Internal Audit has a key role to play as part of an organisation's approach to managing risk in the supply chain
Reading this article and answering the related questions can count towards your verifiable CPD if you are following the unit route to CPD and the content is relevant to your learning and development needs. One hour of learning equates to one unit of CPD. We suggest you use this as a guide when allocating yourself CPD units
"A supply chain is made up of interconnected parts of a whole, all of which add up to finished products bought by customers. Before a consumer buys a car, iron ore is extracted from the earth. The ore is transported to a plant, where it's turned into steel, which is made into the chassis of the automobile. To make the car, various components from engines to batteries, electrical components, rubber tires, a metal body, and paint are assembled. Once the car is made, it's sold in a retail setting to the end consumer."(1)
From a management perspective, securing the supply chain presents organisations with two key issues; how to ensure a cost effective and resilient supply of goods and services, and how to manage the digital risk associated with this activity. In the increasingly interconnected world of modern business, companies often integrate elements of their data and systems with their suppliers.
While Cyber Security is not the intended focus of this article, it is a key consideration for Supply Chain Management. If the supplier suffers a data breach, how does that impact the organisation?
Suppliers can pose various risks to an organisation's cyber security, for example in terms of:
- Allowing third-party access to an organisation's systems, could create a "back door" if not well managed and activity monitored.
- Suppliers could have access to and store the personal data or intellectual property of a client organisation either intentionally or unintentionally.
- If the supplier's systems are compromised, it would increase the opportunity for phishing attacks, viruses or other malware originating from the supplier's systems.
Based on the findings of the UK Government's Cyber Security Breaches Survey for 2022, it appears that while organisations acknowledge a risk, outside of the finance (34%) and information and communications sectors (28%) that have a generally more sophisticated approach to cyber security, overall, relatively few businesses or charities are taking steps to formally review the risks posed by their immediate suppliers (13%) and wider supply chain (7%). Action Fraud estimates that 70% of fraud is "cyber enabled".
Some of your key suppliers may not be of a sufficient mass to have the resources to invest in Enterprise level security systems, or even sufficient knowledge to ensure their systems are patched and their staff trained. In addition to ensuring that the chosen supplier has the requisite skills and capacity to deliver our goods and services, we also need to ensure that if we are leveraging technology to streamline digital interaction, that Cyber Security is given due consideration.
As part of any supplier/client relationship, we need to understand what the digital interconnectivity may look like and the associated risks. To understand this, knowledge of the data we are sharing is key in being able to assess the impact of data loss.
Supply Chain Lifecycle – A Cynics View
For some organisations, the approach to creating and managing a supply chain and/or outsourcing can be summarised as follows:
You may feel this is a somewhat cynical view but sadly it is not - this sort of thing happens far too often.
In the UK alone, business failures have averaged about 4,000 per quarter since the start of the pandemic. What if some were your key suppliers?
In the following paragraphs, we will look at some of the processes that internal auditors will look to see are in place to minimise the supply chain risk.
Supply Chain Mapping
How well do we know the supply chain?
As noted above, the supply chain is split into products and services that we acquire from third parties to support the function of an organisation. However, with each interaction there is also likely to be an exchange of data and information - some of it could be Intellectual Property (IP) or Personally Identifiable Information (PII).
While the supply chain and how it is managed in many instances is a matter for individual organisations, in some sectors such as transport, energy, and public services there is an expectation that they will adhere to guidance as set out in Network and Information Systems (NSI) for organisations that operate the UK's Critical National Infrastructure (CNI). For the rest, there is a requirement to ensure that ethical-based regulations are adhered to including Modern Slavery and ESG requirements.
Although we are no longer in Europe, the new Digital Operational Resilience Act (Regulation (EU) 2022/2554) due to be in place from January 2025 looks to address resilience in the Financial Services sector. DORA - as it is known - is an attempt to address concerns over IT resilience and requires adherence to rules for the protection, detection, containment, recovery and repair capabilities against ICT-related incidents. DORA explicitly refers to ICT risk and sets rules on ICT risk-management, incident reporting, operational resilience testing and ICT third-party risk monitoring.
This Regulation acknowledges that ICT incidents and a lack of operational resilience have the possibility to jeopardise the soundness of the entire financial system, even if there is "adequate" capital for the traditional risk categories.
For UK based organisations that are part of the supply chain of EU affected financial institutions, DORA can and will impact on them in terms of requirements placed on them by their EU based clients.
How well do we know our suppliers?
To fully understand the operations of your suppliers, we need to consider the approach to Supplier Relationship Management and ask some key questions:
- How well do you know your suppliers and who are their strategic partners and subcontractors?
- Who are our main supply partners?
- Do you understand their attitude to business continuity and security and how they manage their own supply chain risks?
- As an organisation, have we identified those suppliers that provide a business-critical service(2) or are a business-critical supplier(3) - there is a difference.
- Do we have a Register of Contracts and is it maintained, complete and up to date.
Identifying those suppliers and supplies that are most important to us should be central to our approach - these require greater attention due to the potential impact that disruption in this area could cause. These may be included on the Risk Register and have a dedicated resource charged with supplier relationship duties.
For these, it is important to work to get to know the organisations, their market and social, economic and political environments in which they operate. We are looking at pro-active monitoring in these cases and a back-up plan.
Supply Chain Management
Do we have an approach?
Dependant on the maturity of the function, we would expect to be able to verify that an organisation has the following processes in place:
- It will have considered its supply chain risk and developed a supply chain strategy that is maintained.
