As the compliance and regulatory world becomes increasingly complex with every passing year, many tax-exempt organizations are seeking outside consulting help. This is a sound strategy: it allows organizations to do what they do best, fulfilling their tax-exempt mission, without spending time processing payroll, retirement distributions, billings and collections, and so on. The strategy can also produce significant cost savings, since organizations can select a value-based outside consulting option, which typically comes at a much lower price than hiring internal experts. But having an outside partner is not the same as putting things on autopilot and forgetting about them. In most cases, the organization still has a responsibility to safeguard assets and ensure compliance and accurate reporting, even when the task is performed by another party. So how does one effectively manage third parties?
The first step is assessing the risk involved with each third-party vendor. Whether it’s a scoring rubric, a yes/no checklist, or another tool, the few simple questions to ask are: Does this vendor have access to my customer/client, employee, or financial data? What type of data (sensitive, protected, etc.), and to what extent? If there were an interruption in the vendor’s service, how long could we manage without experiencing severe consequences or sustaining significant financial loss? If, for instance, the organization’s monthly billing is done by a third party, an interruption in service that lasts a few days may not be as critical as losing access to daily patient data on a platform maintained by a third party. The frequency of vendor risk assessments can vary and should be set based on the organization’s growth, changing strategies, the addition of new business lines, etc. Organizations that grow more quickly are more likely to require an annual assessment, as opposed to mature organizations that may be growing at a slower pace. Other items to consider are regulatory requirements, as each carries a different set of associated expectations. For example, vendor due diligence expectations for a retirement plan sponsored by a tax-exempt organization may differ based on the number of eligible plan participants (100 or more versus fewer than 100). Similarly, expectations for organizations utilizing third-party investment managers increase as the size and complexity of their investment portfolio increases.
Once the critical vendors for the organization have been identified, it is time to think about the specific due diligence procedures. While the list below is not all-inclusive, here are a few ideas to get you started:
- Meet with the vendor annually to discuss needs and strategy. If the vendor is managing your organization’s client/customer data, what are they doing to secure that data? What are the new and upcoming regulatory changes, and how are they preparing for them? More importantly, how would they help your organization prepare for them? Consider discussing your organization’s strategic goals; the vendor’s application, technology, or services that work for the organization today may differ from the ones that will be needed tomorrow. Periodic meetings with the vendor also give you a perfect opportunity to inquire about any areas of concern at the vendor level (turnover, capacity, etc.) that may impact your organization by extension.
- Ask for and review the vendor’s Service Organization Controls (SOC) 1 report. Many service providers, such as payroll providers, billing processors, investment managers, and retirement plan third-party administrators, are examined by an independent auditor on an annual basis. The auditor reviews and tests specific controls at the vendor and provides an opinion as to whether the checks and balances at the vendor were designed and operated as intended. While SOC 1 reports can be lengthy, reviewing them doesn’t have to be overwhelming. Start by reviewing the opinion to ensure it doesn’t include any exceptions or modifications. If the opinion is “clean”, take a look at the testing exceptions noted by the vendor’s auditor. Are any of the exceptions relevant to the functions the vendor performs for your organization? If so, do you have internal controls that would have detected and corrected any impact on your end? Consider discussing the audit exceptions with the vendor and understanding the steps they are taking to address them in the future.
- Ensure there are strong controls over the input information your organization provides to the vendor. In most cases, the vendor does not verify the completeness or accuracy of the information your organization supplies. Even if the vendor has strong checks and balances in place, the output will only be as accurate as the input. Typically, the SOC 1 report includes a list of complementary user entity controls that the vendor assumes your tax-exempt organization has in place. Consider reviewing those on an annual basis and ensuring they have been properly implemented.
- Review your contractual agreements and ensure that the vendor has a responsibility to notify you of any fraud, noncompliance with laws and regulations, adverse actions, etc. within a defined timeframe, so your organization has an opportunity to take action before it is too late.
Your vendor can be a valuable partner in growing your business and retaining your best employees. Vendor management doesn’t have to be complicated or overwhelming. If you need further guidance or have any questions on this topic, we’re here to help. Please do not hesitate to reach out to our trusted experts to discuss your specific situation.
This material has been prepared for general, informational purposes only and is not intended to provide, and should not be relied on for, tax, legal or accounting advice. Should you require any such advice, please contact us directly. The information contained herein does not create, and your review or use of the information does not constitute, an accountant-client relationship.