Do you want to access the full text of articles?

Please see our digital edition archive for the full text of articles.

Alternatively:

If you are a Chartered Accountants Ireland member, please visit the RIS service where Accountancy Ireland is available free of charge via the EBSCO databases.

If you are an Accountancy Ireland subscriber (i.e. you pay each year to receive your copy of Accountancy Ireland) please contact our Subscriptions Department quoting your subscription number and include details of the article you want.

All other users should enquire from their local public or college library about accessing full text Accountancy Ireland articles.


Contract Risks - RM in an Increasingly Complex Environment

Author: Liam McCaul

How proactive and comprehensive is your company’s assurance coverage over the exposures in this increasingly complex area?

Most facets of a company’s business are guided by contracts. For example, customer agreements, distribution agreements and licensing of property are all situations where companies are directly impacted by contracts. Globalisation and the trend to outsource non-core business processes have also contributed to the increasing use and importance of contracts. As a result, the number of contracts a typical company employs has increased substantially.

Contracts have also become increasingly complex for companies from a legal and technical perspective. As the number and complexity of contracts increases, so does the volume of risks associated with those contracts. Consequently, managing the risks of noncompliance with contractual requirements has become an increasingly important focus for management and for Internal Audit.

Understanding Contract Risk and the Importance of Strong Contract Controls

Improving controls over contract risks should be a focus area for most companies. In their recent study, The Contract Management Benchmark Report, the Aberdeen Group states, “ineffective management of supplier contracts costs businesses $153 billion per year in missed savings opportunities.”

However, under most corporate risk management structures, contract risks are often not addressed using a systematic approach.

For example, in a December 2006 Ernst & Young survey of 140 financial executives, only 52% of respondents considered their controls to be either very effective or effective. Of the remaining respondents, 22% “did not know” how effective their controls were and 26% of respondents indicated that their contracts controls represented an “opportunity for improvement”.

These survey results reinforce the need for management and key stakeholders to focus on improving controls over this important high risk area and to ensure appropriate monitoring activities (either through Internal Audit or a separate Contract Risk Framework and monitoring program) are in place.

Contract risk is increasing, driven mainly by the following factors: -The increasing trend towards outsourcing and reliance on third parties for various activities. For example, logistics, manufacturing, payroll, and IT. -The increasing number of patents, copyrights and trademarks and the subsequent licensing of intellectual property. To more fully exploit newly developed technology, companies are licensing the intellectual property to a host of partners rather than developing the production and sales infrastructure internally. -The increasing complexity related to globalisation. Geopolitical, environmental, and regulatory risks as well as operational and business risks on a country by country basis need to be considered when developing contractual agreements. -The growing number of business affiliations and franchise businesses. Joint ventures and partnerships have become commonplace as an efficient method to enter new markets or launch new products and services. These arrangements have a high potential to result in contractual issues. -The increasing speed of change. It is highly likely that the processes, personnel, and controls in place at the inception of a contract will have changed by its expiration. The static nature of a contract versus the ever-changing business environment increases the likelihood of contract issues arising.

In addition to these factors, the inherent nature of the contracting process increases the likelihood of contract non-compliance. Most companies have strong internal controls around the initiation of contracts. But many companies do not always have a similar focus on the controls required for the administration phase of contracts.

As a result, managing the risk of non-compliance with contractual requirements has increased in importance. The irony is, under most corporate risk management structures, contract risks are often not addressed using a systematic approach. Indeed, a recurring theme in many contracts is a reliance on trust to mitigate contract risk.

Is Management of Contract Risk Through Relying on Trust Acceptable?

A basic expectation of any contract is that each party to the contract will honour their commitments in the agreement. In order to minimize inadvertent or intentional noncompliance, both parties need to establish systems and processes to monitor compliance with contractual commitments and to exchange information. The compilation, processing and dissemination of contractual information relies on an open and free exchange which helps each party monitor the status of the contractual relationship and identify any issues or areas of noncompliance.

Ideally, data anomalies or compliance discrepancies identified can be quickly addressed and resolved and both parties will adhere to the contract and exercise good business practice. But this is not always the case. Very often, contract related problems stem from a lack of transparency between parties. This fundamental contract problem could arise for several reasons, including: -One party may be reluctant to provide information for confidentiality reasons; -One party may not have personnel at the proper level or skill to oversee the contract commitments; and -One party may not have the processes and systems to generate the desired information. For example, the contract may allow deduction of actual expenses incurred but the contracting party, due to systems and to meet financial reporting timelines, uses estimates.

Without properly designed and operating controls and monitoring systems, the parties to the contract must trust each other’s integrity, systems, interpretations and calculations. However, trust cannot replace good corporate governance. Relying on trust may put companies in the unenviable position of having to defend against claims suggesting management failed in its responsibilities by trusting an outside party instead of performing due diligence and implementing proper monitoring controls.

