by Scott Moritz
Managing Director – Leader, Protiviti’s Fraud Risk Management Practice
In recognition of the 25th anniversary of the Association of Certified Fraud Examiners (ACFE) and International Fraud Awareness Week, Protiviti, whose practitioners include more than 100 members of the ACFE, is releasing a series of fraud awareness tips to highlight the various ways that fraud can affect an organization and the proactive steps organizations can take to better position themselves in the ongoing fight against fraud.
There is a dizzying array of due diligence investigative options for organizations today. Moreover, there is an equally confusing number of categories of relationship that a company may need to subject to a background investigation. One size definitely does not fit all. So, where do you start?
Assess Where Your Risks Are and Their Severity
While the term “risk-based approach” may be overused, it’s a critically important concept. Before designing a due diligence process that is risk-based, organizations must have a firm grasp of the types of risk that their organizations may face across their different relationships, lines of business, activities and geographies. Broadly, due diligence can be applied to customers, business intermediaries, suppliers, venture partners and employees. When added together, the sheer numbers can be overwhelming, especially for very large organizations.
Performing an organizational risk assessment will bring into focus where risk comes from and where it’s most prevalent. Organizations should assess which categories of employee, company activities, business intermediaries and customers represent a disproportionate degree of risk – this will enable you to allocate due diligence resources on a risk basis.
By assigning risk levels across each of these categories of relationship, you can then focus your resources on performing due diligence on those higher-risk relationships and do so in a way that is risk appropriate.
Risk Level Should Dictate Approach
Due diligence investigations cover a broad spectrum, from using watchlists to performing comprehensive field investigations comprising public records research, site visits and extensive human intelligence. After considering the potential risk that a relationship may represent, that risk needs to be counterbalanced with an investigation that is comprehensive enough to surface issues of concern.
For example, overseas sales agents who, on your behalf, are engaging directly with foreign government agencies and state-owned companies in high corruption risk countries are widely considered to represent the highest risk of potential violations of the U.S. Foreign Corrupt Practices Act (FCPA) and other anti-corruption statutes. As a result of this high degree of risk, regulators and law enforcement agencies that may sit in judgment as to the efficacy of your program have certain expectations as to what constitutes a risk appropriate investigation of this category of relationship. If your due diligence process consists entirely of checking watchlists and Google, no one is going to consider what you’re doing to be risk appropriate. Watchlists and the Internet are important tools, but both have significant limitations, particularly if the high-risk third party is a small company operating in a relatively undeveloped economy. You shouldn’t derive negative assurance from the fact that a high-risk third party didn’t appear on any watchlists and there were no negative references found via a Google search.
Some organizations utilize checklists to assist in the performance of due diligence investigations. While checklists can be useful, they invite a certain mindlessness if they are utilized by inexperienced, low-level personnel. The most important skill for investigators who perform due diligence is critical thinking. Specifically, this involves being ever mindful of the potential risks of the third party and ensuring that the scope of the investigation is well aligned with that potential risk.
Perhaps the most important juncture at which critical thinking should be applied is in interpreting results. Any findings must be considered in the context of the contemplated relationship and whether the finding may impact the third party’s suitability as a commercial partner. It is hard to find a commercial entity above a certain size that hasn’t been involved in some form of dispute or controversy. As part of the critical thinking process, you need to weigh factors such as when the event happened, whether it is still going on, what steps have been taken to prevent a recurrence, how this may affect your company if it happens again, and whether you’ll ever get to a point at which you can be comfortable with the proposed relationship.
Consider the following two scenarios. Under scenario 1, a prospective distributor in Indonesia represents in a questionnaire that it has a 40,000 square foot warehouse in the Philippines and a fleet of 12 delivery trucks. A site visit to the address the company provided reveals that it is a residential apartment in a high-crime neighborhood. Do you stop there and move to your next prospective distributor, or do you probe further?
Often, there is a disconnect between the questionnaire that a prospective third party completes and the subsequent investigative steps that may indicate you asked the wrong question rather than that the third party misrepresented itself. That is why it is helpful to ask in a questionnaire not only for the company’s legal address, but also the address from which it is operating. In this example, once this disconnect is ironed out, investigators do in fact observe what they expected to see – a large, active warehouse with delivery trucks coming and going.
In scenario 2, the initial background investigation of a prospective environmental consultant in India reveals that several of its senior executives were former high-level officials of the Ministry of Environment & Forests. Further, during their tenure with this ministry, there was a scandal wherein it was alleged that several officials, in exchange for cash and gifts, were “passing” environmentally impaired properties without requiring environmental remediation. While the environmental consulting firm’s executives weren’t among those charged in the criminal case, they reportedly resigned shortly after the scandal broke and immediately went to work at the environmental consulting firm.
The question: Is it possible to conclude that the company is a suitable business partner? Most people’s initial reaction would be “no.” In reality, it is important to first evaluate whether there are other options in that geography. Assuming there are, the prudent course of action would be to select a different environmental consultant – provided its background checks present fewer issues. If there are no other options in that region of India, what then? Some companies faced with such limited options elect to impose heightened controls around such particularly high-risk relationships, including enhanced contract language to include the right to audit.
In summary, the performance of background investigations should not be strictly checklist-driven, and the results are seldom black and white. Expect that most such investigations will raise as many questions as they do answers, and be prepared for the process to have several iterations, with some necessary interplay between the investigator, company and third party, until the chief compliance officer or other decision-maker has sufficient information on which to make an informed decision.
One important closing note is that background investigations are based upon available information as of a moment in time. Public records, watchlists, global media archives and the Internet are dynamic and these companies are actively engaged in the stream of commerce every day. The shelf life of an investigative report can be very short depending upon events that happen after the date the report was issued. Leading industry practices suggest the need for some form of continuous monitoring whereby these reports are refreshed periodically or news feeds with adverse search terms are monitored on a recurring basis. Following these steps will move you away from a checklist mentality and in the direction of a risk-based, critical thinking-driven investigative process.