DOJ Fraud Section Puts Boards of Directors on Notice Regarding “Conduct at the Top”

In February 2017, the U.S. Department of Justice (DOJ) Fraud Section published its latest guidance on corporate compliance programs with the release of the very useful document titled “Evaluation of Corporate Compliance Programs.”

While many legal and compliance scholars have rightly stated that this latest publication isn’t anything radically different than prior authoritative guidance issued by the DOJ and other organizations, what jumps out is the reframing of the well-worn expression, “tone at the top,” with the potentially more insightful, and arguably much scarier, “conduct at the top.” In a just-released Flash Report, we put forth questions and insights that illustrate the degree to which the DOJ is examining senior management and the board of directors while evaluating a corporate compliance program.

COSO Guide Seeks to Elevate and Evolve Fraud Risk Management Practices

Pamela Verick

By Pamela Verick, Director
Protiviti Forensic

 

 

For many organizations, fraud risk management consists of checking boxes and thinking positive thoughts:

“We hire good people.”
“We have a code of conduct.”
“We comply with Sarbanes-Oxley (SOX).”
“Our hotline does not ring (for serious things).”
“Fraud simply doesn’t happen here.”

Of course, as forensic professionals, we know that this is not enough. So does the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Recognizing the need to both elevate and evolve management thinking on the topics of fraud prevention, detection and deterrence, COSO released its Fraud Risk Management Guide (“COSO Guide”) in September 2016.

The COSO Guide provides a valuable blueprint of leading practices and user-friendly templates to help organizations not only correlate, but actively apply, the five fraud risk management principles first outlined in Managing the Business Risk of Fraud: A Practical Guide (jointly published by the AICPA, The IIA and ACFE in 2008) within the context of the 2013 COSO Framework.

These principles serve as a universal foundation for anti-fraud programs. They are:

  1. Fraud Risk Governance
  2. Fraud Risk Assessment
  3. Fraud Control Activity
  4. Fraud Investigation and Corrective Action
  5. Fraud Risk Management Monitoring Activities

Of these five principles, fraud risk assessment is perhaps the most widely recognized because the consideration of the potential for fraud was explicitly included within the 2013 COSO Framework. Since that time, the identification and assessment of fraud risk has been a focal point of inquiry for internal and external auditors. However, the scope of management’s fraud risk assessment is still often limited to fraud scenarios that would cause a material misstatement on an organization’s financial statements. In contrast, the COSO Guide encourages an elevated and evolved assessment of fraud risk in the context of the organization’s overarching fraud risk management program in order to achieve better support of, and greater consistency with, the overall 2013 COSO Framework.

The COSO Guide is both user-friendly and pragmatic in its design. Each chapter is organized to provide a clear snapshot of how individual fraud risk management principles align with the COSO 2013 Framework’s components and principles, and outlines unique characteristics for each fraud risk management principle within specific points of focus. These points of focus are structured similarly to those contained in the 2013 COSO Framework and are useful in considering the design and operating effectiveness of management’s own fraud risk management capabilities. Whether an organization is new to the topic of fraud risk management or seeking a more detailed view on the “how-to” of certain fraud risk management activities, the COSO Guide provides information that is both thorough and thoughtful, as well as applicable to a variety of audiences.

Whether an organization is in pursuit of a “best-in-class” fraud risk management program, or simply looking to enhance certain elements of its anti-fraud control activities, below are some suggestions for utilizing the information and templates included within the COSO Guide:

  • Map and analyze the fraud risk management process for improvement opportunities
  • Evaluate whether there is proper oversight and assignment of resources for fraud control activities
  • Create or update the organization’s fraud control policy
  • Conduct a fraud risk management survey
  • Expand documentation and visualization of the organization’s fraud risk and controls matrix
  • Assess the organization’s list of potential fraud exposures
  • Review the organization’s fraud response plan
  • Implement a data analytics framework
  • Enhance awareness of fraud risk through communication with various organizational constituencies

It is important to note that the COSO Guide offers insights into leading practices encompassing fraud prevention, detection and deterrence. It is not intended to create a prescriptive standard for either fraud risk management or fraud risk assessment. Furthermore, there is no “one size fits all” approach to fraud risk management and fraud risk assessment. Each process needs to be tailored to an organization’s operations, objectives, industry, people, geographies and technologies.

