
COVID-19 – Coronavirus: Crisis Management, Business Continuity, Fraud, and More!

Some of the biggest mistakes made when handling a crisis are not dealing with the problem head on, thoughtless or insincere comments, lack of communication with stakeholders, unprepared spokespeople, getting defensive after receiving backlash, or sitting back and letting the problem grow. Domino’s, Sony, Samsung, BP, United Airlines, Equifax, and KFC are all good examples of companies that stumbled with crisis management. Companies should study these crises and learn from the mistakes!


At the time of this writing, according to a report by Dun & Bradstreet, 94% of Fortune 1000 companies are experiencing supply chain delays, workplace absences, lower productivity, travel cutbacks, and reduced trade and investment.

This should be a wake-up call for every Board and their senior leadership team!

Impact of the Coronavirus

The risk of a global pandemic is often listed as a top ten risk for any company and is frequently mentioned in most global risk surveys.  The Coronavirus has infected over 75,000 people and caused 2,007 deaths and has now reached a critical phase where public health systems need to act decisively to contain the growth in epicenters outside China.  Additionally, companies are now grappling with managing the impact on their ability to achieve their strategic goals, reduce employee concerns and meet customer demands.

Clearly, the main emphasis is and should be on containing and mitigating the disease itself. But the economic impacts are also significant, and many companies are feeling their way towards understanding, reacting to, and learning lessons from rapidly unfolding events. Unanticipated twists and turns will be revealed with each news cycle, and we will only have a complete picture in retrospect.

The impact of the Coronavirus has been widespread and we’ve witnessed a decline in the market as companies are adjusting their forecasts, temporarily closing facilities, experiencing supply chain disruptions and managing employee fears and concerns.

Manage the risks

Companies must stress test their level of preparedness in an effort to ensure continuity of business operations, work to mitigate any potential impact, and prepare for possible further disruption from this and other possible crises.

We recommend the following measures be taken to manage the risks imposed by the Coronavirus.

Maintain continuous communications with stakeholders

Events are unfolding with incredible speed and the situation and outlook are changing daily. The epicenter of the virus has spread beyond Wuhan. It’s imperative to gather intelligence about the spread of the virus as well as maintain continuous communications with key stakeholders including employees, customers and suppliers. While there are obvious reasons why business operations are disrupted in times like this, our stakeholders don’t enjoy disruptions and expect their needs to be met regardless.

An effective crisis management plan helps companies achieve their strategic goals

Test your crisis management and business continuity plans

A crisis is a low-probability, high impact event that threatens the viability of the company and is characterized by ambiguity of cause, effect and means of resolution, as well as a belief that decisions must be made swiftly. 

A crisis is also any emotionally charged situation that, once it becomes public, invites negative stakeholder reaction and thereby has the potential to threaten the financial well-being, reputation, or survival of the company or some portion thereof.

How prepared are you for disruptions to your supply chain, or for the possible closure of, or inability to staff, a facility? Helpful steps include the following:

  • Identify your core services required to maintain your supply chain
  • Analyze staffing requirements and ensure employees have an ability to work remotely
  • Check your cash flow, liquidity, and insurance
  • Establish communication protocols in the event a crisis occurs
  • Conduct a crisis simulation to raise awareness and test the effectiveness of your plan

These steps will also provide the Company the opportunity to prepare for the next crisis in addition to this one.

Assess your supply chain

There are predictions that the peak of the impact of the Coronavirus on global supply chains will occur in the weeks to come and possibly force thousands of companies to reduce production or temporarily shut assembly and manufacturing plants in the U.S. and Europe. The most vulnerable companies are those which rely heavily or solely on factories in China for parts and materials. The activity of Chinese manufacturing plants has fallen in the past month and is expected to remain depressed for months.

Companies are advised to assess their supply chains, consider stockpiling critical parts and materials, and implement contingency plans including the identification of other suppliers.  Additionally, companies are advised to monitor their supply chain and communicate in advance any possible disruptions to operations or to supply chains.  Operational resiliency is critical in times like this.

Prepare for a changed economy and stakeholder expectations

We should expect that the Coronavirus crisis will change business and society in many ways. The impact of the virus may increase online shopping, online education, and individual behaviors. It is also likely to change how companies configure their supply chains and reinforce the trend away from dependence on sole sourcing, mega-factories and leaving crisis management to chance. Once the critical stage of the crisis has been navigated, we recommend conducting a formal review and a root cause analysis. This exercise will help identify what was learned and where there are gaps or weaknesses, so the Company can make the appropriate adjustments to its plans, policies, and behaviors.


Consider Reporting and Disclosures

The outbreak has coincided with deadlines for filing annual reports due in March 2020, and decisions about filing paperwork for initial public offerings.

The U.S. Securities and Exchange Commission (SEC), in its February 19, 2020 Public Statement, has urged listed companies to factor coronavirus risks into their financial reporting disclosures.

Typically, the risk disclosures in these filings would contain information on factors that could materially affect their financial operations.  The challenge is providing investors with accurate information about the future when information about the outbreak is changing by the day.

Something that might be overlooked is a squishy issue related to the impact of an illness, like Coronavirus, on executives. Remember there is no “health-of-the-CEO” disclosure requirement. Just because it’s material doesn’t trigger an automatic duty on the part of a company to disclose the information.

While companies have options on executives’ medical disclosures, they often have a strong incentive to provide timely information. Doing so prevents employees from leaking information and investors from raising questions about why a CEO is no longer appearing in public.

When the board of directors is considering disclosure, don’t forget about the executive’s right to privacy. If the CEO has not authorized the disclosure of personal information, the company may be in trouble if it’s releasing information.

While actual effects may be difficult to assess, the SEC said companies should work with their auditors and outside counsel to ensure that their financial reporting and auditing processes are “as robust as practicable in light of the circumstances in meeting the applicable requirements.”

Risk factors in annual reports on Form 10-K are contained in Part I, Item 1A of Form 10-K. Risk factors in quarterly reports on Form 10-Q are contained in Part II, Item 1A of Form 10-Q and are only required to be set forth if there are any material changes from the risk factors as previously disclosed in a company’s most recent Form 10-K. Smaller reporting companies are no longer required to include risk factors in their Form 10-K or Form 10-Q but may choose to do so.

Between January 1, 2020, and February 27, 2020, over 540 annual and quarterly reports have already been filed that mention coronavirus or COVID-19 in their risk factor sections. Some themes are:

  • Closures or Cancellations of, or Reductions in, Operations or Production in Mainland China or Surrounding Areas, including Restrictions on Transportation and Going into Public
  • Effect on Suppliers or Logistics Provider
  • Indirect Demand Effect
  • General Risk and Uncertainty
  • Effect on Planned Entry or Expansion into, or Existing Investments or Projects in, China or Surrounding Areas

Below are some examples of companies that have begun to signal potential impact of the global outbreak on their balance sheet.

  • Microsoft Corp. said that its personal-computing business is likely to miss its revenue targets for the company’s current quarter because suppliers are gearing up operations at a slower pace than the technology giant anticipated.
  • Marriott International Inc. said it expects the epidemic to weigh on its fee revenue in 2020.
  • Rio Tinto PLC warned the epidemic is threatening its supply chain as it reported a 41% decline in annual net profit, but said it would pay a record final dividend.

Also, between January 1, 2020, and February 27, 2020, over 160 annual and quarterly reports have already been filed that mention coronavirus or COVID-19 in their management discussion and analysis (MD&A) sections. While the MD&A section generally deals with quantitative and qualitative comparisons across relevant historical periods, the discussion also includes significant information regarding the Company’s future outlook and expectations.

Lastly, between January 1, 2020, and February 27, 2020, over 420 filings on Form 8-K have already been furnished or filed with the SEC that mention coronavirus or COVID-19 in the body of the Form 8-K or in the exhibits thereto.

For consideration in preparing these reports, the SEC has published two statements encouraging registrants to monitor the necessity for disclosures regarding the novel coronavirus outbreak (January 30, 2020 Public Statement) and indicated that registrants and their advisors may contact the SEC staff regarding any need for assistance related to impacts on disclosure as well as in order to seek relief or guidance on the effects of the novel coronavirus on financial reporting for affected parties (February 19, 2020 Public Statement).

Board and Fraud

Benjamin Franklin once pointed out, “By failing to prepare, you are preparing to fail.”

A crisis situation can and often does increase the pressure on senior management and of course salespeople to meet their sales targets! Deviant behavior is easily justified.

Companies and their boards need to recalibrate and in most cases increase their oversight today and subsequent to the crisis. Why? Because of the likely mindset to maintain and, if that’s not possible, make up for lost opportunities!

It not only looks bad, it is bad when Boards are forced to act by circumstances, as opposed to their getting out in front of problems on their own.

They should request frequent updates from senior management – trust but verify!

In a crisis, sins of omission can become equally or more problematic than the issue(s) that precipitated the crisis.

Remember, bad actors are always lurking, so vigilance is important. It’s not uncommon during times of crisis for the opportunity for fraud to increase, so be cognizant of the following:

  • Those using the crisis as an excuse for not performing key tasks
  • Compensation models that reward based on financial performance
  • Requests by users for system access to modules, folders, applications, etc. that had previously been unnecessary or denied
  • Management override/circumvention of controls
  • Gaps created when employees’ roles and responsibilities change
  • Bribes being paid to secure products, supplies, or services negatively impacting the company
  • Revenue recognition schemes
  • Expense manipulation schemes
  • Phishing schemes

Investigations & Compliance

A crisis could limit “live” human interaction and thus conducting investigations and maintaining the compliance program could be problematic. Some areas I believe we need to focus on:

  • Ethics training schedules
  • Delays to time-sensitive internal investigations
  • Challenges related to acquisition due diligence
  • Third party audits
  • Internal audits
  • Compliance reviews
  • Collaboration with legal, compliance, and internal audit
  • Exit interviews
  • Executive sessions with the Audit Committee


Some ways we can help!

Contact us to inquire about how we can help you prepare and respond to crises, which includes the following key service offerings:

  1. Investigations, which can be done remotely
  2. Corporate Governance reviews
  3. Crisis plan development and review
  4. Crisis simulation
  5. Supply chain vulnerability assessment
  6. Enterprise-wide risk assessments and management
  7. Internal control reviews
  8. Fraud risk assessment and investigations
  9. Monitoring using technology
  10. Training and awareness
  11. Staffing to fill gaps

Coronavirus Business Continuity & Crisis Management Discussion Guide©

Operations

  1. Do you have a crisis management/business continuity/pandemic preparedness plan? If so, have you reviewed it for relevance to the current crisis?
  2. Have you identified the risks this pandemic can pose to your organization, the impact of those risks and developed strategies to manage those risks?
  3. Have you identified the critical (both important and time sensitive) activities of your business and prioritized what has to be done to maintain them?
  4. Have you established authorities, triggers and procedures for activating your response plan, alerting business operations (e.g., shutting down operations in affected areas) and transferring business knowledge to key personnel?
  5. Have you outlined the actions that need to be executed to limit the loss of life and property before, during and immediately after this crisis?
  6. Have you identified the acceptable time frames for resumption of usual business operations should they be impacted by this crisis?
  7. Is your business directly or indirectly dependent on government operations?
  8. Have you shared your plan with federal, state and local public health agencies and/or emergency responders to help them understand your capabilities and plans?
  9. What are your operational and revenue stream risks due to the potential disruption of your business?
  10. Are any of your operations or revenue streams at risk from potential disruptions to key suppliers and vendors?
  11. Have you identified all critical third parties (e.g., contractors, service providers, vendors, suppliers), linked them to critical business processes, requested their business continuity plans and assessed the residual risk to your organization?
  12. Do you have an arrangement with your critical suppliers and third parties where they will inform you if they cannot make a delivery or provide services?
  13. Have you considered the feasibility of sourcing goods, ingredients, component parts or services from alternative suppliers?
  14. Have you stockpiled critical inventory (raw materials) at risk of being disrupted?
  15. Have you analyzed your supply chain in order to adjust forecasts as necessary?
  16. Have you established a qualified crisis communications group who can proactively assist in internal and external communications?
  17. Have you developed and planned for scenarios likely to result in significant increase or decrease in demand for your products or services during this crisis?
  18. Have you conducted any exercises to test the effectiveness of your plan and the readiness of your people and organization during this type of crisis?

Personnel

  1. Are your employees able to work remotely and continue with their tasks uninterrupted?
  2. Have you established policies for flexible work arrangements (e.g., telecommuting) and flexible work hours (e.g., staggered shifts)?
  3. Do you have the necessary IT infrastructure and security to meet the demands of a remote workforce including increased monitoring activities related to potential cyber-attacks?
  4. Based on an increased threat level for a cyberattack, do you have a plan in place for educating and increasing cybersecurity awareness among your workforce?
  5. Have you identified key personnel required to maintain business operations by location and function and are they at risk of becoming unavailable?
  6. Do key personnel understand their roles and responsibilities before, during and immediately after this crisis?
  7. Do you have contact information for all personnel in case you need to contact them directly during this crisis?
  8. Are any of your office locations/plants/facilities located in high-risk areas?
  9. Have you established appropriate monitoring of governmental health agencies for ongoing updates on impacted or high-risk areas and associated guidance?
  10. Will a remote workforce place you at risk of violating privacy laws and are your employees trained to avoid this risk?
  11. Have you thought through, implemented and communicated policies and procedures to reduce employee concerns such as healthcare plan coverage, prevention and treatment; attendance including paid time off; payroll continuation; travel; and group meetings?
  12. Do you understand the special needs of employees and customers and how you will address those needs during this crisis?

Financial and Legal

  1. Have you stress tested your cash flow, liquidity, and business interruption insurance in the event of a prolonged business disruption due to this crisis?
  2. Are you aware of your options for cash flow for operations that recent emergency legislation may provide?
  3. Have you factored COVID-19 risks and impacts into your financial reporting disclosures?
  4. Have you adjusted financial forecasts according to expected impact to sales or revenue streams?
  5. Have you adjusted budgets to account for increased costs related to any of your business continuity plans if appropriate?
  6. Have you reviewed your debt covenants and communicated potential issues with your financial institution?
  7. Have you reviewed existing contracts with suppliers, service providers, event managers, etc. and anticipated any conflicts arising out of force majeure clauses?
  8. Have you assessed the risk of violating applicable laws and/or regulations?
  9. Have you thought through the tax implications associated with potential business continuity actions (e.g., expat considerations, tax jurisdictions based on changes in your supply chain, etc.)?
  10. Do you understand how the recent changes in tax guidance adopted in response to the crisis may affect your business and plans?
  11. Have you reiterated the importance of ethics and reassessed your fraud risks?
  12. Have you assessed the risk of violating applicable laws and regulations?
  13. Have you considered litigation implications related to existing contracts such as notice, anticipatory breach, force majeure, etc.?
  14. Have you proactively communicated with parties to existing contracts to address possible disruptions to contract performance?
  15. Have you spoken with your trusted advisors to ensure they can continue to service your needs?

The Guide is not intended to be complete.  Always consult with the appropriate professionals.

Some Closing Thoughts

Companies need to develop a strategy that enables the deployment of appropriate tactics to manage the risk of a crisis. The strategy needs to be owned by those charged with governance and the tactics need to be simple and understood, otherwise the chances of success are significantly reduced.

Throughout the process always remember to distinguish between what’s important vs. what’s urgent. Understand that managing a virtual team might be new for some and stress levels might be high, so pick up the phone and talk to your teammates.

“Crisis management is like wrestling a Bull:  You rest when the Bull wants you to rest and you’re done when the Bull gives up!” JTM

 


We welcome your thoughts and comments.

Stay safe, be smart!

Best,


Jonathan T. Marks, CPA, CFF, CITP, CGMA, CFE and NACD Board Fellow

Contributing Authors:  

Paul Zikmund, CFE, CBCP, CAMS, CRMA, CECM

Raina Rose Tagle, CPA, CISA, CIA

 

Attribution:

Akin Gump

Handbook of Research on Crisis Leadership in Organizations

HBR – https://hbr.org/2020/02/lead-your-business-through-the-coronavirus-crisis

HBR – https://hbr.org/2020/02/how-coronavirus-could-impact-the-global-supply-chain-by-mid-march

LA Times

Pearson & Clair, Reframing Crisis Management

WSJ


IIA Philadelphia and Baker Tilly’s Fraud & Ethics Symposium is Postponed! Stay tuned for the new date.


This one-day fraud symposium, sponsored by Baker Tilly’s Global Forensic, Compliance and Integrity Services and Solutions Practice Group and hosted by the Institute of Internal Auditors, Philadelphia Chapter, will include topics such as:

  • Culture
  • Current trends in white-collar crime
  • Tone in the middle
  • Policy management
  • Case study on a local fraud

Planned speakers

Jonathan T. Marks, CPA, CFF, CFE, Partner | Firm Leader, Global Forensic, Compliance and Integrity Services and Solutions, Baker Tilly

“Symposium Coordinator, Host, and Moderator”

Jonathan is the firm leader of the global fraud and forensic investigations and compliance practice. He has more than 30 years of experience working closely with his clients, their board, senior management and law firms on global and cross-border fraud and misconduct investigations, including bribery, corruption and compliance matters. He is a well-regarded author and speaker, who has gained international recognition for developing thought leadership that has enhanced the profession.

Niki A. den Nieuwenboer, Assistant Professor of Organizational Behavior and Business Ethics, The University of Kansas School of Business

“Tone in the Middle”

We know that leadership matters in fostering ethical conduct at work. However, the focus is often on top level managers and their “tone at the top.” The role of middle managers has remained somewhat of a mystery until now. Niki den Nieuwenboer will discuss her recent study that examined a case where middle managers, in response to upper management pressures, coerced front-line employees to deceive upper management about their performance. She will spotlight the creative role that middle managers played in finding ways to cheat, and discuss implications for ethics management and fraud prevention.

Elizabeth Simon, CPA, CFE, Director, Ethics & Compliance for Cox Communications

“Mapping Ethical Risk in Your Organization”

The new DOJ guidance on effective compliance programs is full of requirements to assess risk and manage the compliance program through a risk-based method.  Culture is also of importance, and ensuring a culture of compliance is emphasized in the guidance.  Having a compliance risk methodology that incorporates compliance, ethics, and culture to identify areas of risk is key to ensuring limited resources get directed to the right place.

Edwin J. Broecker, Partner, Quarles & Brady

“Investigations: Strategies to avoid common pitfalls”

Conducting an effective and thorough investigation into alleged wrongdoing has always been a hallmark of an effective compliance program. Unfortunately, many of the investigations fail to achieve their intended results.

Ed Broecker will address some of the common pitfalls to avoid in conducting an internal investigation. The session will cover everything from initial intake, appropriately triaging the allegation, and developing the correct team and work plan to conducting interviews. The discussion will also address report writing and determining the root cause. This session will highlight many of the shortcomings in an investigation and offer practical suggestions for addressing them, including issues around bias, privilege, confidentiality/privacy and reporting back to the complainant.

Michael Rasmussen – GRC Pundit and

Andrew Fletcher, Partner, Blank Rome

“The Code of Conduct – Effective Policy Development and Management”

The Code of Conduct sets the tone and reinforces the importance of conducting business within the framework of professional standards, laws, and regulations, together with policies, values, and standards.  It outlines the values and behaviours that define how organizations do business. It holds people accountable to be open-minded and responsive and to give their best.

Policies & procedures must be in place to safeguard and educate staff, to protect the organization against unnecessary risk, ensure the consistent operation of the business, uphold ethical values of the organization, and to defend the organization should it land in turbulent legal waters.

However, effectively developing and managing policies is easier said than done.

Good policies generally are –

  • Written in clear, concise, simple language.
  • Policy statements address what is the rule rather than how to implement the rule.
  • Policy statements are readily available to the campus community and their authority is clear.
  • Designated “policy experts” (identified in each document) are readily available to interpret policies and resolve problems.
  • As a body, they represent a consistent, logical framework for organizational action.

In practice, we know that ad hoc or passive approaches mean that key policies are outdated, scattered across the business, and not consistent, resulting in confusion for recipients and an insufficient level of governance and reporting for auditors and regulators.

It is no longer enough to simply make policies available. Organizations need to guarantee receipt, affirmation AND understanding of policies across the business.

To consistently manage and communicate policies, organizations are turning toward defined processes and technologies to manage the Policy lifecycle. The continual growth of regulatory requirements, complex business operations, and global expansion demand a well thought-out and implemented approach to policy management.

Attendees will be guided through a discussion on how to develop and implement an effective policy management process within their organization.


Matt Kelly, Compliance Expert and Author

“Whistleblower Activity: What’s Good, What’s Real, What Matters”

Compliance and audit professionals all talk about the need for a strong culture of whistleblower encouragement and protection. This session will review what some new data tells us about whistleblowing and corporate culture, and how risk assurance functions can develop a healthy appreciation for internal reporting.

  • How do levels of internal reporting correlate to corporate performance?
  • What types of whistleblower allegations are most likely to be true?
  • How should boards and risk assurance functions handle whistleblowing, based on what the data tells us?

This session will explore some of the data that professor Kyle Welch has been crunching, and some of the counter-intuitive findings he’s dug up. It will then turn to how those findings would color what compliance, audit, and anti-fraud people do for investigations and when working with senior leaders to cultivate a strong internal speak-up culture.

Greg Paw, Partner, Freeh Sporkin and Sullivan

Greg will be speaking about the latest updates related to Bribery and Corruption and how Internal Audit should be working with Compliance.


Best!
Jonathan


Location Exelon Hall – Just enter the building lobby at 23rd and Market Street and follow the signs down the stairs to Exelon Hall.  No building access is needed for access to the hall.

Continuing Professional Education Credits – The Philadelphia Chapter of the Institute of Internal Auditors is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.learningmarket.org.

*Speakers and Topics may change due to a variety of factors.  We will do our best to adhere to the agenda.

 


Bribery Schemes and Their Compliance Responses


This writing will highlight some of the more unusual bribery schemes described in 2019 Foreign Corrupt Practices Act (FCPA) enforcement actions and also consider their impact on compliance programs, what they mean for the compliance professional and how the government could potentially use these cases to require more effective compliance programs going forward.


Discounts to Distributors

Bribery Scheme

The Microsoft Corporation FCPA enforcement action demonstrated a failure around the company’s policy on providing discounts to distributors and other third-party sellers. The company had a policy requiring that discounts above certain thresholds be reviewed and approved by Microsoft’s Business Desk. But this approval required a valid business justification before the discount could be granted. Unfortunately, a cut and paste job was done by the local business unit, which included “competition with competitors”, “customer price sensitivity” and the ubiquitous “possibility” of winning other work as justifications for the discount.

These business justifications were provided with no supporting documentation and were approved by the Business Desk. There was a time limit expiration on these discounts; however, there was no follow up by the Business Desk to determine if the discount was revoked or otherwise taken off the table after the time limit expired. You might think that after multiple requests for discounts from the same business unit, which included the same justifications of competition with competitors, customer price sensitivity and the possibility of winning other work, the Business Desk might have at least asked them to cut and paste a different business justification to support the discount.

Compliance Response

There must be a comprehensive discount approval process for distributors, which must be followed, tested and include effective oversight. If a business submits multiple requests for a discount and each request includes the same business justification, the approver should become suspicious and request proper supporting documentation before granting these requests. As far back as the BHP Billiton FCPA enforcement action, where the business justification for government travel to the 2008 Beijing Olympics became a cut and paste job, the regulators have made clear that there must be a substantive reason for the discount and that discount must be tested.

This testing also comes in the form of reviewing, with a critical eye, the backup documentation provided to demonstrate the business case for the discount. If there is no documentation, the discount request should not be approved. If there are conditions attached to the discount approval, such as a time limit expiration on the discounts, there must be follow up to determine if the discount was revoked or otherwise taken off the table.


Joint Ventures

Bribery Scheme-JV Formation

There were multiple bribery schemes employed by Fresenius Medical Care AG & Co. KGaA (FMC). One of these schemes included the setting up of joint ventures (JV) as a mechanism to pay corrupt doctors, employees of state-owned health care enterprises and government officials who were also medical officials. There was one JV in Angola and two in Turkey created for illicit purposes. In both bribery schemes, 35% of the JV interest was doled out to the corrupt officials. There was no capital contribution required from the employees of state-owned enterprises and government officials. The employees of state-owned enterprises and government officials all cashed out at some point for monetary values far above their individual monetary values in the JVs.

Bribery Scheme-Hidden Interests

Westport Fuels Systems, Inc. (Westport) and a Chinese state-owned enterprise were 50/50 owners in a JV. It was restructured so that a portion of the shares held by Westport and a privately held Hong Kong conglomerate would have to be transferred to the state-owned enterprise and a Chinese private equity fund in which a senior Chinese government official held a significant financial interest. The Chinese government official sought and received a low valuation of the JV so he could make a quick turnaround of profitability outside the scrutiny of Chinese regulators. Westport’s Board of Directors authorized Westport’s management to complete the negotiations and execute the share transfer. The final deal agreed upon was a valuation of $70 million for the Chinese JV, with Westport agreeing to transfer its shares to the state-owned enterprise and the private equity fund in exchange for a long-term framework supply agreement.

Compliance Responses

Forming the JV

JVs provide many FCPA risks that other types of business relationships do not bring. For instance, the JV may interact with foreign government officials or employees of a state-owned enterprise, and then leverage those relationships for an improper benefit relating to contracts, regulatory licenses, permits or customs approvals. It is difficult to regulate a JV’s interaction with foreign government officials when your partner is a state-owned enterprise, or where your company is relying on the local company for its local contacts and expertise for business development and/or regulatory knowledge and experience.

The risks are compounded when the US Company does not exercise control over the JV. This is further compounded by the fact there is no minimum threshold for an FCPA enforcement action against a US company for the actions of a JV in which it holds an interest. If a company holds something less than majority rights, it must urge, beg and plead for the majority partner to adhere to anti-corruption compliance standards and controls. Often, these requirements are established in the JV agreement, but the success in securing such contract protections depends on the importance of the global company to the JV itself. The government not only considers the percentage of ownership in the JV but also considers the company’s ability to influence and control the JV. Therefore, it is important to impart your compliance program requirements to the JV if the JV does not have its own compliance function and/or program, including relevant policies and procedures.

Knowing who your JV partners are before entering the business relationship is critical. Therefore, robust due diligence is something you must conduct from the start. Both the FMC and Westport enforcement actions demonstrate that if a government official has or even hides an interest in a JV, payments, distributions and buy-outs can be an avenue to make corrupt payments.

The JV Agreement

As a starting point, it is important to have compliance terms and conditions. The reasons can include some of the following: 1) to set expectations between the parties; 2) to demonstrate the seriousness of the issue to the non-US party; and 3) to provide a financial incentive to conduct business in a compliant manner.

You must have an absolute prohibition of all forms of bribery and corruption. Many foreign JV partners may not understand that the FCPA applies to them if they partner in a business relationship with a US company. Further, they do not understand that they may be covered persons under the FCPA. This all must be spelled out for them. Audit rights are a key clause in any compliance terms and conditions and must be secured.

Managing the Relationship

A key tool in managing the affiliation with a JV post-contract execution is effective auditing techniques. Your compliance audit should be a systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which your compliance terms and conditions are followed. You should work to obtain, review, analyze and evaluate relevant data; and use the data as a basis to remediate any issues which have arisen in the operation of the JV.

In addition to monitoring and oversight of your JVs, you should periodically review the health of your JV management program. The robustness of your JV management program will go a long way towards preventing, detecting and remediating any compliance issue before it becomes a full-blown FCPA violation. As with all the steps laid out, you need to fully document all steps you have taken so that any regulator can review and test your metrics. The 2019 Evaluation of Corporate Compliance Programs (2019 Guidance) lays out what the Department of Justice (DOJ) will be reviewing and evaluating going forward for your compliance program. You should also use these metrics to conduct a self-assessment on the state of your compliance program for your JVs.


Sham Third Parties and Third Party Services

Sham Third Parties

In the FCPA enforcement action involving Quad/Graphics Inc., the bribes were paid through the tried and true method of sham third party vendors. The bribery scheme was about as basic as you could get for “sham-ness”: the third-party vendors were all owned by the same individual, and their basic corporate information was all the same, as they were all registered in Lima, Peru, with the same address and with no real business operations. Needless to say, Quad failed to perform any due diligence on them. The services purportedly performed by the Sham Vendors of course contributed to their “sham-ness”: while the Sham Vendors submitted invoices allegedly for pre-press, modulation and/or packaging services, none of them performed any such services for the company. Indeed, all these services were performed on site by Quad Peru employees.

The billing by the Sham Vendors and the form of payment to the Sham Vendors were also evidence of their “sham-ness”. Several of the invoices submitted contained red flags, including having the same date and dollar amounts and consecutive invoice numbers. Other red flags included whole and rounded dollar amounts, large invoice amounts that were disproportionate to the services described, invoices that were consecutively numbered with the same date and invoices without purchase orders or any supporting documentation.

Sham Third Party Services

Fresenius used another bribery scheme in Angola. It was the creation of fraudulent storage payments to a shell company owned by the sons of an Angolan government official, a Military Health Officer in charge of purchasing, purportedly for space in a warehouse which housed no FMC products. In or around December 2011, FMC Angola paid approximately $560,000 to this shell company for purported “Temporary Storage Services”. However, no FMC company products were ever stored at the warehouse. When the company’s internal audit function unearthed this scheme, the local business unit simply put a contract in place, executing a written contract with the Shareholder Company to provide temporary storage services for approximately $77,000 per month from January 2012 to January 2013. Once again, no company products were ever stored at the warehouse.

Compliance Responses

The steps in the lifecycle management of any third-party are mandatory for every compliance program. There should be a business justification which is reviewed by an appropriate level of compliance personnel. These forms are usually sent and collected by a business sponsor who governs the relationship with the third parties. The next step involves robust due diligence for any third parties, whether they are sales side representatives or provide goods/services to your organization through the Supply Chain. The level of due diligence is based upon the risk score assigned to each of the third parties. Quad/Graphics Inc. (Quad/Graphics) is the starkest example in this area, as a simple check on the corrupt third-parties would have revealed that they were all owned by the same individual and that their corporate information was all the same, as they were all registered in the same city, with the same address. This was topped off by the fact that they had no real business operations, and any visual inspection of their stated business address would have revealed this.

Yet the most important step is managing the relationship after the contract is signed. This is the key lesson from Quad/Graphics and FMC. What does the information included in the invoice provide to you? Are the services delivered legitimate? For Quad/Graphics, the services described were performed by in-country Quad/Graphics employees. In the case of FMC, the services listed were for the non-existent storage of non-existent products. Other indicia of fraud and corruption found in invoices include multiple invoices with consecutive numbering and the same date and dollar amount, invoices with rounded dollar amounts, invoices with no supporting documentation and, finally, hand delivery of checks so there was no bank to verify the accounts. A simple review by someone who knew what they were doing would have raised red flags and led to further investigation.

I welcome your comments and thoughts and wish everyone a happy, healthy, and prosperous New Year!

Best!

Jonathan T. Marks, CPA, CFE


Fraud Tip Friday: Lessons From Recent FCPA Enforcement Actions

The United States government’s fiscal year ended September 30, 2019. Just as in the business world, where many companies try and clear out any unexecuted deals or open contracts, the Securities and Exchange Commission (SEC) cleared out three outstanding Foreign Corrupt Practices Act (FCPA) enforcement actions. The three enforcement actions involved Quad/Graphics Inc., a Wisconsin-based digital and print marketing provider and its Peruvian subsidiary, Quad/Graphics Peru S.A.; Barclays PLC; and a Canadian clean fuel company Westport Fuels Systems, Inc. and its former Chief Executive Officer (CEO), Nancy Gougarty of Leesville, South Carolina. The terms of each settlement agreement provide a different lesson for compliance practitioners.


Quad/Graphics – Be Alert for Sham Vendors

According to the SEC Press Release and related order, Quad/Graphics’ actions violated the FCPA in several instances identified by the Commission from 2011 to 2016.  Their international troubles began with the 2010 merger of Canadian printing company World Color Press, Inc.  The merger introduced a significant international presence for Quad/Graphics, yet accounting controls, anti-corruption policies, and an FCPA compliance program were not in place.  Simply put, the compliance function was not preemptively prepared for the new influx of international issues.  The company was slow to prioritize attention to these issues, and equally slow to begin the process of introducing the necessary measures to combat them.  Consequently, Quad/Graphics’ Peruvian subsidiary, Quad/Graphics Peru S.A., was found to have deployed questionable business practices to win business contracts and to avoid penalties in tax litigation, using fraudulent third party vendors to carry out the bribes.  The company has agreed to pay $6,936,174 in disgorgement, $959,160 in prejudgment interest, and a $2 million civil penalty, for total monetary relief of nearly $10 million.

In addition to the challenges in Peru, following the merger of World Color, Quad/Graphics maintained the acquired business relationships with Cuban counterparts in spite of U.S. sanctions and export law restrictions.  In doing so, they concealed the transactions internally through written communication and by falsifying financial records which serve as proof of their illegal behavior.  It is also identified in the commission’s order that illicit payments to various Chinese officials and employees in Chinese companies were either promised or made in order to secure sales in an otherwise limited market.  Both instances further the argument that Quad/Graphics was not prepared for the international business which they took on.

In order to understand the key lesson in this case, we must consider the creation of, billing by, and payments made to the purported third party vendors or the “Sham Vendors”. Regarding the billing, the Order stated, “two concerned managers in Peru approached him [Finance Director] about several suspicious invoices that had recently been submitted by two of the Sham Vendors. Several of the invoices contained red flags of bribery and corruption, including having the same date and dollar amounts and consecutive invoice numbers. Upon review, the new Senior Finance Manager agreed the invoices were problematic and declined to approve them.” Other red flags present on the Sham Vendors’ invoices included “vendor invoices with rounded dollar amounts, large invoice amounts that were disproportionate to the services described, invoices that were consecutively numbered (sometimes with the same date) and invoices without purchase orders or other supporting documentation.” On the payment side, although there were some wire transfers made to the Sham Vendors’ bank accounts, a large number of invoices were paid “by checks that were hand delivered to the Sham Vendor’s principal or the Sham Vendor’s accountant in Peru.” Upon inspection, the commission noted that 3 of the 4 Sham Vendors had the same address and none had any real business operations.
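The vendor and invoice red flags described above, and in the earlier discussion of sham third parties, can be screened for mechanically before a human review. The following is an added example, not code from the original post or the SEC Order; the record layout, flag names, the 1,000 rounding unit and all sample data are constructed assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from typing import Optional


@dataclass(frozen=True)
class Vendor:
    vendor_id: str
    address: str
    owner: str


@dataclass(frozen=True)
class Invoice:
    vendor_id: str
    number: int
    issued: date
    amount: Decimal
    po_number: Optional[str]
    payment_method: str  # "wire" or "hand_delivered_check" (assumed values)


def _norm(text: str) -> str:
    """Case-fold and drop punctuation/extra spaces so trivial variants match."""
    return re.sub(r"[^a-z0-9]+", " ", text.casefold()).strip()


def shared_vendor_details(vendors):
    """Return {(field, normalized value): [vendor_ids]} for values used by 2+ vendors."""
    seen = defaultdict(list)
    for v in vendors:
        seen[("address", _norm(v.address))].append(v.vendor_id)
        seen[("owner", _norm(v.owner))].append(v.vendor_id)
    return {key: sorted(ids) for key, ids in seen.items() if len(ids) > 1}


def invoice_red_flags(invoices, round_unit=Decimal("1000")):
    """Return {(vendor_id, invoice number): sorted flag names} for flagged invoices."""
    flags = defaultdict(set)
    by_vendor = defaultdict(list)
    for inv in invoices:
        key = (inv.vendor_id, inv.number)
        by_vendor[inv.vendor_id].append(inv)
        if inv.amount % round_unit == 0:
            flags[key].add("ROUND_AMOUNT")
        if not inv.po_number:
            flags[key].add("NO_PURCHASE_ORDER")
        if inv.payment_method == "hand_delivered_check":
            flags[key].add("HAND_DELIVERED_CHECK")

    # Compare each vendor's invoices pairwise in invoice-number order.
    for vendor_id, items in by_vendor.items():
        items.sort(key=lambda i: i.number)
        for prev, cur in zip(items, items[1:]):
            if cur.number - prev.number == 1:
                pair = [(vendor_id, prev.number), (vendor_id, cur.number)]
                for key in pair:
                    flags[key].add("CONSECUTIVE_NUMBER")
                if prev.issued == cur.issued and prev.amount == cur.amount:
                    for key in pair:
                        flags[key].add("SAME_DATE_AND_AMOUNT")
    return {key: sorted(names) for key, names in flags.items()}


def vendors_to_review(vendors, invoices):
    """Vendor ids with any shared master-data value or any flagged invoice."""
    ids = {vid for group in shared_vendor_details(vendors).values() for vid in group}
    ids |= {vendor_id for vendor_id, _ in invoice_red_flags(invoices)}
    return sorted(ids)


# Constructed sample data: three of four vendors share an address and owner.
VENDORS = [
    Vendor("V1", "Av. Ejemplo 123, Of. 4", "Owner A"),
    Vendor("V2", "AV EJEMPLO 123 OF 4", "owner a"),
    Vendor("V3", "Av. Ejemplo 123, Of. 4", "Owner A"),
    Vendor("V4", "Calle Muestra 77", "Owner B"),
]
INVOICES = [
    Invoice("V1", 101, date(2015, 3, 2), Decimal("25000.00"), None, "hand_delivered_check"),
    Invoice("V1", 102, date(2015, 3, 2), Decimal("25000.00"), None, "hand_delivered_check"),
    Invoice("V2", 57, date(2015, 3, 9), Decimal("18000.00"), None, "wire"),
    Invoice("V4", 8841, date(2015, 3, 5), Decimal("4312.75"), "PO-2291", "wire"),
    Invoice("V4", 8902, date(2015, 3, 19), Decimal("1187.40"), "PO-2310", "wire"),
]

if __name__ == "__main__":
    for key, ids in shared_vendor_details(VENDORS).items():
        print("shared", key, ids)
    for key, names in sorted(invoice_red_flags(INVOICES).items()):
        print("invoice", key, names)
    print("review:", vendors_to_review(VENDORS, INVOICES))
```

A flag is a prompt for review of the supporting documentation, not a finding; the flag for amounts disproportionate to the services described is left out because it needs a per-service price baseline.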


Barclays – Don’t Forget the Basics

Barclays is well known for its prior regulatory stumbles in the banking sector, and for the actions of its Chief Executive to unmask an anonymous whistleblower. Barclays experienced additional grief from an FCPA enforcement action, based upon hiring practices in the Asia Pacific Region (APAC). According to the SEC Press Release, Barclays’ employees hired 117 candidates with connections to their non-government clients or to foreign government officials. It was understood the hiring of these candidates was exchangeable for current or future business opportunities. Barclays agreed to pay $6,308,726, consisting of disgorgement of $3,824,686, prejudgment interest of $984,040 and a $1.5 million civil penalty as a result of the SEC findings.

In addition to the instances of violations cited in the Order in which compliance employees acted knowingly in their unethical hiring practices, or where employees responsible for hiring were circumventing the compliance function, the Order also cites several instances in which blissful ignorance contributes to the company’s illegal actions.  Examples of senior executives who were not only unaware of the basic anti-corruption conduct prohibited by the FCPA, but also the specific prohibitions of hiring relatives of foreign officials “quid pro quo” are identified in the commission’s findings.  This lack of training on the very basics of the FCPA and also of elements of anti-bribery/anti-corruption compliance is something that every compliance professional needs to be reminded of.  Training is a foundational component of any well-designed compliance program and simply cannot be ignored.

The Barclays enforcement action presents some very (back to the) basics lessons for the compliance professional. First, you must consider the effectiveness of your compliance programs: Are they current?  How are they being tested?  Second, you must consider your corporate gatekeepers: When was the last time you tested gatekeeper roles performed by your compliance function to verify they are actually being performed correctly?  Are those gatekeepers aware of what is required of them? Maybe it’s time to start asking some questions.


Westport Fuels Systems, Inc. – Control Fraud 

The third FCPA resolution involved Westport Fuels Systems, Inc., a Canadian clean fuel technology company headquartered in Vancouver, Canada, and its former CEO, Nancy Gougarty.

The unusual features of this corruption scheme were two-fold. The first was the bribery scheme itself. While there have been previous FCPA enforcements where the interest in an entity was the quid of the quid pro quo, this scheme was a more sophisticated operation.

For all of these FCPA violations, Westport also agreed to pay $2,546,000 in disgorgement and prejudgment interest and a civil penalty of $1,500,000, and Gougarty agreed to pay a civil penalty of $120,000.

The problem for Westport started when the company wanted to take the Chinese JV public through an IPO and was falsely informed that the newly formed public company had to be majority Chinese-owned in order to do so. During this process, it was uncovered that the Chinese Government Official who was working for the State Owned Entity (SOE) that was the largest shareholder of the IPO prospect company had a financial interest in the private equity firm targeted to manage the IPO. This fact was brought to Gougarty’s attention, utilized in the negotiation process, and intentionally concealed from Westport’s board of directors. The deal called for shares of the joint venture to be transferred into the private equity fund in exchange for a dividend payment from the State Owned Entity. Tight for cash due to a decline in sales, the CEO was eager to finalize this transaction. Consequently, she allowed the shares of the JV to go undervalued when transferring to the private equity firm.

Further, in addition to the dividend payment, Gougarty was eager to secure new business as a result of the transaction. She at first suggested, and later demanded, that a framework supply agreement be included in the terms of the deal. The CEO “explicitly conditioned the share transfer on obtaining a long-term sales agreement” and instructed her team on the ground that “no component sales contract, no share transfer”. This is about as quid pro quo as you can get.

After the bribery scheme was effectuated, Gougarty continued her fraudulent conduct by falsely identifying payments to another entity rather than the true counterparty, the private equity firm. She compounded this fraud, in connection with the filing of the Form 40-F, falsely executing a certification attesting “that Westport had disclosed all significant deficiencies and material weaknesses in the design and operation of its internal controls to the outside auditors”.  In reality, Gougarty was responsible for falsified transactional data in the financial reporting related to the bribery scheme.  She also failed to disclose the internal control weaknesses that allowed her to do so.

Gougarty’s conduct appears to be “control fraud”.

Control fraud occurs when a trusted person in a high position of responsibility in a company, corporation, or state subverts the organization and engages in extensive fraud for personal gain. The term “control fraud” was coined by William K. Black to refer both to the acts of fraud and to the individuals who commit them.

Subversion in this case refers to the circumvention or overriding of internal controls or policies and procedures.  This scheme was designed to create a “pot of money” to fund another type of fraud, bribery and corruption.

When you have the CEO herself engaging in this type of behavior you have to ask where was the board of directors? How was she selected?  What did senior management know?  This was a very expensive lesson.

Conclusion

These three SEC enforcement actions all provide important lessons for the compliance practitioner.  The actions should be not only studied by compliance professionals, but also the lessons passed along to business unit personnel to further alert employees of red flags of bribery and corruption schemes that may be present in the business operating environment. Finally, never forget the basics of the FCPA and the importance of proper education around the Act; what it mandates and more importantly, what it prohibits.

Management override of controls is a pervasive issue in practice – I encourage my readers to review your fraud risk assessment and ensure key gatekeepers and their roles and capabilities.

Look for my newly designed website coming soon!

I also welcome your thoughts and comments.

Best!

Jonathan T. Marks, CPA, CFE

Special thanks to Tom Fox for contributing to this writing.


Speaking and Training on Fraud, Compliance, Ethics, and More…

Welcome to my site. I have spoken and been the keynote speaker for many conferences, including the ABA, ACC, ACFE, IIA, and IMA to name a few. I have designed customized training for the board, senior leadership, legal, compliance, internal audit, and others for some of the world’s largest organizations.

“I have had the pleasure to hear Jonathan Marks speak on a number of occasions. …most recently at a Fraud conference sponsored by the Long Island Institute of Internal Audit. Jonathan gave a dynamic and engaging half day presentation on fraud in financial reporting. He engages his audience with his expertise and knowledge of risk management, fraud and internal audit. His ability to share his experiences in fraud investigations over the past thirty years coupled with his interactive approach with his audience made for a compelling and memorable presentation.” Chief Audit Executive 

If you are interested in booking me for your next event or need customized training, please email me with the date or dates, location and address of presentation, the audience make-up, the subjects you would like covered, and the duration of the talk or training.

I have provided you with some Selected Training Programs (See below) and please peruse my blog posts for some additional topics and ideas. Keep in mind I speak and provide training on most anything related to governance, risk, and compliance, with a focus on fraud and forensics.

I will do my best to get back to you quickly.

Thank you!

 


Jonathan T. Marks, CPA, CFF, CITP, CGMA, CFE and NACD Board Fellow

Selected Training Programs

Management Override of Internal Controls

The risk of management override of internal controls to commit fraud exists in any organization. When the opportunity to override internal controls is combined with powerful incentives to meet accounting objectives, senior management might engage in fraudulent financial reporting. This session will examine management override, focusing on the differences between the override of existing controls versus other, more prevalent breakdowns. It will also explore actions to help mitigate the threat of management override, approaches to auditing for management override and the psychology behind management’s override of controls. You Will Learn How To:

  • Identify red flags of management overriding controls
  • Ascertain an approach to auditing for management override
  • Assess the latest trends and research regarding management override of controls
  • Develop a better fraud risk assessment that highlights areas and gatekeepers that might have a greater chance of overriding controls.

Operationalizing Compliance – Master Class with Tom Fox, Esquire

The Master Class developed by Tom Fox, provides a unique opportunity for any level of FCPA compliance practitioner, from the seasoned Chief Compliance Officer (CCO) and Chief Audit Executive (CAE), Chief Legal Counsel (CLO), to the practitioner who is new to the compliance profession.

If you are looking for a training class to turbocharge your knowledge on the nuts and bolts of a best practices compliance program going forward, this is the class for you to attend. Moreover, as I limit the class to 20 attendees, you will have an intensive focus group of like-minded compliance practitioners with which you can share best practices. It allows us to tailor the discussion to your needs. Mary Shirley, an attendee at the recent Boston Master Class said, “This is a great two-day course for getting new folks up to speed on what matters in Compliance programs.”

Tom Fox, one of the leading commentators in the compliance space, partners with Jonathan T. Marks to bring a unique insight into what many companies have done right and many have done not so well over the years. This professional experience has enabled him to put together a unique educational opportunity for any person interested in anti-corruption compliance. Simply stated, there is no other compliance training on the market quite like it. Armed with this information, at the conclusion of the Doing Compliance Master Class, you will be able to implement or enhance your compliance program, with many ideas at little or no cost.

The Doing Compliance Master Class will move from the theory of the FCPA into the doing of compliance and how you must document this work to create a best practices compliance program. Building from the Ten Hallmarks of an Effective Compliance Program, and using the questions posed in the Evaluation of Corporate Compliance Programs and the FCPA Corporate Enforcement Policy as a guide, you will learn the intricacies of risk assessments; what should be included in your policies and procedures; the five-step life cycle of third-party risk evaluation and management; tone throughout your organization; training; and using other corporate functions to facilitate cost-effective compliance programs.

Highlights of the training include:

  • Understanding the underlying legal basis for the law, what is required for a violation and how that information should be baked into your compliance program;
  • What are the best practices of an effective compliance program;
  • Why internal controls are the compliance practitioner’s best friend;
  • How you can use transaction monitoring to not only make your compliance program more robust but as a self-funding mechanism;
  • Your ethical requirements as a compliance practitioner;
  • How to document what you have accomplished;
  • Risk assessments – what they are and how you can perform one each year.

You will be able to walk away from the class with a clear understanding of what anti-corruption compliance is and what it requires; an overview of international corruption initiatives and how they all relate to FCPA compliance; how to deal with third parties, from initial introduction through contracting and managing the relationship, what should be included in your gifts, travel, entertainment (GTE) and hospitality policies; the conundrum of facilitation payments; charitable donations and political contributions, and trends in compliance. You will also learn about the importance of internal controls and how to meet the strict liability burden present around this requirement of FCPA compliance.

Ethics and Governance Training

This session will cover how ethics is key to good governance and how governance fits into your anti-fraud program. Moreover, we will explore the components of a Sample Code of Ethics, the cost of ethical lapses, organizational situations that encourage bad behavior, the new ethics paradigm, and how to spot a moral meltdown.

Corporate Governance During a Crisis

We also discuss leading practices in crisis management and present several scenarios that allow the participant(s) to work through mock crisis scenarios. For example, in your first week at your company, you just received information about an alleged massive fraud and you are now in a crisis. In this session, members of the audience will play different roles within the company (members of the board, legal department, managers, etc.) to have a discussion, including:

  • What type of crisis plan do you have, if any?
  • What to do and how to formulate a plan of action?
  • Who to call first, how to prioritize tasks, and where to prioritize resources?
  • Who (internal and external players) to get involved and when to get them involved?
  • What data is needed when a crisis hits?
  • How to prepare for the media and when to reach out?
  • How to communicate with customers, vendors and suppliers, regulatory agencies, and other parties?

Fraud Risk Assessment Process and Guidance

Many professionals struggle with developing a fraud risk assessment that is meaningful. We discuss the objectives of a fraud risk assessment, the components of a fraud, and key considerations for developing an effective assessment. Then we explore the sources of risk, the fraud risk universe, and some of the key components of the assessment. Lastly, we walk through the key steps in the assessment process and walk through a sample fraud risk assessment that considers COSO’s Principle 8, which contains considerably more discussion on fraud and considers the potential of fraud as a principle of internal control.

FCPA (Bribery and Corruption): Building a Culture of Compliance

This session covers why compliance is important and the new guidance issued by the DOJ. We also explore current regulatory enforcement trends, whistleblowers under Dodd-Frank, the U.S. Federal Sentencing Guidelines, risk-based third-party due diligence, ways to thwart an investigation, differences and similarities between the FCPA and the U.K. Bribery Act, and successor liability, and provide the participant with a proven 13-Step Action Plan.

Fraud Investigations

Knowing what to do when an allegation of fraud is presented is critical. Failing to understand the process could jeopardize the ability to prosecute wrongdoers. This session discusses why investigations are important, inherent risk and exposures, the types of investigations: internal and independent, board considerations, triaging an allegation, investigative challenges, and keys to running a successful investigation, and why root cause analysis should be considered after completing the investigation.

Third Party Risk Management and Oversight

Third party risk is the biggest nemesis when it comes to FCPA violations. This session discusses the key components of a compliance program and why it needs to be evolving to meet the business and compliance challenges, which are constantly occurring across the globe. We explore the latest DOJ guidance on the evaluation of corporate compliance programs. We build our discussion on the foundation of the key steps to be included in a third-party risk management program and cover some of the red flags of agents and consultants.

Putting the Freud in Fraud: The Mind Behind the White Collar Criminal

To properly fight corporate fraud we need to understand how a fraudster’s normal differs, so executives, managers and board members can develop more effective anti-fraud programs that take into account the behavioral and environmental factors that are common in cases of white-collar crime. By establishing an environment in which ethical behavior is expected — and by understanding how white-collar criminals look at the world differently — it is possible to begin closing the gaps in internal controls, develop a proactive fraud risk assessment and response program and significantly reduce the financial and reputational risks associated with fraud.

In this session, we take a closer look at the personality traits of individual perpetrators of massive fraud.

  • Discuss the basics of profiling and identifying elements of behavior common among white-collar criminals.
  • Discover what role company culture plays in the commission of fraud.
  • Hear cutting-edge ideas and methods to help detect and deter fraud.

Fraud Overview

This session is a “nuts and bolts” discussion about fraud and responding to fraud in an effort to reduce the incidence of fraud and white-collar crime. We go into the characteristics of fraud, who commits fraud, the fraud triangle and Pentagon™, the components of fraud, the regulatory environment & the focus on increased personal responsibility, internal controls to deter and detect fraud, and anti-fraud programs.

Triaging a Whistleblower Allegation

As corporations continue to adopt whistleblower programs, many find themselves struggling to manage burgeoning caseloads. As a result, serious internal fraud investigations can be delayed (with mounting losses) while less consequential complaints are being investigated. The lack of a timely, systematic and repeatable process for evaluating and prioritizing whistleblower tips can also expose an organization to increased regulatory risk. While there is no single, “right” method for following up on whistleblower complaints, this session discusses why investigating allegations or tips is important, why timeliness matters, and investigation challenges, and provides the participant with a sample approach.

Skepticism: A Primary Weapon in the Fight Against Fraud

What happens when we don’t ask why? Professional skepticism occurs when those responsible for fighting fraud take nothing for granted, continuously question what they hear and see and critically assess all evidence and statements. In this session we discuss the role of independent reviewer or inspector, particularly of your own assumptions, whether you are placing undue weight on prior risk assessments or discounting evidence inconsistent with your expectations, and pressures placed on you to truncate procedures or make unwarranted assumptions to beat time constraints.

Root Cause Analysis 

The regulators are expecting more today and want to know that your remediation efforts are not treating the symptom(s), but rather the root cause(s).

Root cause analysis is a tool to help identify not only what and how an event occurred, but also why it happened. This analysis is a key element of a fraud risk management program and is now a best practice or hallmark of an organization’s compliance program. When able to determine why an event or failure occurred, it is then possible to recommend workable corrective measures that deter future fraud events of the type observed. It is important that those conducting the root cause analysis are thinking critically by asking the right questions (sometimes probing), applying the proper level of skepticism, and when appropriate examining the information (evidence) from multiple perspectives.

This program is designed to introduce the common methods used for conducting root cause analysis and to develop an understanding of how to identify root causes (not just causal factors) using proven techniques. In addition, we will demonstrate how to initiate a root cause analysis incident exercise and work with senior management, legal, compliance, and internal audit on an appropriate resolution. We also introduce the “spheres” acting around the “meta model of fraud” and how to use those “spheres” in the root cause process. Finally, this program will present the “three lines of defense”, which provides the audit committee and senior management with a better understanding of where the breakdowns occurred.


Fraud: Department of Justice (DOJ) Announces Procurement Collusion Strike Force

Background

Some studies highlight that procurement fraud is the second most frequently reported form of economic crime, behind asset misappropriation.

Procurement fraud is the act of gaining a dishonest advantage by abusing a position of decisive power in the procurement process; either by the individual responsible for this position in his or her own action, or by those seeking to win the opinion of that individual, resulting in a decision of benefit to themselves. Procurement fraud may be committed by procurement officers, vendors, or subcontractors, but always involves the act of collusion in order to obtain the unmerited advantage.  Fraudsters use the procurement process as part of their scheme to further their own interests in lieu of serving the interests of the procuring company.

Consider the internal risk of this type of fraud: ill-gotten financial gains come in the form of kickbacks to the Fraudster who in this example is the buyer, for selecting the suppliers’ bid which is often not in the best interest of the company.  Procurement fraud is also an external risk.  Vendors may work together to create the illusion of competition, thus fooling the procurement officers into accepting a bid above fair market value.  The scope of procurement fraud is widespread, global and not limited to certain categories, companies, or geographies.

Deeper Dive

Some report that approximately 30% of organizations have experienced procurement fraud, and that it was most common during the solicitation phase. During this time, vendors may collude with each other or with procurement officers in various ways that compromise the fairness of the bidding process and potentially result in improperly awarded contracts and/or higher contract costs. Those “holding all the cards” during the solicitation phase make the process extremely susceptible to unethical behavior.

It is important to remember that even after the contract has been awarded, the potential for fraud is ever-present. For example, a vendor could:

  • Charge more than the contractually agreed price and hope the overcharge goes unnoticed.
  • Submit duplicate invoices in the hopes that both invoices are processed.
  • Deliver non-conforming goods or services of lower value, quantity or quality than specified in the contract.
  • Exploit the change order process to perform services not specified in the contract or to artificially inflate the contract value over time.
  • Work in collusion with an insider to submit bogus invoices for goods not delivered or services not provided by the vendor.

According to a Global Economic Crime survey, the sectors reporting the most procurement fraud were state-owned enterprises (SOEs), followed by the energy, utilities and mining; engineering and construction; and transport and logistics industries.

More likely than not, factors driving the increase in procurement fraud schemes include an increase in public tender processes, companies changing and expanding their global supply chains, and a rise in outsourcing.

On November 5th, the Department of Justice announced the formation of the new Procurement Collusion Strike Force (PCSF) “focusing on deterring, detecting, investigating and prosecuting antitrust crimes, such as bid-rigging conspiracies and related fraudulent schemes, which undermine competition in government procurement, grant and program funding”.

The Strike Force is an inter-agency partnership comprised of prosecutors from the Antitrust Division, and prosecutors from thirteen (13) U.S. Attorneys’ Offices. Aiding in the prosecutors’ efforts are investigation partners such as the Offices of Inspector General from the Department of Justice, Department of Defense, U.S. Postal Service, and General Services Administration Office. The Department of Justice’s announcement proclaimed that those who “cheat, collude and seek to undermine the integrity of government procurement” will have more to concern themselves with when executing their crimes. Prosecutors and investigators alike expressed enthusiasm to be working as a part of this new team.


Bribery and Antitrust

An effective method to detect bribery schemes is to analyze contract awards for unusual patterns or anomalies. For example: correlating contract awards to financial transactions may identify instances where fraudsters attempt to conceal their behavior.  You may not see a check cut from the organization directly to the person they’re bribing, but a closer look may uncover patterns like excessive meetings, gifts, meals, and entertainment during the time period of awards.  Data analytics can also be used to detect instances of price-fixing, bid-rigging, and/or market division or allocation fraud schemes.

In simple terms, bid rigging is a fraud scheme which involves intentional manipulation of the bidding process. It often involves an agreement among competitors as to who will be awarded the contract.  The bidders may agree in advance who will submit the winning bid. The purchaser is then provided with a bid amount higher than what the competitive market generally produces, which results in an overpayment for goods or services. There are four basic schemes involved in most bid-rigging conspiracies:

  • Bid Suppression:  In this type of scheme, one or more competitors agree not to bid, or withdraw a previously submitted bid, so that a designated bidder will win. In return, the non-bidder may receive a subcontract or payoff.
  • Complementary Bidding: In this scheme, co-conspirators submit token bids which are intentionally high or which intentionally fail to meet all of the bid requirements in order to lose a contract. “Comp bids” are designed to give the appearance of competition.
  • Bid Rotation: In bid rotation, all co-conspirators submit bids, but by agreement, take turns being the low bidder on a series of contracts.
  • Customer or Market Allocation: In this scheme, co-conspirators agree to divide up customers or geographic areas. The result is that the co-conspirators will not bid or will submit only complementary bids when a solicitation for bids is made by a customer or in an area not assigned to them. This scheme is most commonly found in the service sector and may involve quoted prices for services as opposed to bids.

Note: Subcontracting arrangements are often part of a bid-rigging scheme. Competitors who agree not to bid or to submit a losing bid frequently receive subcontracts or supply contracts in exchange from the successful low bidder. In some schemes, a low bidder will agree to withdraw its bid in favor of the next low bidder, in exchange for a lucrative subcontract that divides the illegally obtained higher profits between them. 

Almost all forms of bid-rigging schemes have one thing in common: an agreement among some or all of the bidders which predetermines the winning bidder and limits or eliminates competition among the conspiring vendors.  Indicators of collusive bid-rigging schemes include:

  • Be aware of bids for goods or services for which the pool of qualified prospective bidders is small but controls a large share of the market. These bids are at higher risk for vendor collusion.
  • Also be mindful of bids for standardized goods or services.  If there are no differentiating factors among the various proposals aside from price, there is a much greater risk of collusion.
  • When vendors collude with one another, similarities may exist in the bids submitted to the procuring company.  For example, pay attention to similarities in the mailing addresses, email address domains, or courier account numbers.  Take a look at the properties of an electronic document to see if similar authors appear.
  • Observe the behavior of vendors when undergoing the procurement process.  The communication or action of the bidding vendors can be very telling.  Remember social engineering is a tool available to both sides!
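The overlap in contact and document details described in the indicators above, together with the bid rotation and complementary bidding schemes listed earlier, can be screened for directly in bid data. The Python example below is added here for illustration and is not the authors' or Baker Tilly's tooling; the vendors, amounts, field layout and the 20% gap threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from itertools import combinations

# Constructed vendor master data: name -> (contact email, mailing address, document author).
VENDORS = {
    "Alpha Paving":  ("bids@alphapaving.example",  "12 Mill Rd, Suite 4", "jdoe"),
    "Beta Roads":    ("sales@roadgroup.example",   "12 mill rd suite 4",  "JDoe"),
    "Gamma Civil":   ("info@roadgroup.example",    "9 Dock St",           "mlee"),
    "Delta Build":   ("tenders@deltabuild.example", "40 Quarry Ln",       "rkhan"),
    "Epsilon Works": ("bids@epsilonworks.example", "7 Harbor Way",        "tnguyen"),
    "Zeta Group":    ("office@zetagroup.example",  "221 Pine Ave",        "asmith"),
}

# Constructed bids: (tender id, vendor, bid amount). T5 is a competitive control.
BIDS = [
    ("T1", "Alpha Paving", 100_000), ("T1", "Beta Roads", 131_000), ("T1", "Gamma Civil", 134_500),
    ("T2", "Alpha Paving", 140_000), ("T2", "Beta Roads", 104_000), ("T2", "Gamma Civil", 138_000),
    ("T3", "Alpha Paving", 127_000), ("T3", "Beta Roads", 129_500), ("T3", "Gamma Civil", 98_000),
    ("T4", "Alpha Paving", 101_000), ("T4", "Beta Roads", 133_000), ("T4", "Gamma Civil", 135_000),
    ("T5", "Delta Build", 88_000), ("T5", "Epsilon Works", 90_500), ("T5", "Zeta Group", 97_000),
]

LABELS = ("email_domain", "address", "doc_author")


def _key(label, value):
    """Normalise a value so cosmetic differences do not hide a match."""
    if label == "email_domain":
        return value.rsplit("@", 1)[-1].lower()
    return re.sub(r"[^a-z0-9]", "", value.lower())


def _by_tender(bids):
    tenders = defaultdict(list)
    for row in bids:
        tenders[row[0]].append(row)
    return tenders


def shared_attribute_links(bids, vendors):
    """Pairs of vendors bidding on the same tender that share an email
    domain, mailing address or document author."""
    links = set()
    for rows in _by_tender(bids).values():
        names = sorted({vendor for _, vendor, _ in rows})
        for a, b in combinations(names, 2):
            for i, label in enumerate(LABELS):
                va, vb = _key(label, vendors[a][i]), _key(label, vendors[b][i])
                if va and va == vb:
                    links.add((a, b, label))
    return sorted(links)


def rotating_winners(bids):
    """Bidder groups whose low bidder changes in strict turn: every run of
    n consecutive tenders (n = group size) has n different winners."""
    groups = defaultdict(list)
    # Assumption: tender ids sort in award order; use the award date in real data.
    for _, rows in sorted(_by_tender(bids).items()):
        bidders = tuple(sorted(vendor for _, vendor, _ in rows))
        groups[bidders].append(min(rows, key=lambda r: r[2])[1])
    flagged = {}
    for bidders, winners in groups.items():
        n = len(bidders)
        if n < 2 or len(winners) <= n:  # need to see the cycle start to repeat
            continue
        windows = [winners[i:i + n] for i in range(len(winners) - n + 1)]
        if all(len(set(w)) == n for w in windows):
            flagged[bidders] = winners
    return flagged


def cover_bid_tenders(bids, min_gap=0.20):
    """Tenders where every losing bid sits at least min_gap above the low
    bid, the shape token 'comp bids' tend to produce."""
    flagged = []
    for tender, rows in sorted(_by_tender(bids).items()):
        amounts = sorted(amount for _, _, amount in rows)
        if len(amounts) >= 2 and (amounts[1] - amounts[0]) / amounts[0] >= min_gap:
            flagged.append(tender)
    return flagged


if __name__ == "__main__":
    for link in shared_attribute_links(BIDS, VENDORS):
        print("shared attribute:", link)
    for bidders, winners in rotating_winners(BIDS).items():
        print("rotation:", bidders, "->", winners)
    print("possible cover bids:", cover_bid_tenders(BIDS))
```

Each hit is a lead for review rather than proof of collusion: shared webmail domains, a common bid-preparation consultant, or a genuinely cheaper supplier will all trigger these screens.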

Price-fixing schemes often impact the procurement process when business is conducted through purchase orders or direct purchases. Price fixing occurs when competitors agree to raise or fix their prices for their goods or services, set a minimum price that they will not sell below, or reduce or eliminate discounts. Indicators of these types of schemes include:

  • Look for situations where competitors always announce their price increases at the same time for the same amount, or staggered price increases with an established pattern or frequency, oftentimes creating the appearance of who is going to be first to increase prices.
  • Look for competitors reducing or eliminating discounts at about the same time.
  • Generally, be alert to situations in which all prices seem to be uniform and all suppliers refuse to negotiate those prices.


Methods to Deter & Detect Procurement Fraud

An effective way to deter and detect fraud is to develop a thorough understanding of the business environment, the risks impacting the achievement of the business’ strategic goals, and the implementation of a holistic fraud risk management program. Once the risks are identified, I would also strongly encourage the use of data analytics, combined with proper training, internal audits, and compliance reviews to support and supplement the fraud risk management program.

Other practices that could help detect fraud include, but are not limited to:

  • Ensuring transparency from everyone and applying the right amount of skepticism, always!
  • Maintaining, restricting access to, and auditing a valid master vendor list.
  • Performing proper due diligence during supplier onboarding.
  • Referring to debarment sources of blacklisted suppliers.
  • Performing peer grouping to determine if a supplier fits an appropriate profile for a contract.

At Baker Tilly we can assist any organization with your fraud risk management and anti-fraud programs and controls.  This includes services to detect, deter, respond, and remediate instances of fraud. Our team of experts is well positioned to investigate and remediate suspected instances of procurement fraud, which includes the ability to conduct a root cause analysis to determine the cause of the misconduct.  The DOJ has deemed a company’s efforts to properly remediate and identify root cause as a best practice and often provides credit to those companies who engage in such activities in the event of a criminal prosecution resulting from procurement fraud.  The DOJ also looks highly upon companies with robust third party risk management programs, which can also be used to mitigate the risk of procurement fraud.

Our team of highly-skilled professionals use advanced analytics, such as predictive modeling, to help identify attributes or patterns that are highly correlated with known fraud, even complex and emerging patterns of fraud. Moreover, we use text mining as an effective tool to identify red flags of procurement fraud or antitrust violations.

I often say, “Analytics can answer questions that manual or ad hoc methods would generally miss – it’s the ‘silent whistleblower!’”


Closing

Many organizations miss the mark when it comes to managing the procurement process. Some are quite good!

It starts with a well-written code of conduct, and includes strong policies, proper internal controls (note: segregation of duties is a pervasive issue), a robust third party risk management program, training, and monitoring.

I’m not surprised by the DOJ’s initiative and commend them in the fight against public procurement crimes.  We recommend organizations review their compliance program, supply chain, and procurement process for risks and opportunities for enhancements.

We welcome your thoughts and comments.

Now, for tomorrow!

Best,

Jonathan T. Marks, CPA, CFE | Firm Leader

Paul Zikmund

Melissa Dardini

Members of Baker Tilly’s Global Fraud and Forensic Investigations, Compliance, & Security Services

“Our team focuses on the intersection of where strategy meets execution, so that we can enhance and protect our clients’ value.”

Copyright 2019

Reputation Risk Management Doesn’t Have a Start or End Date!

Background

How can we protect our brand? What are we doing to protect our brand? These are questions all board members should be constantly asking. Reputational risk can damage the most well-crafted business strategies and is a growing challenge that companies around the world are still learning how to manage.

By definition, reputational risk refers to the potential for negative publicity, public perception, or uncontrollable events to adversely impact a company’s reputation, thereby affecting its revenue.

Board directors covet their company’s reputation because it’s their most valuable asset. A study by Deloitte and Forbes affirmed this conviction, but should not surprise anyone.  Senior-level executives also agreed that their company’s reputation presented the greatest risk to the company’s ability to achieve business strategies.


Survey

The Red Flag Group recently conducted a survey, which asked business decision makers 20 questions to determine the importance of protecting reputation.  Highlights of the survey questions include:

  • The biggest perceived threats vs. the biggest actual threats
  • The relationship between reputational risk and legal risk
  • Risk-related attitudes of external stakeholders (consumers, investors and the media)
  • The relationship between risk ownership and risk mitigation

I have highlighted some of the results below.  I encourage you to read the entire survey.

Highlights of Survey

According to the survey, the majority believe that legal and reputational risks are of approximately the same importance.

graphic 1

When looking at the survey results, the most commonly flagged and biggest reputational risks were identified as follows:

graphic 2

What’s also interesting is the survey revealed that a current employee’s actions cause the most harm to reputation. In other words, the threat is from within.

graphic 3

As previously mentioned, current employees present the highest risk to the company’s reputation.

However, it is interesting that third parties such as distributors, suppliers and former employees are ranked so low given recent headlines about data breaches caused by suppliers handling data of large, international companies. Similarly, if we look at the top five risks previously identified as potentially impacting the company’s reputation, we find that these are some areas that typically involve the use of third parties to perpetrate the misconduct:

  1. Data security breaches
  2. Corruption (FCPA/UKBA)
  3. Fraud
  4. Antitrust and competition
  5. Business continuity

While companies are typically faced with the actions of their own employees for these risk areas, many of the risks above involve a high degree of interactions with outside third parties such as distributors, service providers and vendors. In this sense, the identified problematic groups, perceived top risks and recent examples of reputational risk failures aren’t in congruence. Although it can be more practical to control the existing workforce at a company, there needs to be a focus on external parties who also pose a risk to the company’s reputation.

Mitigation

The strategy of mitigating risks often falls on the shoulders of the department(s) or individuals who own the risks.  Based upon the survey responses, the legal and compliance functions are often identified as owning or providing oversight for some of these risks. This is a slippery slope, because the business or management should own the risks – not legal or compliance!

We have been battling this same issue with internal audit over the years, so let’s set the record straight.

TLD

Internal Audit’s (3rd Line of Defense) objective is essentially to provide independent assurance that risk management, governance and internal control processes are operating effectively.

The Compliance function (2nd Line of Defense) is there to reasonably ensure that the company is complying with all applicable laws, rules and regulations, as well as internal codes of conduct, policies and procedures. Their objective is predominantly operational.

It is management’s job to identify the risks facing the organization and to understand how they will impact the delivery of objectives if they are not managed effectively.  Moreover, management is responsible for establishing and maintaining internal control to achieve the objectives of effective and efficient operations, reliable financial reporting, and compliance with applicable laws and regulations.

graphic 4 who owns it

Data Analytics Can Help Boards Understand

Many boards fear that the lack of control over reputational risk makes it impractical or improbable to manage these risks. Managing reputational risk requires managing internal and external stakeholders such as customers, employees, vendors; however, mitigating reputational risk is a challenging and worthwhile endeavor as this creates and preserves value for any organization. Boards must acquire and utilize the right set of tools to measure, monitor and analyze reputational risk. The use of data analytics, if done properly, is a powerful tool that can help identify and quantify market and media response and in some instances unveil new risks that have been hidden or lurking in plain sight. For example, an uptick in negative social media posts could signify the emergence of a risk such as a possible product recall, negative customer experience, or other risk that could negatively impact the company’s reputation or possibly the reputation of a competitor, which could lead to new opportunities.

Some Keys to Managing Reputation Risk

  1. Include reputation risk as part of the overall risk management strategy
  2. Ensure your enterprise risk assessment proactively identifies, prioritizes and manages key risks – don’t boil the ocean
  3. Ensure policies, procedures, and controls are in place and operating effectively
  4. Train employees and external parties appropriately
  5. Understand your stakeholders’ expectations
  6. Communicate prioritized risks and risk management strategies effectively
  7. Have a crisis management plan in place and conduct regular simulations or “red ball drills” to properly prepare for the occurrence of a risk event.

Closing

Reputation risk is real, which means companies should continue to improve their capabilities for managing this risk.  Leading organizations already treat reputation risk as a strategic risk, which is an accelerating trend and a tactic that leads to the creation and preservation of value.

An effective approach to managing reputation risk requires a sustained effort — before, during, and after a crisis. Reputation risk management does not have a start or end date!

Baker Tilly provides services to help manage reputational risk.  Our data analytics capabilities, cultural surveys, and crisis management advisory services provide the tools and strategies to help organizations manage this risk.

I welcome your thoughts and comments, but know that Baker Tilly can help!

Best!

Jonathan T. Marks, CPA, CFE

FCPA: CEO Overriding/Circumventing and Exploiting Internal Controls, and Issuing False Certifications

Background

The Securities and Exchange Commission (“SEC”) announced that Westport Fuel Systems, Inc. (“Westport”), a Canadian clean fuel technology company headquartered in Vancouver, Canada, and its former chief executive officer, Nancy Gougarty (“Gougarty”), age 64 of Leesville, South Carolina, have agreed to pay more than $4.1 million to resolve charges that they violated the Foreign Corrupt Practices Act (“FCPA”) by paying bribes to a foreign government official in China.

SEC’s Order

According to the SEC’s order, beginning no later than 2016, Westport, acting through Gougarty and others, engaged in a scheme to bribe a Chinese government official to obtain business and a cash dividend payment by transferring shares of stock in Westport’s Chinese joint venture to a Chinese private equity fund in which the government official held a financial interest.  The SEC order states that Westport concealed the identity of the Chinese private equity fund in its public filings, as well as in its books and records, by falsely identifying a different entity as the counterparty to the transaction. Gougarty caused Westport’s violations by circumventing Westport’s internal accounting controls and signing a false certification concerning the sufficiency of those controls.
“A company’s commitment to compliance is only as strong as the effort put in by senior management,” said Charles Cain, Chief of the SEC Enforcement Division’s FCPA Unit. “Here, the chief executive exploited weaknesses in the company’s controls to engage in bribery, undermining shareholder interests.”

The SEC’s order finds that Westport violated the anti-bribery, books and records, and the internal controls provisions of the Securities Exchange Act of 1934 and that Gougarty caused certain of Westport’s violations. 

Westport violated, and Gougarty caused Westport’s violation of, Section 13(b)(2)(B) of the Exchange Act which requires every issuer with a class of securities registered pursuant to Exchange Act Section 12 to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that (i) transactions are executed in accordance with management’s general or specific authorization; (ii) transactions are recorded as necessary (I) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets; (iii) access to assets is permitted only in accordance with management’s general or specific authorization; and (iv) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any difference.

Outcome

Without admitting or denying the SEC’s findings, respondents consented to a cease-and-desist order. Westport also agreed to pay $2,546,000 in disgorgement and prejudgment interest and a civil penalty of $1,500,000, and Gougarty agreed to pay a civil penalty of $120,000. In determining to accept Westport’s offer, the SEC considered remedial acts undertaken by Westport concerning its anti-corruption and financial reporting compliance programs, and its cooperation afforded SEC staff.

Practice Considerations

Revisit your Code of Conduct. The SEC cited the fact Westport’s Code of Conduct omitted any reference to due diligence when engaging in a transaction with a third party in which a government official may have a financial interest.

Regarding overriding or circumventing internal controls, the PCAOB states that management is in a unique position to perpetrate fraud because of its ability to directly or indirectly manipulate accounting records and prepare fraudulent financial statements by overriding established controls that otherwise appear to be operating effectively.

By its nature, management override of controls can occur in unpredictable ways. The PCAOB outlines several procedures to specifically address the risk of management override of controls. I highly recommend reviewing the procedures.

I welcome your comments and suggestions.

Best,

Jonathan T. Marks, CPA, CFE

Attribution: PCAOB, SEC, WSJ


Skepticism – A Key Tool in the Fight Against Fraud

“What is wanted is not the will to believe, but the will to find out, which is the exact opposite.” – Bertrand Russell, “Skeptical Essays,” 1928

Questions about professional skepticism – how to define it, how much is enough, what policies support it, and what practices diminish it – are perennial topics of concern among auditors and accountants. These topics also should be of concern to all stakeholders, including a company’s management, board of directors, and audit committee.

In any discussion of fraud detection and prevention, the phrase “trust but verify” is almost certain to come up. Regardless of how apt that concept might have been in the context of Cold War diplomacy, it could be argued that “trust but verify” is actually bad advice when it comes to deterring fraud in general.

In fact, “trust but verify” could be a downright dangerous approach when applied to audit procedures in particular. A much better slogan for fraud deterrence would be, “Trust is a professional hazard.”

Skepticism: It’s Everyone’s Job

Recently, the necessity of professional skepticism has been emphasized repeatedly. For example, in August 2013, Jeanette M. Franzel, board member of the Public Company Accounting Oversight Board (PCAOB), said, “Our inspection results all too often show that substantial progress is needed in order to more consistently achieve the appropriate application of professional skepticism throughout the audit process and across audits. Additional efforts are needed to better understand how the framework of professional skepticism applies across varying audit situations.”

Months earlier, the PCAOB issued a staff audit practice alert on the topic, which included this cautionary note: “Observations from the PCAOB’s oversight activities continue to raise concerns about whether auditors consistently and diligently apply professional skepticism. Certain circumstances can impede the appropriate application of professional skepticism and allow unconscious biases to prevail, including incentives and pressures resulting from certain conditions inherent in the audit environment, scheduling and workload demands, or an inappropriate level of confidence or trust in management. Audit firms and individual auditors should be alert for these impediments and take appropriate measures to assure that professional skepticism is applied appropriately throughout all audits performed under PCAOB standards.”

It is not just auditors who must be concerned with maintaining appropriate professional skepticism. This point was stressed during a roundtable convened in April 2013 by the Anti-Fraud Collaboration, which comprises the Center for Audit Quality (CAQ), Financial Executives International (FEI), The Institute of Internal Auditors (IIA), and the National Association of Corporate Directors (NACD). The author participated in this program, which had the objective of bringing together some key players – corporate directors, financial executives, external auditors, and internal auditors – from all along the financial reporting supply chain to discuss each group’s expectations and understanding of the various players’ roles in deterring and detecting financial reporting fraud.

Boards, particularly audit committee members, must take care to exercise a skeptical approach to financial reports and supporting information.

A portion of the discussion focused on an initial survey of the four organizations’ members, which produced a number of surprising findings about the attitudes and opinions of the various stakeholders. The roundtable’s summary concluded, “A large majority of survey respondents believe that financial management has primary responsibility in deterring financial reporting fraud, with a smaller majority believing financial management is responsible for detecting financial statement reporting fraud.”

The implication is that because financial management plays a leading role in detecting financial fraud, it is incumbent on executives – not just auditors – to exercise appropriate levels of professional skepticism. Board members and particularly audit committee members also must take care to exercise a skeptical approach to financial reports and supporting information.

Exhibit 1 – Trust vs. Skepticism

Source: “Closing the Expectation Gap in Deterring and Detecting Financial Statement Fraud: A Roundtable Summary,” Anti-Fraud Collaboration, 2013, p. 15

Tellingly, 42 percent of the internal auditors said that their organization exhibits more trust than skepticism. This is a particularly troubling admission considering the paramount role that professional skepticism – not trust – must play in auditors’ performance of duties. The Anti-Fraud Collaboration’s survey also revealed that the various stakeholders’ expectations and opinions about their organizations’ effectiveness in deterring and detecting fraud vary widely. When asked to rate his or her organization’s overall performance, an internal auditor was much less likely to say that his or her organization exhibits the appropriate balance between trust and skepticism. As shown in Exhibit 1, only 46 percent of those affiliated with the IIA said that their organization exhibits the appropriate balance of trust versus skepticism, compared to 58 percent of the financial executives (members of FEI), 70 percent of the external auditors (CAQ members), and 79 percent of the board members (affiliates of NACD) who responded.

Defining the Issue

An obvious early step in helping executives, boards, and auditors decide the appropriate balance between trust and skepticism in their organizations is to come to a general agreement on what professional skepticism really means. The auditing profession, as one might expect, has devoted considerable effort to defining the term.

The IIA, representing the internal audit profession with approximately 180,000 members worldwide, defines professional skepticism as “the state of mind in which internal auditors take nothing for granted; they continuously question what they hear and see and critically assess audit evidence.” PCAOB standards define professional skepticism as “an attitude that includes a questioning mind and a critical assessment of audit evidence.” It requires an emphasis on the importance of maintaining the proper state of mind throughout the audit.

Over the past 10 years, researchers have developed a theoretical model that views professional skepticism as a function of six fundamental characteristics, including a recognition that individuals might have different perceptions of the same information.

Defining skepticism and identifying its primary traits have also been the subjects of considerable academic and professional research in recent years. In November 2013, the Standards Working Group of the Global Public Policy Committee (GPPC), a consortium of large accounting firms, published a research paper on the topic. The publication, “Enhancing Auditor Professional Skepticism,” was written by professors Steven M. Glover and Douglas F. Prawitt of Brigham Young University. The paper’s stated purpose was to develop “a shared understanding of what professional skepticism is, how it should be applied, the threats to professional skepticism and the safeguards that may be cost effective.”

The authors noted at the outset that “the term ‘professional skepticism’ is widely used but may mean different things to different organizations and individuals.” The writers went on to suggest that “to move the dialogue on improving the consistent appropriate application of professional skepticism forward, it is important that a shared understanding be developed regarding what professional skepticism is, how it should be applied and documented in various situations, and how threats to professional skepticism manifest themselves at different structural levels.”


The GPPC research, like many other efforts, draws partly from academic work by Kathy Hurtt, Martha Eining, and R. David Plumlee. In a series of papers over the past 10 years, these researchers developed a theoretical model that views professional skepticism as a function of six fundamental characteristics:

  1. A questioning mind: Not accepting information at face value but instead looking for evidence or proof to justify the information
  2. Suspension of judgment: A propensity to withhold acceptance or rejection until all information has been found and considered
  3. A search for knowledge: As evidenced by genuine curiosity and enjoyment of learning
  4. Interpersonal understanding: Recognizing that individuals might have different perceptions of the same information
  5. Self-confidence: Valuing one’s own insights and being willing to challenge the assumptions of others
  6. Self-determination: The personal initiative to take action based on the evidence

This multidimensional view, and a related 30-question survey the authors developed to provide an empirical measure of individual auditors’ relative skepticism, have formed the basis of much of the academic research on professional skepticism over the past decade. This view also provides a useful explanation of characteristics and behavior that can be inherently difficult to measure objectively.


Exhibit 2 – Confidence That Each Party Exercises Sufficient Skepticism

Source: “Closing the Expectation Gap in Deterring and Detecting Financial Statement Fraud: A Roundtable Summary,” Anti-Fraud Collaboration, 2013, p. 15

Complacency: The Big Challenge

An objective of all this research on professional skepticism is to help identify factors that prevent or discourage auditors – and others in the financial reporting supply chain – from developing and maintaining the appropriate level of skepticism. One of the most prevalent factors is simple complacency – as demonstrated by another response to the Anti-Fraud Collaboration’s survey.

As shown in Exhibit 2, survey respondents were asked to assess their confidence that the various groups responsible for deterring and detecting fraud in their organization were exercising a sufficient level of skepticism.

Of all the groups, board members (NACD members) were most complacent about the performance of responsible parties in their organization. They were almost unanimous (98 percent) in expressing confidence that their company’s internal and external auditors exercise sufficient skepticism. Ninety-four percent of board members were confident or highly confident that they exercise sufficient skepticism themselves.

On the other hand, external auditors (CAQ members) were much less confident in others’ performance. Only 73 percent of the CAQ’s respondents were confident or highly confident that financial executives exercise sufficient skepticism of financial results. External auditors viewed board members and audit committees almost identically to executives.

Internal auditors (IIA members) had roughly the same view of financial executives and even less confidence that board members and audit committees demonstrate appropriate skepticism in reviewing financial information. In other words, the views of internal and external auditors differ significantly from the views of executives and board members.

Other Impediments to Appropriate Skepticism

Complacency is only one attitude that could cause an executive, board member, or auditor to exercise insufficient skepticism when considering financial information. The GPPC’s research paper points out several natural tendencies that can lead to faulty judgment or weakened skepticism:

  • Overconfidence. Decision-makers must be careful not to overestimate their abilities and understanding of issues. Overconfidence can lead them to challenge statements, assumptions, and procedures insufficiently.
  • Confirmation bias. It’s natural to give more weight to information that confirms our opinions. This inclination can bias a wide variety of auditor judgments and cause executives and board members to see what they expect to see.
  • Anchoring. Anchoring is the tendency to start with initial values and data that are familiar. An auditor can be influenced inappropriately by the previous year’s account details, for example.
  • Availability. Information that is easily accessible (or available from memory) is often considered less relevant to a decision than information from alternative sources. As a result, auditors unconsciously might not apply the most relevant information to the audit.

In addition to personal biases, other challenges can inhibit skepticism. For example, an external auditor’s conflicts of interest and less-than-thorough understanding of the business are areas of legitimate concern.

One of the most significant challenges is deadline pressure. An auditor is naturally under substantial pressure to complete the work and issue the report promptly. A cunning fraudster can take advantage of the situation by initially diverting the auditor’s time and attention to areas that are unlikely to raise concerns and saving problematic areas until the engagement’s end, when time is short. Recognizing and resisting this tactic requires the application of professional skepticism – not only on the part of the external auditor but by the others involved in the process as well.

Beyond Audit: What Other Stakeholders Can Do

Although the GPPC’s research focused on auditors, the same observations – and the same potential weaknesses – apply to everyone in an organization who has the responsibility to detect or deter fraud, from executives with financial reporting responsibilities to the board of directors in general and members of the audit committee in particular. Ultimately, all these individuals have a direct interest in detecting fraud or misstatement and a responsibility to be on guard against complacency or other impediments.

The GPPC study’s authors noted, “While auditors can and must do better in their central role, we believe that a complete solution to the problem of enhancing auditor professional skepticism requires an approach that addresses threats at all structural levels and that involves all of the key stakeholders that share responsibility in enhancing the reliability of the financial reporting process.”

It is essential for all organizations to encourage clear, open communication among all parties concerned. The Anti-Fraud Collaboration’s report noted, “For the roles to operate well together, communication is critical.” The authors went on to advocate “open and candid conversation among the internal and external audit functions, financial management, and the audit committee, allowing for audit committees to perform their governance role with necessary transparency and realistic expectations.”

Beyond this general effort, all stakeholders can take a number of specific steps to encourage appropriate levels of professional skepticism, including the following –

  • Self-criticize each significant judgment. Make it a point to play the role of the independent reviewer or inspector, particularly of your own A professional skeptic continuously challenges his or her beliefs and belief-based risk assessments. Critical self-assessment is necessary to demonstrate to others why and how beliefs and assessments are justified.
  • Make an effort to resist complacency and other natural tendencies such as confirmation bias. Question whether you are placing undue weight on prior risk assessments or discounting evidence inconsistent with your expectations.
  • Be alert to pressure. Pay particular attention to pressure to truncate risk assessment procedures or make unwarranted assumptions to beat time constraints. This step is especially important as deadlines approach.
  • Understand the sources of evidence. Identify and assess audit risks from multiple perspectives, using multiple sources of evidence.
  • Be aware of the relative reliability of various types of evidence. In general, documentation from internally generated documents – particularly those that are generated manually or not linked to other reporting systems – is less reliable as evidence than documents generated by external sources such as banks or suppliers. See graphic below.

If, as asserted at the outset, trust is indeed a professional hazard for auditors, then it follows that informed, knowledgeable skepticism is a professional asset. That principle applies not only to auditors but also to the board members and financial executives responsible for detecting and deterring fraud of all types, specifically financial reporting fraud. By challenging their own assumptions – and creating an environment in which such challenges are encouraged and supported – companies will not just deter fraud but make its detection more likely.

I welcome your thoughts and comments.

Best!


 

Attribution:

Jeanette M. Franzel, “Auditor Objectivity and Skepticism – What’s Next?” American Accounting Association Annual Meeting, Aug. 5, 2013, http://pcaobus.org/News/Speech/Pages/08052013_AAA.aspx

“Staff Audit Practice Alert No. 10: Maintaining and Applying Professional Skepticism in Audits,” Public Company Accounting Oversight Board, Dec. 4, 2012, http://pcaobus.org/Standards/QandA/12-04-2012_SAPA_10.pdf

“Closing the Expectation Gap in Deterring and Detecting Financial Statement Fraud: A Roundtable Summary,” Anti-Fraud Collaboration, 2013, p. 3, https://na.theiia.org/standards-guidance/Public%20Documents/Anti-Fraud%20Collaboration%20Report.pdf

“IIA Chapter 10,” “Quizlet” online study guide, 2014, http://quizlet.com/15259935/iia-chapter-10-flash-cards/

“Staff Audit Practice Alert No. 10.”

Steven M. Glover and Douglas F. Prawitt, “Enhancing Auditor Professional Skepticism,” Global Public Policy Committee, November 2013, p. i, http://www.thecaq.org/docs/research/skepticismreport.pdf

Ibid.

Ibid, p. ii.

The Hurtt Skepticism Scale is summarized in Rosemary Fullerton and Cindy Durtschi, “The Effect of Professional Skepticism on the Fraud Detection Skills of Internal Auditors,” Social Science Research Network, Nov. 11, 2004, http://ssrn.com/abstract=617062

“Enhancing Auditor Professional Skepticism,” p. 18.

“Closing the Expectation Gap in Deterring and Detecting Financial Statement Fraud,” p. 10.

Evidence


Slush Funds and the Juniper Networks FCPA Settlement

Overview

After what appears to be a 73-month investigation, as part of an internal administrative order, Juniper Networks, Inc. – NYSE: JNPR (“Juniper”, or “the Company”) will pay $11.7 million as part of a settlement with the Securities and Exchange Commission (“SEC”); however, in an 8-K filed on February 9, 2018, Juniper disclosed that the Department of Justice (“DOJ”) had completed its investigation and, citing Juniper’s cooperation, decided to take no further action against the company – no criminal charges. Apparently the DOJ had sent the letter closing its investigation in the fourth quarter of 2017.

The SEC settlement is broken down as follows: $6.5 million civil penalty; $4 million in disgorgement, representing the amount of profit the company made as a result of the conduct; and about $1.2 million in interest.

What Happened?

From 2008 to 2013, sales employees in Russia agreed to increase discounts on sales made by third-party partners, according to the settlement. The discounts were funneled into off-book funds referred to as “common funds” (in the fraud space called “slush funds”), which were directed partially by Company sales representatives and used to pay for customer trips, including travel for foreign officials to various locations where there were no Juniper facilities or industry conferences related to Juniper’s business – the trips had little to no business purpose.

The trips “were predominantly leisure in nature and had little to no educational or business purpose.” That would include trips to places where there were no Juniper facilities, nor any industry conferences related to Juniper’s line of work.

During a similar period, sales employees at the Company’s Chinese subsidiaries paid for excessive travel and entertainment of customers, including foreign officials. Certain local marketing employees falsified trip agendas to understate the amount of entertainment offered on the trips. These sales employees submitted the falsified and misleading trip agendas to Juniper’s Legal Department to obtain event approval, apparently subsequent to the event taking place and without adequate review.

Juniper learned of the “common funds,” which were against corporate policy, in late 2009. However, diverting funds and using them to pay travel expenses continued through 2013. 

Deeper Into the Weeds

The conduct by the Company’s Russian and Chinese subsidiaries violated the FCPA’s internal controls and record-keeping provisions.

The crux of this matter is Juniper’s overseas subsidiaries, which appear to have exploited weak oversight of accounting policy and the apparent override of weak internal controls to create off-book “common fund accounts,” or slush funds, used to pay bribes.

The SEC’s order states the bribery happened from 2008 to 2013. Juniper’s subsidiary in Russia, JNN Development Corp., worked with local partners in that country to increase discounts those partners would supposedly offer to customers — except, of course, those discounts never actually reached Juniper’s customers.  Instead, the local partners diverted that money into a slush fund to cover travel and marketing expenses for customers, including foreign government officials. Those customers received free trips which, to use the SEC’s words, “were predominantly leisure in nature and had little to no educational or business purpose.” That would include trips to places where there were no Juniper facilities, nor any industry conferences related to Juniper’s line of work.

At least some of these trips were directed by JNN executives, which is not surprising. More disturbing is that Company executives allegedly knew about this behavior as early as 2009, and told JNN to stop – but the funneling of monies into the “common funds” and the improper trips continued into 2013.

Meanwhile, from 2009 through 2013, roughly the same four years, sales employees at Juniper’s Chinese subsidiaries were busy falsifying trip and meeting agendas for customer events in an attempt to conceal the real value of entertainment involved on the trips. Apparently, falsified agendas were submitted to Juniper’s legal department for approval. Against Juniper’s travel policies, the legal department approved numerous trips without adequate review and after the events had taken place.


Key Best Practices

Fraud detection and prevention is not a hobby. Ensure you have the proper skills on your team!

  • Check your allegation triage process and escalation protocols.
  • Analyze your governance framework and ensure business practices and ethics are a key component of the framework.
  • Conduct risk based ethics and compliance training.
  • Revisit your risk assessment continuously, not at prescribed periods. Remember: achieving strategy equals risk management plus effective internal controls!
  • Russia and China are inherently high-risk countries and markets for bribery.
  • Ensure fraud controls are properly designed to deter, detect, or prevent unethical behavior or, worse, fraud.
  • Discounts and rebates have historically been a source of consternation for many organizations. Ensure procedures are designed to test both the design and effectiveness of the controls surrounding any discount or rebate program.
  • Monitor customer sales activities for suspicious activity – follow the money!
  • Revisit your policies and procedures and determine whether they address pertinent issues, such as what constitutes acceptable behavior by employees.
  • Ensure your internal audit plan is truly risk based.
  • Assess the skills of internal audit. If there is a deficiency in skills related to fraud and FCPA, strongly consider augmenting your internal audit team with outside professionals who can “tuck in” and provide those skills.
  • Review your third-party risk management program.
  • Have your compliance program reviewed at a minimum every three (3) years by outside independent professionals to ensure that it is not stale.

Board Members

  • Seek to understand communication protocols and the escalation process;
  • Review the allegation log frequently, but no less than every 60 days, to ensure investigations are being done timely. Question investigations that have stopped or have lingered on beyond 60 days;
  • Ensure the board (audit committee) is being briefed timely on all serious matters by the chief audit executive and chief compliance officer; and,
  • Question the discipline applied to the bad actors and whether the risk assessment, compliance and ethics training, and monitoring protocols need to be modified.
  • Challenge your Chief Compliance Officer to provide evidence of the existence of a strong ethics and compliance program.

In Juniper, they never mention what, if any, discipline was applied to those who ignored the “cease and desist.” In addition, they also don’t mention internal audit, which seems odd.

Cooperation and Remediation

According to the SEC, Juniper cooperated by disclosing facts in a timely way and “voluntarily produced and translated documents” to the agency during the investigation.  They also “provided the [SEC] staff presentations regarding its investigation.”

As part of its remedial action, Juniper instituted a compliance preview and required pre-approval of non-standard discounts. It also now requires pre-approval for third-party gifts, travel, and entertainment, channel partner marketing expenses, and some operating expenses in high-risk markets. 

Closing

Governance, risk, and compliance are no joke – get in the game! 

Having an appropriate compliance structure that collaborates and works in harmony with internal audit and the legal function is a must to ensure risks are handled appropriately.

I welcome your thoughts and comments!

Best!


Jonathan T. Marks, CPA, CFE

 

Attribution:  SEC, DOJ, Stanford, WSJ