INDEPTH FEATURE: Corporate Fraud & Corruption 2024

J.S. Held

[authors: Karyl Van Tassel and Ryan Pisarik]

The material in this interview was researched, compiled, and written by J.S. Held. It was originally published by Financier Worldwide in March 2024. The full interview article can be viewed here.

To what extent are boards and senior executives in your country of focus taking proactive steps to reduce incidences of fraud and corruption from surfacing within their company?

Over the past several years, there has been greater emphasis by boards and senior executives on taking proactive measures to combat fraud and corruption. This comes in various shapes and sizes but includes more prominent seats at the table from ethics and compliance departments and internal audit groups. Receiving direct feedback from the frontline personnel who are focused on fraud and corruption daily is critical in understanding the prevalent issues, how the issues are being tested and ultimately how the company is mitigating risks. We have also seen senior executives become more comfortable with the use of data analytics and artificial intelligence tools that can better detect instances of fraud and corruption much earlier than could be done historically. The use of data analytics is an important component given the regulatory scrutiny in this area.

Have there been any significant legal and regulatory developments relevant to corporate fraud and corruption in the US over the past 12-18 months?

In early 2023, the US Department of Justice (DOJ) updated its guidance related to corporate compliance programmes. Although the update covered several areas, two key new takeaways included the need for appropriate compliance policies for use of personal communication devices and communication programmes, including ephemeral messaging, as well as clawback in compensation in cases, as appropriate. This guidance is critical for companies to consider in evaluating their compliance programmes. In late 2023, the DOJ introduced its Safe Harbor Policy for Voluntary M&A Self-Disclosures, marking a clearer delineation of current compliance standards for companies navigating mergers and acquisitions. While anti-corruption due diligence has been a familiar concept in compliance, the department’s comprehensive policy now provides explicit guidance on when to report any misconduct. Further, the new policy emphasises the importance of companies promptly recognising significant risks associated with the target and performing transaction-level due diligence to assess the possibility of any potential breaches. The policy further enhances corporate expectations on how and when it should be conducting diligence and further reinforces the regulators’ commitment to enforcing ethical business practices.

When suspicions of fraud or corruption arise within a firm, what steps should be taken to evaluate and resolve the potential problem?

One critical step that should be taken by companies but is oftentimes overlooked is immediately securing data related to the potential problem. Initial data mapping for all relevant possible sources that could be used during an investigation is often key to successful investigations. Sometimes those critical hours immediately after a problem is identified are the most crucial in making sure there is as little spoliation as possible. Another critical step is engaging outside counsel and forensic personnel (including forensic accountants and forensic technology) at the outset of an investigation, even if only to brainstorm next steps and develop a sound investigation plan, including ensuring any privilege issues are adhered to from the outset.

Do you believe companies in the US are paying enough attention to employee awareness, such as training staff to identify and report potential fraud and misconduct?

Although training has evolved over the years and become more dynamic, companies often still revert to training programmes that are stagnant and have not been updated to reflect a company’s current business practices. More dynamic training involving case studies, demonstrations and real-life situations is oftentimes more effective in raising employee awareness. Companies also tend to stick with more formal web-based training which easily documents the training participants for tracking purposes, whereas more ad-hoc and informal training that is administered throughout the year and in different forums, such as online, via email or in-person, tends to be more impactful and successful. Customising training so that it is specific to an employee’s job duties and position makes the training more real and focused, and increases effectiveness.

How has the renewed focus on encouraging and protecting whistleblowers changed the way companies manage and respond to reports of potential wrongdoing?

With additional whistleblower protections and rewards that are being provided by regulators to whistleblowers, companies need to take all complaints more seriously than they have in the past. Recently, the DOJ announced a new whistleblower programme to further incentivise reporting of misconduct. Although this will mean more costs to organisations, the potential risks for not undertaking thorough investigations and protecting whistleblowers are extensive. The potential risks are not only financial in nature, but the reputational risks can be even greater if it is determined that companies are not investigating the root cause of the issues that are identified and remediating those issues timely by increased policies, procedures, internal controls and testing.

Could you outline the main fraud and corruption risks that can emerge from third-party relationships? In your opinion, do firms pay sufficient attention to due diligence at the outset of a new business relationship?

An examination of some of the largest settlements and deferred prosecution agreements reflects that third-party relationships are often the highest risk areas of a company’s risk profile. This is due to several factors, although the general lack of control over third parties’ actions and lack of visibility into the inner workings and financial transactions are two key factors. Although we have seen an increased focus on third parties, more can still be done to adequately manage the risks. Two ways companies are mitigating this risk are through third-party audits, assuming audit rights have been built into the contracts and agreements, and conducting more robust due diligence and know your customer screening at the outset of the relationship. Further, it is important to not only conduct due diligence at the outset of the relationship, but also to have a system in place to risk rank those third parties and update the diligence on a regular basis.

What advice can you offer to companies on implementing and maintaining a robust fraud and corruption risk management process, with appropriate internal controls?

The biggest piece of advice for companies is to be flexible in their approaches to managing risk. Fraud and corruption schemes change over time, and companies must be willing to think outside of the box and adapt to evolving threats. Additionally, the business itself changes over time, as do the resulting risks. Maintaining the status quo when it comes to policies and procedures, or using traditional transaction testing and forensic auditing measures, is typically not enough to maintain controls that will mitigate fraud and corruption risks as they evolve. Additionally, with the growth of data globally, companies need to lean into the use of alternative tools that can more quickly and efficiently mine that data for answers and uncover potential issues sooner. Following recommendations made by regulatory agencies as to compliance controls and procedures will help mitigate the risks and potential financial ramifications if an investigation does occur.