Finally, it is critical to recognize that fraud is a highly dynamic event. There is no guarantee that an organization will be free from its occurrence or effect simply because it has implemented leading practices. The ability to prevent and detect fraud can — and should — evolve with the organization’s internal control framework, and the COSO Guide provides a clear roadmap that can help drive organizations toward excellence in fraud risk management.

The Princeling Problem: Is Your Company Avoiding Corrupt Hiring Practices?

November 13-19 is Fraud Awareness Week. Once again, we are celebrating by highlighting the perspectives of leaders in the Protiviti Forensic practice and other fraud and anti-corruption professionals. To learn more, visit Protiviti Forensic online.

 

scott-moritzBy Scott Moritz, Managing Director
Protiviti Forensic

 

 

 

One of the more interesting threads to come out of panel discussions at Protiviti’s inaugural Foreign Corrupt Practices Act and Anti-Kleptocracy Conference this summer was a discussion of the Securities and Exchange Commission’s (SEC) crackdown on hiring the offspring of foreign officials to gain business advantage. Chuck Duross, Head of the Anti-Corruption Practice at Morrison & Foerster, Matt Tanzer, Chief Ethics and Compliance Officer at Johnson Controls, and Raja Chatterjee, Chief Risk Officer at Tishman Speyer, discussed the topic during our FCPA Compliance Success Stories panel moderated by Protiviti Director Pam Verick. Below, I’d like to offer you a recap of the perspectives they provided, with which I, and many anti-corruption advisory practitioners very much agree.

Anyone with hiring authority has likely been approached by a friend, a customer, or an important business contact, seeking to leverage the relationship on behalf of a family member seeking a job or internship. In fact, employee referrals are often encouraged and even institutionalized since such recruiting channels are a much lower-cost alternative to the use of outside recruiters. Even when the identification of candidates through referrals is not programmatic, the practice is common. Thus, the old saying: “It’s not what you know, but who you know.”

The rules are different, however, when the person doing the asking is a foreign government official, and the employment offer could be construed as “something of value” that has been offered in exchange for an unfair business advantage. Such quid pro quo arrangements fall under rules of the Foreign Corrupt Practices Act (FCPA). The practice has come to be known as the “princeling” problem — because many of the beneficiaries, especially in China, are the offspring of senior Chinese government officials, often referred to as “princelings” — and the SEC has been particularly focused on the practice.

The FCPA prohibits companies from improperly influencing foreign officials with anything of value, including cash payments, gifts, or in this case, jobs or internships.

In one high-profile case, a telecom company agreed to pay almost $8 million to settle an FCPA enforcement action for hiring relatives of Chinese government officials. In another, a major financial holding company paid almost twice that for providing student internships to family members of foreign government officials affiliated with a Middle Eastern sovereign wealth fund. The latter case raised a lot of eyebrows, because two of the internships in question were unpaid. The SEC contended that the value was in the internship itself, which was a coveted and highly competitive position.

It’s easy to see how a company could get into trouble. Executives tend to be sales-focused when meeting with clients, so there’s a natural tendency to accommodate an important business contact when they mention that a family member needs help finding a job. The resulting internal efforts undertaken on behalf of the candidate most often occur by email. Resumes are communicated by email and then are forwarded along to someone in a recruiting role along with some context as to who the candidate is. It wouldn’t be unusual if that email overstated the importance of the relationship with the business contact asking for the favor in an effort to ensure that that the candidate gets the desired attention. Those emails, which may even include the original email from the foreign official who transmitted the candidate’s resume in the first place, can make it very difficult to deny a quid pro quo. The trouble is multiplied if the business contact making the request is a foreign official who wields influence over the company’s business and especially if the candidate is not someone who meets the company’s hiring criteria for the position. This is when the FCPA gets involved.

