Can you be sure that your suppliers are on the up and up? Sounds like a job for internal audit.
It’s every company’s worst nightmare: A call comes into corporate communications from a reporter from 60 Minutes looking for a comment for a damaging piece they are airing in few weeks.
That’s exactly what happened to flooring retailer Lumber Liquidators last year. The show ended up running a segment about how the company was selling potentially unsafe laminated flooring in the United States that it sourced from a supplier in China. 60 Minutes, acting on a tip from a short seller, claimed the flooring contained dangerous levels of toxic formaldehyde, a chemical that is known to cause cancer.
Most laminate flooring contains some formaldehyde, but the claims lodged against Lumber Liquidators said the levels in the flooring made by a Chinese supplier exceeded formaldehyde emissions standards set by California. In response to the claim, Lumber Liquidators, which is now facing a class-action lawsuit, pulled all the flooring from its shelves as its stock price tumbled from $70 a share to less than $13.
It wasn’t the first charge that Lumber Liquidators didn’t have a handle on its suppliers. In 2013 the U.S. Department of Justice sued the retailer on another claim: that some of its China flooring suppliers were harvesting timber in eastern Russia, in the habitat of the last remaining Siberian tigers and Amur leopards in the world. It is illegal to import lumber into the U.S. from this region. In October, Lumber Liquidators agreed to pay $13 million to settle the charge.
Certainly, Lumber Liquidators isn’t the first company to take a beating for the unscrupulous business practices of a supplier, nor will it be the last. Companies like Apple, Walmart, and Nike are under constant criticism for the actions of their overseas suppliers. And it’s not just reputational risk; vendor and supplier management is fraught with risks such as corruption, money laundering, product delays, financial fraud, and many others.
Such risks raise plenty of questions: Does your organization effectively identify top supplier risks? Are they high enough up on your company’s risk register? Is internal audit staff properly trained, equipped, and supported to assess the management of risks among top strategic suppliers? Do audit staff have the proper access to test suppliers own risk management processes and controls? How about secondary and tertiary suppliers?
In fact, audit firm KPMG put third-party risk management, including supplier management, near the top of its list of most critical risk-management issues for 2016. “As the role of third parties in companies' interaction with governments has grown and supply chains become more stretched, companies' monitoring of their third parties has become critically important,” the firm wrote in the risk report. “Companies are challenged to identify which of these numerous third parties are putting them at risk.”
A Job for Internal Audit
Internal audit can play a big role in helping companies identify rogue suppliers and help weed out those that put companies at risk. Supply chain performance is increasingly a critical element of competitive advantage. Therefore strategic minded internal audit teams need to be highly involved in ensuring that controls are in place and functioning well and that supply-chain risks are being properly managed.
Another imperative is involving internal audit early on in the planning process. Companies that bring in internal audit to audit processes and controls for mitigating risk in response to risks that have already occurred will be constantly chasing their tails. Internal audit should play a large role on recommending internal controls and processes long before the risks have materialized. In other words, companies should be proactive in leveraging internal audit in supplier risk management, not reactive.
Companies that don’t fully involve internal audit in their supplier risk-management processes do so at their peril. They also increase the chances that 60 Minutes could come calling with a few very tough questions to answer.
Joseph McCafferty is head of audit content for MIS Training Institute. He can be reached at firstname.lastname@example.org.