Q&A: Fraud due diligence
February 2013 | SPECIAL REPORT: CORPORATE FRAUD & CORRUPTION
Financier Worldwide Magazine
FW speaks with Zafar I. Anjum at Corporate Research and Investigations LLC, Gregory E. Wolski at Ernst & Young LLP, and Ben Hobby at RGL Forensics about fraud due diligence.
FW: In your opinion, do companies place enough emphasis on detecting fraud in today’s business environment? Has the proportion of companies carrying out due diligence for fraud, bribery or corruption increased in recent years?
Wolski: In our experience, most companies acknowledge fraud risks exist in their organisation and understand that such risks should be addressed. However, the nature and extent of the policies, processes and controls employed by companies to identify and mitigate fraud risks varies greatly based on the attitude of the leadership of each specific company and its assessment of the level of perceived risk. In recent years, with continued Department of Justice (DOJ) and Securities and Exchange Commission (SEC) enforcement actions related to bribery and corruption, we are seeing an increased willingness on the part of acquiring companies to perform due diligence procedures related to such risks. Our private equity firm clients and our acquisitive corporate clients are typically more advanced in their understanding of the need for anti-bribery and anti-corruption (ABAC) due diligence procedures than companies that only complete an occasional acquisition. Overall, we are seeing many companies beginning to perform ABAC due diligence on transactions where the target has cross-border operations or sales. Based on both the perceived risk and professional advice, companies are also beginning to perform such ABAC due diligence earlier in the transaction process. However, as with other fraud risks, the extent of the diligence companies are willing to perform varies.
Anjum: Companies are placing a great emphasis on due diligence. After the most recent serious regulatory actions, it has been mandatory for every company, regardless of jurisdiction, to undertake rigorous integrity due diligence on third parties and intermediaries associated with their business operations to ascertain their legal compliance, financial viability, and integrity levels. There is a significantly increased willingness to undertake due diligence as a pre-emptive measure against fraud and corruption across industry sectors, specifically after the financial crisis.
Hobby: The emphasis on detecting fraud has historically increased in the recession as a by-product of costs and expenditure being reviewed more rigorously in order to protect overall profitability. Any increase in fraud detection in today’s environment will generally result from this, rather than a sustained improvement in internal controls and fraud detection. Businesses need to consider how their internal monitoring controls can be improved and augmented by appropriate continuous monitoring tools that ensure that fraud risks are addressed throughout the economic cycle. These types of continuous monitoring controls, if all employees see they are operating, can also act as a preventative control, as well as detective, thereby assisting management in creating a zero tolerance culture regarding fraud.
FW: Could you outline any legal and regulatory developments over the past 12 months that may affect the fraud due diligence process going forward?
Anjum: The UK Bribery Act 2010 advanced the material scope of due diligence, making it an indispensable tool in establishing issues such as legal compliance, financial sustainability, and the integrity levels of outside partners, suppliers and customers seeking to affiliate with your business.
Wolski: In connection with the increased focus by the SEC and the DOJ on FCPA issues, in mid-November, the Criminal Division of the DOJ and the Enforcement Division of the SEC issued much anticipated guidance regarding the FCPA. The jointly issued A Resource Guide to the U.S. Foreign Corrupt Practices Act (the FCPA Guide) provides, among other topics, information specifically related to ABAC considerations in merger and acquisition transactions. The FPCA Guide does not have the force of law but it details the approach and priorities of the DOJ and SEC in FCPA enforcement related to mergers and acquisitions and provides fact patterns and hypothetical examples to illustrate the interpretation and application of the commonly faced corruption issues in mergers and acquisitions. The FCPA Guide also provides some clarity in certain areas that have caused confusion, including successor liability in mergers and acquisitions. Specifically for mergers and acquisitions, the FCPA Guide underscores the expectation that pre-acquisition ABAC due diligence should be conducted on deals. The FCPA Guide also highlights how appropriate ABAC due diligence and post-acquisition compliance efforts can contribute to the decision not to prosecute a successor company for a pre-acquisition violation. This is particularly important to acquirers given that successor liability prevents companies from avoiding liability by reorganising. The FCPA Guide provides ‘hallmarks’ or elements of an effective compliance program. These hallmarks should be considered when evaluating a target company’s compliance program pre-close and in designing and implementing the compliance program post-close.