From a compliance perspective, the key to avoiding trouble is to have a structure in place to prevent such conflicts from developing. One of the best ways to do that is through segregation of duties — separating sales from hiring decisions. Taking executives out of the hiring loop allows them to be gracious in the moment, by agreeing, perhaps, to accept a resume, but with the understanding that they have no sway in the decision-making process. Empowering the Human Resource department to function independently helps to ensure that all hiring decisions are made based on objective qualifications, independent of any business dealings.

In addition, documented policies and procedures, and a clear paper trail, can ultimately serve as a backstop in the event of, say, a whistleblower compliant. If the company has a record, it can demonstrate to investigators that the position was open, the applicant was qualified, and the hiring followed normal vetting procedures.

By and large, human resources and recruiting personnel want what is best for the organization, and they understand the importance of compliance. Aligning an organization’s hiring practices with the anti-corruption program by communicating and applying proper hiring procedures that separate the recipients of backchannel candidates from the hiring decisions may look like unnecessary hoops to jump through but can mean the difference between being the latest example of “the princeling problem” or not.

Happy Cow vs. Hedgehog: Getting Straight on Principle 8

In conjunction with International Fraud Awareness Week, we will be running a series of blog posts by our Investigations & Fraud Risk Management practice leaders. For more on the topic, and to listen to our recorded webinars, visit www.protiviti.com/internalinvestigations.

Pam VerickBy Pamela Verick
Director, Investigations & Fraud Risk Management

 

 

 

International Fraud Awareness Week provides the opportunity to have meaningful dialogue on a topic that often seems difficult for many executives to freely talk about, unless it’s at a designated time for “awareness” or “assessment.”

The topic is fraud risk.

Many organizations are now well into the adoption of COSO 2013 as their integrated control framework in complying with Sarbanes-Oxley Section 404 (SOX) and for other purposes, but are still struggling with Principle 8 – a critical part of the Risk Assessment component of COSO 2013. Principle 8 focuses on four types of fraud – fraudulent reporting, corruption, asset misappropriation, and management override of controls – and the potential for each risk to occur.

Some management teams seem clouded by a “No Fraud Here” mentality, in which fraud is simply not possible within their organization. In these cases, management often views a fraud risk assessment as a mere afterthought, “check the box” exercise, or even a “necessary evil.” Others don’t want to “plant ideas” in the minds of their employees. However, it’s important to remember that fraud is an inherent risk within every organization. Principle 8 is not about rooting out hidden fraud, it’s about taking a realistic and objective look at where fraud could occur, the likelihood and impact a fraud risk event could have on the financial, operational and reputational well-being of the organization, and ensuring that there are appropriate controls either to prevent or detect such risk.

Some organizations simply place all fraud risks in the “green zone” – all good! No yellow caution flags, or red danger signs, just one big field of green. I call it the “Happy Cow” syndrome – big happy cows unwittingly grazing in a wide green field with not a care in the world.

However, that’s not the world organizations live in today. Sadly, the potential for fraud is woven into the fabric of everyday business. Jim Collins, in his book Good to Great, extolled the virtues of good planning and a strong survival instinct over a reactive, “we’ll cross that bridge when we come to it” mentality. He equated planners with “hedgehogs,” after the 1950s business parable by philosopher Isaiah Berlin — which told the story of a frenetic fox who exhausted himself running from a wolf, while his companion, a hedgehog, mitigated risk with the simple strategy of presenting himself as a spiky ball.

