
Expert Witness or Consultant

One of our newer Chapter members submitted a comment on-line two weeks ago requesting information about the pitfalls involved in the CFE choosing to act as a consultant to a client attorney rather than as an expert witness. This is an important topic for CFEs in individual practice as well as for those serving as examiners on the staffs of private or public entities. The ACFE tells us that CFEs typically act as experts in the legal process by assisting attorneys with the financial details of a suit and testifying about these practices at trial. They analyze documents and transactions, showing how the fraud was accomplished and, when possible, who the most likely perpetrators were. The CFE is a guide and adviser for the attorney in assembling the case, and a major participant in explaining the details of a fraud scenario to a judge and jury.

In general, expert witnesses are typically brought in when required by law, as in malpractice suits where a member of a given profession must explain the infraction against professional by-laws or principles; when key points are deemed sufficiently technical or complex, such as in cooking-the-books schemes involving intricate accounting manipulations, or to assist a jury in making its decision. Federal Rule of Evidence 702 says that an expert witness with appropriate knowledge and credentials may testify in any proceeding where scientific, technical, or specialized knowledge will shed light on the dispute. Even in cases that don’t go to trial, experts may still be involved in mediation, arbitration, settlement conferences, or summary judgment motions.

Experts contribute to the trial process in numerous ways. They provide background information to guide and frame a case; during the discovery process they investigate, run tests, advise on depositions, prepare other witnesses, make exhibits, and respond to the opposition’s discovery requests; they file written opinions, which are entered as evidence into the court record; and they testify in actual proceedings should the case make it to a courtroom.

Once they accept a case, many experts immediately start assembling a narrative version of the events. This detailed summary of the facts of the case serves as the raw material for rendering an official opinion. As we’ve pointed out many times, it’s important that the text be written with care and professionalism because the text may (and probably will) have to be produced during discovery. Additionally, a well-written narrative helps the client attorney in preparing and executing the case at trial.

According to our most experienced members, perhaps the thorniest challenge for CFEs, once they’re engaged to work on a case, is setting a value on the specific business losses due to a fraud. Depending on the facts, there may be several methods for evaluating net worth/net loss, each rendering a different number at the end. And regardless of the numbers, there’s always the human element. Calculating business loss is a challenging task in a complex case because the examiner has to consider the amount of business being done, try to reconstruct the market conditions, think about competitors, and then calculate the amount of direct personal benefit; all of these factors being intertwined. In such cases, the examiner must consider a variety of points, prepare an estimate of loss, and then, most often, try to work out a compromise.

Article V. of the Association of Certified Fraud Examiners Code of Professional Ethics states:

A fraud examiner, in conducting examinations, will obtain evidence or other documentation to establish a reasonable basis for any opinion rendered. No opinion shall be expressed regarding the guilt or innocence of any person or party.

The rule that prohibits opinions regarding the guilt or innocence of any person or party is a rule of prudence. Clearly, it’s prudent for a Certified Fraud Examiner to refrain from usurping the role of the jury. In a courtroom, no good attorney would ask a CFE for such a conclusion, and no alert judge would allow such testimony. The fraud examiner’s job is to present the evidence in his or her report. Such evidence might constitute a convincing case pointing to the guilt or innocence of a person. But a clear line should be drawn between a report that essentially says, “Here is the evidence” and one that steps over the line and says “S/he is the guilty (innocent) person.” Nevertheless, there is a fine line between recommending action (forwarding the evidence to a law enforcement agency or filing a complaint or lawsuit) and giving an opinion on guilt or innocence. CFEs may make such recommendations because they think the evidence is strong enough to support a case. They might even have a conclusion about whether the suspect committed a crime. The rule does not prohibit the CFE, under the proper circumstances, from accusing the person under investigation. However, the ultimate decision of whether a person is “guilty” or “innocent” is for a jury to determine. The CFE is free to report the facts and the conclusions that can be drawn from those facts, but the decision as to whether a person is guilty of a crime is a decision for the judge or jury.

