Q&A: Fraud risk management: lessons learned in the COVID-19 era
July 2020 | SPECIAL REPORT: WHITE-COLLAR CRIME
Financier Worldwide Magazine
July 2020 Issue
FW discusses the fraud risk management lessons to be learned in the COVID-19 era with John Hanson at BDO and Ben Kaye-Smith at Novartis.
FW: How would you gauge the impact that coronavirus (COVID-19) is having on the levels of fraud risk facing companies? To what extent is the current crisis heightening the risk of fraud?
Hanson: A tool that fraud experts use to evaluate fraud risks within organisations is the fraud triangle, which opines that when risks within three particular areas – referred to as ‘causal factors’ – simultaneously increase, the risk of occupational and internal fraud increases. The three causal factors are: opportunity, rationalisation and motivation. Suffice to say, the impacts of coronavirus (COVID-19) have increased and will continue to increase the risks within each causal factor, therefore increasing the risks of people engaging in fraud and misconduct in the workplace. In the wake of COVID-19, I believe that the risk of fraud will reach unprecedented levels and companies need to be extra vigilant and prepared for it.
Kaye-Smith: The full extent of economic pressure as a result of the pandemic has not yet been realised, however it is reasonable to anticipate fraud risk will increase. The type of fraud observed is likely to change. For example, due to restrictions relating to travel and customer interactions, expense fraud will reduce, but with business models changing, and increased reliance on new technologies and platforms, exposure and vulnerabilities may exist in other areas.
FW: Could you provide some examples of the types of fraud that the current climate is engendering? What specific and unique dynamics does the COVID-19 crisis present, in terms of creating opportunities and exploiting vulnerabilities?
Kaye-Smith: With the increasing pressure on healthcare systems and strain on patients, criminals may increase efforts to proliferate falsified medicines within the marketplace. Given the dire consequences to patients, such fraud is of significant concern to all stakeholders throughout the healthcare industry. Also, given the increasing dependence on virtual tools, IT systems and infrastructure, companies must be acutely aware and adequately prepared to protect patient, employee, customer and company data against malicious cyber attacks, which have increased during the pandemic. Many companies’ ability to perform due diligence may be impeded and, as a result, fraudulent records or documentation may go undetected. Such cases may be encountered as part of basic employment screening exercises, or more significant instances, such as data manipulation in connection with the conduct of clinical trials, due diligence conducted in connection with third-party vendor selection, or assessment of business development and licensing (BD&L) or M&A opportunities. Within the pharmaceutical industry, it is often necessary to engage external specialists, such as healthcare professionals, to support in either the gathering of insights or the dissemination of important medical education among the medical community. Evidencing of service delivery can be made more difficult in a virtual setting and if not carefully managed may result in fraudulent service claims and expose an organisation to allegations of improper interactions with healthcare professionals. Where employees are required to register through electronic badge access in a physical office location, unsupervised remote working presents an opportunity for fraudulent claims of hours claimed by an associate. Finally, organisations must be wary of fraudulent goods or services specific to COVID-19 disease management, such as substandard personal protective equipment (PPE), fake or ineffective testing equipment and so on.
Hanson: One of the causal factors of the fraud triangle is ‘opportunity’, which means the ability of a person to commit a fraud. As companies have, among other actions, felt it necessary to remain in or ‘save’ their business, lay off or furlough employees and subcontractors, duties may no longer be segregated in such a manner as to reduce the opportunity for fraud. Similarly, internal controls may no longer be functioning as effectively, creating opportunities for employees to commit fraud. These are just a couple of examples intended to demonstrate the concept. In terms of types of fraud, it is unlimited. However, some common examples are misuse and misappropriation of company assets, embezzlement, bank fraud, false claims, including government contracting and healthcare, insider trading, bribery and kickbacks, antitrust schemes, and accounting and financial statement fraud.
FW: Given the unprecedented nature of COVID-19, how should companies go about adjusting their internal control environment to reduce risk? What should a company’s fraud monitoring and identification efforts entail?
Hanson: The natural tendency of management and owners of companies in a crisis is to cut back on ‘back-office’ operations, which do not directly contribute to revenue generation and therefore have a disproportionately negative impact on profits. Unfortunately, some of those back-office operations include compliance and ethics programmes, internal audit and other areas which are intended to prevent, detect and respond to misconduct and fraud. In these times, perhaps more than ever, companies should ensure that these areas remain funded and operating effectively, that duties remain adequately segregated, and that internal controls remain effective.
