor damages the reputation of the organization through their actions, or lack thereof
  • Performance — Third-party contractor fails to meet timelines and/or fails to perform in accordance with terms of the contract
  • Compliance — Third-party contractor fails to comply with laws and regulations governing the performance of the contract
  • Non-Conforming Goods — Third-party contractor delivers goods or services not conforming to contract specifications
  • Change Order Abuse — Third-party contractor increases the price or extends and expands the contract scope through the use of multiple change orders
  • Cost Mischarging — Third-party contractor charges the organization for costs (material or labor) not allowable, reasonable or allocable to the contract
  • Data Breaches — Third-party contractor, either intentionally or through the ineffectiveness of its information technology security and controls, mismanages critical organization or customer data

How to Manage the Risks

The harsh reality is many organizations do not have the necessary processes or safeguards in place to address key third-party contract risks. Many organizations struggle with grasping the complexities involved in a contract review. Establishing comprehensive procedures within an organization to ensure compliance of the contractor or supplier against the contract terms and conditions does not happen overnight.

To avoid paying the price down the road, start managing third-party contract relationships before signing on the dotted line. It is critical to take the following actions to protect your organization:

Include a “right to audit” clause

Make sure every contract signed has a “right to audit” clause included in the terms and conditions. The “right to audit” clause not only provides you with the contractual and legal right to conduct an audit of the outside party’s compliance with the contract, but also puts them on notice that their records are subject to an audit and acts as a preventative control. The Association of Certified Fraud Examiners (ACFE) provides a sample “right to audit” clause that could be used as a starting point for developing your own.

Educate and empower employees

Employees who play a role in your third-party contract relationships should be educated on the critical terms and conditions of each contract and empowered to ask questions. Provide them with an understanding of the risks as well as the knowledge and ability to review and question invoices, change orders and good/service delivery.

Review internal controls

Ensure your internal checks and balances have been designed and are operating effectively to protect your organization from errors or potential wrongdoing by outside third parties. Some key controls include making sure there is a formal process with proper segregation of duties for reviewing and approving:

  • Contracts
  • Change orders
  • Invoices/payment applications
  • Receipt/acceptance of goods and services

Assign a contract monitor

An employee or employees (depending on number of contracts) should be assigned the role of contract monitor. Duties the contract monitor should have include:

  • Identifying critical terms, compliance requirements, scope, timelines and deliverables
  • Assessing and monitoring the risks in the contract
  • Establishing processes and internal controls to manage the risks
  • Tracking and monitoring contract compliance, progress and timelines
  • Ensuring goods/services are delivered in accordance with the contract

Conduct periodic contract audits

Exercise the “right to audit” clause and include contract audit responsibilities within the scope of your Internal Audit function or periodically contract with professional auditors to audit contracts for compliance and performance.

4 Key Steps to Conducting a Successful Contract Audit

If you currently rely on third-party contractors or recently signed a contract, it is not too late for your team to conduct a contract audit. Proper risk management through a contract audit is critical to reign in risk especially with organizations facing a myriad of security breaches in today’s evolving technological environment. Conducting a contract audit can be a daunting task, but with the right approach, you can keep your organization out of harm’s way. Here are four key steps to conducting a successful contract audit:

1. Contract assessment and prioritization

Identify all key third-party contracts and risk factors. Assess each contract based on risk and prioritize. Based on the prioritization, determine which of the higher risk contracts you would like to audit and develop an audit schedule.

2. Contract audit planning

Review the contract and identify scope of work, terms and conditions, applicable laws and regulations and payment terms. Develop an audit plan focused on compliance, payments, performance and change orders.

3. Audit execution


Compliance review

Review contractor compliance with terms and conditions as well as applicable laws and regulations. Examples include insurance, prevailing wage, diversity, bonding, lien waivers, permits and taxes.

Payment review

Review contractor invoices/payments for the following:

  • Compliance with contract terms
  • Appropriateness of labor, material, equipment, insurance, taxes, markups and other changes
  • Adequacy, accuracy and completeness of support
  • Duplicate and/or inappropriate charges
  • Integrity, accuracy and appropriateness of subcontractor invoices
  • Proper and timely payments to subcontractors
  • Appropriateness of retainage (if applicable)

Performance review

Review key performance criteria based on contract specifications and deliverables including material specifications, level/expertise of labor, quality of deliverables and delivery timelines.

Change order review

Review change orders for compliance with contract terms and accuracy, including change orders that are appropriate, priced correctly and not duplicative.

4. Reporting

Report back to management on issues and make recommendations to resolve them.

How confident are you with your organization’s third-party risk management processes and controls? To avoid harmful risks, confidence in your organization’s efforts is key to stay in front of potential errors and fraud. No one likes to be taken advantage of, but unfortunately, this can happen when dealing with third-party contractors. It’s important to equip your organization with the right tools to monitor contracts. Ultimately, mistakes will be made, but your organization can save face and dollars by consistently monitoring third-party relationships.

For questions or assistance, contact our contract compliance experts.

Stay In Touch

Sign up to stay up-to-date with the latest accounting regulations, best practices, industry news and technology insights to run your business.

Author
Ron Steinkamp - Risk Assurance & Advisory| Armanino
Partner
Ron Steinkamp, CPA, CIA, CFE, CGMA, CRMA, CCA, CCP
Resources
Related News and Insights
Women in Nonprofit Leadership Panel
Webinar
Women in Nonprofit Leadership Panel
Aspiring nonprofit leaders should hear the insightful stories of these women industry leaders to empower their journeys.
December 14, 2021 | 10:00 AM - 11:00 AM PT
The Evolution of Gaming Companies
Webinar
The Evolution of Gaming Companies
From seed-funding to acquisition, position your gaming company for success.
December 9, 2021 | 01:00 PM - 02:00 PM PT
Environmental, Social and Governance (ESG) and Risk Management
Webinar
Environmental, Social and Governance (ESG) and Risk Management
How to integrate ESG into your risk management practices and processes.
December 9, 2021 | 10:00 AM - 11:00 AM PT
View All