Ron Steinkamp, Partner in Charge, Public Sector Advisory Services, discussed key contract risks facing organizations in the public and private sector; and what can be done to actively and effectively manage these risks in the latest Missouri Municipal League Review.
Government organizations rely on outside third-parties to provide the goods and services they need to operate effectively. Contracting with an outside third-party exposes these organizations to significant risks. Picture these scenarios:
- A contractor prepared and submitted inflated invoices and false change orders for labor and materials on a project to build a water treatment plant for a State agency resulting in overbilling of $4.8 million.
- A municipal government contracted with a fire safety company to annually inspect and re-size firefighter safety equipment. However, the company failed to perform this critical function, putting the safety of firefighters in jeopardy.
- A freight merchant submitted false fuel and weight claims to the U.S. Government totaling $13 million for oversized air shipments when the standard load was actually delivered via ground transport.
Scenarios like these are just a few of the many risks affecting organizations that work with third-party vendors. As Government organizations continue to rely on outside suppliers or service providers, their exposure to risk and fraud increases.
You might be asking, "What measures could these organizations have taken to prevent and detect these scenarios?" If you're unsure how to tackle this question, you are not alone. The truth is for many organizations, there is uncertainty regarding what actions to take to mitigate risk. A 2014 national study showed that while more than 65 percent of organizations rely heavily on third-party relationships, a large majority fail to allocate resources to assess potential associated risks.
7 common risks of third-party relationships
Navigating a third-party relationship is complicated for organizations in any industry, but especially in Government. Risks connected with third-party contracts pose a significant challenge to organizations of all types and sizes. Every organization should be aware of and actively manage some of the most common third-party contract risks:
- Reputation—Third-party contractor damages the reputation of the organization through their actions, or lack thereof.
- Performance—Third-party contractor fails to meet timelines and/or fails to perform in accordance with terms of the contract.
- Compliance—Third-party contractor fails to comply with laws and regulations governing the performance of the contract.
- Non-Conforming Goods—Third-party contractor delivers goods or services not conforming to contract specifications.
- Change Order Abuse—Third-party contractor increases the price or extends and expands the contract scope through the use of multiple change orders.
- Cost Mischarging—Third-party contractor charges the organization for costs (material or labor) not allowable, reasonable or allocable to the contract.
- Data Breaches—Third-party contractor, either intentionally or through the ineffectiveness of its information technology security and controls, mismanages critical organization or customer data.
How to manage the risks
The harsh reality is many organizations do not have the necessary processes or safeguards in place to address key third-party contract risks. Many organizations struggle with grasping the complexities involved in a contract review. Establishing comprehensive procedures within an organization to ensure compliance of the contractor or supplier against the contract terms and conditions does not happen overnight. To avoid paying the price down the road, start managing third-party contract relationships before signing on the dotted line. It is critical to take the following actions to protect your organization:
- Include a "right to audit" clause – Make sure every contract signed has a "right to audit" clause included in the terms and conditions. The "right to audit" clause not only provides you with the contractual and legal right to conduct an audit of the outside parties compliance with the contract, but also puts them on notice that their records are subject to an audit and acts as a preventative control. The Association of Certified Fraud Examiners (ACFE) provides a sample "right to audit" clause that could be used as a starting point for developing your own.
- Educate and empower employees – Employees who play a role in your third-party contract relationships should be educated on the critical terms and conditions of each contract and empowered to ask questions. Provide them with an understanding of the risks as well as the knowledge and ability to review and question invoices, change orders and good/service delivery.
- Review internal controls – Ensure your
internal checks and balances have been designed and are operating
effectively to protect your organization from errors or potential
wrongdoing by outside third-parties. Some key controls include
making sure there is a formal process with proper segregation of
duties for reviewing and approving:
- Change orders
- Invoices/payment applications
- Receipt/acceptance of goods and services
- Assign a contract monitor – An employee
or employees (depending on number of contracts) should be assigned
the role of contract monitor. Duties the contract monitor should
- Identifying critical terms, compliance requirements, scope, timelines, and deliverables.
- Assessing and monitoring the risks in the contract.
- Establishing processes and internal controls to manage the risks.
- Tracking and monitoring contract compliance, progress and timelines.
- Ensuring goods/services are delivered in accordance with the contract.
- Conduct periodic contract audits – Exercise the "right to audit" clause and include contract audit responsibilities within the scope of your Internal Audit function or periodically contract with professional auditors to audit contracts for compliance and performance.
4 key steps to conducting a successful contract audit
If you currently rely on third-party contractors or recently signed a contract, it is not too late for your team to conduct a contract audit. Proper risk management through a contract audit is critical to reign in risk especially with organizations facing a myriad of security breaches in today's evolving technological environment. Conducting a contract audit can be a daunting task, but with the right approach, you can keep your organization out of harm's way. Here are four key steps to conducting a successful contract audit:
- Contract assessment and prioritization—Identify all key third-party contracts and risk factors. Assess each contract based on risk and prioritize. Based on the prioritization, determine which of the higher risk contracts you would like to audit and develop an audit schedule
- Contract audit planning—Review the contract and identify scope of work, terms and conditions, applicable laws and regulations and payment terms. Develop an audit plan focused on compliance, payments, performance and change orders.
- Audit execution
- Compliance review—Review contractor compliance with terms and conditions as well as applicable laws and regulations. Examples include insurance, prevailing wage, diversity, bonding, lien waivers, permits and taxes.
- Payment review—Review contractor
invoices/payments for the following:
- Compliance with contract terms
- Appropriateness of labor, material, equipment, insurance, taxes, markups and other changes
- Adequacy, accuracy and completeness of support
- Duplicate and/or inappropriate charges
- Integrity, accuracy and appropriateness of subcontractor invoices
- Proper and timely payments to subcontractors
- Appropriateness of retainage (if applicable)
- Performance review—Review key performance criteria based on contract specifications and deliverables including material specifications, level/expertise of labor, quality of deliverables and delivery timelines.
- Change order review—Review change orders for compliance with contract terms and accuracy, including change orders that are appropriate, priced correctly and not duplicative.
- Reporting—Report back to management on issues and make recommendations to resolve them.
How confident are you with your organization's third-party risk management processes and controls? To avoid harmful risks, confidence in your organization's efforts is key to stay in front of potential errors and fraud. No one likes to be taken advantage of, but unfortunately, this can happen when dealing with third-party contractors. Take the lead now in order to equip your organization with the right tools to monitor contracts. Ultimately, mistakes will be made, but your organization can save face and dollars by consistently monitoring third-party relationships to avoid potential errors.
For more information, please contact Ron Steinkamp, Partner in Charge, Public Sector Advisory Services, at 314.983.1238 or firstname.lastname@example.org.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.