Caution is the by-word for every expert witness at every step of the legal process. According to discovery rules governing expert testimony, everything the expert says or writes about the case after being hired is subject to discovery by opposing counsel. That means everything: narrative versions of the case, comments to the press or law enforcement, hypothetical reconstructions, even notes can be demanded and used by the opposing party. A shrewd attorney can use an expert’s preliminary notes containing drafts of an opinion and other purely deliberative information to call the witness’s testimony into question. The only exception is when the expert is hired by the attorney purely on a consulting basis. An expert witness has no privilege. The principle of privilege exists to protect certain core societal relationships (attorney-client, husband-wife), but the expert witness’s relationship with clients is not among those protected. If the expert’s opinions will be presented in court, everything related to the expert’s opinion is discoverable by the defense.

There is an exception. The CFE expert may consult on the client attorney’s work product, i.e., materials the attorney prepares as background for a case. While performing background work, the expert is said to be working as an associate of the attorney, so the exchange is protected; they are two professionals conferring. However, once the expert is hired as a witness and begins entering opinions as part of the attorney’s case, there is no privilege for any contribution the expert makes. The distinction is something like this: when acting as “witnesses,” experts are bringing official information to the court, and so must disclose any contact with the case; when experts act as “consultants” or “associates” for attorneys or law enforcement, they are only assisting the attorney, and do not have to disclose their involvement in the case. However, if a testifying expert reviews the work of the consulting expert, then the work of the consulting expert will be discoverable. Remember this: if a CFE is hired to testify at trial, anything he or she used to form his or her opinion will be subject to review by the opposing party. This includes notes from other experts, documents received from the plaintiff or defendant, and any documents or notes from the attorney. CFEs should be sure to consult with the client attorney before reviewing anything. If the attorney has not given the document to you, then ask before you read. Otherwise, you may inadvertently destroy the confidentiality or privilege of the material.

In summary, the best way to protect the confidentiality of information is to keep good files. Any materials which serve as the basis for an expert’s opinion must be in the file. Notes, documents, or tests that serve as background, or that represent unfruitful lines of investigation, don’t have to be included, and probably shouldn’t be. The attorney trying the case doesn’t want an expert having to answer about investigative dead ends or exploratory side lines; a shrewd cross-examiner can turn a hastily scribbled hypothetical into reasonable doubt, just enough to avert a conviction. So, in the best-case scenario, an expert presents to the court an opinion and its basis, nothing more, nothing less.

Vendor Assessment – Backing Corporate Counsel

Pre-emptive fraud risk assessments targeting client vendor security are increasingly receiving CFE attention. This is because in the past several years, sophisticated cyber-adversaries have launched powerful attacks through vendor networks and connections and have siphoned off money, millions of credit card records and customers’ sensitive personal information.

There has, accordingly, been a noticeable jump in those CFE client organizations whose counsel attribute security incidents to current service providers, contractors and former partners. The evolution of targets and threats outside the enterprise is powerfully influencing the current and near-future risk landscape. CFEs who regard these easily predicted changes in a strategic manner can proactively assist their client’s security and risk leadership to identify new fraud prevention opportunities while managing the emerging risk. To make this happen, enterprises require adequate oversight of, and insight into, vendor-related fraud and security risk as part of a comprehensive cyber-risk management policy.

Few managements anticipated only a few years ago that their connectivity with trusted vendors would ever result in massive on-line exploits on sister organizations like retailers and financial organizations, or, still less, that many such attacks would go undetected for months at a time. Few risk management programs of that time would have addressed such a risk, which represents not only a significant impact but whose occurrence is also difficult to predict. Such events were rare and typically beyond the realm of normal anticipation; Black Swan events, if you will. Then, attackers, organized cyber-criminals and some nation-states began capturing news headlines because of high-profile security breaches. The ACFE has long told us that one-third (32 percent) of fraud survey respondents report that insider crimes are costlier or more damaging than incidents perpetrated by outsiders and that employees are not the only source of insider threat; insider threat can also include former employees, service providers, consultants, contractors, suppliers and business partners.

Almost 500 such retailer breaches have been reported this year alone targeting credit card data, personal information, and sensitive financial information. There has, accordingly, been a massive regulatory response. Regulators are revisiting their guidelines on vendor security and are directing regulated organizations to increase their focus on vendor risk as organizations continue to expand the number and complexity of their vendor relationships. For example, the US Office of the Comptroller of the Currency (OCC) and the Board of Governors of the US Federal Reserve System have released updated guidance on the risk management of third-party relationships. This guidance signals a fundamental shift in how retail financial institutions especially need to assess third-party relationships. In particular, the guidance calls for robust risk assessment and monitoring processes to be employed relative to third-party relationships, and specifically those that involve critical activities with the potential to expose an institution to significant risk. CFEs and other assurance professionals can proactively assist the counsels of their client enterprises to elevate their vendor-related security practices to keep pace with the ever-evolving fraud threats and security risk associated with their client’s third-party relationships.

