Asia Pacific CFO Hot Topics

What CFOs need to know about third-party risk

  • CFO’s role in mitigating third-party risk

    While using third parties is a regular aspect of doing business, these third-party business relationships do not come without risks. Our Asia-Pacific Fraud Survey shows that fifty-five percent of organizations in Asia-Pacific believe risks are more likely to arise from third parties than from internal staff.

    CFOs are becoming more influential and are increasingly looked to by boards for their views on compliance matters. In addition, regulators and other external stakeholders rely on the CFO as a key interface with the company.

    Due diligence is a critical component of the compliance framework for companies to determine the trustworthiness of a third party. In making such an evaluation, CFOs need to heed red flags that may appear.

    CFOs also need to strategically invest their time and resources in forensic data analytics and frequent compliance audits, as these form the basis of a strong monitoring system for third-party relationships.

    [Video: Knowing your third party]

    The importance of managing third-party risk

    Recent prosecutions by regulators demonstrate that companies can be liable for the actions of third parties acting on their behalf.

    Fines make headlines but they do not tell the whole story. Companies also have to bear hidden penalties such as the investigation cost, reputational damage, loss of business opportunities while undergoing investigations, risk of class action litigation, and the cost of remediation.

    The UK Bribery Act and the US Foreign Corrupt Practices Act (FCPA) require companies to apply third-party due diligence procedures.

    Weak systems and controls in Asia-Pacific

    [Figure: Types of third parties representing the biggest compliance risk. Q: Which type of third parties represents the biggest compliance risk to your company? Base: all respondents (681)]

    Although regulators expect it, only 65% of respondents say that all of their third parties are required to comply with their company’s anti-bribery/anti-corruption (ABAC) code of conduct, according to our Asia-Pacific Fraud Survey.

  • Third-party due diligence

    Due diligence helps CFOs understand third parties better

    Performing third-party due diligence is critical, as it represents a systematic and consistent effort to vet business relationships tiered by levels of inquiry based on a thorough business inventory and risk assessment.

    It helps CFOs understand not only the third parties with whom the company will be contracting, but also the broader context in which they will operate.

    How to undertake comprehensive due diligence

    • Create risk profiles by understanding the cultural and business norms, prior incidents of fraud, previous litigation and adverse press, other non-performance of contracts within the industry and geography, or the experience of peers
    • Have complete transparency in the way the third party is remunerated, not just in its fees or commissions but also in its expenses
    • Structure arrangements so that the company’s travel and entertainment expense policy applies appropriately to third parties
    • Go deep enough to include the beneficial ownership of the third party and its reputation

    Red flags that CFOs need to be aware of

    • Omission of certain key personnel/shareholders
    • A lack of information or trading history
      This factor alone would not rule out start-ups.
    • A business address in a non-commercial zone or at service office suites
    • Low-capitalized company
      Suppliers with a small capital base could be acting merely as middlemen for undisclosed suppliers, which poses a further risk.
    • Tampering or irregularities with the tendering process
      This includes the acceptance of late bids, bids being accepted despite failings in technical specifications or scoring, and bids at or very close to set budgets.
  • Forensic data analytics

    Forensic data analytics identifies unethical practices

    The use of forensic data analytics (FDA) enables companies to transform large volumes of transactional data into valuable actionable business intelligence within a short period of time.

    FDA does not rely on sampling but uses 100% of the available and relevant data to:

    • Obtain meaningful insights for investigative, legal, regulatory, anti-fraud or risk mitigation matters
    • Assist internal audit and compliance teams to focus on potentially anomalous transactions across business functions and sharpen the focus of their reviews at a time when costs are being heavily scrutinized
    • Allow companies to continuously evolve and adapt internal policies and procedures to mitigate risk from the outset, leading to a proactive response to potential issues rather than reactive investigations after the fact
    • Help companies quickly and efficiently identify any red flags that suggest they should be on guard for potential ABAC policy breaches
    • Quantify the actual impact of fraudulent behavior and identify the amount of revenue generated from kickbacks for potential FCPA or UK Bribery Act violations, thereby minimizing the fines assessed by regulators

    Red flags commonly detected by FDA

    • Multiple suppliers with same address
      Shared or similar addresses, contact details or bank accounts are potential red flags, as are overly close relationships within a small group of local vendors.
    • Multiple payments just below the authorized level
      Examples of this type of red flag include evidence of unusual data trends such as split payments to bypass approval thresholds, large numbers of one-time vendor payments to bypass supplier due diligence procedures, duplicate payments, a lack of proper supporting documentation around vendor set-up, diligence or payments, and multiple duplicates in vendor master files.
    • Generic descriptions in expense reimbursement claims
      Text mining of claim descriptions to identify “concepts” or generic wording can further narrow the review to high-risk transactions.
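    The red flags above can be screened for across the whole ledger rather than a sample. The following is an added example (not EY tooling or code from this page) that runs those checks over a constructed vendor master and payment ledger; the approval limit, the vendor and payment records and the generic-term list are all assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample data (not from the page): vendor master and payment ledger.
APPROVAL_LIMIT = 10_000  # hypothetical single-approver threshold
GENERIC_TERMS = {"misc", "miscellaneous", "consulting", "services", "expenses"}
VENDORS = [
    {"id": "V1", "name": "Alpha Supplies",  "address": "12 Harbour Rd, Unit 3", "bank": "ACC-111"},
    {"id": "V2", "name": "Beta Trading",    "address": "12 Harbour Rd, Unit 3", "bank": "ACC-222"},
    {"id": "V3", "name": "Gamma Logistics", "address": "9 Orchard St",          "bank": "ACC-222"},
    {"id": "V4", "name": "Delta Tech",      "address": "77 Bay Ave",            "bank": "ACC-444"},
]
PAYMENTS = [
    {"vendor": "V1", "date": "2024-03-04", "amount": 9_800, "invoice": "A-1", "desc": "Consulting services"},
    {"vendor": "V1", "date": "2024-03-04", "amount": 9_700, "invoice": "A-2", "desc": "Consulting services"},
    {"vendor": "V4", "date": "2024-03-05", "amount": 4_500, "invoice": "D-9", "desc": "Server rack, 42U, model X"},
    {"vendor": "V4", "date": "2024-03-12", "amount": 4_500, "invoice": "D-9", "desc": "Server rack, 42U, model X"},
    {"vendor": "V3", "date": "2024-03-06", "amount": 1_200, "invoice": "G-3", "desc": "Misc expenses"},
]

def shared_attribute(vendors, key):
    """Vendors sharing the same normalized value for `key` (e.g. address or bank account)."""
    groups = defaultdict(list)
    for v in vendors:
        groups[v[key].lower().strip()].append(v["id"])
    return {k: ids for k, ids in groups.items() if len(ids) > 1}

def split_payments(payments, limit):
    """Same vendor, same day: each payment below `limit`, but the day's total reaches it."""
    groups = defaultdict(list)
    for p in payments:
        groups[(p["vendor"], p["date"])].append(p)
    flagged = {}
    for (vendor, date), ps in groups.items():
        if len(ps) > 1 and all(p["amount"] < limit for p in ps) and sum(p["amount"] for p in ps) >= limit:
            flagged[(vendor, date)] = sorted(p["invoice"] for p in ps)
    return flagged

def duplicate_payments(payments):
    """Same vendor, invoice number and amount paid more than once."""
    counts = Counter((p["vendor"], p["invoice"], p["amount"]) for p in payments)
    return {k: n for k, n in counts.items() if n > 1}

def generic_descriptions(payments, terms):
    """Claims whose description is empty or made only of generic words (no item, quantity or reference)."""
    def words(desc):
        return {w.strip(",.").lower() for w in desc.split()}
    return [p["invoice"] for p in payments if words(p["desc"]) <= terms]
```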
  • Frequent compliance audit

    Frequent compliance audit is a critical part of ongoing monitoring

    Having audit provisions in the performance contract is important for companies to ensure audits are conducted in a timely manner. They require the third party to:

    • Obey the relevant national and local laws and regulations
    • Comply with the company's ethical policies
    • Agree to regular audits or reviews

    The provisions also demonstrate to the third party the importance of maintaining an ethical business and of providing full and transparent information on all business dealings conducted on behalf of the company.

    Audits and reviews should go deep enough to include the beneficial ownership of the third party and its reputation.

    Lastly, there must be an incentive for compliance or a threat of disengagement for non-compliance.