When it comes to Principle 8, a hedgehog would:

  • Recognize that considerations of fraud are part of the overall risk assessment process, which also includes Principle 6 (defining risk objectives) and Principle 7 (identifying and analyzing risk)
  • Prioritize both inherent and residual risk
  • Consider various types of fraud (COSO Points of Focus 31), along with those which align with Cressey’s Fraud Triangle:
    • Fraud incentives and pressures (COSO Point of Focus 32)
    • Opportunities (Point of Focus 33)
    • Attitudes and rationalizations (Point of Focus 34)
  • Respond to fraud risk with a balanced approach to prevention and detection controls

In a world driven by SOX compliance in the United States and similar compliance regimes in other countries concerned with internal control over financial reporting, there is a tendency to focus fraud risk assessment activities on financial fraud. But recent events, such as allegations of fraudulent environmental impact statements, and the reputational damage caused by inflated resumes of top executives, illustrate the need for a clear-eyed evaluation of fraud risk beyond activities which specifically impact financial reporting.

From a practical standpoint, that means expanding the types of fraud considered within a risk assessment, greater inclusion of personnel from all departments, business units and locations, and the use of multiple techniques (brainstorming sessions, fraud risk workshops, interviews and employee surveys) to identify and validate potential vulnerabilities arising from fraud.

As we celebrate Fraud Awareness Week, let’s put to rest the defensive and dangerous doctrine of “No Fraud Here.” It’s time we all positively embraced the responsible and necessary action of a well-planned fraud risk assessment. And it’s time we stopped being happy cows with a comfortable but unrealistic outlook and became more like hedgehogs, who have considered the danger and are suitably prepared for it. Because that’s how, I think, we get not simply from good to great, but from good to exceptional!

Who Are Your Customers, Business Partners and Employees? Information Drives an Effective Anti-Corruption Program

In conjunction with International Fraud Awareness Week, we will be running a series of blog posts by our Investigations & Fraud Risk Management practice leaders. For more on the topic, and to listen to our recorded webinars, visit www.protiviti.com.

scott-moritzBy Scott Moritz
Managing Director, Leader of Protiviti’s Investigations & Fraud Risk Management practice

 

 

The difference between high-performing anti-corruption programs and those that aren’t often comes down to the information that the organization collects and analyzes in the execution of its anti-corruption vigilance. Such information provides the basis for informed decisions across a wide range of anti-corruption activities: background investigations of customers; controls and prohibitions over gifts, travel and entertainment; the review and approvals of requests to make charitable donations; and hiring decisions, among others.

Effective anti-corruption programs are tailored to fit a company’s unique size, product mix and customer base and take into consideration the Hallmarks of Effective Compliance Programs as outlined in A Resource Guide to the U.S. Foreign Corrupt Practices Act (the Guide), published by the U.S. Department of Justice and the Securities and Exchange Commission (2012), as well as other authoritative guidance. The Guide provides detailed information on what the U.S. government views as an effective compliance program; however, companies that are not collecting the right information on which to make critical compliance decisions risk violating the Foreign Corrupt Practices Act (FCPA) just the same.

Below, we outline the three most critical areas for which companies need to collect the right information, in order to deem their anti-corruption programs effective.

1. Customer Information and Categorization

Most companies are ill-prepared to answer even the most basic questions about their customers – for example, whether the customer is a government or private enterprise. These companies must collect sufficient information (e.g., the identity of majority shareholders, directors and key executives) that would allow them to readily identify the category of customer they are engaging with. Employees of government agencies, state-owned companies or public international organizations, such as the World Bank, the International Red Cross or the United Nations, are very likely to meet the definition of “foreign officials,” and interaction with foreign officials in a commercial context needs to be conducted with careful scrutiny to avoid violating anti-bribery statutes.

The risk comes into play most often where gift-giving and charitable contributions are involved. If your organization is not collecting that type of information that would allow it to distinguish foreign officials from regular customers easily, classifying them into risk categories, and educating company personnel on the risks of providing gifts, paying for travel or entertainment of these individuals, either directly or through your retained intermediaries, sooner or later you will find yourself offering “something of value” to gain “an unfair business advantage” – which together form the basis of a bribe payment and a violation of the FCPA.

