You know the age old joke right? Suppliers, vendors, or third parties as they are commonly known, have become an integral part of business operations for most organizations. Wal-Mart utilizes over 60,000 of them, while Boeing has over 21,000. Know how many suppliers it takes to make pencils? Even the Dixon Ticonderoga Company has thousands. Alright, they do much more than change light bulbs as each has its critical role in the supply chain of large, complex organizations. The question I want to pose today though is if you are the Internal Audit (IA) group for one of these companies using thousands of vendors or suppliers, how do you audit such complex third party management and supply chain programs?
Understanding complex supply chains is challenging enough, let alone trying to audit them. Even some of the simplest supply chains often include third parties, fourth parties, fifth parties, partners and more - and their inter-relationships are mind-numbing. Why is auditing an organization's supply chain so important? It's because controlling supply chain risk is absolutely critical and top of mind for boards of directors, risk groups and regulators. The myriad of studies done by advisory firms, universities and the supply chain industry itself all come to similar conclusions. For example, a recent PricewaterhouseCoopers (PwC) analysis shows that businesses that experienced supply chain disruptions experienced steeper shareholder value drops than their peers; more intense stock price volatility; and deeper declines in return on sales and assets. To further complicate matters, supply chains are not getting simpler - they're getting more complex and this is true globally. Furthermore, there isn't parity in supply chain disciplines around the world. For example, US companies are applying greater regulatory scrutiny to business operations and supplier integrity, while there are more supply chain issues with companies in developing countries.
So how does IA go about auditing their organization's supply chain to mitigate risk? Here are a few ideas.
First of all, IA should ensure they have supply chain expertise on their team or external experts they can leverage. IA must then understand their role versus that of management. It's management's job to implement a supply chain framework and program that includes a strategy and approach to manage the best suppliers that will enable them to successfully achieve their business objectives. IA can work with business leaders to develop this supply chain program, but ultimately management owns it. The program must include end-to-end risk management across the entire supply chain.
Each time the supply chain program is audited, IA should ensure it is implemented and functioning as intended. One way to do this is for IA to evaluate a sample of vendors by risk or criticality to the organization according to procedures set forth in the supply chain program. This may include leveraging key risk indicators to identify any troubled vendors within the supply chain. As part of their review, it is important for IA not to just focus on controls, but to evaluate strategies as well. Basic blocking and tackling (onboarding, managing, monitoring, correcting) is critical to any supply chain program, but evaluating supply chain performance from a strategic and holistic perspective is critical. IA must also ensure the program aligns with corporate objectives, addresses risks and considers compliance obligations.
I will conclude with a simple anecdote that illustrates the point. A Harvard Business Review study showed that ever since retailers equipped their cash registers with bar code scanners, they promised a brave new world of supply chain management. Stores would automatically track the flow of goods and electronically transmit precise replenishment orders. Suppliers would synchronize their production schedules to real-time demand data. Fewer goods would sit around in warehouses; fewer customers would find products out of stock. However, in an in-depth study of 35 leading retailers, it was discovered that the data was often wildly inaccurate. The executives at one company with a reputation for expert data handling estimated that their data were “99% accurate.” Physical audits, however, showed that inventory levels were way off the mark for two-thirds of the stores, and it was estimated that those errors reduced the company’s overall profits by 10% through unnecessary inventory carrying costs and lost sales from out-of-stock items, or stock outs.
Although a good supply chain program or structure is in place, audits may show otherwise. It is critical for IA to understand its company's supply chain, focus not only on the structure and program but perform audits to validate results. For more information, contact me at Patrick.potter@rsa.com