Kaye-Smith: While COVID-19 may have turned the world upside down, a company need not apply the same to its fraud monitoring programme. The same general concepts can continue to apply and instead it is a case of adapting and refining fraud monitoring efforts. For example, where spikes in expenditure occur, exposure may exist and so increased monitoring in these areas is advisable. In response to a crisis, there is often a need to move fast, and under such pressure situations an individual may consciously or unconsciously miss, circumvent or disregard key controls established to mitigate the risk of fraud. If instances of rapidly accelerated approvals or release of payments are observed, or increased rates of exception requests noted, this may signal an area where greater vulnerabilities exist. For the monitoring or assurance function itself, it is important to constantly develop and refresh capabilities to ensure they can keep up with the pace of change where new technologies or business practices are introduced.
FW: With the COVID-19 pandemic causing upheaval across supply chains, what steps should be taken to vet and screen third-party business partners – both existing and new – for potential fraud?
Kaye-Smith: The pandemic situation may result in increased pressure to accelerate the onboarding of new vendors or suppliers in situations where, for example, critical third parties may close or are unable to supply or satisfy increased production demand. However, it is important to ensure the correct level of rigour is consistently applied when performing due diligence in order to avoid entering into agreements with third parties that are unable to satisfy required compliance standards. Various checks may be performed that provide insights into potential fraud risk, such as screening local corporate registries, credit reports, social media and social networking searches and so on. Results of the due diligence may identify red flags that trigger further assessment of the third party prior to engagement, for example ambiguous or missing information in business or financial references, unusual payment terms, poor credit ratings, or records of a criminal charge or conviction related to a third-party employee.
Hanson: These are areas that have traditionally borne a great deal of risk already for companies and one would hope those risks have been addressed by, among other things, effective due diligence and monitoring. During these times, it is imperative that companies continue those efforts and not cut them back to reduce costs. I would also recommend gaining an understanding of how those third parties have reacted to the COVID-19 crisis themselves. For example, did they reduce costs by consolidating functions, reducing their own due diligence efforts, cutting compliance and ethics department personnel, or funding and reducing internal controls? Remember, fraud is by definition and nature, hidden. You really need to be actively looking for it all the time.
FW: As economic conditions deteriorate, could this create an environment where desperate, opportunistic employees might be incentivised to commit fraud? How important is staff training to raise awareness and encourage reporting of potential wrongdoing?
Hanson: I will use an example to illustrate the concern that employees may be incentivised to commit fraud at this time. Joe is an accounts payable clerk at ABC Company. Joe’s wife, Susan, was laid off from her job due to COVID-19. As a two-income family, Joe is now faced with significant financial strain and is becoming more and more desperate each month. If an opportunity presents itself – or can be made because of Joe’s experience and training in accounts payable – do you think the risk of Joe taking advantage of it has increased? It has. One way to help address this is training and awareness, as well as encouraging reporting. A company with a good compliance and ethics programme should already be doing that, but this would be a good time to emphasise and encourage it. If a company does not have an anonymous hotline, that would also be a good step.
Kaye-Smith: Increased economic pressure will certainly create an environment where potential for fraud increases. Enabling ‘speak up’ remains a critically important element of an ethics, risk and compliance programme, and now given these challenging times, reinforcing training and awareness on this topic is well justified. Beyond misconduct reporting, promoting a culture to speak up where associates have opportunities to bring alternative perspectives or new ideas can bring much broader benefits. With new technologies and business models being introduced in response to the pandemic, diversity of thought from within and outside the assurance functions can result in far more impactful and effective process or control improvements being realised.
FW: What essential advice would you offer to companies looking to nurture an ethical culture supported by robust governance processes to help minimise fraud losses and associated reputational damage?
