How to Manage Vendor Risks

Whether we like it or not, all businesses have to deal with outside third-party vendors.  Many business professionals understand the risks in dealing with vendors, but do not have processes in place to mitigate those risks.  Managing vendor relationships is key to a business's long-term success.  As business becomes more global, managing vendor relationships is becoming more and more important.

The Association of Certified Fraud Examiners (“ACFE”) published an article by Mark Scott, J.D., CFE, which outlined various considerations one should take into account when dealing with vendors:

Due Diligence Basics for Selecting Qualified Vendors

The evaluation of a potential vendor might include the following measures:

  • Checking the vendor against government watchlists (e.g., the General Services Administration’s Excluded Parties List System, the Office of Foreign Assets Control’s List of Specially Designated Nationals and Blocked Persons List, and the Bureau of Industry and Security’s Denied Persons List)
  • Reviewing the vendor’s corporate registry records
  • Searching politically exposed persons (PEP) databases, if conducting business internationally, to assess whether the vendor and its personnel are connected with foreign governments; PEPs are individuals (e.g., politicians, government officials, legal officials, and high-ranking military officers) who might be or have been in a position of political authority
  • Verifying the vendor’s key employees
  • Searching the vendor’s corporate records to determine what other companies the key employees have been involved with
  • Verifying the vendor’s insurance
  • Verifying any professional licenses held by the key personnel
  • Confirming the vendor’s physical addresses (e.g., use online tools to check addresses, conduct reverse address searches, etc.)
  • Performing site visits at the vendor’s principal place of business
  • Testing the reputation of the vendor and its key individuals (e.g., ask those in the industry about the vendor to gauge the vendor’s overall reputation for integrity)
  • Conducting a media analysis of the vendor and its key employees
  • Conducting interviews with the vendor’s employees
  • Requiring a W-9 form from the vendor
  • Reviewing the vendor’s policies and procedures on fraud, governance and compliance
  • Reviewing the vendor’s financial data
  • Reviewing the vendor’s banking information

Other information that might be valuable to a vendor due diligence investigation includes:

  • When the business began
  • Company profile and strategy
  • Form of business
  • Information about the vendor’s customers (e.g., the diversity of customers the vendor serves)
  • Staff size
  • Locations of facilities
  • Financial stability
  • Company specialization
  • Delivery track record
  • Involvement in the community
  • Process for reporting problems or asking questions

Potential Due Diligence Red Flags

Due diligence in vendor selection might reveal any of the following red flags, suggesting that a potential vendor is not qualified:

  • Inadequate financial resources
  • A poor record of performance
  • Reputation for dishonesty
  • Prior complaints or criminal or civil actions
  • History of fraudulent conduct
  • Undisclosed outside business interests or front companies owned by an employee of the purchasing entity
  • Vendor has family ties with an employee of the purchasing entity
  • Vendor offers a deal that is too good to be true
  • Business model does not “make sense”

Once the initial due diligence is conducted, it is important to constantly monitor vendors.  The ACFE article suggests the following:

Ongoing Due Diligence Monitoring

Organizations can face significant risks if their vendor relationships are not carefully monitored; therefore, management should establish processes to review vendor risks on an ongoing basis.

The procedures used to monitor vendors should be similar to those used to evaluate potential vendors, and they should be based on areas that pose the greatest threat. That is, vendor risks should be assessed as they relate to the organization’s objectives.

Additionally, management should employ processes and controls to track and monitor red flags of any vendor-related fraud schemes that pose significant risks. For example, management may establish controls to monitor red flags of vendor-related frauds, such as whether a vendor:

  • Makes payments of unjustified high prices or price increases for common goods or services
  • Does not relate well to other contractors
  • Lists an address, telephone number or zip code that matches an employee’s address, an employee’s outside business or the address of an employee’s relative.
  • Provides an incomplete address (e.g., only a P.O. Box, no telephone number or no street address)
  • Lists multiple addresses
  • Has a reputation for corruption (or similarly, its industry or country of operation has a reputation for corruption)
  • Is not on the purchasing entity’s approved-contractor list
  • Lacks transparency in its accounting records

Similarly, purchasing entities should monitor the application of the accounts payable policies on vendor master files. The vendor master file is a database that contains a record of all vendors with whom an organization conducts business, and it will contain records for purchasing functions (e.g., vendor name and address, contact information and purchasing terms) and accounts payable functions (e.g., the purchasing terms, remittance address and general ledger account number). Vendor master file records should be reviewed on a regular basis for:

  • Inactive accounts
  • Duplicate vendors
  • Vendors with incomplete records
  • Accuracy issues
  • File format errors
  • Vendors with multiple remit-to addresses
  • Inconsistent naming conventions
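
The master-file review items and the employee-address red flag listed above can be run as a periodic data check. The following is an added example, not code from the ACFE article or this blog; the field names, sample records and normalization rules are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records (not real data); field names are assumptions.
VENDORS = [
    {"id": "V001", "name": "Acme Supply, Inc.", "address": "100 Main St", "phone": "555-0100", "remit_to": "100 Main St"},
    {"id": "V002", "name": "ACME SUPPLY INC", "address": "100 Main Street", "phone": "555-0100", "remit_to": "PO Box 77"},
    {"id": "V003", "name": "Northside Consulting", "address": "P.O. Box 12", "phone": "", "remit_to": "P.O. Box 12"},
    {"id": "V004", "name": "Delta Parts LLC", "address": "42 Oak Ave", "phone": "555-0142", "remit_to": "42 Oak Ave"},
]
EMPLOYEES = [{"id": "E17", "address": "42 Oak Avenue", "phone": "555-0199"}]

SUFFIXES = {"inc", "llc", "ltd", "corp", "co"}
ABBREV = {"street": "st", "avenue": "ave", "road": "rd"}

def _words(text):
    return re.sub(r"[^a-z0-9 ]", "", text.lower()).split()

def norm_name(name):
    # Ignore case, punctuation and legal suffixes so naming variants collapse.
    return " ".join(w for w in _words(name) if w not in SUFFIXES)

def norm_addr(addr):
    # Fold common street-type spellings so "Avenue" and "Ave" compare equal.
    return " ".join(ABBREV.get(w, w) for w in _words(addr))

def review(vendors, employees):
    """Return {vendor_id: sorted list of finding names} for flagged vendors."""
    findings = defaultdict(set)
    by_name, remit = defaultdict(list), defaultdict(set)
    emp_addr = {norm_addr(e["address"]) for e in employees}
    emp_phone = {re.sub(r"\D", "", e["phone"]) for e in employees}
    for v in vendors:
        key = norm_name(v["name"])
        by_name[key].append(v["id"])
        remit[key].add(norm_addr(v["remit_to"]))
        addr, phone = norm_addr(v["address"]), re.sub(r"\D", "", v["phone"])
        # Incomplete: no phone, no address, or only a P.O. Box.
        if not phone or not addr or addr.startswith("po box"):
            findings[v["id"]].add("incomplete_address")
        if addr in emp_addr or (phone and phone in emp_phone):
            findings[v["id"]].add("matches_employee")
    for key, ids in by_name.items():
        for vid in ids:
            if len(ids) > 1:
                findings[vid].add("duplicate_vendor")
            if len(remit[key]) > 1:
                findings[vid].add("multiple_remit_to")
    return {vid: sorted(f) for vid, f in findings.items()}
```

Each finding is a prompt for manual review of the record, not a conclusion about the vendor.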

It is important to remember that vendor relationships need to be scrutinized and monitored in the normal course of business in order to mitigate potential risks.

Permanent link to this article: https://betweenthenumbers.net/2012/03/how-to-manage-vendor-risks/