Companies with well-developed anti-corruption programs, on the other hand, not only have this type of knowledge about their customers but they also anticipate the need to provide a gift, entertainment or contribution and have a control process in place through which they ensure the propriety of the interaction. The process may include submitting a written request, setting forth the details of the proposed business courtesy or contribution, the nature of the relationship with the receiving customer or agency, and the business case supporting the need. This enables a supervisor to evaluate whether the gift is reasonable and appropriate from an anti-corruption compliance perspective, and positions the company to better defend itself if a law enforcement or regulatory agency were to question the transaction later on.

2. Focus on Intermediaries

Another common lack of knowledge relates to third-party business partners and the subset of those that can act as intermediaries for the company and as such give rise to liability under anti-bribery laws. To protect itself from being held liable for violations by a third party, a company must have complete transparency and control over its non-U.S. intermediaries’ practices, including sales and payment practices, record-keeping, and the extent of anti-corruption training of the intermediary’s employees – especially those likely to interact with foreign officials.

Some intermediaries may be designated as “high risk” and held to a heightened standard of care if they meet certain criteria. The criteria used to risk rank intermediaries often includes whether they are operating in a country designated as representing high corruption risk by the Transparency International Corruption Perceptions Index; whether they are paid by a sales commission, contingency fee or success fee; and whether the nature of their business activities puts them in regular interaction with government agencies and state-owned companies. In this last category, sales agents, distributors, freight forwarders, customs brokers, environmental consultants, tax advisers, lawyers, accountants and consultants are most commonly among the types of business intermediaries that represent heightened corruption risk.

It is also important that intermediaries apply the same standard of care with regard to gift-giving as the company. This is especially true for distributors, since companies often have little knowledge about the distributors’ customer base. Distributors should be classifying customers themselves and submitting planned gifts for approval, similar to the company’s own anti-corruption practices.

3. Employment and Internship Candidates

Recent investigations and enforcement actions have brought into focus certain illegal hiring practices and have exposed the fact that many companies do not really know whether a candidate is a family member or close associate of a government official with whom the company does business. While hiring the family member of a government official isn’t necessarily illegal, these are potential high-risk hires, and companies need to be careful to ensure that a new hire or intern does not represent either a conflict of interest or the appearance of quid pro quo.

The problem is that most companies are not collecting the type of information about their potential hires that would enable them to make this risk-based decision. The most important things to know are whether any of the candidate’s family members are foreign officials and whether anyone within the company was asked by a foreign official to assist the candidate in securing employment. The company also needs to determine whether it has had any prior business with the government or state-owned agency to which the prospective hire is connected, to avoid accusations of quid pro quo (hiring a relative of a government official in exchange for a government contract, for example). By understanding upfront the candidate’s political connections, the company can take steps to ensure that the candidate meets all of the company’s hiring criteria, there is no business before the candidate’s family members at the time of his or her candidacy, and no other factors exist that would result in contravention of the law.

At the end, it all comes down to knowing the vital information needed in the appropriate circumstances and asking the necessary questions to obtain that information. While an effective anti-corruption program involves more than learning about your customers, intermediaries and employees, companies that understand the critical significance of the above three areas and are serious about improving the quality of the data they collect and analyze to support their decision-making processes will significantly reduce their risks of violating the Foreign Corrupt Practices Act, the UK Bribery Act or other anti-corruption statutes.

Vendor Fraud — Scott Moritz Answers Your Questions

Scott Moritz - Protiviti NY 2013 (hi res)Scott Moritz, Managing Director
Leader, Protiviti’s Fraud Risk Management Practice

 

 

Our webinar series on internal investigations is generating lots of good questions from participants. The series kicked off in November 2014 with Internal Investigations for Non-Investigators, which offered a broad overview of the topic. The second webinar, Misplaced Trust: Investigating Vendor Fraud, was held in March 2015.