Kaye-Smith: There are a number of key elements to consider. First, companies should adopt clear principles-based policies that bring transparency and clarity to the organisation as to what can and cannot be done, and, crucially, why. Second, companies must ensure strong tone from both the top and the middle. It is imperative that managers and leaders role model desired behaviours. Third, companies must reward and reinforce desired behaviours to further drive the culture change, and actively course correct those that are disruptive or harmful. Fourth, companies should develop capabilities and provide meaningful resources and tools that allow associates to exercise and apply ethical judgement. Fifth, in light of the pandemic situation, companies should reassess and, if necessary, adapt incentive programmes, particularly for associates who are measured on external stakeholder engagement to reduce, as far as possible, further financial pressure. Finally, companies must foster a culture of speak up. In these unprecedented times, managers and the broader organisation must balance carefully, and apply with sound judgment, flexibility to ensure the health and wellbeing of associates, patients and customers, with the need to retain necessary rigour and good governance over processes critical to ensuring the ongoing success and sustainability of the business.
Hanson: The ‘ethical culture’ part of this question actually hits the third causal factor of the fraud triangle – rationalisation – nicely. About 92-94 percent of human beings have a conscience and a person with a conscience needs to rationalise ‘bad’ behaviour – such as fraud – psychologically. One of the main ways those who engage in fraud rationalise their misconduct is when the company they steal from has a poor ethical culture. Or, worse, a culture that encourages unethical business and personal choices. Irrespective of COVID-19, I always encourage companies to promote a culture that values and rewards good ethical behaviour, zero-tolerance of unethical behaviour, a trustworthy and effective system for reporting unethical behaviour and safeguards against retaliation. The sad truth, however, is that changing ethical tone is more akin to turning an aircraft carrier group than flipping a switch – it takes time, coordination and effort. If a company had a poor ethical culture prior to COVID-19, it certainly needs to work on changing that, but it also should expect that significant damage may already have been done or be occurring.
FW: Although there is no definitive roadmap for navigating the current COVID-19 climate, how do you envisage the crisis shaping the fraud risk landscape in the months to come? Do companies need to act now to review and enhance their fraud risk management practices?
Hanson: The COVID-19 crisis has had and will continue to have a significant effect on the three causal factors of the fraud triangle, setting the stage for a proverbial tsunami of fraud over the course of the next few years. Most frauds average 14 months from the time they start until they are discovered, and the longer they continue, the more harm they usually cause. Also, officials will have zero tolerance for companies that use cutbacks to internal controls and corporate compliance and ethics programmes due to COVID-19 as an excuse for why misconduct was not prevented more effectively. On the contrary, they are more likely to be asking why more was not done knowing that the risk of fraud is greater now than ever. My advice is to be vigilant. Do not cut losses by reducing compliance programmes and internal controls. Set and demonstrate a positive ethical tone and zero tolerance for misconduct. Encourage reporting. Do not tolerate retaliation and take active measures to prevent it. Make it easy for people to report concerns anonymously. And do not think fraud will not happen in your organisation.
Kaye-Smith: The pandemic crisis will certainly increase the risk of fraud as a result of the current and future economic hardship. Companies must act now to adapt and refine fraud risk management practices to ensure, where possible, they can reduce pressure on individuals, and introduce additional safeguards as new technologies or platforms are leveraged to sustain business continuity. Change management should be carefully considered when introducing or adapting such controls in order to reduce, as much as reasonably possible, any additional strain on the organisation. With every crisis there presents opportunity and with many organisations leveraging further digital and virtual platforms as a result of social distancing and quarantine, companies may explore more automated, data-driven monitoring techniques which can, in turn, result in more efficient and effective fraud detection methods.
John Hanson is a managing director in BDO’s forensic investigation and litigation services practice. With nearly 30 years of experience in fraud investigations, forensic accounting, corporate compliance and ethics and auditing, he has helped organisations prevent, detect, respond to and resolve issues of misconduct, fraud and corporate integrity. He has also served as a special agent with the Federal Bureau of Investigation (FBI), specialising in white-collar crime and investigating complex fraud schemes and financial crimes. He can be contacted on +1 (202) 590 7702 or by email: john.hanson@bdo.com.
Ben Kaye-Smith is the senior vice president ethics risk & compliance at AveXis, a Novartis company. He has extensive experience in establishing and strengthening ethics, risk & compliance (ERC) programmes across the globe, including performance and oversight of investigations. He has worked in various countries, managing ERC across multiple geographies, including Asia Pacific, the Middle East and Africa, and most recently was responsible for managing the global Novartis Pharmaceuticals risk & resilience programme from Novartis headquarters in Basel, Switzerland. He can be contacted on +41 (79) 771 4238 or by email: ben.kaye-smith@novartis.com.
© Financier Worldwide