FW: Uncovering fraud post-deal can have extremely damaging consequences for an acquirer. What steps should buyers take to increase the likelihood of identifying fraudulent activity before a deal is closed?
Hobby: Analysis of the effectiveness of the target’s internal control environment is invariably not performed in detail prior to completing an acquisition. Consequently, internal control weaknesses that may exist, which in turn may lead to an increase in the risk of fraud, are not identified at this stage, but are invariably only identified during the post acquisition integration process. Buyers may therefore want to consider performing elements of the post acquisition review before the deal is completed. As a minimum, the acquiring company should obtain as much transactional data as can be obtained from the target’s accounting system. This can then be analysed in a data mining tool to identify potential anomalies in the operation of internal controls, but, also, unusual transactions that may be evidence of fraudulent activity.
Wolski: To increase the likelihood of identifying fraudulent activity pre-close, buyers should perform sufficient ABAC due diligence procedures, focused on areas of perceived risk. Such procedures could include interviews, analysis of the anti-bribery and anti-corruption policies of the target company, understanding the nature and extent of any internal audit or other monitoring of compliance, and testing of a sample of transactions in accounts with the highest potential risk based on the operations of the target company. We typically perform such procedures in a phased approach with ever increasing focus on red flags and areas of perceived risk based on the procedures performed in the preceding phase. When issues surface as a result of an acquisition, the recently released FCPA Guide indicates that an assessment will be performed of the acquirer’s pre-acquisition ABAC due diligence procedures. This assessment will evaluate whether the acquiring company conducted pre-acquisition ABAC due diligence and whether the acquiring company promptly integrated the acquired company into its compliance program, including implementing policies, requiring training, and performing audits.
Anjum: Successful risk management begins with scrutinising the individuals and organisations with whom you will be conducting business. It also requires compliance with international laws, which can be complex and subject to change. Investigative due diligence before any transaction is a proactive countermeasure against fraud, and an economical approach to reducing vulnerabilities in the deal process. It safeguards the interests of the buyer and investors.
FW: What are some of the recurring themes that appear in corporate fraud cases? What steps can companies take to detect red flags?
Wolski: Related to M&A transactions, bribery and corruption issues are often identified related to gifts, travel, and professional services – for example, consulting. A company can increase the likelihood of identifying red flags in such areas by performing ABAC due diligence procedures, including interviews of target personnel, analysis of the target’s anti-bribery and anti-corruption policies, and testing of a sample of transactions in accounts that are typically higher risk for issues such as travel expenses, gifts, entertainment, consulting or other professional services.
Hobby: What constitutes a red flag for one company may not apply to another. A recurring theme in our experience is that red flags existed prior to the discovery of a fraud but were not identified or adequately followed up on. Companies need to consider where they are exposed to a fraud risk, identify the data that is available to monitor this risk and what would represent an anomaly or red flag within this data. Specific individuals need to be tasked with performing this monitoring, but also be given the freedom to investigate any potential issue. It is important to emphasise that a data anomaly may not automatically be evidence of fraud, as it could result from a legitimate change in the way the business is operating. Identifying these changes, as well as reviewing appropriate responses, also provides opportunities for companies to maintain and improve profitability.
FW: In their efforts to tackle fraud, do companies place enough emphasis on background checks and screening potential new employees? How should they undertake this process?
Anjum: Many organisations still don’t have proactive fraud risk-management measures implemented, thus compromising workplace security and increasing the organisation’s vulnerability towards employee fraud and malfeasance. Verifying employee’s past histories will reduce exposure to fraud and theft, identity fraud, drug abuse and workplace violence. The background check process can start at the candidate’s interview to where the CV and other credentials can be checked, specifically previous employment history and litigation record checks. This process should be consent-based and the applicant should know that a rigorous background check will be in place during his or her application. Similar activities can be put in place for outside vendors, suppliers and outside partners and affiliates.
Hobby: A lot more emphasis is being placed on background checks and pre-employment screening. Companies realise that the good practice of screening across all levels will help mitigate their risk and safeguard their assets. Long gone is the adage ‘if the face fits’, as companies need to know that the person they are hiring is properly qualified with nothing in their past that could damage the company’s reputation or more importantly cause losses to occur. A company can complete its own checks but this can be time consuming and so an external agency may be used instead. Key points to consider include confirmation of qualifications, criminal record checks, credit checks, as well as an audit of the employment history on their CV.
