Audits are inherently stressful exercises. Even the most organised and prepared teams will naturally feel nervous about having their processes and record-keeping reviewed. Not only is there a personal element, where it's your own work being checked, but the potential impact on the business of a failed audit can be considerable. We're talking fines, reputational damage or worse.
So it's understandable to feel the pressure. That being said, an audit failure need not be a catastrophe. In fact, there's usually an opportunity for remedial action built into the process and the nature of an audit is that it will provide a clear roadmap for strengthening internal processes.
The best medicine, of course, is prevention. Prevention of poor processes, knowledge gaps and lack of control across your contract and vendor portfolio. It reduces the headaches of audit preparation, removes the fear of audit failure and puts your business in a position of strength.
3 common reasons businesses fail audits
We often hear from businesses that struggle with visibility, control and compliance.
1. Poor visibility
Do you know where all your contracts are stored? Can you quickly gather up-to-date information and certificates from your vendors? If the answer to these questions is no, you’re not alone. We often hear from customers who have contracts and vendor information all over the place. They rely on anything from SharePoint to emails for storing agreements and many businesses even use a combination of locations.
It’s not uncommon to hear stories about teams looking for an agreement, but only seeing a due diligence report or certificate in the supplier entry. They lack visibility of the Master Contract Record which means they also can’t see potential risks that require attention.
Without a dedicated place to store information, there is often no real structure around naming conventions or version control. This increases the time and resources required to gather evidence. And while stakeholders in your business may eventually compile everything required by an auditor, it takes a lot more effort than necessary to retrieve agreements from where they shouldn’t be.
2. Fragmented internal processes
Businesses that store contracts anywhere and everywhere often pair this approach with fragmented internal processes. Stakeholders across different parts of the business may be doing third-party risk management in different ways, for example, and there is no way to capture the various processes being carried out.
Even if this information can be captured, inconsistent processes will be interpreted as vulnerabilities during an audit - leading to failure.
When different departments in the same business are working in different ways, it’s impossible to prove coherent, compliant processes. Your business may find itself unable to demonstrate how:
- Risk is being escalated and mitigated
- Changes in legislation are being managed
- Vendors are being communicated with
- Certifications are being kept up-to-date
- Vendors are being held accountable for ESG requirements
Inconsistent processes combined with a lack of centralised repository for contracts and vendor information can lead to multiple versions of the ‘truth’. This makes it difficult to know what information is accurate and can lead to you providing auditors with incomplete, out-of-date or incorrect evidence of your processes.
3. Relying on an individual's knowledge
When an organisation lacks visibility and control, it doesn’t just indicate low levels of contract and vendor management maturity. It also highlights the lack of collaboration within the business itself. Instead of everyone working from the same version of the truth and practising the same processes, it’s likely that a few individuals - usually main stakeholders - hold a lot of knowledge in their heads.
However, reliance on just a few people negatively impacts their time. Preparing for an audit becomes their main objective and takes them away from focusing on their job role. It also negatively impacts the business if they leave as they take knowledge of policies, procedures and the portfolio with them.
Your business will recruit to replace them but the new employee will have the responsibility of learning everything from scratch. The likelihood is that they’ll be trying to upskill whilst facing the same issues of not being able to locate the information they need or trying to learn multiple internal processes.
If your business has already failed an audit, trying to replace an individual’s knowledge whilst processes are still broken increases the risk of being in the same position again. The ability to execute compliant processes consistently comes into question and can reduce your business’s ability to pass an audit in the future.
Failing an audit can be stressful but anyone who has responsibility for its success should see it as an opportunity. It will shine a light on weaknesses in your control system and identify areas that could lead to your business being non-compliant.
If any of the above challenges around contract and vendor management sound familiar, it should give your business extra impetus to resolve them. By following the steps below, you’ll prevent audit failure from happening again.
1. Focus on areas of failure so you know what to fix
Once you have sat and reviewed the results of your audit, it’s time to take it back to the wider team. Discuss the results with every stakeholder that is involved in the contract and vendor management process and analyse what isn’t working. Start to explore the key factors that have contributed to poor internal controls and processes and what needs to be done to improve them in the future.
Focus on highlighted weaknesses and work across your business to understand how they can be fixed. It could be a simple resolution such as storing contracts in a centralised repository so you can deliver complete evidence more easily. Or it could be something more serious such as revising your risk mitigation practices and putting new processes in place.
If you’re not prioritising cross-team collaboration during these critical decisions, your processes are likely to fall down again in the future.
2. Look for areas to automate and standardise
It’s likely that manual and inconsistent processes have contributed to audit failure. Consider what these processes are and how they can be digitised, automated and standardised. The solution you use to automate these activities also needs to help you tighten up your processes - closing any gaps that leave you vulnerable to non-compliance.
Operating with best-practice workflows requires stakeholders from different departments to work in a consistent manner. Automated alerts help contract and vendor owners to escalate issues more proactively so risk mitigation strategies can be triggered sooner. Implementing a contract and vendor management solution can evolve manual processes already in place.
Think about the ideal future state of your business and how technology can alleviate headaches for your team when it comes to administrative tasks and audit preparation.
3. Define the criteria for what your business needs
Put together a working group, allowing different functions to come together and outline exactly what they require from a contract and vendor management solution. Make time to have an in-depth discussion about how it will help to improve their day-to-day work life; not just how it will help the business to pass its next audit.
Any feature marked as a requirement should work to address the failings of your original audit. When it comes to restoring visibility, taking control and safeguarding compliance, consider prioritising the following features:
- Contract repository
- Ability to attach and save external documentation
- Tracking hierarchy and relationships of contracts
- Assigning contract and vendor ownership
- Audit Reporting and a fully defensible record of all actions
- Search capabilities
- Automatic notifications for internal and external owners
4. Get buy-in from your CFO (or relevant C-Suite stakeholder) and go to market
Once you have established the features you need, it’s time to put a business case together for contract and vendor management software. To get buy-in from the C-Suite level, especially the Chief Finance Officer, you will need to demonstrate how the solution will resolve the issues outlined in the audit whilst creating a return on investment.
Once your business case has been pitched and approved, it’s time to go to market and look for a CLM and VLM software provider. With so many solutions available on the market, attending demos and ensuring that providers really understand your business’s pains will be crucial to reaching your shortlist and a buying decision.
If providers aren’t speaking to you about the importance of visibility, control and how their system can help your business to prove its compliance, you need to consider this as a red flag. ROI is based on more than just pricing.
Think longer-term about how your potential provider will work with you to prevent audit failures and keep your business protected from operational disruption.
Failing an audit is frustrating, but it doesn’t have to be the end of the line for your business. With the right contract and vendor management system in place, you can:
- Centralise agreements and vendor information in a secure repository
- Standardise and streamline internal processes
- Automatically build a complete and auditable history of every action taken
- Restore visibility across the organisation
- Take greater control of third-parties with a dedicated Vendor Portal
- Safeguard compliance and pass your next audit with confidence.
If your business has failed an audit and doesn’t want to find itself in the same position again, book a discovery call with one of our experts to see how Gatekeeper can help.