The series is co-presented by Scott Moritz, global lead of Protiviti’s Investigations & Fraud Risk Management practice, and Peter Grupe, a director in that group. Scott has 28 years of investigative experience, including nearly 10 years as an FBI special agent. Peter, a former assistant special agent in charge of the FBI’s white collar crime program in New York, has over 25 years of experience investigating financial crime.

In this blog entry, Scott answers some great caller questions that came up in the Vendor Fraud session.

Q: What is a best practice to validate new vendors?

A: Historically, companies collected information from vendors in order to set up payments. This basic data falls far short of what is required to make informed risk-based decisions — for regulatory compliance and fraud risk management, among other things.

Today, companies need to be able to readily segregate upstream suppliers from those empowered to act on the organization’s behalf (often referred to as “intermediaries”). If a company acts on your behalf, Protiviti recommends collecting richer data — including the names of executives, owners, and whether the company is public, private, or government-owned; how long the company has been in existence, revenue (if disclosed), and whether the client is the vendor’s largest customer.

Q: If you are performing a typical vendor audit (i.e., no initial suspicion of fraudulent activity), what are the best techniques to identify fraud, such as vendor kickbacks?

A: Just because you don’t suspect vendor fraud, doesn’t mean it’s not going on. Vendor fraud is the most common type of fraud and accounts for 18 percent of fraud losses — particularly at large organizations.

Top of mind:

  • Compare vendor master data with personnel data. Look for addresses in common. (Be mindful of privacy restrictions in certain jurisdictions such as the EU).
  • Vendors of almost any size will leave some sort of footprint in the public domain – social media presence, etc. You would expect any commercial entity to have some record of its existence in the public domain. Entities that exhibit little to no footprint warrant closer scrutiny.
  • It is also prudent to search global watch lists, such as by the Office of Foreign Assets Control (OFAC), which tracks international trade violators and sanctions; the U.S. General Services Administration’s (GSA) System for Award Management (SAM) list, which includes a list of companies that have either failed to perform or have committed fraud against the U.S. government and have been debarred; and the U.S. Department of Commerce Bureau of Industry and Security list, which includes companies that have violated U.S. boycott laws.
  • Look for red flags. Kickbacks are a type of fraud that may raise very specific red flags. Compare contracts for a vendor suspected of paying kickbacks to those of comparable vendors – is unit pricing or aggregate spend out of line? Did your investigation reveal that one or more employees are unusually close to someone at the suspect vendor?

Q: Can you give some examples of the types of background checks you perform on new or existing vendors?

A: First, let me distinguish between a background check and the watchlist matching process (sometimes referred to as “screening”) we were discussing earlier. Screening deals primarily with vendor-supplied information and comparing it to one or more lists of debarred parties. Background investigations use publicly available information, beyond the watch lists I’ve mentioned, to bring to light past bad behavior by vendors that may cast doubt on their character and the veracity of self-reported data. Public information includes things such as regulatory actions, pending or prior criminal actions, lawsuits, bankruptcies, liens, judgments, affiliated companies, companies with common ownership, etc.

If the public record shows that somebody has done something improper or illegal in the past, there’s a good chance they’re going to do something similar in the future. Not a lot of people (or companies) wake up one day and decide to embark on a life of white collar crime. Most people involved in fraud or corruption have been involved in similar crimes for many years and very few of them find redemption.

Q: In doing a standard, cyclical vendor audit, what are some things we should look for to identify vendor-related fraud? Presumably, the vendor itself in all these cases is legitimate as we are doing business with them.