Wolski: It is important to know who you are hiring to work for your company, and background checks are one way to identify whether a potential employee has had issues of concern in the past, including criminal history or personal financial issues. As a result, many companies currently do perform background checks of some type for new employees.
FW: What is your advice to companies on protecting themselves against exposure to fraud from third-party business parties?
Hobby: With regard to supplier fraud, there is often too much emphasis placed on agreeing a supply contract, with insufficient consideration then being given to monitoring the delivery of the service or product. Suppliers can therefore take advantage of lax procedures to breach agreed contractual terms or, worst case, defraud their customer. Companies therefore need to make certain that they have adequate processes and controls in place to manage this risk. It is also possible under some legislation for a trading partner to be considered an agent. In this case, the company can be held liable for the actions of their partner and is therefore reliant on the quality of the partner’s fraud risk management processes. Where this occurs, the company needs to ensure that it has audited these processes and that they are fit for purpose.
Wolski: More than 90 percent of reported FCPA cases involved the use of third-party intermediaries such as agents or consultants. Appropriately, this is a central focus of many anti-corruption efforts, but the degree of due diligence performed for each third-party should be commensurate with the risks posed by that third-party. A potential buyer needs to understand the extent of the third-party relationships of the target company and the extent of the due diligence, if any, performed by the target company on third-parties. In addition, a buyer should understand whether contracts with third-parties contain any anti-bribery or anti-corruption provisions and the target company’s process for monitoring compliance with such provisions. Finally, additional due diligence procedures related to third-parties should be performed, including background searches and analysis of a sample of transactions with third-parties. All of these procedures can be completed through ABAC due diligence procedures. Performing such procedures is critical.
Anjum: Fraud in business organisations can be undertaken by three main groups of people: those charged with management, employees and third-parties. Current regulatory compliance legislations require organisations to make it mandatory to undertake ‘integrity due diligence’ to ascertain the legal compliance and fraud risk assessments of third-parties, suppliers and customers. Businesses are required to ensure they understand how their intermediary partners do business, in order to ascertain risks associated with third-parties and identify proactive measures.
FW: How have new technologies and techniques, such as forensic data mining, improved and altered the due diligence process? How are such techniques being employed?
Wolski: If utilised properly, employing data analytics as a part of an ABAC due diligence plan can assist in identifying red flags for further analysis. This is especially true in terms of selecting transactions for testing during ABAC due diligence. While a randomly selected sample of transactions for testing can yield some results, data analytics can provide a ‘road map’ for selecting transactions of certain types with certain parties based on frequency, amount, volume, and so on, that are most relevant as determined by the due diligence team. By doing so, all of the transactions testing should be from ‘red flag’ accounts, customers or vendors, rather than selected at random.
Anjum: Many jurisdictions still lack modern investigative research and due diligence techniques. There are no centralised database systems in most countries across the Middle East and Asian regions – however, the use of modern techniques to ascertain the facts is a top level decision within the organisation. If management is committed to anti-fraud and anti-corrupt business transactions, this is an economical solution.
Hobby: Data mining tools are often used for exploratory analysis to identify anomalies where there is no clear hypothesis. Reviewing and understanding the output of this analysis, particularly when it is presented in a tabular fashion, may not assist in establishing if anomalies do indeed exist. In these cases, visualisation software can be used to present data mining results and can assist in highlighting relationships between different data parameters, as well as further, more refined, data mining exercises. In the case of payments to fictitious employees, this may be between bank accounts, addresses, tax and social security numbers and irregular bonus payments, for example. Due to the increased use of social media platforms, a number of tools have been developed to more effectively analyse this content, the use of which will become more prevalent in future fraud investigations.
FW: What issues and challenges can multinational companies expect to face when rolling out an anti-fraud program across different jurisdictions?
Anjum: First, the local legal compliance challenges of each jurisdiction should be taken into consideration. Legislation and local anti-fraud regulatory requirements, privacy and data protection laws, and the operational and reputational risks associated with the business in question are important considerations that can impact the implementation of anti-fraud programs.