It is unlikely that key stakeholders will accept as justification that management trust the other party. How would shareholders or board members of a pharmaceutical company react if they were to discover that trust was the only control in place to prevent a contract manufacturer or wholesaler from distributing medications under the pharmaceutical company’s label?

While trust between two parties under a mutual contract is good, it is not – nor should it be – the sole defence against contract risks. All contractual relationships can benefit from a periodic objective review. However, such monitoring control activity should be risk focused and can be achieved through Internal Audit coverage or through a separate Contract Risk Framework and monitoring program.

Key Elements of a Contract Risk Framework

Leading companies are taking a broader view of their contractual environment and are working to identify the major contract risks impacting the business. This can be achieved through implementing a Contract Risk Framework that proactively addresses contract risks, by prioritising the most important risks, providing recommendations for control and process improvement, as well as aligning the risks with appropriate monitoring procedures. Key element of such a framework would include:

(a) Contract Risk Assessment The foundation of the framework is a contract risk assessment, to understand the key legal and business risk factors associated with each party and contract type and to identify the areas of focus for a subsequent audit and improvement plan. A risk assessment approach covers both financial and nonfinancial contract provisions and typically identifies areas of high impact while considering the likelihood of occurrence.

To appropriately evaluate a company’s contract portfolio, all contracts and associated amendments need to be identified. This includes both revenue and expense related contracts. It also includes contracts entered into by divisions, business units, foreign subsidiaries, functional area, or any other entity within the company. If there is no contract administration function, or centralised contract repository, a good starting point is the legal department or an analysis of sales and payables ledgers to determine active relationships. Once the inventory has been compiled it needs to be maintained on a regular basis.

An effective way to develop a risk assessment of a contract portfolio is to separate the risks into three areas; transactional accounting, operational, and legal/regulatory.

-The key transactional accounting risks are whether revenues or expenses have been recorded appropriately. For example, when ordering from a contract manufacturer has the proper payable amount been accrued, or when collecting royalties has the licensee over or under reported? -Within the area of operations, risks include those related to the failure to adhere to contract performance requirements. A contract manufacturer may not have sourced supplies from a required vendor, or may have adopted working conditions that violate appropriate standards. -The third area involves risks associated with non-compliance with regulatory and/or environmental requirements which may result in reputational risks and monetary fines. For example, the European Union has strict requirements around pricing of pharmaceutical products among member countries. If a pharmaceutical company uses channel distributors to facilitate getting product to market, the company needs to verify that its pricing does not facilitate inappropriate activities by the distributor.

There are a variety of options that can be used to evaluate these risks. Higher risk weighting can be assigned to those contracts with the highest monetary throughput, or can be assigned to sales versus supply contracts. Ultimately, the appropriate assessment approach will depend on the particular company and the industry.

As the assessment is performed, processes and controls are compared to leading practices to identify improvement recommendations. Often, these improvements may be implemented immediately and, in many cases, result in revenue enhancement or cost reduction.

(b) Monitoring Process To effectively mitigate the risks identified in the assessment phase a formal monitoring process should be implemented. The sheer volume of contracts will preclude the ability to monitor the entire contract portfolio. Instead, it is necessary to weight the risks and allocate monitoring resources appropriately.

For each contract reviewed, it is important to develop and perform compliance verification procedures through systems reviews, data extraction and data analysis. The intent of this step is to verify accuracy, relevance, and completeness of reported information, as well as identify issues and concerns for further testing. For example, a common analysis is to compare internal reports with reports that were provided to the company. The types of analysis will vary depending on the type of contract under review.

(c) Communicate Results of Monitoring Activities As a last step, communicate the results of the review to key stakeholders including relevant management responsible for the contractual relationship being reviewed, appropriate senior management and, as required, legal department personnel. The results of a review typically include any compliance or monetary findings as well as a summary of improvement ideas.

With many contracts, there may still be inherent risks that cannot be covered directly by company personnel due to lack of transparency or cooperation from the contracting party. In those cases, having a robust compliance program implemented by an independent party to address these risks may serve to reduce these risks to a tolerable level.

A company’s Contract Risk Framework should also be subject to review by the company’s Internal Audit function. In the absence of a Contract Risk Framework, appropriate consideration should be given to contract risk in the company’s Internal Audit risk assessment and planning process.

In Summary

Contracts expose a company to unique risks that extend beyond typical controls. However, many companies’ response to managing these risks has been neither systematic nor comprehensive. As the volume and complexity of contracts increase, this is becoming a major risk exposure for many companies. To protect company and shareholder interests, companies need to be proactive in assessing their contract risks. Using Internal Audit or a separate Contract Risk Framework, Companies should consider a periodic operational audit program of the contract process, assessment of the contract controls and a review of certain key contracts. By taking a proactive approach to contract risk, companies help mitigate contractual risks while making improvements that will enhance the business through increasing revenues or reducing costs.

Click here to subscribe to Accountancy Ireland.