Tag Archives: fraud response plan

First Steps to Prosecution

A recent study sponsored by the financial trade press indicated some haziness among assurance professionals generally about the precise mechanism(s) underlying the process by which the authorities make the initial decision to prosecute or not to prosecute alleged financial statement fraud.

In the U.S. federal system, a criminal investigation of fraudulent financial reporting can originate in all sorts of ways. An investigation may be initiated because of a whistleblower, an anonymous tip, information supplied by a conscientious or guilt-ridden employee, or facts discovered during a routine annual audit of the company’s financial statements. In addition, the company’s public disclosure of financial misstatements may itself lead to the commencement of a criminal investigation. However initially initiated, the decision to start a criminal investigation is entirely within the discretion of the United States Attorney in each federal district.

For the prosecutor, the decision whether to open an investigation can be difficult. The main reason is the need for the prosecutor to establish criminal intent, that is, that the perpetrator not only got the accounting wrong but did so willfully. Often, bad accounting will be the result of judgment calls, which can be defended as exactly that, executive determinations or judgement calls that, while easy to second guess with the benefit of hindsight, were made in good faith at the time. Thus, a prosecutor evaluating the viability of a criminal prosecution will be looking for evidence of conduct so egregious that the perpetrator must have known it was wrong. This is not to suggest that evidence of a wrongful intent is the only consideration. A prosecutor’s exercise of his or her prosecutorial discretion may consider all kinds of factors in deciding whether criminal inquiry is warranted. Those factors may include the magnitude and nature of the accounting misstatements, whether individuals personally benefited from the misstatements or acted pursuant to the directive of a superior, whether documents were fabricated or destroyed, the probable deterrent or rehabilitative effect of prosecution, and the likelihood of success at trial. The availability of governmental resources may also be a factor.

Where the putative defendant is a corporation, partnership, or other business organization, a more settled set of factors come into play:

–The nature and seriousness of the offense, including the risk of harm to the public, and applicable policies and priorities, if any, governing the prosecution of corporations for certain categories of crime;
–The pervasiveness of wrongdoing within the corporation, including the complicity in, or the condoning of, the wrongdoing by corporate management;
–The corporation’s history of similar misconduct, including prior criminal, civil, and regulatory enforcement actions against it;
–The corporation’s timely and voluntary disclosure of wrong-doing and its willingness to cooperate in the investigation of its agents;
–The existence and effectiveness of the corporation’s preexisting compliance program;
–The corporation’s remedial actions, including any efforts to implement an effective corporate compliance program or to improve an existing one, to replace responsible management, to discipline or terminate wrongdoers, to pay restitution, and to cooperate with the relevant government agencies;
–Collateral consequences, including whether there is disproportionate harm to shareholders, pension holders, employees, and others not proven personally culpable, as well as the impact on the public arising from the prosecution;
–The adequacy of the prosecution of individuals responsible for the corporation’s malfeasance;
–The adequacy of remedies such as civil or regulatory enforcement actions.

However, a prosecutor gets there, once s/he determines to commence a criminal investigation, there is no doubt that those who are its targets will quickly come to view it as a priority over everything else. The government’s powers to investigate are broad, and, once a determination to go forward is made, the full resources of the government, including the FBI, can be brought to bear. The criminal sentences resulting from a successful prosecution can be severe if not excessive, particularly considering the enhanced criminal sentences put in place by Sarbanes-Oxley.  The ACFE reports that one midlevel executive at a company who elected to proceed to trial was convicted and received a prison sentence of 24 years. The fact that the sentence was subsequently set aside on appeal does little to mitigate the concern that such a sentence could be imposed upon a first-time, nonviolent offender whose transgression was a failure to apply generally accepted accounting principles.

Typically, a company learns that it is involved in a criminal investigation when it receives a grand jury subpoena, in most instances a subpoena duces tecum, compelling the company or its employees to furnish documents to the grand jury. In an investigation of fraudulent financial reporting, such a subpoena for documents may encompass all the files underlying the company’s publicly disseminated financial information, including the records underlying the transactions at issue and related emails.

