Folding Client Business Partners into the Fraud Risk Assessment

As regular readers of the InnerAuditor blog know, out-of-town members of our RVA ACFE Chapter are encouraged to submit speaker questions via e-mail for use during our live training sessions. A reader asked a series of questions related to ethical practice for our August 28, 2014 event, Ethics 2014 for CPA’s and Fraud Examiners, which we’re co-sponsoring with the Virginia State Police and the President of the Tidewater Virginia Chapter of the Institute of Internal Auditors. One of the questions concerned various ethical exposures involving compliance with the U.S. Foreign Corrupt Practices Act and extending to the business partners of the CPA’s audit client. Should a CFE’s fraud risk assessment include due diligence performed on the business partners of the fraud examiner’s client? It turns out there are a number of interesting ethical and due-diligence considerations.

There is certainly such a thing as third-party risk. Traditionally it was represented only by a few key suppliers and agents; in today’s global marketplace it has expanded significantly to include technology firms, joint venture partners, foreign stakeholders, consultants, co-marketers and a whole host of others. Joining with any one of these partner types can expose our clients to significant categories of collateral risk. An overseas consultant can pay a bribe on our client corporation’s behalf to a foreign corporation without our client even knowing it; foreign joint venture partners of one of our client’s domestic suppliers can engage in unethical behavior, thereby exposing the client to corruption accusations and reputational risk; the client’s law firm can pay for expensive vacations for foreign officials during off-shore tax negotiations; and the list of risks and exposures goes on and on, limited only by our imaginations.

Clearly, then, the net of the CFE’s fraud risk assessment has to be cast widely enough to encompass a thorough understanding of the histories and practices of all the business partners conducting business on our client’s behalf. The recent Target Corporation breach, in which attackers used the access of an infrastructure and maintenance supplier to penetrate Target’s customer systems, should be enough to convince any practitioner of the degree of fraud risk represented by business partners, whether ethically challenged or not. The idea that customers, agents, resellers and other parties are not part of a client’s operating or risk profile is no longer a defensible position; a new era of corporate and social responsibility (and the stepped-up number of prosecutions recently undertaken under legislation like the Foreign Corrupt Practices Act) has changed that notion forever.

I’m sure all our readers are familiar by now with the basic mechanics of conducting a fraud (or any other type of) risk assessment. Although criteria may vary from one assessment to the next, each risk assessment requires the steps of information gathering, analysis and interpretation. In assessing the degree of risk represented by third-party business partners, the first step is critical: draw up a list of exactly who those third parties are (in the case of medium to large companies, sometimes a daunting task in itself). After your list is complete, for each of the partners you’ve identified, see if you can document an answer to a set of questions like these:

–does your risk assessment client have a formal business contract with this partner? If so, read the contract carefully and make a copy for your work paper file;
–what requirements and rights regarding ethical compliance and anti-corruption are contained in the contract or, absent a contract, in any documentation you can obtain bearing on the exact relationship between the parties?
–does the contract include an audit clause?
–who, as exactly as you can determine, owns each listed business partner?
–as far as you can determine, has the partner disclosed to your client all of the partner’s relevant third-party relationships?
–have all of the partner’s operating locations, foreign and domestic, been disclosed?
–does this partner have on-going litigation or governmental relationships that might create an adverse impression among your client’s existing customers or among external regulators?

Following the information gathering phase, the examiner should look for and resolve any apparent red flags involving individual and/or combined partners during the analysis and interpretation phases. Red flags can include limited information about one or more partners; inconsistent or contradictory data; operations in politically charged locales; prior regulatory sanctions; and connection to, or ownership by, politically exposed individuals. Look especially for involvement in non-domestic environments with uncertain economic or commercial requirements. The due diligence process involves evaluation by the fraud examiner and management of each of the key business partner risk factors identified. A table of the potential risks identified, organized by partner, can be prepared, together with a written remediation plan setting out the recommended steps management can take to address each potential threat.

Lastly, try to get client management to commit to a formal approval process before engaging with any new, significant business partner, and then to an on-going review of existing partnerships as a component of the annual Enterprise Risk Management (ERM) process.
