Internal controls play a critical role in helping a company achieve its core mission. They do so not only by ensuring the reliability of financial statements, but by helping companies minimize surprises and leverage opportunities as the business develops.

But as business complexity increases, so must the controls that track the flow of information, material, labor, and capital throughout the organization. That's because each of those elements is increasingly shared among partners, contractors, the supply chain, and other parties that help the company achieve its objectives.

The facing-page foldout illustration—the 13th in the ongoing “GRC Illustrated” series created by the OCEG and Compliance Week—provides examples that may help your organization address this key question: How far do you reach with your controls?

The Supply Chain

The business press has been filled with examples of supply chain breakdowns, from lead-painted toys and contaminated pet food to toxic cough syrup and defective tires.

Many of those recent incidents involved outsourcing partners in China; however, supply chain breakdowns that impact corporate earnings and brand are not restricted to developing nations. As a result, companies need to do a better job assessing potential supplier risks. According to risk experts, too many companies make supply chain decisions based on cost alone, without thoroughly assessing downside risks. “People get too focused on price,” Carl Lidstrom of the consulting firm RMR Risk Management Resources recently told Compliance Week. “It may be one-fifth or one-tenth of the price, but that's not the whole story. And you may not know the whole story for a long time.”

That risk assessment process is absolutely critical, as the brand closest to the consumer typically absorbs all the impact once a problem emerges. For example, when Dell was forced to recall batteries that were overheating and posing a fire risk, consumers didn't care that the units were manufactured by Sony: They blamed Dell. When a JetBlue Airbus A320 was forced to make an emergency landing at Los Angeles International Airport in September 2005 due to faulty landing gear, nobody cared that the gear was manufactured by Messier-Dowty: Consumers blamed JetBlue. Similarly, Mattel was blamed for its numerous product recalls, not the supply chain partners that caused the problem.

Those incidents aren't only embarrassing, costly and, in some cases, life threatening; they can be absolutely devastating to the corporation. As Compliance Week reported back in July, New Jersey importer Foreign Tire Sales was forced by the National Highway Traffic Safety Administration to recall 450,000 tires manufactured by a Chinese supplier after a fatal accident. The recall is expected to cost between $60 million and $80 million, and Foreign Tire Sales has acknowledged that it does not have the money and might have to file for bankruptcy.

The challenge for companies, of course, is that visibility and control over the flow of material, information, labor, and capital decreases as the supply chain branches out. As a result, it is more difficult for management to gauge whether partners are in compliance with internal policies and external regulations. Yet, as described, management and the organization as a whole will suffer if controls and compliance break down.

Outsource Partners

While supply chain partners are typically involved in the development or manufacturing of your core products and services, outsource partners typically perform administrative support activities on your behalf. Payroll services like ADP and Paychex are examples of outsource partners—they act as an outsourced employee benefits or human resources department, so that you can focus on your core business.

As a result, these partners are typically intimately familiar with your company's financial standing, and often have access to critical corporate data assets, whether those are investment accounts or employee social security numbers.

And though these outsource partners don't typically pose the same direct threat to your customers as your supply chain, they do pose a threat. That's because outsource partners include financial services firms that handle your customers' data, such as credit card information. As the foldout illustration shows, these outsource partners also include call center and customer support services, many of which operate in developing nations where legal and regulatory frameworks may differ from those of the U.S.

It is, therefore, equally critical that companies are confident that policies and procedures among outsource partners are being followed, despite the decreased visibility that may come from remote or even overseas functions. This is especially important for partners who have access to—or are managing—customer transaction data. Myriad complicated state and federal regulations and standards exist for such data, as do private-party standards of equal importance. For example, the Payment Card Industry's data security standard applies to companies that process credit or debit card information, including merchants and third-party service providers that store or transmit that data. Better known as “PCI compliance,” the standard creates unique challenges for companies with myriad locations and stores, not to mention outsource partners.

Partners with access to critical customer or corporate data must utilize that information exactly as you specify and must adhere to all the standards and regulations to which you will be held. Effective communication must occur across all parties to ensure those requirements are being met, and ongoing monitoring systems and/or processes need to be employed on a regular basis—with frequency based on the aforementioned risk assessment—to ensure compliance and address deficiencies.

Extensive due diligence is another wise tactic employed to lower risk. As is the case with the supply chain, companies should consider visiting outsource partners on a regular basis, including unscheduled visits. In addition, “Plan B” backup strategies should be in place, in the event that a particular outsource partner violates corporate policies or federal laws, or in the event that their systems or procedures are breached.

Companies must address the questions that are most appropriate for their organization, industry, culture, risk appetite, and outsource partner relationships. For example, what access do your partners have to your business systems and databases? Why do they have that access, and what protections do you—and they—have in place to protect that data? What sub-contractors or partners of theirs might also be tapping into that data? Is there an independent and objective third party, like an external auditor, that can contribute to the assessment of your partners' systems and help you achieve your objectives?

Consultants

Sometimes the “extended enterprise” is contained within the walls of the organization. Numerous consultants and contractors are employed to do everything from low-stakes administrative work to high-stakes strategy work. But even “low stakes” administrative work, such as technical maintenance, can introduce high risks. For example, a technology consultant employed to conduct weekly data backups or server maintenance will often be granted “super user” or administrator access to databases that contain employee, customer, and general business information. For extended engagements, it is not unusual to provide building access and identification cards.

In these instances, it is wise to ensure that access controls are appropriately configured and that audit trails and logs cannot be turned off, altered, or circumvented by the very administrators they record. That means the log must be protected by something the administrator does not control (a separate log store, a separate key, or both), so that every action is recorded and can be traced, and any attempt to edit or delete the record is itself detectable.
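One concrete way to make an audit trail resistant to the people it records is a hash-chained, keyed log: each entry carries a MAC computed over the previous entry's MAC and its own content, and the key is held by internal audit rather than by the administrators. The example below is added here to illustrate that point; it is not code from the article, from Compliance Week, or from any vendor it names. The key value, the field names, and the contractor-session records are all constructed for the demonstration.

```python
import hashlib
import hmac
import json

# Assumption for this example: the MAC key is held by a party other than the
# administrators being audited (e.g. escrowed with internal audit), so an admin
# with full database rights still cannot forge or re-seal entries.
LOG_KEY = b"example-key-held-by-internal-audit-not-by-admins"
GENESIS = "0" * 64


def _seal(key, prev_mac, seq, record):
    """MAC over (previous MAC, sequence number, canonical JSON record)."""
    payload = (prev_mac.encode() + b"|" + str(seq).encode() + b"|"
               + json.dumps(record, sort_keys=True).encode())
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_entry(log, record, key=LOG_KEY):
    """Append a record, chaining it to the MAC of the entry before it."""
    prev = log[-1]["mac"] if log else GENESIS
    seq = len(log)
    entry = {"seq": seq, "record": record, "mac": _seal(key, prev, seq, record)}
    log.append(entry)
    return entry


def verify_log(log, key=LOG_KEY, expected_tail=None):
    """
    Walk the chain from the genesis value. Returns (True, None) if every entry
    seals correctly in order, else (False, seq_of_first_bad_entry).
    Edits, deletions and reordering break the chain. Silent truncation of the
    end of the log does not, so the caller may pass the (count, last_mac) pair
    it last checkpointed to catch that as well.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i:
            return False, i
        expected = _seal(key, prev, i, entry["record"])
        if not hmac.compare_digest(entry["mac"], expected):
            return False, i
        prev = entry["mac"]
    if expected_tail is not None and (len(log), prev) != expected_tail:
        return False, len(log)
    return True, None


def checkpoint(log):
    """(count, last_mac) to store somewhere the administrators cannot reach."""
    return (len(log), log[-1]["mac"] if log else GENESIS)


def demo():
    # Constructed sample: what a maintenance contractor's session might produce.
    log = []
    for rec in [
        {"user": "contractor01", "action": "login", "host": "db-prod-1"},
        {"user": "contractor01", "action": "backup.start", "db": "payroll"},
        {"user": "contractor01", "action": "select", "table": "employees", "rows": 4821},
        {"user": "contractor01", "action": "backup.finish", "db": "payroll"},
        {"user": "contractor01", "action": "logout", "host": "db-prod-1"},
    ]:
        append_entry(log, rec)
    cp = checkpoint(log)
    results = {"clean": verify_log(log, expected_tail=cp)}

    # 1. An admin rewrites the row count on the SELECT to hide how much was read.
    edited = json.loads(json.dumps(log))
    edited[2]["record"]["rows"] = 1
    results["edited"] = verify_log(edited, expected_tail=cp)

    # 2. The SELECT entry is deleted outright and later entries renumbered.
    deleted = json.loads(json.dumps(log))
    del deleted[2]
    for i, e in enumerate(deleted):
        e["seq"] = i
    results["deleted"] = verify_log(deleted, expected_tail=cp)

    # 3. The tail is cut off; only the out-of-band checkpoint catches this.
    truncated = log[:3]
    results["truncated_no_cp"] = verify_log(truncated)
    results["truncated_cp"] = verify_log(truncated, expected_tail=cp)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The design point worth noting is the third case: a hash chain alone proves nothing about entries that were removed from the end, so the verifier needs an anchor (the checkpoint) exported to a store the administrator cannot write to, such as a log collector owned by a different team. In practice the same effect is obtained by forwarding logs in near real time to a write-once destination and periodically reconciling counts.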

Some of the more notable data breaches have occurred as a result of negligence or honest mistakes made by consultants. Consultants are more likely to travel to and from the client location with laptops, and those laptops often contain client data. If a laptop is lost or stolen, it is the client company (rarely the consultant) that is harmed. Companies should consider including contract provisions that require full-disk encryption on any laptop that will store or access company information, along with periodic and random audits of compliance with that requirement.

Contract Representatives

Contract representatives and other partners that sell products and services on behalf of the company can also introduce significant risk if not well controlled and monitored. Some of the more notable Foreign Corrupt Practices Act cases involved contract representatives rather than full-time employees.

“The lingering perception that using a contractor or agent is a sure way to insulate a company from FCPA danger is completely false and the Government has had no problem prosecuting executives and corporations that try to do so,” says Eric Morehead, assistant general counsel at the United States Sentencing Commission. “A ‘hear no evil, see no evil’ policy is no policy at all, and many recent cases show that ignoring the actions of foreign subsidiaries, distributors, or agents is very perilous.”

Proof of Morehead's claims is plentiful. $8.6 billion agricultural provider Monsanto agreed to pay a $1.5 million fine in 2005 for paying an Indonesian official through a local consultant. InVision Technologies agreed to pay a $1 million fine after its distributors and local sales agents allegedly made payments in the Far East to various government officials. ABB Vetco Gray agreed to pay a $10.5 million fine, and an additional $16.4 million to settle a related SEC case, due to alleged payments made in Nigeria, Angola, and Kazakhstan through subsidiary operations and local agents.

Simple Steps in a Complex World

To maximize the risk-adjusted value of outsourcing in the global economy, organizations should consider extending their program of internal control and compliance into their network of partners.

Risk Assessment. All of this starts with a risk assessment, so that extensions of the program are appropriately focused on higher-risk, and thus higher-value, areas. The risk assessment should look at all key flows of materials, information, capital, and people in the supply chain and outsourced relationships. As with any risk assessment, management should start with enterprise objectives to focus the assessment. What are the key relationships that contribute to enterprise value? Are there sales and marketing activities being conducted in geographies with high corruption risk? Are there key financial flows to outsourced payment processors? Are there key information flows that contain employee, customer, or business information? Are sound labor practices followed in the supply chain? Are materials appropriately handled?

Be Proactive. Consider the full range of proactive structures that can be used to address these risks: policies, procedures, insurance, process controls, technology controls, and workforce controls (e.g., mandating that contractors and partners screen employees for prior misconduct). Keep in mind that many of these controls and incentives will be managed by the outsource partner or supplier, and that your visibility into them will depend on contracts and the sharing of information. Are there control activities, such as approvals, authorizations, or verifications, that can be deployed or managed to minimize non-compliance with corporate policies or federal law? What types of reports, disclosures, and certifications should be used to ensure that these structures are in place? Should training and policies be provided to supply chain and outsource partners?

Detect. Once the agreements, controls and incentives are in place, they must be monitored. A company should determine how much information it needs, not just how much it wants, to effectively monitor the proactive structures. How much information is needed? How much is too much? Should supply chain and outsource partners be required to immediately disclose material issues discovered via internal audits? Should unannounced audits be required? How many per year?

Respond, Remediate, and Improve. If any problems arise, companies should work with their outsource partners (and others if necessary) to identify the root cause and truly fix the problem. Do local relationships in distant geographies exist so that investigations can be appropriately conducted? Has this type of issue occurred before? If so, was it fixed the same way that is now being proposed? Are fixes that have consistently failed in the past being put in place again?

Inform and Communicate. As noted above, visibility decreases as the supply chain and extended enterprise grow in size and complexity. Thus, developing formal communication systems and even mandating particular communications is very important. How will problems be discovered? What access should companies have to outsource partner audits? What types of reports, disclosures, and certifications should be in place? Can controls be embedded in shared systems to reduce the cost of preparing reports and disclosures and to reduce the lag time of being notified?

Culture. Companies should also take time to understand informal structures and the general culture of supply chain and outsource partners. For example, what is the “tone at the top” at your supply chain partners? Can and should their ethical values be assessed, much like you assess the integrity of your own organization?

These are just some of the questions that companies need to consider as they ascertain how deep within their supply chain they should extend their controls. The foldout illustration in this edition of Compliance Week may be helpful in eliciting additional questions particular to your organization.

The rapid and global expansion of supply chain and outsource partners has created extraordinary benefits for many companies, from decreasing costs and improving profit margins to boosting quality and efficiency so that companies can focus on their core business objectives. But that expanded global footprint and its often entangled relationships create an increased risk of non-compliance and impediments to corporate performance. Companies need to take those relationships into account when assessing control systems, and must ask the right questions regarding how far those controls should reach into the extended enterprise.