Auditing of third-parties is critical to any best practices compliance program and an important tool in operationalizing your compliance program. This is a key manner in which a company can manage the third-party relationship after the contract is signed and one which the government will expect you to engage in going forward. As stated in the 2020 Update, under the section entitled, Management of Relationships, is the following query, Does the company have audit rights to analyze the books and accounts of third parties, and has the company exercised those rights in the past? This means you must not only have audit rights but also exercise them.
You should plan out the audit four to six weeks in advance, you should perform the audit with your legal counsel’s lead to preserve privilege, work with the Relationship Manager to establish key business contacts, discuss audit rights and processes with the third-party, you should prepare initial document request lists for financial information queries, take the time to review findings from previous audits and resolutions and also review details of opened and closed internal investigations, if there are any Code of Conduct questionnaires available take care to review and, finally, be cognizant of any related DOJ and SEC enforcement actions.
Three key takeaways:
- Be prepared.
- It is not an investigative interview but an audit interview.
- Listen, listen, and listen.
