Reviewing and performing appropriate due diligence on a third party’s financial statement is an integral part of an organization’s third-party risk management (TPRM) program that can help identify red flags and risks. Equipping your organization to identify red flags within third-party financial statements can be done with the help of an internal subject matter expert or an external party/professionals that can conduct thorough financial due diligence. Once this occurs, the rest of your TPRM team can work to properly mitigate these red flags and risks by working with the third party to address these concerns or find an alternative third-party provider for the necessary product or service.
This blog will include details that your organization can use in your third-party financial reviews. We’ll review a list of common red flags to be aware of and identify who in your organization can help distinguish these red flags and risks. You’ll also learn how your staff and departments can work together and avoid obstacles to suitably mitigate the red flags found within third-party financial statements.
Sifting Through Third-Party Financial Data to Find Common Red Flags
When performing financial due diligence on a third party, the financial statements, which typically will include an income statement, balance sheet, cash flow statement and some notes from the auditor and/or the organization’s management team, are the most valuable collection of information to assess key risks and identify red flags.
Financial statements come in all shapes and sizes and vary in length, detail and reliability, among other factors. Typically, it’s preferred and recommended to receive audited financial statements from a third party (i.e., reviewed and audited by an external financial audit firm, which will provide an opinion letter on its findings on the third party). This is because these financial statements go through additional review by a firm that is independent of the organization’s management team, which prepares the financial information. Many times, a private third party may not provide audited financial statements, or will provide incomplete financial data, which inevitably makes the information provided less reliable and can in and of itself be a red flag.
Income Statement Red Flags
A third party’s income statement can provide you with a broad understanding of its financial performance over a specific period.
Here are some common red flags to be aware of when reviewing this document:
- Nonexistent or minimal revenue: If a third party doesn’t generate any, or very little, revenue this might indicate that the organization doesn’t yet have a viable way of making money from selling its product or services to clients.
- Declining revenue: A trend of revenue losses or declining performance in revenue can indicate business issues and an inability for the third party to sustain itself over an intermediate or longer-term timeframe.
- Negative or declining profitability: Key profitability metrics such as gross profit, operating profit, earnings before interest, taxes, depreciation and amortization (EBITDA) and net income are worth calculating and compiling. If the third party struggles to generate sufficient profitability across all or some of these metrics, or has a declining trend in these metrics, it can signify a lack of revenue or inability to manage costs, and therefore, a reliance on external capital or cash infusions to sustain long-term operations.
- Increasing costs: If costs continue to increase in an unsustainable manner that drives negative or declining profitability, it may reveal that the third party is incapable of efficiently scaling its operations to remain a viable entity.
- Restatements, write-offs, divestitures or large one-time expenses: A third party may write off or restate revenue or expenses on its income statement or have large one-time expenses, which may be related to common corporate events such as mergers and acquisitions, restructuring or divestitures. These events may be a red flag on its overall performance if these balances are material or occur frequently.
Balance Sheet Red Flags
Reviewing a third party’s balance sheet will give your organization insight into how well the liabilities and assets are managed to generate revenue.
Consider the following red flags that may reveal some shortcomings on the third party’s sustainability:
- Low or insufficient cash and cash equivalents balances: Cash is king, and if a third party doesn’t have enough of it, it may require an external infusion or additional capital to sustain its operations, service its clients and remain viable.
- Goodwill and intangibles make up a large percentage of total assets: This may signify that the entity won’t be able to convert its assets into capital or liquidity if it ever requires it to service clients or its obligations.
- Low current ratio or greater liabilities than assets: Current ratio is defined as current assets over current liabilities, which typically should be greater than or equal to one to show a third party’s ability to service its current obligations. Additionally, if a third party has a larger balance in total liabilities vs. total assets, it may show balance sheet pressure in the future if obligations come due and the third party doesn’t have enough total assets to meet these obligations.
- Large debt obligations: Debt is a necessary component of many third-party balance sheets. However, if debt loads balloon on a balance sheet and can’t be serviced (that is, the third party is unable to pay interest and/or principal balances), it may indicate a red flag on a third party’s future financial health and viability.
Cash Flow Statement Red Flags
Understanding the flow of cash entering and leaving your third party will reveal how well it can manage its cash position and therefore pay its debts and fund the expenses needed to operate.
