High-risk vendors can be an operational nightmare and have a material impact on your business. The key to mitigating this risk is to implement a vendor risk management program that allows you to monitor and identify non-compliant vendors so that you can react and address issues as quickly as possible.
A robust vendor risk management program can leverage third-party relationships to create value across your company through the recovery of inaccurate billings, the identification of control gaps and non-compliance with contract terms, and the protection of your company’s reputation. Through our years of experience working with some of the largest companies in the world to manage their complex vendor ecosystems, we’ve outlined the critical components of a successful vendor risk management program, how audits support success, and an overview of how to evaluate the effectiveness of your program.
An optimal vendor risk management program should include, at a minimum:
1. A comprehensive risk ranking of the company’s vendors which is refreshed regularly
2. Clearly defined controls used to monitor vendors
3. Documented procedures for ongoing oversight and management of vendors
4. Key Performance Indicators (KPIs) to measure the program effectiveness
5. Audits to evaluate vendor compliance
When setting up items #1 through #4 above, organizations should leverage best practices in their industry to ensure that the controls and processes are set up to efficiently address the risk factors specific to their size, industry and vendor environment. Item #5 is a critical component that many organizations overlook – the need to actively monitor vendor compliance.
Why Audit Your Vendors?
Implementing a regular audit program to evaluate the compliance of targeted high-risk vendors can provide valuable business insights, cost recoveries, and uncover areas of non-compliance before they escalate in severity. Vendor audits are performed for a variety of reasons, including:
- Periodic review of vendors who have been identified as high risk to evaluate vendor compliance with contract terms and regulatory requirements
- In cases of known non-compliance, determining the level of misconduct or non-compliance by the vendor
- Gaining insight into the effectiveness of vendor selection, onboarding process, and performance measurement
- Due diligence prior to contract execution or renewal
The critical success factors in a vendor audit program are identifying the right audit targets and implementing an audit program that addresses the key risks in your environment. Getting these two areas right ensures that the company’s internal resources and budget for external audit partners are spent efficiently and effectively.
Typical Vendor Audit Components
Vendor audits are generally focused on a vendor’s risk level and potential impact on your company. These audits typically include some of the following procedures, depending on what triggered the audit:
- A detailed review of the vendor contract to assess the risk areas and understand audit limitations
- An analysis of performance and billing, with a focus on transactions identified as high risk
- Interviews with relevant personnel at the company who are key points of contact with the vendors
- A vendor questionnaire that captures valuable compliance-related information
- Interviews with the vendor’s senior management
- Assessments of the control effectiveness of the vendor’s processes
How Companies Measure the Effectiveness of Their Vendor Management Programs
The saying “You can’t manage what you can’t measure” most certainly applies to measuring the performance of your vendor management program. Some of the key performance indicators to be implemented include the following:
- The frequency of vendor risk assessment and ranking
- The percentage of critical vendors whose contracts have been updated to include or revise certain key clauses. These clauses can be related to revisions/additions of rights to audit, cybersecurity implementations, meeting regulatory requirements, payment terms, and other key areas depending on your company’s supply chain and risk posture.
- The percentage of vendors that have received training sessions or training procedures from your company’s supply chain team
- Cost recoveries through the program’s audits and internal reviews
- The number of control gaps identified at the vendors and the timeline for remediation
A robust vendor management program drives value through managing risk and identifying non-compliance. Vendor audits are an effective method to monitor compliance within a vendor management program. Implementing the right KPIs is critical to measuring the effectiveness of the program and its related audits.
Selecting the right partner can help implement a comprehensive program that utilizes industry best practices and can perform audits to independently evaluate compliance with complex contract terms and identify value while ensuring that the relationship between the company and vendor is not harmed by the process.
Connor Consulting is a leading independent audit firm that specializes in contract and supply chain compliance. Connor is a strategic advisor to industry leaders such as ARM, HDMI, Dolby and many others.
About the Authors
David Gettelman is a director at Connor Consulting Corporation. David has over 10 years of experience in the technology, semiconductor, and consumer electronics industries.
Ana Newman is a manager at Connor Consulting Corporation. Ana has over 7 years of experience in audit, risk, and compliance services across the technology and finance industries.
They have managed hundreds of audits and have helped numerous companies collect lost revenue and improve their control environment and licensee or vendor base relationships. Connor Consulting has global teams with an average experience of 10+ years that specialize in IP royalty audits, third party review, contract compliance, and software asset management and license compliance.