- It will have systems and processes in place to monitor the financial health of its key suppliers.
- It will have a process in place for collecting and analysing data in relation to geo-political, economic, environmental and social sources to flag up potential issues.
- It will have put in place, as the organisation, a set of metrics to help monitor supply and adhere to the chosen approach where raw materials are concerned - for example 'just in time' supply management.
- It will have a defined set of KPI's to monitor and report on performance where services are outsourced.
- With the organisation, there will be an acknowledgement that Supply Chain Management does not exist in a silo and cross function communications will be driven at Board level.
- An organisation in its initial and on-going due diligence will have ensured that the supply chain is an ethical fit and suppliers meet legal requirements and standards, including but not limited to adherence to Modern Slavery Act and Environmental, Social & Governance (ESG) requirements.
- The organisation will have put in place processes to ensure that there is a consistent approach to engaging with key suppliers ensuring that lines of communication are established, used, encouraging two-way dialogue and remain open.
Ultimately Supply Chain Management is about building relationships with suppliers.
Who supplies the suppliers?
Where a data processing agreement provides for limitations in the use of sub-processors without our specific agreement, the same should apply to the Supply Chain. The use of unauthorised and in some cases sub-standard suppliers further down the supply chain renders any due diligence carried out on the lead sub-contractor almost worthless.
When putting our trust in third parties, we need to ensure that they in turn do not use unauthorised suppliers.
Unauthorised subcontracting can create continuity and quality issues and may be in contravention of our ethical policies.
The due diligence process should include:
- Establishing capacity as part of initial due diligence, have we taken any steps to ensure that the supplier(s) have the capability to deliver the volume of goods and services required, including a growth margin when compared to our requirements forecast.
- Sustainability purchasing and sourcing practices that we adhere to need to be mirrored in our supply chain.
- Technology that may be used to enable us to monitor activities within our supply chain, for example access to production planning.
- Right to Audit is included in every contract, and as a minimum for our key suppliers is exercised on a periodic basis.
Risk in the supply chain
Have we assessed risks and vulnerabilities?
Purchasing, Logistics & Production
- Poor inventory management leads to surpluses or shortfalls impacting on cash flow and production.
- Natural Raw Materials - scarcity in supply of natural raw materials can lead to production issues and cost inflation.
- Loss of key supplier impacting availability of finished goods (insolvency increasingly likely during recession).
- Ethical considerations - third parties operating outside expected values and behaviours (for example sub-contractors or suppliers accepting or offering bribes due to local custom and practice).
- Sub-standard quality - production or sourcing of poor-quality parts/goods resulting in recall. As an example, in 2014, over 17,000 Aston Martins were recalled as the supplier of a small low value part was found to be using sub-standard plastic material and not to the specification that was agreed upon initially.
- Climate activism - activism is increasing and manufacturing or logistics sites have become fair game.
- Theft or damage - loss due to theft or damage of materials and or goods in transit, including piracy.
- Supplier Access - particularly digital, creates vulnerabilities. If the vendors' systems are unsupported or unpatched, access becomes a significant vulnerability and opportunity for ransomware.
- Domain Squatting - a simple typo squatting could lead an unsuspecting employee to log in to a fraudulent page giving threat actors both their credentials and an opportunity to infect a machine with malware. This type of attack is economical for threat actors requiring little work with potentially huge rewards.
- Old Technology - as technology ages, the number of known vulnerabilities grows, and patches to close those vulnerabilities shrink. It is not uncommon to find vendors running out of date, unpatched, or no longer supported operating systems.
- Shadow IT - it's reported that 50% of a company's technology spending is done without guidance from IT departments. Thus, there are unknown assets to those responsible for cybersecurity and configured by those who may not have the skills necessary to make them secure.
Supply chain management
- Non-compliance with regulations - in particular overseas frameworks, due to lack of understanding.
- Political and/or civil unrest - including strikes and border delays that impede production or delivery.
- Natural disaster disrupts logistics or production.
- Siloed processes impact supply and/or demand.
Have we considered Resilience in the Supply Chain?
Remember the pandemic and Governments across the world scrambling to secure PPE, or the impact on the motor industry and technology as a whole in the weakness of supply of computer chips?
Have we put in place a plan to enhance resilience in the supply chain, by ensuring that where possible we spread the risk across a range of suppliers and geographic regions?
Going forward we have to consider climate change and the impacts on the environment of having supply chains that may be 'too long'.
Internal Audits Role
From an internal auditor's perspective, the question is not to look to solve this problem, but test how management have designed and implemented systems, processes and controls to do this.
Even with AI, the area is too big and complex for Internal Audit to look into each arrangement - nor should it. That is for management. To be effective, Internal Audit is operating - as it should - as the third line of defence in the Three Lines Model, or the Check part of the Plan, Do, Check mantra.
When auditing in this area, planning is as ever key, and a central part of this is asking a few simple but key questions.
Our objective is to test whether the systems and processes put in place by management not just in respect of the initial due diligence, but through the supply chains lifecycle, including consideration if exit options are fit for purpose.
Internal Audit has a key role to play as part of an organisation’s approach to managing risk in the supply chain, providing independent assurance to those charged with governance, but to ensure that the scope of their work is clearly defined so as to avoid the possibility of providing false assurance in this complex area.
(1) McKinsey & Company
(2) Business Critical Service - a product or service that has been identified by management as acritical to its ability to deliver products and services
(3) Business Critical Supplier - a supplier that delivers a product or service that is considered 'unique' in the marketplace