A: The GSA produces a blacklist of companies that have either consistently failed to perform their obligations under government contracts, or have defrauded the government. If a vendor has no qualms about defrauding the federal government and facing those kinds of sanctions, they’re going to have no qualms about defrauding you. Debarments are a sign you want to pay attention to, as past behavior is a good predictor of future behavior. There is a wide array of debarment lists maintained by the federal, state and local government as well as several of the larger, multilateral banks (World Bank, European Bank for Reconstruction and Development, Inter-American Bank, etc.)

We’ve seen a significant uptick in demand for master vendor file audits. Not sure what is contributing to this, but a lot of organizations are finding that the volume of vendor contracts requiring auditing is overwhelming and are seeking to leverage electronic tools to detect undisclosed conflicts of interest, fictitious vendors and any vendors who have pending or historical sanctions against them.

Protiviti will continue to promote an ongoing dialogue on fraud, fraud risk, financial crime and corruption through its thought leadership and continuing its webinar series on internal investigations.

Preventing Money Leaks: Vendor Fraud and How to Fix It

One of the most common ways organizations are victimized is through vendor fraud.

Though frauds can be perpetrated in a variety of ways, vendor fraud is the most pervasive, and typically occurs through manipulation of a company’s accounts payable and payments systems for illegal personal gain. Billing schemes, check tampering, bribery and extortion are all examples of the crime that occurs all too frequently – sometimes, siphoning company funds for years without detection.

As with other forms of fraud, taking preventative measures is an effective deterrent to vendor fraud. Similarly, developing investigative protocols that can be implemented quickly when crisis strikes can minimize damage and help protect brand reputation.

Recently, Scott Moritz, Protiviti’s managing director and global leader of the Investigations and Fraud Risk Management practice, and Peter Grupe, a director in the same practice with more than 20 years of experience in the fraud division of the FBI, hosted a webinar discussing ways to investigate vendor fraud, including how to avoid tipping off the fraudsters and when to call in third-party help.

Fraud investigation teams are typically engaged under one of two scenarios: Either there’s a strong suspicion that an individual or a group is conducting illicit activity, or unusual transactions have been detected, warranting additional investigation.

The first step in identifying vendor fraud is reviewing vendor master files and scrutinizing business partners. For example:

  • Look for unknown company names
  • Compare mailing addresses against the employee address database
  • Investigate vendors with PO boxes for addresses

These steps are critical in discovering “shell companies” that may have been created to divert and accept unwarranted payments. A vendor address that appears to be a residence may be a red flag indicating an illicit company formed to provide cover for perpetuating fraudulent schemes.

Indeed, proper maintenance and periodic reviews of the vendor master file are preventive measures that can go a long way toward curbing vendor fraud. Negligence on this front makes it all too easy for criminals to infiltrate a company and perpetrate fraud. Moritz recommends establishing a thorough vendor-acceptance process that includes vetting prospective business partners with background checks and confirming ownership with state business registration databases. He also advises segregation of duties between receipt of goods and payment of invoices.

Once suspicious activity is identified, companies often are too anxious to begin interviewing witnesses and suspects. But demonstrating restraint at this stage is critical to avoid giving fraudsters time to cover their tracks.

What you do in the first 48 hours is critical. Accurate and thorough documentation of any investigation is essential, especially if civil or criminal litigation is to follow. It is thus vital to have an investigation plan in place before the need for it arises.

An investigation plan should cover the following:vendor fraud,

  • Defining the scope of the investigation
  • Selecting investigation participants
  • Establishing communication protocols for progress reports
  • Preserving evidence
  • Conducting interviews
  • Documenting and providing deliverables

The planning process allows companies to assign internal investigative resources and identify external service providers for critical elements, such as forensic investigations, crisis communications and legal advice. Note that contracts with such providers should be negotiated in advance so they can be activated immediately.

The bottom line is, attempts at vendor fraud inside companies will not go away in any foreseeable future, however, proper preparation – from careful vendor approval to established investigation processes – is the best means companies have for thwarting vendor fraud and/or reducing its effects on the organization.

Jim