Hobby: The main challenge is different cultures, as one country will have different ideas of what is acceptable behaviour compared to another. For example, we have seen payments being made to local police. These payments were authorised in accordance with the internal control manual, with local senior management also being aware of the payments, accepting that this was part of the cost of business in that jurisdiction. However, this kind of payment clearly has the potential to cause issues under the Bribery Act. At a practical level, these payments may be unavoidable and may therefore continue to be made. However, this then creates an issue for companies in educating local employees as to what is acceptable and unacceptable behaviour as part of any anti-fraud program.
Wolski: Implementing compliance programs in foreign countries poses real issues that must be considered by a company to increase the effectiveness. A compliance program roll-out should include a detailed compliance program, it should involve some type of compulsory live or web based training, and it should require written acceptance of the compliance program by each employee, third-party and vendor. When rolling out a compliance program to a newly acquired company, the policies and the training should be tailored to the acquired company based on several factors including: the locations of the acquired company; the existence, or lack thereof, of anti-corruption policies; any history of bribery or corruption issues; and a risk assessment of the acquired company. For each foreign location of an acquired business, the compliance program and the training may need to be tailored to address local risks and specific considerations for local anti-corruption regulations. A program that just covers FCPA issues is not sufficient for a company with operations in the US, the UK, China and Brazil.
FW: What additional measures can companies operating in high risk jurisdictions take to reduce the risk of fraud within their organisation?
Hobby: The existence of appropriate monitoring controls in an organisation will help to ensure that fraud can be detected. However, these controls must vary to reflect the different risk profile that exists in each country and business unit. Companies need to make sure that they understand each risk profile and how specific threats can be identified from the data that is available. However, in a high risk jurisdiction, the risk profile is likely to change more quickly than would be the case in a lower risk environment. The key, therefore, is adaptability, to ensure that new risks, as well as changes to existing risks, are promptly identified and any corresponding changes to the internal control environment are then implemented on a timely basis.
Wolski: Developing an extensive anti-corruption compliance policy is a great start, and many companies we deal with have well developed compliance polices. However, many companies fall short in creating an anti-corruption compliance program that includes the education of employees and monitoring of compliance with policies. These are two areas, especially for high risk jurisdictions, that can be improved to help reduce the risk of fraud. Annual training related to compliance policies should be mandatory for all employees. This is especially true for higher-risk countries where bribery and corruption are often a way of life. In the context of a newly acquired company, the buyer may be faced with needing to change the culture of the acquired company from what may have been acceptable in the local country to one that is compliant with anti-corruption regulations. Sending out a companywide email with a compliance policy or delivering training one time is not sufficient to change the culture. Regular monitoring of compliance with anti-corruption policies is a key to reducing fraud risks and identifying red flags earlier.
Anjum: Due diligence is especially critical when dealing with businesses or governmental organisations in developing markets. In this environment it is essential that businesses become completely familiar with the operations of international clients, business partners, distributors, agents, consultants and individuals, before conducting offshore transactions, establishing formal corporate partnerships or committing to international investments.
As a certified fraud examiner, Zafar I. Anjum is an expert in the investigation of multifaceted business crimes and the management of fraud prevention and detection across the Middle East. With 21 years’ experience of corporate investigation, Mr Anjum is proficient in the development of investigation strategies and the provision of solutions to the most challenging assignments including fraud, theft of intellectual property and serious organisational misconduct, forensic accounting, and integrity due diligence.
Greg Wolski is a partner and certified public accountant in Ernst & Young’s Fraud Investigation & Dispute Services (FIDS) practice. Mr Wolski has over 32 years experience in due diligence, litigation, accounting and auditing, and other advisory services. He is the firm’s practice leader for the Transaction Forensics practice, which includes purchase price disputes, Foreign Corrupt Practices Act (FCPA) and anti-corruption due diligence, private equity anti-corruption compliance, transaction fraud and forensic due diligence.
Ben Hobby has been involved in Forensic Accounting in London since 2004. Prior to this, he worked extensively in internal audit and investigative roles in industry, where he gained significant experience in the review of operational processes and internal controls. Mr Hobby has handled losses and investigations of various scopes and sizes for insurers and lawyers worldwide. His insurance expertise focuses on commercial crime, business interruption, loss of profits and product liability in various sectors.
© Financier Worldwide
Zafar I. Anjum
Corporate Research and Investigations LLC
Gregory E. Wolski
Ernst & Young LLP