Here are some red flags that may indicate poor cash management:
- Negative or declining cash flows from operations: Cash flow from operations summarizes how a third party generates cash from its main assets and liabilities in its daily, normal course business. With a negative or declining cash flow from operations, it may signal issues with the third party’s ability to efficiently generate cash in its primary operating environment.
- Significant cash flows from investment: Although third parties must continually invest in capital projects or expenditures to sustain future growth, large negative balances in cash flow from investment may signify that the third party spends too much in a certain initiative that may not generate a sufficient return on investment.
- Negative or limited cash flows from financing: If a third party requires cash or capital to sustain its operations over a long term, equity and debt financing are important tools to achieve this objective. However, if a third party struggles with raising capital in either fashion from financing or is consistently paying down debt obligations, resulting in negative cash flows from financing, it can signify an inability of the management team to secure capital to make up for any cash needs today or in the future.
Qualitative Red Flags
In addition to the common red flags found in the three main financial statements, your organization should also be cognizant of other items in the footnotes, management discussion and analysis section, audit opinion and other disclosures provided by the third party.
Some of these common, qualitative red flags include:
- Qualified audit opinion: If an auditor issues a qualified opinion, that may mean that the third party has material deficiencies in its provided financial statements and details. This is important to review and monitor when your organization is provided audited financial data on a third party.
- Going opinion concerns: Under the going concern assumption, the independent auditor attests that following its review, it believes the third party can sustain operations for the foreseeable future (at least the next 15 months). If there are going opinion concerns highlighted by the audit firm, this may signify a serious red flag in the third party’s viability as a business in the near/intermediate term that must be addressed.
- Significant customer or supplier concentration: This can be a red flag for the third party’s future if one of these customers or suppliers ever goes out of business or churns from working with the third party.
- Debt covenant issues or breaches: Debt agreements typically have covenants (i.e., minimum capital or liquidity ratios) that a third party must maintain if it has outstanding debt or financing arrangements available. If these covenants disclose breaches or non-compliance, this can be a red flag that must be noted on the third party’s financial viability.
- Material subsequent events: The third party must disclose any material events that occur after audited financial statements are prepared and disclosed. Some of these may be notable and might indicate red flags if they note a negative trend or occurrence on the third party’s performance or viability.
Collaborating Across the Organization: Best Practices to Identify and Mitigate Common Red Flags
Your organization has multiple teams focused on TPRM, which collaborate across your third-party provider base to ensure risks are identified and appropriately mitigated. When thinking through your financial review processes, it’s important to have subject matter experts or resources available to help sift through third-party financial data and compile the red flags that may exist.
It’s recommended to hire a subject matter expert or group of subject matter experts who have a background in reviewing financial statements and footnotes and who can compile appropriate assessments that best fit your organization’s TPRM program needs. These folks may have a background as a certified public accountant (CPA), credit risk analyst or have knowledge on reviewing financial statements. If your organization chooses to go in a different direction, there are a variety of external suppliers and tools that can be utilized in lieu of hiring internal dedicated staff.
Whichever approach your team decides on, these dedicated internal/external team members or tools can help identify these common red flags discussed above as well as any other pertinent details in third-party financial reviews. Once these items are compiled, it’s important for your organization to work together to properly address and mitigate these red flags.
This plan of action for the rest of your team should include a variety of activities, such as:
- Working with the third party to request additional information to support some of your findings in your financial reviews
- Collecting additional documentation or artifacts to address some of these red flags and concerns
- Exercising any service level agreement rights your organization may have with the third party to either exit the contract or receive some sort of concession if the third party has breached any financial performance clauses
- Searching for other third-party providers that can replace or augment the shortcomings of your current provider
Concluding Thoughts: Third-Party Financial Reviews Can Identify Red Flags to Minimize Risk on Your Organization
Financial reviews should be a mainstay in your organization’s TPRM program. By using the common red flags and best practices identified in this blog, your teams can ensure they have their bases covered with a solid starting framework on the fundamentals of third-party financial reviews.
It’s also important that your organization designate internal or external resources to assist in these financial reviews and assessments to make these processes work more effectively and seamlessly. This will help the rest of your TPRM team and staff work together to monitor and mitigate these risks that come up in third-party reviews, leading to a more well-rounded, repeatable and complete financial due diligence process on third-party providers working with your organization.