Ensuring vendor contracts contain audit rights and making sure the board is thinking through controls environment are key ways to minimize risk
Today is the deadline for companies to submit their second annual report on the presence of conflict minerals in their supply chains. In an article for the Wall Street Journal’s CFO Journal, Deloitte & Touche partner Kristen Sullivan notes that in the first year of the compliance regime just one quarter of companies disclosed the smelter or refiner where conflict minerals in their products were processed, despite the SEC’s rule requiring this information. She says she expects ‘much more attention around the disclosure of facilities in year two reporting’, in part because of increased scrutiny by leading NGOs.
Given the approaching deadline, it’s understandable that conflict minerals should be first among companies’ supply chain concerns. But there’s another supply chain risk that demands more attention: fraud. In a recent poll of more than 2,000 professionals conducted by Deloitte Financial Advisory Services, almost 23 percent of respondents say employees are the number one source of supply chain fraud risk, compared with 17.4 percent who name vendors and 20.1 percent who cite other third parties. Where employees are involved, fraud can take the shape of setting up a ghost vendor where payments are extracted from the company for goods and services that were never received or kickbacks in exchange for rigging bids for certain vendors, says Larry Kivett, a partner at Deloitte Financial Advisory Services.
Just under 29 percent of respondents say their company experienced fraud within their supply chain during the prior year, which Kivett says seems low, considering that only 38 percent say their company has a program in place to prevent or detect fraud in its supply chain. In working with clients, Deloitte focuses on what due diligence processes they have to monitor third-party relationships. Before entering into a relationship, clients are advised to understand as much as they can about who the principal parties are. For example, do they appear on lists of politically exposed persons?
Once a relationship has been established, companies need to continually monitor changes in their supplier base. If you have a lot of vendors, you should consider refreshing with some frequency those that provide certain types of services, operate in key geographic areas or with whom you have a close strategic fit based on how much you rely on them or the amount of money involved in the service contracts, Kivett explains.
One leading practice to prevent fraud is to make sure there are audit rights in your contract with a vendor ‘that allow you to go back and analyze the detailed billings you’re receiving from that third party,’ he notes. To encourage employees to disclose conflicts of interest they may have – for example, an ownership stake in a third party that provides services to the employee's company or a spouse employed by such a vendor – the company must make sure employees are aware that they are required to disclose such information and that a mechanism is provided for doing so, Kivett says.
There are also key things the board can do to prevent or minimize the risk of fraud, particularly at firms whose risk profiles are higher because they have experienced fraud within the past year. ‘If I’m a board member, I’d want to have an understanding of what management is doing in order to evaluate what the broad risks are and the types of fraud schemes that could be occurring within the supply chain’ and where some of the potential areas of weakness are, Kivett says.
If a certain vendor needs to be removed, the board plays a key role in assessing the strategic impact that may have. In certain cases, such as in the oil and gas sector, there are third-party vendors that operate in very remote regions or offer highly specialized services that make it hard to replace them immediately, Kivett explains. It’s also the board’s responsibility to ‘think through potential control efficiencies, such as whether management is appropriately going through its vendor set-up processes for new vendors coming on board.’
Although the conflict minerals rule may be the most pressing supply chain compliance issue they face, companies need to ensure they have the processes in place to minimize other supply chain risks that are much more common.