Vendor risk oversight from a security point of view demands a program that covers the entire enterprise, outlining the policy and guidelines to manage and mitigate vendor security risk, combined with clearly articulated vendor contracts negotiated by the corporate counsel’s function. Such oversight will not only help organizations improve cybersecurity programs but also potentially advance their regulatory and legal standing in the future. What insights can CFEs, acting proactively, provide corporate counsel?

First, the need for executive oversight. Executive alignment and business context are critical for appropriate implementation throughout the organization. Proper alignment is like a command center, providing the required policies, processes and guidelines for the program. The decision to outsource is a strategic one and not merely a procurement decision. It is, therefore, of the utmost importance that executive committees provide direction for the vendor risk management program. The program can obtain executive guidance from:

–The compliance function to provide regulatory and other compliance requirements that have specific rules regarding vendor risk management to which the vendor organizations must adhere;

–The IT risk and control function to determine the risk and the risk level, depending on the nature of access/data sensitivity shared with the vendor(s). The vendor risk management program should utilize the key risk indicators provided by this function to address risk during vendor assessments;

–The contract governance function and corporate counsel to ensure that vendor contracts adequately address the need for security assessments and define vendors’ obligations to complete these assessments.

Most larger organizations today deal with a considerable number of third parties and service providers. Missing contact information, responsibility matrices or updated contracts are typical areas of concern about which risk managers might engage CFEs to initiate fraud risk assessments. This can pose a significant challenge, especially when multiple teams are involved in carrying out the procurement business process. A vendor and contract database (VCD) ensures that an accurate and complete inventory of vendors is maintained, including other third-party relationships (e.g., joint ventures, utilities, business partners, fourth parties, etc.).

In effectively assessing a vendor risk management program, the CFE can’t conduct the same type of fraud risk assessment for all vendors. Rather, it’s necessary to identify those vendor services deemed to carry the greatest risk and to prioritize them accordingly. The first step is to understand which vendors and services are in scope from an active fraud risk management perspective. Once this subset of vendors has been identified and prioritized, due diligence assessments are performed for the vendors, depending on the level of client-internal versus vendor-owned fraud prevention and detection controls. The results of these assessments help establish the appropriate trust-level rating (TLR) and the future requirements in terms of CFE-assisted reassessments and monitoring. This approach focuses resources on the vendor relationships that matter most, limiting unnecessary work for lower-risk relationships. For example, a vendor with a high TLR should be prioritized over a vendor with a low TLR.

Proper control and management of vendor risk requires continuous re-assessment. It’s important to decide the types of on-going assessments to be performed on vendors depending on the level of their TLR and the risk they represent.

Outsourced relationships usually go through iterations and evolve as they mature. As your client organizations strategize to outsource more, they should also validate trust level(s) in anticipation of more information and resources being shared. With technological advancements, a continuously changing business environment and increased regulatory demands, validating the trust level is a continuous exercise. To get the most rational and effective findings, it’s best to use the results of ongoing assessments. In such an iterative process, it is necessary to continuously monitor and routinely assess vendors based on the trust level they carry. The program should share information about the vendor security posture and risk levels with corporate counsel or another executive sponsor, who can help the organization progress toward the target profile. Clearly communicating the fraud risk from a business perspective can be an additional feature, especially when reports are furnished to inform internal stakeholders, internal audit functions, lines of business and, if necessary, the board of directors.

Vendor fraud risk management elevates information security from a technical control business process to an effective management business process. Regular fraud risk security assessments of vendors give organizations the confidence that their business is aware of the security risk involved and is effectively managing it by transferring, mitigating or accepting it. Comprehensive vendor security assessments provide enterprises with insight on whether their systems and data are being deployed consistently with their security policies. Vendor fraud risk management is not a mere project; it is an ongoing program and requires continuous trust to keep the momentum going. Once the foundational framework has been established, our client organizations can look at enhancing maturity through initiatives such as improving guidelines and procedures, rationalizing assessment questionnaires, and more automation. Awareness and communication are key to ensuring that the program is effective and achieves its intended outcome, securing enterprises together with all their business partners and vendors.