In one of the more unusual incidents being attributed to the new Wuhan COVID-19 or Coronavirus outbreak, a turf war between dozens of street monkeys and temple monkeys broke out in Thailand’s historic city of Lopburi (https://lnkd.in/eFuJhrp). According to city residents, the furry fracas likely resulted from a sharp dip in tourism to the 800-year-old city — and thus a dip in free food offerings to thousands of local monkeys. We doubt the local residents of Lopburi considered this risk when the COVID-19 story first broke.
So this raises the question: have you thought about how you assessed your supply chain, business continuity and crisis plans to account for critical dependencies and a variety of other possible impacts?
A business impact analysis is very helpful to identify risks and consequences organizations face as they try to navigate today’s high-risk business environment. Specifically, it should provide insight into physical, operational, and systemic risks. Identifying risks and managing them appropriately can give organizations competitive advantages.
Practice Pointer: Risks change! It’s critical to continuously evaluate the situation, because new risks may emerge and risks previously identified may have a different velocity, and thus the speed of impact might change – some may slow and some may increase.
Take the time now in order to avoid having the monkey on your back and suffering the negative impact of poorly managed risks!
This writing will highlight some of the more unusual bribery schemes described in 2019 Foreign Corrupt Practices Act (FCPA) enforcement actions and also consider their impact on compliance programs, what they mean for the compliance professional and how the government could potentially use these cases to require more effective compliance programs going forward.
Discounts to Distributors
The Microsoft Corporation FCPA enforcement action demonstrated a failure around the company’s policy on providing discounts to distributors and other third-party sellers. The company had a policy requiring that discounts above certain thresholds be reviewed and approved by Microsoft’s Business Desk. That approval required a valid business justification before the discount could be granted. Unfortunately, the local business unit did a cut and paste job, citing “competition with competitors”, “customer price sensitivity” and the ubiquitous “possibility” of winning other work as justifications for the discount.
These business justifications were provided with no supporting documentation and were approved by the Business Desk. There was a time limit expiration on these discounts; however, there was no follow up by the Business Desk to determine if the discount was revoked or otherwise taken off the table after the time limit expired. You might think that after multiple requests for discounts from the same business unit, each citing the same justifications of competition with competitors, customer price sensitivity and the possibility of winning other work, someone at the Business Desk might have at least asked them to cut and paste a different business justification to support the discount.
There must be a comprehensive discount approval process for distributors, which must be followed, tested and include effective oversight. If a business submits multiple requests for a discount and each request includes the same business justification, the approver should become suspicious and request proper supporting documentation before granting these requests. As far back as the BHP Billiton FCPA enforcement action, where the business justification for government travel to the 2008 Beijing Olympics became a cut and paste job, the regulators have made clear that there must be a substantive reason for the discount and that the discount must be tested.
This testing also comes in the form of reviewing, with a critical eye, the backup documentation provided to demonstrate the business case for the discount. If there is no documentation, the discount request should not be approved. If there are conditions attached to the discount approval, such as a time limit expiration on the discounts, there must be follow up to determine if the discount was revoked or otherwise taken off the table.
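The control failures described above (boilerplate justifications reused across requests, approvals with no supporting documentation, and expired discounts never revoked) can be screened for mechanically. The following is an added example, not code from the original post or from any company described in it; the request fields, the review threshold and the sample requests are constructed assumptions.

```python
"""Screening checks for a distributor discount approval process.

Controls modelled (as assumptions, not any company's actual process):
  * discounts above REVIEW_THRESHOLD_PCT require Business Desk review,
  * reviewed requests must carry supporting documentation,
  * the same justification text reused by one unit is suspicious,
  * time-limited discounts must be revoked once they expire.
"""
from collections import defaultdict
from datetime import date
import re

REVIEW_THRESHOLD_PCT = 25.0  # assumed threshold above which review is required

# Constructed sample requests (field names and values are assumptions).
REQUESTS = [
    {"id": "R1", "unit": "Unit A", "discount_pct": 40.0,
     "justification": "Competition with competitors; customer price sensitivity; "
                      "possibility of winning other work.",
     "documents": [], "expires": "2019-03-31", "revoked_on": None},
    {"id": "R2", "unit": "Unit A", "discount_pct": 35.0,
     "justification": "competition with competitors, customer price sensitivity, "
                      "possibility of winning other work",
     "documents": [], "expires": "2019-06-30", "revoked_on": "2019-07-02"},
    {"id": "R3", "unit": "Unit A", "discount_pct": 45.0,
     "justification": "COMPETITION WITH COMPETITORS - customer price sensitivity - "
                      "possibility of winning other work",
     "documents": [], "expires": "2019-12-31", "revoked_on": None},
    {"id": "R4", "unit": "Unit B", "discount_pct": 10.0,
     "justification": "Volume commitment of 5,000 licences per quarter.",
     "documents": [], "expires": "2019-09-30", "revoked_on": None},
    {"id": "R5", "unit": "Unit B", "discount_pct": 30.0,
     "justification": "Matching competitor quote attached.",
     "documents": ["competitor_quote.pdf"], "expires": "2019-05-31",
     "revoked_on": "2019-06-01"},
]


def normalize(text):
    """Collapse case, punctuation and whitespace so cut-and-paste variants compare equal."""
    return " ".join(re.sub(r"[^a-z0-9 ]+", " ", text.lower()).split())


def needs_review(request):
    """True when the discount is large enough to require Business Desk review."""
    return request["discount_pct"] > REVIEW_THRESHOLD_PCT


def repeated_justifications(requests, min_repeats=3):
    """Groups of request ids where one unit reused identical justification text."""
    seen = defaultdict(list)
    for r in requests:
        seen[(r["unit"], normalize(r["justification"]))].append(r["id"])
    return sorted(ids for ids in seen.values() if len(ids) >= min_repeats)


def undocumented(requests):
    """Reviewable requests that carry no supporting documentation at all."""
    return [r["id"] for r in requests if needs_review(r) and not r["documents"]]


def expired_not_revoked(requests, today):
    """Time-limited discounts past their expiry date with no recorded revocation."""
    today = date.fromisoformat(today)
    return [r["id"] for r in requests
            if date.fromisoformat(r["expires"]) < today and r["revoked_on"] is None]


def review_requests(requests, today):
    """Run every check and return the findings an approver should act on."""
    return {
        "repeated_justifications": repeated_justifications(requests),
        "undocumented": undocumented(requests),
        "expired_not_revoked": expired_not_revoked(requests, today),
    }


if __name__ == "__main__":
    for check, hits in review_requests(REQUESTS, "2019-09-01").items():
        print(f"{check}: {hits}")
```

Run as-is the script reports Unit A’s three requests as the same justification three times with no documentation, and R1 as expired but never revoked; the normalization step is what makes the punctuation and capitalization variants of the pasted text match.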
Bribery Scheme-JV Formation
There were multiple bribery schemes employed by Fresenius Medical Care AG & Co. KGaA (FMC). One of these schemes included the setting up of joint ventures (JV) as a mechanism to pay corrupt doctors, employees of state-owned health care enterprises and government officials who were also medical officials. There was one JV in Angola and two in Turkey created for illicit purposes. In both bribery schemes, 35% of the JV interest was doled out to the corrupt officials. There was no capital contribution required from the employees of state-owned enterprises and government officials. The employees of state-owned enterprises and government officials all cashed out at some point for amounts far above the value of their individual interests in the JVs.
Bribery Scheme-Hidden Interests
Westport Fuels Systems, Inc. (Westport) and a Chinese state-owned enterprise were 50/50 owners in a JV. It was restructured so that a portion of the shares held by Westport and a privately held Hong Kong conglomerate would have to be transferred to the state-owned enterprise and a Chinese private equity fund in which a senior Chinese government official held a significant financial interest. The Chinese government official sought and received a low valuation of the JV so he could make a quick turnaround of profitability outside the scrutiny of Chinese regulators. Westport’s Board of Directors authorized Westport’s management to complete the negotiations and execute the share transfer. The final deal agreed upon was a valuation of $70 million for the Chinese JV, with Westport agreeing to transfer its shares to the state-owned enterprise and the private equity fund in exchange for a long-term framework supply agreement.
Forming the JV
JVs present many FCPA risks that other types of business relationships do not bring. For instance, the JV may interact with foreign government officials or employees of a state-owned enterprise, then leverage those relationships for an improper benefit relating to contracts, regulatory licenses, permits or customs approvals. It is difficult to regulate a JV’s interaction with foreign government officials when your partner is a state-owned enterprise, or where your company is relying on the local company for its local contacts and expertise for business development and/or regulatory knowledge and experience.
The risks are compounded when the US company does not exercise control over the JV. This is further compounded by the fact that there is no minimum ownership threshold for an FCPA enforcement action against a US company for the actions of a JV in which it holds an interest. If a company holds something less than majority rights, it must urge, beg and plead for the majority partner to adhere to anti-corruption compliance standards and controls. Often, these requirements are established in the JV agreement, but the success in securing such contract protections depends on the importance of the global company to the JV itself. The government not only considers the percentage of ownership in the JV but also considers the company’s ability to influence and control the JV. Therefore, it is important to impart your compliance program requirements to the JV if the JV does not have its own compliance function and/or program, including relevant policies and procedures.
Knowing who your JV partners are before entering the business relationship is critical. Therefore, robust due diligence is something you must conduct from the start. Both the FMC and Westport enforcement actions demonstrate that if a government official has, or even hides, an interest in a JV, payments, distributions and buy-outs can be an avenue to make corrupt payments.
The JV Agreement
As a starting point, it is important to have compliance terms and conditions in the JV agreement, for reasons that include the following: 1) to set expectations between the parties; 2) to demonstrate the seriousness of the issue to the non-US party; and 3) to provide a financial incentive to conduct business in a compliant manner.
You must have an absolute prohibition of all forms of bribery and corruption. Many foreign JV partners may not understand that the FCPA applies to them if they partner in a business relationship with a US company. Further, they do not understand that they may be covered persons under the FCPA. This all must be spelled out for them. Audit rights are a key clause in any compliance terms and conditions and must be secured.
Managing the Relationship
A key tool in managing the affiliation with a JV post-contract execution is effective auditing techniques. Your compliance audit should be a systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which your compliance terms and conditions are followed. You should work to obtain, review, analyze and evaluate relevant data; and use the data as a basis to remediate any issues which have arisen in the operation of the JV.
In addition to monitoring and oversight of your JVs, you should periodically review the health of your JV management program. The robustness of your JV management program will go a long way towards preventing, detecting and remediating any compliance issue before it becomes a full-blown FCPA violation. As with all the steps laid out, you need to fully document all steps you have taken so that any regulator can review and test your metrics. The 2019 Evaluation of Corporate Compliance Programs (2019 Guidance) lays out what the Department of Justice (DOJ) will be reviewing and evaluating going forward for your compliance program. You should also use these metrics to conduct a self-assessment on the state of your compliance program for your JVs.
Sham Third Parties and Third Party Services
Sham Third Parties
In the FCPA enforcement action involving Quad/Graphics Inc., the bribes were paid through the tried and true method of sham third party vendors. The bribery scheme was about as basic as you could get for “sham-ness”: the third-party vendors were all owned by the same individual, their basic corporate information was all the same, they were all registered in Lima, Peru, at the same address, and they had no real business operations. Needless to say, Quad failed to perform any due diligence on them. The services performed by the Sham Vendors of course contributed to their “sham-ness”: while the Sham Vendors submitted invoices allegedly for pre-press, modulation and/or packaging services, none of them performed any such services for the company. Indeed, all these services were performed on site by Quad Peru employees.
The billing by the Sham Vendors and the form of payment to the Sham Vendors were also evidence of their “sham-ness”. Several of the invoices submitted contained red flags, including having the same date and dollar amounts and consecutive invoice numbers. Other red flags included whole and rounded dollar amounts, large invoice amounts that were disproportionate to the services described, invoices that were consecutively numbered with the same date, and invoices without purchase orders or any supporting documentation.
Sham Third Party Services
Fresenius used another bribery scheme in Angola. It was the creation of fraudulent storage payments to a shell company owned by the sons of an Angolan government official, a Military Health Officer in charge of purchasing, to provide warehousing space for a warehouse which housed no FMC products. In or around December 2011, FMC Angola paid approximately $560,000 to this shell company for purported “Temporary Storage Services.” However, no FMC company products were ever stored at the warehouse. When the company’s internal audit function unearthed this scheme, the local business unit simply put a contract in place, executing a written contract with the Shareholder Company to provide temporary storage services for approximately $77,000 per month from January 2012 to January 2013. Once again, no company products were ever stored at the warehouse.
The steps in the lifecycle management of any third party are mandatory for every compliance program. There should be a business justification which is reviewed by an appropriate level of compliance personnel. These forms are usually sent and collected by a business sponsor who governs the relationship with the third parties. The next step involves robust due diligence for any third parties, whether they are sales side representatives or provide goods/services to your organization through the Supply Chain. The level of due diligence is based upon the risk score assigned to each of the third parties. Quad/Graphics Inc. (Quad/Graphics) is the starkest in this area, as a simple check on the corrupt third parties would have revealed that they were all owned by the same individual and their corporate information was all the same, as they were all registered in the same city at the same address. This was topped off by the fact that they had no real business operations, and any visual inspection of their stated business address would have revealed this.
Yet the most important step is managing the relationship after the contract is signed. This is the key lesson from Quad/Graphics and FMC. What does the information included in the invoice provide to you? Are the services delivered legitimate? For Quad/Graphics, the services described were performed by in-country Quad/Graphics employees. In the case of FMC, the services listed were for the non-existent storage of non-existent products. Other indicia of fraud and corruption found in invoices include multiple invoices with consecutive numbering, the same date and the same dollar amount, invoices with rounded dollar amounts, invoices with no supporting documentation and, finally, hand delivery of checks so there was no bank to verify the accounts. A simple review by someone who knew what they were doing would have raised red flags and led to further investigation.
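The vendor and invoice red flags listed above (shared ownership or registered address across vendors, consecutive invoice numbers on the same date, identical date and amount, round amounts, no purchase order or support, hand-delivered checks, and services the company already performs in-house) are exactly the kind of indicia a vendor-master and accounts-payable review can test for. The following is an added example, not code from the original post or from either company discussed; the vendor names, invoice records, field names and the round-amount threshold are constructed assumptions.

```python
"""Red-flag screening of vendor master data and invoices.

The checks mirror the indicia described in the text; the records below are
constructed samples, not data from the Quad/Graphics or FMC matters.
"""
from collections import defaultdict
import re

# Services the company performs with its own staff (assumed), so an invoice
# for them from an outside vendor deserves a second look.
INHOUSE_SERVICES = {"pre-press", "modulation", "packaging"}

VENDORS = [  # constructed vendor master entries
    {"id": "V1", "name": "Vendor Alpha", "owner": "Person X", "address": "Av. Ejemplo 100, Lima"},
    {"id": "V2", "name": "Vendor Beta",  "owner": "person x", "address": "Av Ejemplo 100 Lima"},
    {"id": "V3", "name": "Vendor Gamma", "owner": "Person X", "address": "AV. EJEMPLO 100, LIMA"},
    {"id": "V4", "name": "Paper Supply", "owner": "Person Y", "address": "Calle Otra 7, Lima"},
]

INVOICES = [  # constructed accounts-payable records
    {"vendor": "V1", "number": "1001", "date": "2015-03-02", "amount": 50000.00,
     "po": None, "support": [], "payment": "hand-delivered check", "description": "pre-press services"},
    {"vendor": "V2", "number": "1002", "date": "2015-03-02", "amount": 50000.00,
     "po": None, "support": [], "payment": "hand-delivered check", "description": "modulation"},
    {"vendor": "V3", "number": "1003", "date": "2015-03-02", "amount": 50000.00,
     "po": None, "support": [], "payment": "hand-delivered check", "description": "packaging services"},
    {"vendor": "V4", "number": "77214", "date": "2015-03-05", "amount": 12437.80,
     "po": "PO-5531", "support": ["delivery_note.pdf"], "payment": "wire", "description": "paper stock"},
]


def normalize(text):
    """Lower-case and strip punctuation so near-identical entries compare equal."""
    return " ".join(re.sub(r"[^a-z0-9 ]+", " ", text.lower()).split())


def linked_vendors(vendors):
    """Groups of vendor ids that share an owner or a registered address."""
    by_key = defaultdict(set)
    for v in vendors:
        by_key[("owner", normalize(v["owner"]))].add(v["id"])
        by_key[("address", normalize(v["address"]))].add(v["id"])
    return sorted({tuple(sorted(ids)) for ids in by_key.values() if len(ids) > 1})


def invoice_flags(invoices, round_to=1000):
    """Map 'vendor/number' -> sorted list of red flags raised for that invoice."""
    flags = defaultdict(list)
    by_date_amount = defaultdict(list)
    by_date = defaultdict(list)
    key = lambda inv: f"{inv['vendor']}/{inv['number']}"
    for inv in invoices:
        k = key(inv)
        if inv["po"] is None:
            flags[k].append("no purchase order")
        if not inv["support"]:
            flags[k].append("no supporting documentation")
        if inv["amount"] % round_to == 0:
            flags[k].append("round amount")
        if "hand" in inv["payment"].lower():
            flags[k].append("hand-delivered check")
        if any(s in inv["description"].lower() for s in INHOUSE_SERVICES):
            flags[k].append("service performed in-house")
        by_date_amount[(inv["date"], inv["amount"])].append(k)
        by_date[inv["date"]].append(inv)
    for keys in by_date_amount.values():
        if len(keys) > 1:
            for k in keys:
                flags[k].append("same date and amount as another invoice")
    for same_day in by_date.values():  # consecutive numbering on one date
        numbered = sorted((i for i in same_day if i["number"].isdigit()),
                          key=lambda i: int(i["number"]))
        for a, b in zip(numbered, numbered[1:]):
            if int(b["number"]) - int(a["number"]) == 1:
                for inv in (a, b):
                    flags[key(inv)].append("consecutive number on the same date")
    return {k: sorted(set(v)) for k, v in flags.items()}


def high_risk(flags, min_flags=3):
    """Invoices that raised at least min_flags red flags, for escalation."""
    return sorted(k for k, v in flags.items() if len(v) >= min_flags)


if __name__ == "__main__":
    print("linked vendors:", linked_vendors(VENDORS))
    for k, v in invoice_flags(INVOICES).items():
        print(k, v)
    print("escalate:", high_risk(invoice_flags(INVOICES)))
```

The single flags are individually explainable, which is why the escalation step counts them rather than stopping at the first hit: the three sample invoices from the linked vendors trip every check at once, while the genuine supplier’s invoice raises none.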
I welcome your comments and thoughts and wish everyone a happy, healthy, and prosperous New Year!
On November 20th, 2019, The Department of Justice (“DOJ”) announced updates to its Foreign Corrupt Practices Act (“FCPA”) Corporate Enforcement Policy. While the changes were relatively minor, the modifications underscored important principles surrounding the FCPA Corporate Enforcement Policy.
This latest update follows extensive revisions made in March of this year and the announcement that the FCPA Policy will apply as non-binding guidance for all criminal cases; all reflect DOJ’s continued efforts to promote self-disclosures and provide clarity on DOJ’s approach for companies deciding whether to self-disclose.
There is little doubt the DOJ has landed on a Corporate Enforcement Policy that took years to develop. The FCPA Corporate Enforcement Policy now applies to all corporate criminal prosecutions except Antitrust Division criminal prosecutions, which are guided by the Leniency Program. The DOJ is consistently applying the principles and appears to be very comfortable with the results.
At the same time, DOJ has increased transparency in its resolution of corporate enforcement actions. DOJ now publishes declination letters and provides specific descriptions of how factors are applied to a corporate resolution. Note: At the time of this writing there were six (6) corporate resolutions.
The Policy is intended to encourage corporations to self-report, cooperate and remediate – in exchange for a possible declination or significant reductions in penalties. The updated Policy tilts in favor of prosecution of responsible individuals and is part of the DOJ’s commitment to seek out and punish wrongdoers.
The Policy now states that a company must disclose “all relevant facts known to it at the time of the disclosure.” DOJ added a footnote, stating that it “recognizes that a company may not be in a position to know all relevant facts at the time of a voluntary self-disclosure.” A company that makes a disclosure while continuing its investigation should make this fact known to DOJ.
Further, to encourage companies to make an early disclosure, the Policy now requires companies to disclose facts “as to any individuals” who played a substantial part in the “misconduct at issue.”
The previous Policy required companies to disclose “all relevant facts” regarding individuals substantially involved in a “violation of law.” A company making a disclosure no longer has to reach a determination (and inform DOJ) that a “violation” occurred at the beginning of an investigation.
Similarly, companies now need only alert DOJ of evidence of the misconduct when they become aware of it. Previously, in order to gain credit, where the company was or should have been aware of relevant evidence outside of its possession, the company had to identify such evidence to DOJ. The Policy has been updated to remove the conditional language, which should ease the burden on companies seeking to comply with the Policy.
According to Mike Volkov, the updates to the Policy highlight DOJ’s desire for self-disclosures that are both substantive and made at an early stage. They are also practical, in particular removing the requirement that a company identify evidence of which it “should be” aware. The changes are in line with other recent DOJ policy changes, seeking to recognize the practical realities of the policies.
With the recent changes to the policy, companies now are obligated only to disclose relevant facts known “at the time of the disclosure” and to provide information regarding any — not all — “individuals substantially involved in or responsible for the misconduct at issue.”
Importantly, companies need not wait to determine that a violation of law has occurred and may report suspected misconduct. As stated in a footnote, this modification reflects the DOJ’s recognition that disclosing companies “may not be in a position to know all relevant facts at the time of a voluntary self-disclosure.” In that case, companies are urged to fully disclose suspected misconduct “based upon a preliminary investigation or assessment of information.”
Volkov further stated, these changes are important because DOJ has clarified the precise information that a self-disclosing company must provide to trigger the potential benefits possible under the policy. From a practical standpoint, companies faced a difficult choice — disclose a potential violation based on a cursory investigation subject to DOJ’s determination that the company failed to disclose “within a reasonably prompt time.”
The DOJ’s modification directs companies to report what they know upon discovery of a suspected violation, while making clear to the DOJ that the disclosure is based on preliminary findings.
Under the recent revisions, companies are no longer expected to identify every piece of evidence of which they should have been aware for potential collection by the DOJ. Instead, companies now are obligated only to identify relevant evidence not in their possession of which they actually are aware.
The modifications eliminate some of the risk that DOJ could determine that a company was not entitled to cooperation credit when DOJ identifies evidence that a company should have known about.
DOJ’s recent revisions indicate that it is satisfied with its Policy and wants to make it work even better. By addressing some theoretical concerns that may have caused companies not to disclose potential violations, DOJ is taking steps to encourage companies to step forward and disclose potential violations.
Since its introduction as a pilot program and subsequent adoption into the Justice Manual a few years back, the DOJ has continuously honed its FCPA Policy—each time encouraging prompt but thorough self-disclosures.
Boards of Directors and Senior Leadership should take notice of DOJ’s policy changes and DOJ’s attempts to encourage such disclosures and adjust their tactics and strategy accordingly.
Specifically, it becomes even more important to have experienced investigators that can “ring fence” issues early! This will help in deciding whether or not to self-disclose in order to maximize the potential benefits of the FCPA Policy.
Welcome to my site. I have spoken and been the keynote speaker for many conferences, including the ABA, ACC, ACFE, IIA, and IMA to name a few. I have designed customized training for the board, senior leadership, legal, compliance, internal audit, and others for some of the world’s largest organizations.
“I have had the pleasure to hear Jonathan Marks speak on a number of occasions. …most recently at a Fraud conference sponsored by the Long Island Institute of Internal Audit. Jonathan gave a dynamic and engaging half day presentation on fraud in financial reporting. He engages his audience with his expertise and knowledge of risk management, fraud and internal audit. His ability to share his experiences in fraud investigations over the past thirty years coupled with his interactive approach with his audience made for a compelling and memorable presentation.” Chief Audit Executive
If you are interested in booking me for your next event or need customized training, please email me with the date or dates, location and address of presentation, the audience make-up, the subjects you would like covered, and the duration of the talk or training.
I have provided you with some Selected Training Programs (See below) and please peruse my blog posts for some additional topics and ideas. Keep in mind I speak and provide training on most anything related to governance, risk, and compliance, with a focus on fraud and forensics.
I will do my best to get back to you quickly.
Jonathan T. Marks, CPA, CFF, CITP, CGMA, CFE and NACD Board Fellow
Selected Training Programs
Management Override of Internal Controls
The risk of management override of internal controls to commit fraud exists in any organization. When the opportunity to override internal controls is combined with powerful incentives to meet accounting objectives, senior management might engage in fraudulent financial reporting. This session will examine management override, focusing on the differences between the override of existing controls versus other, more prevalent breakdowns. It will also explore actions to help mitigate the threat of management override, approaches to auditing for management override and the psychology behind management’s override of controls. You Will Learn How To:
Identify red flags of management overriding controls
Ascertain an approach to auditing for management override
Assess the latest trends and research regarding management override of controls
Develop a better fraud risk assessment that highlights areas and gatekeepers that might have a greater chance of overriding controls.
Operationalizing Compliance – Master Class with Tom Fox, Esquire
The Master Class, developed by Tom Fox, provides a unique opportunity for any level of FCPA compliance practitioner, from the seasoned Chief Compliance Officer (CCO), Chief Audit Executive (CAE) or Chief Legal Counsel (CLO) to the practitioner who is new to the compliance profession.
If you are looking for a training class to turbocharge your knowledge on the nuts and bolts of a best practices compliance program going forward, this is the class for you to attend. Moreover, as I limit the class to 20 attendees, you will have an intensive focus group of like-minded compliance practitioners with which you can share best practices. It allows us to tailor the discussion to your needs. Mary Shirley, an attendee at the recent Boston Master Class said, “This is a great two-day course for getting new folks up to speed on what matters in Compliance programs.”
Tom Fox, one of the leading commentators in the compliance space, partners with Jonathan T. Marks to bring a unique insight into what many companies have done right and many have done not so well over the years. This professional experience has enabled him to put together a unique educational opportunity for any person interested in anti-corruption compliance. Simply stated, there is no other compliance training on the market quite like it. Armed with this information, at the conclusion of the Doing Compliance Master Class, you will be able to implement or enhance your compliance program, with many ideas at little or no cost.
The Doing Compliance Master Class will move from the theory of the FCPA into the doing of compliance and how you must document this work to create a best practices compliance program. Building from the Ten Hallmarks of an Effective Compliance Program, and using the questions posed in the Evaluation of Corporate Compliance Programs and the FCPA Corporate Enforcement Policy as a guide, you will learn the intricacies of risk assessments; what should be included in your policies and procedures; the five-step life cycle of third-party risk evaluation and management; tone throughout your organization; training; and using other corporate functions to facilitate cost-effective compliance programs.
Highlights of the training include:
Understanding the underlying legal basis for the law, what is required for a violation and how that information should be baked into your compliance program;
What are the best practices of an effective compliance program;
Why internal controls are the compliance practitioner’s best friend;
How you can use transaction monitoring to not only make your compliance program more robust but as a self-funding mechanism;
Your ethical requirements as a compliance practitioner;
How to document what you have accomplished;
Risk assessments – what they are and how you can perform one each year.
You will be able to walk away from the class with a clear understanding of what anti-corruption compliance is and what it requires; an overview of international corruption initiatives and how they all relate to FCPA compliance; how to deal with third parties, from initial introduction through contracting and managing the relationship, what should be included in your gifts, travel, entertainment (GTE) and hospitality policies; the conundrum of facilitation payments; charitable donations and political contributions, and trends in compliance. You will also learn about the importance of internal controls and how to meet the strict liability burden present around this requirement of FCPA compliance.
Ethics and Governance Training
This session will cover how ethics is key to good governance and how governance fits into your anti-fraud program. Moreover, we will explore the components of a Sample Code of Ethics, the cost of ethical lapses, organizational situations that encourage bad behavior, the new ethics paradigm, and how to spot a moral meltdown.
Corporate Governance During a Crisis
We also discuss leading practices in crisis management and present several scenarios that allow the participant(s) to work through mock crisis scenarios. For example, in your first week at your company, you just received information about an alleged massive fraud and you are now in a crisis. In this session, members of the audience will play different roles within the company (members of the board, legal department, managers, etc.) to have a discussion, including:
What type of crisis plan do you have, if any?
What to do and how to formulate a plan of action?
Who to call first, how to prioritize tasks, and where to prioritize resources?
Who (internal and external players) to get involved and when to get them involved?
What data is needed when a crisis hits?
How to prepare for the media and when to reach out?
How to communicate with customers, vendors and suppliers, regulatory agencies, and other parties?
Fraud Risk Assessment Process and Guidance
Many professionals struggle with developing a fraud risk assessment that is meaningful. We discuss the objectives of a fraud risk assessment, the components of a fraud, and key considerations for developing an effective assessment. Then we explore the sources of risk, the fraud risk universe, and some of the key components of the assessment. Lastly, we walk through the key steps in the assessment process and walk through a sample fraud risk assessment that considers COSO’s Principle 8, which contains considerably more discussion on fraud and considers the potential of fraud as a principle of internal control.
FCPA (Bribery and Corruption): Building a Culture of Compliance
This session covers why compliance is important and the new guidance issued by the DOJ. We also explore current regulatory enforcement trends, whistleblowers under Dodd-Frank, the U.S. Federal Sentencing Guidelines, risk-based third-party due diligence, ways to thwart an investigation, differences and similarities between the FCPA and the U.K. Bribery Act, and successor liability, and provide the participant with a proven 13-Step Action Plan.
Knowing what to do when an allegation of fraud is presented is critical. Failing to understand the process could jeopardize the ability to prosecute wrongdoers. This session discusses why investigations are important, inherent risk and exposures, the types of investigations: internal and independent, board considerations, triaging an allegation, investigative challenges, and keys to running a successful investigation, and why root cause analysis should be considered after completing the investigation.
Third Party Risk Management and Oversight
Third party risk is the biggest nemesis when it comes to FCPA violations. This session discusses the key components of a compliance program and why it needs to be evolving to meet the business and compliance challenges, which are constantly occurring across the globe. We explore the latest DOJ guidance on the evaluation of corporate compliance programs. We build our discussion on the foundation of the key steps to be included in a third-party risk management program and cover some of the red flags of agents and consultants.
Putting the Freud in Fraud: The Mind Behind the White Collar Criminal
To properly fight corporate fraud we need to understand how a fraudster’s normal differs, so executives, managers and board members can develop more effective anti-fraud programs that take into account the behavioral and environmental factors that are common in cases of white-collar crime. By establishing an environment in which ethical behavior is expected — and by understanding how white-collar criminals look at the world differently — it is possible to begin closing the gaps in internal controls, develop a proactive fraud risk assessment and response program and significantly reduce the financial and reputational risks associated with fraud.
In this session, we take a closer look at the personality traits of individual perpetrators of massive fraud.
Discuss the basics of profiling and identifying elements of behavior common among white-collar criminals.
Discover what role company culture plays in the commission of fraud.
Hear cutting-edge ideas and methods to help detect and deter fraud.
This session is a “nuts and bolts” discussion about fraud and responding to fraud in an effort to reduce the incidence of fraud and white-collar crime. We go into the characteristics of fraud, who commits fraud, the fraud triangle and Pentagon™, the components of fraud, the regulatory environment & the focus on increased personal responsibility, internal controls to deter and detect fraud, and anti-fraud programs.
Triaging a Whistleblower Allegation
As corporations continue to adopt whistleblower programs, many find themselves struggling to manage burgeoning caseloads. As a result, serious internal fraud investigations can be delayed (with mounting losses) while less consequential complaints are being investigated. The lack of a timely, systematic and repeatable process for evaluating and prioritizing whistleblower tips can also expose an organization to increased regulatory risk. While there is no single “right” method for following up on whistleblower complaints, this session discusses why investigating allegations or tips is important, why timeliness matters, and investigation challenges, and provides the participant with a sample approach.
Skepticism: A Primary Weapon in the Fight Against Fraud
What happens when we don’t ask why? Professional skepticism occurs when those responsible for fighting fraud take nothing for granted, continuously question what they hear and see, and critically assess all evidence and statements. In this session we discuss the role of independent reviewer or inspector, particularly of your own assumptions: whether you are placing undue weight on prior risk assessments or discounting evidence inconsistent with your expectations, and the pressures placed on you to truncate procedures or make unwarranted assumptions to beat time constraints.
Root Cause Analysis
The regulators are expecting more today and want to know that your remediation efforts are not treating the symptoms, but rather the root cause(s).
Root cause analysis is a tool to help identify not only what and how an event occurred, but also why it happened. This analysis is a key element of a fraud risk management program and is now a best practice or hallmark of an organization’s compliance program. Once you can determine why an event or failure occurred, it is then possible to recommend workable corrective measures that deter future fraud events of the type observed. It is important that those conducting the root cause analysis are thinking critically by asking the right questions (sometimes probing), applying the proper level of skepticism, and, when appropriate, examining the information (evidence) from multiple perspectives.
This program is designed to introduce the common methods used for conducting root cause analysis and to develop an understanding of how to identify root causes (not just causal factors) using proven techniques. In addition, we will demonstrate how to initiate a root cause analysis incident exercise and work with senior management, legal, compliance, and internal audit on an appropriate resolution. We also introduce the “spheres” acting around the “meta model of fraud” and how to use those “spheres” in the root cause process. Finally, this program will present the “three lines of defense”, which provides the audit committee and senior management with a better understanding of where the breakdowns occurred.
Some studies have highlighted that procurement fraud is the second most frequently reported form of economic crime, behind asset misappropriation.
Procurement fraud is the act of gaining a dishonest advantage by abusing a position of decisive power in the procurement process; either by the individual responsible for this position in his or her own action, or by those seeking to win the opinion of that individual, resulting in a decision of benefit to themselves. Procurement fraud may be committed by procurement officers, vendors, or subcontractors, but always involves the act of collusion in order to obtain the unmerited advantage. Fraudsters use the procurement process as part of their scheme to further their own interests in lieu of serving the interests of the procuring company.
Consider the internal risk of this type of fraud: ill-gotten financial gains come in the form of kickbacks to the fraudster (in this example, the buyer) for selecting a supplier’s bid that is often not in the best interest of the company. Procurement fraud is also an external risk. Vendors may work together to create the illusion of competition, thus fooling the procurement officers into accepting a bid above fair market value. The scope of procurement fraud is widespread, global and not limited to certain categories, companies, or geographies.
Some report that approximately 30% of organizations have experienced procurement fraud, and that it was most common during the solicitation phase. During this time, vendors may collude with each other or with procurement officers in various ways that compromise the fairness of the bidding process and potentially result in improperly awarded contracts and/or higher contract costs. Those “holding all the cards” during the solicitation phase make the process extremely susceptible to unethical behavior.
It is important to remember that even after the contract has been awarded, the potential for fraud is ever-present. For example, a vendor could:
Charge more than the contractually agreed price and hope the overcharge goes unnoticed.
Submit duplicate invoices in the hopes that both invoices are processed.
Deliver non-conforming goods or services of lower value, quantity or quality than specified in the contract.
Exploit the change order process to perform services not specified in the contract or to artificially inflate the contract value over time.
Work in collusion with an insider to submit bogus invoices for goods not delivered or services not provided by the vendor.
According to a Global Economic Crime survey, the sectors reporting the most procurement fraud were state-owned enterprises (SOEs), followed by the energy, utilities and mining; engineering and construction; and transport and logistics industries.
More likely than not, factors driving the increase in procurement fraud schemes include an increase in public tender processes, companies changing and expanding their global supply chains, and a rise in outsourcing.
On November 5th, the Department of Justice announced the formation of the new Procurement Collusion Strike Force (PCSF) “focusing on deterring, detecting, investigating and prosecuting antitrust crimes, such as bid-rigging conspiracies and related fraudulent schemes, which undermine competition in government procurement, grant and program funding”.
The Strike Force is an inter-agency partnership comprised of prosecutors from the Antitrust Division and prosecutors from thirteen (13) U.S. Attorneys’ Offices. Aiding in the prosecutors’ efforts are investigation partners such as the Offices of Inspector General of the Department of Justice, Department of Defense, U.S. Postal Service, and General Services Administration. The Department of Justice’s announcement proclaimed that those who “cheat, collude and seek to undermine the integrity of government procurement” will now have more to concern themselves with when executing their crimes, because the Strike Force will be investigating and prosecuting them. Prosecutors and investigators alike expressed enthusiasm to be working as a part of this new team.
Bribery and Antitrust
An effective method to detect bribery schemes is to analyze contract awards for unusual patterns or anomalies. For example, correlating contract awards to financial transactions may identify instances where fraudsters attempt to conceal their behavior. You may not see a check cut from the organization directly to the person they’re bribing, but a closer look may uncover patterns like excessive meetings, gifts, meals, and entertainment during the time period of awards. Data analytics can also be used to detect instances of price-fixing, bid-rigging, and/or market division or allocation fraud schemes.
In simple terms, bid rigging is a fraud scheme which involves intentional manipulation of the bidding process. It often involves an agreement among competitors as to who will be awarded the contract. The bidders may agree in advance who will submit the winning bid. The purchaser is then provided with a bid amount higher than what the competitive market generally produces, which results in an overpayment for goods or services. There are four basic schemes involved in most bid-rigging conspiracies:
Bid Suppression: In this type of scheme, one or more competitors agree not to bid, or withdraw a previously submitted bid, so that a designated bidder will win. In return, the non-bidder may receive a subcontract or payoff.
Complementary Bidding: In this scheme, co-conspirators submit token bids which are intentionally high or which intentionally fail to meet all of the bid requirements in order to lose a contract. “Comp bids” are designed to give the appearance of competition.
Bid Rotation: In bid rotation, all co-conspirators submit bids, but by agreement, take turns being the low bidder on a series of contracts.
Customer or Market Allocation: In this scheme, co-conspirators agree to divide up customers or geographic areas. The result is that the co-conspirators will not bid or will submit only complementary bids when a solicitation for bids is made by a customer or in an area not assigned to them. This scheme is most commonly found in the service sector and may involve quoted prices for services as opposed to bids.
Note: Subcontracting arrangements are often part of a bid-rigging scheme. Competitors who agree not to bid or to submit a losing bid frequently receive subcontracts or supply contracts in exchange from the successful low bidder. In some schemes, a low bidder will agree to withdraw its bid in favor of the next low bidder, in exchange for a lucrative subcontract that divides the illegally obtained higher profits between them.
Almost all forms of bid-rigging schemes have one thing in common: an agreement among some or all of the bidders which predetermines the winning bidder and limits or eliminates competition among the conspiring vendors. Indicators of collusive bid-rigging schemes include:
Be aware of bids for goods or services for which the pool of qualified prospective bidders is small but maintains a large control of the market share. These bids are at higher risk for vendor collusion.
Also be mindful of bids for standardized goods or services. If there are no differentiating factors among the various proposals aside from price, there is a much greater risk of collusion.
When vendors collude with one another, similarities may exist in the bids submitted to the procuring company. For example, pay attention to similarities in the mailing addresses, email address domains, or courier account numbers. Take a look at the properties of an electronic document to see if similar authors appear.
Observe the behavior of vendors when undergoing the procurement process. The communication or action of the bidding vendors can be very telling. Remember social engineering is a tool available to both sides!
Price Fixing schemes often impact the procurement process when business is conducted through purchase orders or direct purchases. Price fixing occurs when competitors agree to raise or fix their prices for their goods or services, set a minimum price that they will not sell below, or reduce or eliminate discounts. Indicators of these types of schemes include:
Look for situations where competitors always announce their price increases at the same time for the same amount, or staggered price increases with an established pattern or frequency, often creating a predictable pattern of which competitor is going to be the first to increase prices.
Look for competitors reducing or eliminating discounts at about the same time.
Generally, be alert to situations in which all prices seem to be uniform and all suppliers refuse to negotiate those prices.
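To make the indicators on the two lists above concrete, here is an added Python example (not code from the original post or from Baker Tilly) that screens constructed bid records for shared identifying attributes (address, e-mail domain, courier account, document author) and constructed price histories for lockstep increases. The vendor names, the 14-day window and the one-percentage-point tolerance are assumptions to be tuned for your own data.

```python
"""Added example (not from the original post): screening constructed bid
records and price histories for the collusion indicators described above."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Bid:
    vendor: str
    solicitation: str
    amount: float
    mailing_address: str
    contact_email: str
    courier_account: str
    document_author: str  # e.g. the "Author" property of the submitted file


# Free-mail domains are shared by unrelated vendors, so a match there is noise.
COMMON_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}


def _normalize(text: str) -> str:
    """Case-fold and drop punctuation/whitespace so "12 Harbor Rd, Suite 4"
    and "12 harbor rd suite 4" compare equal."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def _attributes(bid: Bid):
    """Yield (attribute name, normalized value) pairs worth comparing."""
    yield "mailing_address", _normalize(bid.mailing_address)
    domain = bid.contact_email.rsplit("@", 1)[-1].lower()
    if domain not in COMMON_MAIL_DOMAINS:
        yield "email_domain", domain
    yield "courier_account", _normalize(bid.courier_account)
    yield "document_author", _normalize(bid.document_author)


def shared_attribute_flags(bids):
    """Return {solicitation: [(attribute, value, (vendor, ...)), ...]} for every
    attribute value that appears in bids from two or more distinct vendors
    competing on the same solicitation."""
    seen = defaultdict(lambda: defaultdict(set))  # sol -> (attr, value) -> vendors
    for bid in bids:
        for key in _attributes(bid):
            seen[bid.solicitation][key].add(bid.vendor)
    flags = {}
    for sol, keys in seen.items():
        hits = [(attr, value, tuple(sorted(vendors)))
                for (attr, value), vendors in keys.items() if len(vendors) > 1]
        if hits:
            flags[sol] = sorted(hits)
    return flags


def lockstep_increases(price_history, window_days=14, pct_tolerance=0.01, min_vendors=2):
    """Group price increases by different vendors that land within window_days
    of each other and are of nearly the same percentage (a price-fixing signal).
    price_history: {vendor: [(date, unit_price), ...]}.
    Returns [{"start": date, "vendors": [...], "avg_pct": float}, ...]."""
    events = []  # (date, vendor, fractional increase)
    for vendor, series in price_history.items():
        series = sorted(series)
        for (_, prev), (day, cur) in zip(series, series[1:]):
            if cur > prev:
                events.append((day, vendor, (cur - prev) / prev))
    events.sort()
    used, clusters = set(), []
    for i, (day, vendor, pct) in enumerate(events):
        if (day, vendor) in used:
            continue
        members = [(day, vendor, pct)]
        for later in events[i + 1:]:
            later_day, later_vendor, later_pct = later
            if (later_day - day).days > window_days:
                break  # events are date-sorted, nothing later can fit the window
            if later_vendor not in {m[1] for m in members} and abs(later_pct - pct) <= pct_tolerance:
                members.append(later)
        if len(members) >= min_vendors:
            used.update((d, v) for d, v, _ in members)
            clusters.append({"start": day,
                             "vendors": sorted(v for _, v, _ in members),
                             "avg_pct": sum(p for _, _, p in members) / len(members)})
    return clusters


SAMPLE_BIDS = [  # constructed records; vendors and solicitations are fictional
    Bid("Acme Supply", "SOL-2019-017", 248000.0, "12 Harbor Rd, Suite 4",
        "bids@acme-supply.example", "CA-55021", "jdoe"),
    Bid("Beta Logistics", "SOL-2019-017", 251500.0, "12 harbor rd suite 4",
        "sales@beta-log.example", "CA-55021", "mlee"),
    Bid("Gamma Services", "SOL-2019-017", 239900.0, "77 Mill St",
        "rfp@acme-supply.example", "CA-80917", "JDoe"),
    Bid("Delta Works", "SOL-2019-018", 90000.0, "5 Oak Ave",
        "info@delta.example", "CA-11111", "ops"),
]

SAMPLE_PRICES = {  # constructed unit prices for one standardized part
    "Acme Supply": [(date(2019, 1, 1), 100.0), (date(2019, 4, 1), 105.0), (date(2019, 9, 1), 110.0)],
    "Beta Logistics": [(date(2019, 1, 1), 98.0), (date(2019, 4, 3), 102.9), (date(2019, 10, 15), 108.0)],
    "Gamma Services": [(date(2019, 1, 1), 101.0), (date(2019, 4, 5), 106.05), (date(2019, 9, 2), 106.05)],
}

if __name__ == "__main__":
    for sol, hits in shared_attribute_flags(SAMPLE_BIDS).items():
        for attr, value, vendors in hits:
            print(f"{sol}: {attr} {value!r} shared by {', '.join(vendors)}")
    for c in lockstep_increases(SAMPLE_PRICES):
        print(f"lockstep increase from {c['start']}: {c['vendors']} avg {c['avg_pct']:.1%}")
```

On the sample data the three bidders on SOL-2019-017 are linked pairwise by four attributes, and all three raised prices by about 5% within five days in April, while Acme's September and Beta's October increases fall outside the window and are not flagged.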
Methods to Deter & Detect Procurement Fraud
An effective way to deter and detect fraud is to develop a thorough understanding of the business environment, the risks impacting the achievement of the business’ strategic goals, and the implementation of a holistic fraud risk management program. Once the risks are identified, I would also strongly encourage the use of data analytics, combined with proper training, internal audits, and compliance reviews, to support and supplement the fraud risk management program.
Other practices that could help detect fraud include, but are not limited to:
Ensuring transparency from everyone and applying the right amount of skepticism, always!
Maintaining, restricting access to, and auditing a valid master vendor list.
Performing proper due diligence during supplier onboarding.
Referring to debarment sources of blacklisted suppliers.
Performing peer grouping to determine if a supplier fits an appropriate profile for a contract.
At Baker Tilly we can assist any organization with your fraud risk management and anti-fraud programs and controls. This includes services to detect, deter, respond, and remediate instances of fraud. Our team of experts is well positioned to investigate and remediate suspected instances of procurement fraud, which includes the ability to conduct a root cause analysis to determine the cause of the misconduct. The DOJ has deemed a company’s efforts to properly remediate and identify root cause as a best practice and often provides credit to those companies who engage in such activities in the event of a criminal prosecution resulting from procurement fraud. The DOJ also looks highly upon companies with robust third party risk management programs, which can also be used to mitigate the risk of procurement fraud.
Our team of highly-skilled professionals uses advanced analytics, such as predictive modeling, to help identify attributes or patterns that are highly correlated with known fraud, even complex and emerging patterns of fraud. Moreover, we use text mining as an effective tool to identify red flags of procurement fraud or antitrust violations.
I often say, “Analytics can answer questions that manual or ad hoc methods would generally miss – it’s the ‘silent whistleblower!’”
Many organizations miss the mark when it comes to managing the procurement process. Some are quite good!
It starts with a well-written code of conduct, and includes strong policies, proper internal controls (note: segregation of duties is a pervasive issue), a robust third party risk management program, training, and monitoring.
I’m not surprised by the DOJ’s initiative and commend them in the fight against public procurement crimes. We recommend organizations review their compliance program, supply chain, and procurement process for risks and opportunities for enhancements.
Compiling a list of thought leaders in ethics and compliance is fun, but so challenging. There are simply too many thoughtful people in this field — which is itself enormous and wide-ranging — to call out everyone worth following. So below is a small slice of the thinkers in corporate ethics and compliance that I try to follow.
How should we define a thought leader, exactly? I define it literally. First, someone who thinks about corporate compliance issues, and puts those thoughts into words. Some bloggers and tweeters, for example, do a superb job passing along what happened, but not why or how it happened.
Second, thought leaders lead. They raise questions about what should or could happen in ethics and compliance, even if practical obstacles today make achieving those goals difficult right now. Thought leaders provide context around the events of today to suggest what might be possible tomorrow.
Compliance Thought Leaders You Should Be Following
Without further delay (and in no particular order), here are a handful who fit that description.
Hui Chen, the former Justice Department compliance counsel who left that role in 2017. Since then Chen has been a consultant and prolific thinker about how compliance programs should work. For example, Chen often says a modern compliance function should have data analysts, auditors, and organizational behavior experts, rather than a fleet of lawyers. Does that make logical sense? Yes. Is it the case in most companies, with budgets of maybe $1 million tops? No. But should compliance officers ponder how to achieve that by, say, 2025, given the way business risks are evolving? Absolutely.
Kristy Grant-Hart, a former compliance officer now hanging her own shingle at Spark Compliance Consulting, who gives great career advice for compliance officers. Grant-Hart has written three books on how to succeed both in your job and in your career — and all of her advice hinges upon time management, building alliances, considering new options. Over the long course of a career, that’s much more valuable wisdom than news of the latest FCPA enforcement action.
John Reed Stark, the Securities and Exchange Commission’s first cybersecurity enforcement specialist in the 1990s, who now runs his own consulting firm on all things cybersecurity and compliance. He writes and talks often about incident response plans, disclosing cybersecurity risks, regulatory enforcement around cybersecurity issues, and the like. Even when you disagree with his analysis (as I sometimes do), Stark always makes you think.
Cydney Posner, special counsel at the Cooley law firm and author of the firm’s Cooley PubCo blog. Posner does a great job watching corporate governance and securities issues: everything from reform of proxy advisory firms to climate change disclosure, to trends in SOX compliance reporting. Her posts can sometimes run long, but they are worth it. The “Sidebar” posts within larger posts are worth your time, too.
Jonathan T. Marks, a partner in the global forensic investigations and compliance practice at Baker Tilly and superb thinker on issues around fraud, internal control, and financial reporting. Let’s be honest: most compliance officers are lawyers, so they know the law and investigations; but few are auditors, and even fewer understand the forensics involved in tracing financial misconduct through bogus invoices, shoddy corporate payment systems, poor whistleblower hotlines, and the like. Marks, who is not a lawyer, does make those connections. He shares his thoughts on his own blog, BoardAndFraud.com, several times a week.
Tom Fox, long-time FCPA commentator and author of the FCPA Compliance & Ethics Report blog. Honestly, however, these days Fox churns out more content, on more issues, through the Compliance Podcast Network that he runs. That’s where you can get a weekly run-down on FCPA compliance issues; discussion of good board governance practices; analysis of innovation in compliance, and more. (Disclosure: Fox and I host a “Compliance Into the Weeds” podcast weekly where we take deep dives into compliance news of the day.)
Francine McKenna, a writer for Marketwatch about financial reporting and corporate governance news, and tweeter extraordinaire on the same subjects. After a first career in auditing, McKenna began a second career in the 2000s writing about the audit industry, which eventually brought her to Marketwatch. She does an outstanding job showing exactly how corporate or regulatory moves connect to financial reporting, and vice-versa.
And while I am reluctant to place myself among such esteemed company, some people do praise my own blog at RadicalCompliance.com and my Twitter feed as pretty thoughtful. I just think I’m very funny.
CCO’s Are True Thought Leaders
Of course, this list is by no means comprehensive. I excluded anyone from compliance vendors to avoid the appearance of playing favorites, but some astonishingly bright minds work in the vendor world. The intellectual wattage among audit firms, law firms, and consulting firms is amazing. Most firms run their own blogs; I follow those too.
After what appears to be a 73 month investigation, as part of an internal administrative order, Juniper Networks, Inc. – NYSE: JNPR (“Juniper”, or “the Company”) will pay $11.7 million as part of a settlement with the Securities and Exchange Commission (“SEC”); however, in an 8-K filed on February 9, 2018, Juniper disclosed that the Department of Justice (“DOJ”) had completed its investigation and, citing Juniper’s cooperation, decided to take no further action against the company – no criminal charges. Apparently the DOJ had sent the letter closing its investigation in the fourth quarter of 2017.
The SEC settlement is broken down as follows: $6.5 million civil penalty; $4 million in disgorgement—representing the amount of profit the company made as a result of the conduct; and, about $1.2 million in interest.
From 2008 to 2013, sales employees in Russia agreed to increase discounts on sales made by third-party partners, according to the settlement. The discounts were funneled into off-book funds, referred to as “common funds” (in the fraud space called “slush funds”), which were directed partially by Company sales representatives and used to pay for customer trips, including travel for foreign officials to various locations where there were no Juniper facilities or industry conferences related to Juniper’s business – the trips had little to no business purpose.
During a similar period, sales employees at the Company’s Chinese subsidiaries paid for excessive travel and entertainment of customers, including foreign officials. Certain local marketing employees falsified trip agendas to understate the amount of entertainment offered on the trips. These sales employees submitted the falsified and misleading trip agendas to Juniper’s Legal Department to obtain event approval, apparently subsequent to the event taking place and without adequate review.
Juniper learned of the “common funds,” which were against corporate policy, in late 2009. However, diverting funds and using them to pay travel expenses continued through 2013.
The crux of this matter focuses on Juniper’s overseas subsidiaries, which appear to have exploited weak oversight of accounting policy and the apparent override of weak internal controls to create off-book “common fund” accounts, or slush funds, used to pay bribes.
The SEC’s order states the bribery happened from 2008 to 2013. Juniper’s subsidiary in Russia, JNN Development Corp., worked with local partners in that country to increase discounts those partners would supposedly offer to customers — except, of course, those discounts never actually reached Juniper’s customers. Instead, the local partners diverted that money into a slush fund to cover travel and marketing expenses for customers, including foreign government officials. Those customers received free trips which, to use the SEC’s words, “were predominantly leisure in nature and had little to no educational or business purpose.” That would include trips to places where there were no Juniper facilities, nor any industry conferences related to Juniper’s line of work.
At least some of these trips were directed by JNN executives, which is not surprising. More disturbing is that Company executives allegedly knew about this behavior as early as 2009, and told JNN to stop — but the funneling of monies into the “common funds” and the improper trips continued into 2013.
Meanwhile, from 2009 through 2013, roughly the same four years, sales employees at Juniper’s Chinese subsidiaries were busy falsifying trip and meeting agendas for customer events in an attempt to conceal the real value of entertainment involved on the trips. Apparently, falsified agendas were submitted to Juniper’s legal department for approval. Against Juniper’s travel policies, the legal department approved numerous trips without adequate review and after the events had taken place.
Key Best Practices
Fraud detection and prevention is not a hobby. Ensure you have the proper skills on your team!
Check your allegation triage process and escalation protocols.
Conduct risk based ethics and compliance training.
Revisit your risk assessment continuously, not at prescribed periods. Remember: achieving strategy equals risk management plus effective internal controls!
Russia and China are inherently high-risk countries and markets for bribery.
Ensure fraud controls are properly designed to deter, detect, or prevent unethical behavior or, worse, fraud.
Discounts and rebates have historically been a source of consternation for many organizations. Ensure procedures are designed to test both the design and effectiveness of the controls surrounding any discount or rebate program.
Monitor customer sales activities for suspicious activity – follow the money!
Revisit your policies and procedures and determine if they address pertinent issues, such as what constitutes acceptable behavior by employees. Ensure your internal audit plan is truly risk based.
Assess the skills of internal audit. If there is a deficiency in skills related to fraud and FCPA, strongly consider augmenting your internal audit team with outside professionals who can “tuck in” and provide those skills.
Review your third-party risk management program.
Have your compliance program reviewed at a minimum every three (3) years by outside independent professionals to ensure that it is not stale.
Seek to understand communication protocols and the escalation process:
Review the allegation log frequently, but no less than every 60 days, to ensure investigations are being done timely. Question investigations that have stopped or have lingered on beyond 60 days;
Ensure the board (audit committee) is being briefed timely on all serious matters by the chief audit executive and chief compliance officer; and,
Question the discipline applied to the bad actors and whether the risk assessment, compliance and ethics training, and monitoring protocols need to be modified.
Challenge your Chief Compliance Officer to provide evidence of the existence of a strong ethics and compliance program.
The Juniper order never mentions what, if any, discipline was applied to those who ignored the “cease and desist”. It also does not mention internal audit, which seems odd.
Cooperation and Remediation
According to the SEC, Juniper cooperated by disclosing facts in a timely way and “voluntarily produced and translated documents” to the agency during the investigation. They also “provided the [SEC] staff presentations regarding its investigation.”
As part of its remedial action, Juniper instituted a compliance preview and required pre-approval of non-standard discounts. It also now requires pre-approval for third-party gifts, travel, and entertainment, channel partner marketing expenses, and some operating expenses in high-risk markets.
Governance, risk, and compliance are no joke – get in the game!
Having an appropriate compliance structure that collaborates and works in harmony with internal audit and the legal function is a must to ensure risks are handled appropriately.
We just confirmed our first awesome speaker Niki A. den Nieuwenboer, Assistant Professor of Organizational Behavior and Business Ethics at The University of Kansas School of Business.
You all should know that leadership matters in fostering ethical conduct at work. However, the focus is often on top level managers and their “tone at the top.” The role of middle managers has remained somewhat of a mystery until now.
Niki den Nieuwenboer will lead a robust and enlightening discussion on her recent study that examined a case where middle managers, in response to upper management pressures, coerced front-line employees to deceive upper management about their performance.
She plans on spotlighting the creative role that middle managers played in finding ways to cheat, and discuss implications for ethics management and fraud prevention.
Stay tuned for more announcements about the symposium line-up and registration information as we round out the day!
As the use of whistleblower programs continues to grow, many organizations find themselves struggling to manage burgeoning caseloads. As a result, serious fraud investigations can be delayed (with mounting losses) while less consequential complaints are being investigated. The lack of a timely, systematic and repeatable process for evaluating and prioritizing whistleblower tips that contain allegations of ethical breaches can also expose an organization to increased regulatory risk. While there is no single, “right” method for following up on whistleblower complaints, the most effective approaches often resemble the medical triage programs that hospitals and first responders use to allocate limited resources during emergencies, or a crisis situation. Here are some useful guidelines for designing and implementing a fraud triage system.
The Growing Use of Whistleblower Programs
Despite extensive fraud detection measures, closer management scrutiny, and increasingly sophisticated technology, the most common fraud detection method is still the simplest: somebody notices something suspicious and decides to speak up. According to the Association of Certified Fraud Examiners’ (ACFE) 2018 Report to the Nations on Occupational Fraud and Abuse, 40.0% of the cases reported in their study were uncovered as the result of tips (usually from an employee, supplier, or customer) — more than internal audit (15%) and management review (13%) combined. The ACFE study also demonstrates that dedicated reporting hotlines are particularly effective. In organizations where such hotlines were in place, 46.0% of the cases reported were uncovered through tips, compared with only 30.0% of the cases in organizations without hotlines. These results are consistent with patterns that have been recorded in the ACFE’s biennial survey since its inception 20 years ago. On a broader scale, as a matter of best practice, the COSO Internal Control–Integrated Framework, along with various other enterprise risk management (ERM) frameworks and guidance from the Institute of Internal Auditors (IIA), also emphasizes the importance of establishing and maintaining effective whistleblower programs.
In addition to their demonstrated effectiveness, whistleblower programs have also been promoted through recent regulatory actions. For example, one section of the Dodd-Frank Wall Street Reform and Consumer Protection Act directs the Securities and Exchange Commission to make monetary awards to individuals who voluntarily provide information leading to successful enforcement actions that result in monetary sanctions over $1 million. A few years earlier, the Sarbanes-Oxley Act of 2002 required the audit committees of publicly traded companies to establish procedures to enable employees to submit confidential, anonymous information regarding fraudulent financial reporting activities. Dodd-Frank and Sarbanes-Oxley are only two examples out of a broad range of laws that encourage – and often mandate – whistleblower programs. A 2013 study by the Congressional Research Service found no fewer than 40 federal whistleblower and anti-retaliation laws, designed to protect employees who report misconduct. Eleven of those 40 laws were enacted after 1999. On February 21, 2018, the U.S. Supreme Court issued an opinion in Digital Realty Trust, Inc. v. Somers, a long-anticipated case that clarifies who is protected as a “whistleblower” under the Dodd-Frank Act’s anti-retaliation provisions. Because only those who report to the SEC qualify as a “whistleblower” under Dodd-Frank, individuals now have a clear incentive to report all sorts of observations to the SEC before reporting those observations through their company’s internal reporting infrastructure. Under Dodd-Frank an individual is now only protected from retaliation if he or she has reported a potential violation to the SEC before he or she separates from the company. Such laws not only make whistleblower programs more common, they also make the timely resolution of tips even more critical, as we are about to explain.
There is momentum today to correct Dodd-Frank.
On July 9, 2019, the U.S. House of Representatives passed H.R. 2515, also known as the Whistleblower Protection Reform Act of 2019 (“WPRA”). The WPRA is designed to address a gap in the whistleblower protections afforded under the Dodd-Frank Consumer Protection and Wall Street Reform Act of 2010 (“Dodd-Frank”), as interpreted by the Supreme Court in Digital Realty Tr., Inc. v. Somers, 138 S. Ct. 767 (2018). Specifically, the Supreme Court in Digital Realty Trust ruled that the anti-retaliation provision of Dodd-Frank does not extend to protect employees who only make reports concerning violations of securities laws internally, as opposed to individuals who made a report to the U.S. Securities and Exchange Commission (“SEC”). The WPRA is designed to amend Dodd-Frank to ensure the statute’s protections extend to individuals who make internal reports of securities violations.
Responding to Tips – Why Timeliness Matters
Dodd-Frank, Sarbanes-Oxley, and the various regulatory structures that were established to implement them are helping to mold a corporate environment where undervalued and underappreciated compliance professionals and in-house counsel are incentivized to “blow the whistle.” Such incentives can be helpful in creating a self-regulating environment, but they also make it essential that corporations establish a timely and effective process for remediating complaints. For example, to carry out its mandate under Dodd-Frank, the SEC established a separate Office of the Whistleblower, which has paid out more than $160 million to 46 whistleblowers in connection with 37 covered actions, as well as in connection with several related actions, since it was founded in 2011. Three of the ten largest whistleblower awards were made by the SEC during FY 2017.
Under this program, there are exceptions if at least 120 days have passed either since the auditor (excluding external auditors who obtained the information during the audit of an issuer) or accountant properly disclosed the information internally (to their supervisor or to another person in the organization who is responsible for remedying the violation, i.e., the audit committee, chief legal officer, chief compliance officer, or their equivalents), or since they obtained the information under circumstances indicating that the entity’s officers already knew of the information. Then they can report the lapse directly to the SEC and be eligible for a sizable whistleblower award – from 10 percent to 30 percent of any fines or sanctions that are collected. The program’s website prominently features headlines such as “SEC Issues $17 Million Whistleblower Award” and “SEC Awards More Than $5 Million to Whistleblower,” to cite only two of many recent examples. Since the program’s inception, the SEC has ordered wrongdoers in enforcement matters involving whistleblower information to pay over $975 million in total monetary sanctions, including more than $671 million in disgorgement of ill-gotten gains and interest, the majority of which has been, or is scheduled to be, returned to harmed investors. With incentives like that, it should be no surprise that whistleblower complaints are on the rise. Yet in most cases, such awards would not have been available if the companies involved had resolved the initial fraud complaints within 120 days. Unfortunately, our experience indicates that, while many companies invest in tips hotlines and similar whistleblower programs, a large portion of them fail to invest adequately in an allegation review process for promptly evaluating, prioritizing, and responding to the whistleblowers’ tips in a systematic, repeatable, and defensible manner.
As the number of tips grows and investigators’ caseloads expand, complaints end up sitting in a queue waiting to be investigated, while the company remains vulnerable to the risks the tipsters were warning about, and the SEC timeline is running.
A 2018 study of customers of the compliance software company NAVEX Global found that case closure times had risen to 44 days; according to NAVEX Global’s 2019 study, they have since dropped to 40 days. This metric is important given that, under certain agency whistleblower provisions, an organization will have limited time to complete an internal investigation.
Moreover, when the various categories of fraud are compared, cases involving suspected accounting, auditing, and financial reporting fraud took the longest to resolve by far – 55 days! In other words, the average case closure time for cases of suspected financial fraud was almost halfway to the 120-day deadline – the point at which employees are incentivized to report the case directly to the SEC and expose the company to additional, sizable sanctions.
Hidden and Direct Costs of Delayed Response
Even setting aside potential SEC sanctions, delays in investigating whistleblower tips are costly in other ways. Delayed responses to tips can cause employees and other potential sources to lose confidence in the hotline or other whistleblower program, undermining the effectiveness of the compliance and ethics program and adding further complexity to the risk management effort. Most companies expend considerable time, effort, and resources in creating compliance and ethics programs. Failing to establish a system for dealing with allegations or tips in a timely manner can mean those expenditures are probably wasted. There are also direct costs associated with delays in handling tips. The losses resulting from a fraud scheme are directly related to how long the scheme goes on. The ACFE’s 2018 Report to the Nations found that the median loss for frauds that were uncovered in six months or less was $30,000. At the other end of the scale, schemes lasting more than five years caused a median loss of $715,000. Simply put, the longer perpetrators are able to continue, the more financial harm they are able to cause. Clearly, the absence of an effective program for handling whistleblower complaints promptly and effectively can have a significant and direct financial impact – in addition to the regulatory, employee relations, and reputational risks such a shortcoming entails.
A Triage Approach
While there is no single, one-size-fits-all method for following up on whistleblower complaints, the most effective approaches are similar in many ways to medical triage programs, such as those implemented by hospitals and first responders during emergencies to help medical professionals prioritize the treatment of patients. In medical triage, those with serious, life-threatening injuries are treated ahead of those whose conditions are less severe. In the same way, a fraud triage program helps risk, audit, and fraud professionals prioritize the investigation of tips and whistleblower complaints. Those that indicate serious, material risks are addressed differently and more aggressively than those that reflect mere misunderstandings, minor errors, personal grievances, or false tips, all of which could tie up investigators unnecessarily. Under a fraud triage program, the same principles apply. Hotline tips or complaints that do not indicate fraudulent behavior can be delegated to human resources, IT, or other line or support functions that are capable of handling them more efficiently. Meanwhile, complaints that involve suspected fraud, but which are less significant in terms of financial losses, control failures or other risks, may be set aside temporarily while larger, more material cases receive immediate attention.
Proper Staging of the Allegation – the Critical First Step
A swift and thorough triage process leads directly to a more appropriate and timely response. The specifics of that response will vary, of course, depending on the nature and severity of the case, but the fundamental elements of the treatment include forming the right team to investigate, understanding root causes, and providing timely disclosure to all constituencies. Before such a response can be planned and executed, however, the tip or allegation must be evaluated or “staged” based on a consistent set of criteria. Navigant’s fraud governance framework identifies five such stages:
Stage 1
Stage 1 allegations have a low threat level and do not suggest a breakdown of internal controls. Tips that get grouped into this stage do not have a financial or reputational impact. These may include employee-to-employee disputes, isolated cases of small-scale employee theft, and the normal policy complaints, misunderstandings, and personal disagreements that are often raised through a whistleblower program. In most cases, these complaints are best handled by human resources or management personnel.
Note: Human Resources and management should be trained on proper investigation protocols, including the escalation process. A basic level of review should be performed and documented to corroborate that no further investigation is warranted. This review and documentation could be performed by a branch or office manager. For an employee who is the target of such a complaint, management should consider placing that employee on a temporary legal hold, which triggers the retention of email and other documents until the risk of retaliatory litigation has passed.
Stage 2
These allegations are more serious in nature, and often indicate some deficiency in the design of internal controls. Examples include business rule violations such as recurring employee theft or patterns of falsifying expense reports. If the allegation is substantiated, then the result of the remediation process is a change to a business process or business rule, followed by an enhancement of the company’s preventive or detective internal controls. Because they indicate a deficiency in internal controls, such allegations are escalated to the internal audit function in order to obtain a deeper understanding of the control environment. Internal audit should evaluate what controls are currently in place, and determine where the breakdown in internal controls occurred. It is also important to assess whether the allegations are signs of a bigger problem or could have an impact on financial reporting. If financial reporting is affected, sensitivity testing must be performed to calculate the low case, medium case, and worst case financial impact. Internal audit’s review also might identify multiple violations. Again, the employees affected should be placed on a legal hold, which triggers the retention of email and other documents until the risk of litigation passes. In some cases, employee termination may be warranted.
Stage 3
These allegations are serious in nature, generally involve an override of internal controls, and thus are at a minimum a serious deficiency. But they have only a minimal impact on the financial statements or the company’s reputation. More serious allegations in this category include fraud, embezzlement, and bribery involving employees or mid-level management. Such cases require the same level of investigation as Stage 2 cases, along with an internal investigation that usually is conducted under the direction of the general counsel, involving compliance and internal audit as well. In some instances, the investigation might need to be performed independently by a function or person who is not directly involved in the control environment.
Stage 4
These are serious allegations that could have an impact on the completeness and accuracy of the audited financial statements, and that could indicate a material weakness in internal controls. They do not, however, appear to involve any member of the senior management team. Such cases are generally addressed through an internal investigation, usually under the direction of outside counsel operating under privilege. The investigation often involves the use of independent, outside experts as well.
Stage 5
These are serious allegations that involve one or more members of the senior management team, or are serious enough to damage the company’s reputation. The receipt of allegations in this stage usually places the company into crisis management mode, and could result in the restatement of audited financial statements or added regulatory scrutiny. In such instances, the board generally should engage outside counsel and forensic investigation experts to initiate a privileged and confidential fact-based investigation. The external auditors may also be involved, and a disclosure to the SEC may be required. It’s important to note that, in both Stage 4 and Stage 5, engaging outside experts is generally necessary. Other critical elements of the Stage 4 and Stage 5 responses include having a qualified and experienced investigation team, along with a time-phased work plan that minimizes disruptions to the organization’s day-to-day business as much as possible. The investigators will begin with fact-finding interviews to help them evaluate who else to interview and when. The investigators will also help the company identify a list of custodians who will be interviewed to understand where their data was being saved (for example, on email servers, mobile phones or other devices, flash drives, cloud servers, and network folders). Generally, a large-scale data collection effort will then ensue in order to search and preserve all potentially relevant information. The goal is to determine who knew what and when, and how high up the chain the knowledge went. The investigation will also assess whether the audited financial statements can be relied upon, so that counsel and board members can determine what disclosure requirements might apply. In addition, where internal control issues are noted, outside counsel can also recommend, and assist in implementing, new or enhanced policies, procedures, and controls.
Ownership, Responsibility and Follow-Up
Obviously, the triage staging system described here is not the only plausible methodology an organization can use for evaluating allegations of wrongdoing and planning appropriate responses. Other thought leaders in the field have proposed evaluating tips according to various other criteria, such as the severity of the allegation, the specificity of the information it contains, and similar factors. Ultimately, whatever triage process and framework is chosen, it will need to be customized to reflect the company’s particular situation and its particular industry. In many instances, boards may choose to combine elements from several approaches.
Regardless of the specific criteria upon which the system is based, the importance of maintaining written policies and procedures cannot be overstated. Moreover, in all cases it is important that the responsibility for developing, implementing, and maintaining the triage response system be clearly defined. The assignment of this responsibility will vary as well, depending on the size and nature of the organization, its governance structure, the volume of whistleblower complaints and other factors. It could fall to internal audit, the corporate general counsel, a board committee, a designee of the CFO, or some other person or group – but in all cases it’s essential to have a designated individual or business function that is responsible for initially capturing complaints and performing the triage of the allegation(s). Once the framework is set and data is being collected, it’s also important to step back and periodically assess what the data is saying. For example, if the complaint hotline is bombarded with a high frequency of inconsequential complaints related to minor personnel disputes, uniform violations, or employees complaining about having to work a holiday, then it may be time to provide additional training on how the complaint hotline is to be used. An increase in sexual harassment complaints or complaints related to substandard working conditions could provide an early warning of, or a leading indicator for, a class action lawsuit. Similarly, an increasing number of reports of low-dollar employee theft is usually a sign of a larger cultural problem. Evaluating the data and trends captured in your complaint system can help you make decisions that could prevent the next “big event.” In that sense, an effective, well-designed, and consistently executed fraud triage effort can pay even bigger dividends that go beyond the direct benefit of helping you evaluate and prioritize tips and complaints more efficiently.
Lastly, as facts come to light, there might be a need to escalate the allegation. If an investigation starts with human resources or internal audit, they should be trained on what to do if the matter intensifies!
Matters that generally require escalation include, but are not limited to:
Violation of law – antitrust and competition, anti-bribery and corruption, employment discrimination and harassment, fraud against third parties by employees
Accounting, books and records – public financial reporting, internal financial reporting and disclosure, insider trading, SOx, Dodd-Frank
Environmental, health, safety
Any employee theft, misappropriation, or fraud against the organization in excess of $$$$$$$
Code of Conduct Violations of the Executive Leadership team
Misconduct by Legal, Ethics and Compliance employees – failing to investigate or stopping an investigation
Third party frauds against, or thefts from, the organization
Care should be taken, and consultation with legal counsel and compliance is a wise move, unless they are or appear to be involved; in that case, go directly to the Board of Directors.
Board members, I would seek to understand the escalation process and I would review the allegation log to ensure investigations are being done in a timely manner, you are being briefed on all serious matters, proper discipline has been applied, and internal controls are installed or enhanced to try to prevent and detect possible future bad or “carryover” behavior!
I welcome your comments and suggestions.
Jonathan T. Marks
This material is protected by Copyright Laws and may not be reproduced in any form without my express written permission.
This e-book is intended as a guide for Chief Compliance Officers (CCOs) and those responsible for developing and implementing compliance policies and procedures for an organization. Compliance, when done properly and embraced fully, should be seen as a necessary business process.
It is our vision that companies have more than a best-in-class compliance program going forward.
The time is now for companies to take the next step up to make compliance a part of the business process of the organization. This would not only allow companies to meet the Department of Justice’s requirement that compliance programs be more fully operationalized, but it is our firm belief that a more effective compliance program will make the company’s internal controls operate more efficiently and enable it to operate more profitably. With the increased efficiencies for compliance offered by data analytics and AI, a robust compliance program can demonstrate internal commercial inefficiencies which can be remediated for greater return from assets.