For a CFE’s client company counsel and for the company’s executives generally, the need to respond to the subpoena presents both an opportunity and a dilemma. The opportunity stems from the company’s ability, in responding to the subpoena, to learn about the investigation, an education process that will be critical to a successful criminal defense. The dilemma stems from the need to assess the extent to which active and complete cooperation should be pledged to the prosecutor at the outset. The formulation of a response to a criminal subpoena, therefore, constitutes a critical point in the investigatory process. Those involved are thereby placed in the position of needing to make important decisions at an early stage that can have lasting and significant effects.  The CFE can support them in getting through this process.

Once an initial review of the subpoena and its underlying substance is complete, one of the first steps in formulating a response is often for company counsel to make a phone call to the prosecutor to make appropriate introductions and, to the extent possible, to seek background information regarding the investigation. In this initial contact, the prosecutor will be understandably guarded. Nonetheless, some useful information will frequently be shared. A general impression may be gained about the scope and focus of the investigation and the timing of additional subpoenas and testimony. Thereafter, it is not unusual for an initial meeting to be arranged to discuss in greater detail the company’s response. One benefit of such a meeting is that some level of additional information may be forthcoming.

From the outset, company counsel will be undertaking a process that will be ongoing throughout the criminal proceedings: learning as much as possible about the prosecutor’s case. The reason is that, unlike a civil case, in which broad principles of discovery enable the defendants to learn the details of the adversary’s evidence, the procedural rules of a criminal investigation result in much greater secrecy. Less formal methods of learning the details of the prosecutor’s case, therefore, are critical. In these initial contacts, the establishment of a sound foundation for the company’s dealings with the prosecutor is an important aspect of the investigation. To state it simply, CFE’s should always support that those dealings be premised on a foundation of candor.

Although it may be appropriate at various stages to decline to discuss sensitive matters, counsel should avoid making a factual statement on any subject about which it may be incompletely or inaccurately informed. This admonition applies to subjects such as the existence and location of files, the burden of producing documents, and the availability of witnesses. It also applies to more substantive matters bearing on the guilt or innocence of parties. CFE’s should, again, counsel their clients that a relationship with the prosecutor based on trust and confidence is key.

The judgment regarding the extent of cooperation with the prosecutor can be a tough one. Unlike in a civil proceeding, where cooperation with regulatory authorities (such as the SEC) is generally the preferred approach, the decision to cooperate with the government in a criminal investigation may be much more difficult, insofar as a subsequent effort to oppose the government (should such a change of approach be necessary) would be impeded by the loss of a significant tactical advantage, the loss of surprise. In criminal cases, the government is not afforded the same broad rights of discovery available in civil proceedings. It is entirely possible for a prosecutor to have no significant knowledge of the defense position until after the start of a trial. On the other hand, the privileges available to a corporation are limited. There is, most importantly, no Fifth Amendment privilege against self-incrimination for companies.  Furthermore, almost any kind of evidence, even evidence that would be inadmissible at trial, except for illegal wiretaps or privileged material, can be considered by a grand jury. Therefore, the company’s ability to oppose a grand jury investigation is limited, and the prosecutor may even consider a company’s extensive zeal in opposition to constitute obstruction of justice. Moreover, the prosecutor’s ultimate decision about indictment of the company may be affected by the extent of the company’s cooperation. And corporate management may wish to demonstrate cooperation as a matter of policy or public relations.

One issue with which a company will need to wrestle is whether it is appropriate for a public company or its executives to do anything other than cooperate with the government. On this issue, it is useful for executives to appreciate that the U.S. system of justice affords those being investigated certain fundamental rights, and it is not unpatriotic to take advantage of them. As to individuals, one of the most basic of these rights is the Fifth Amendment privilege against self-incrimination. Insofar as, in fraud cases, guilt can be established through circumstantial evidence, executives need to keep in mind that it demonstrates no lack of civic virtue to take full advantage of constitutional protections designed to protect the innocent.

A challenge is that many of these judgments regarding cooperation must be made at the outset when the company’s information is limited. Often the best approach, at least as a threshold matter, will be one of courteous professionalism, meaning respect for one’s adversary and reasonable accommodation pending more informed judgments down the road. Premature expressions of complete cooperation are best avoided as a subsequent change in approach can give rise to governmental frustration and anger.

Following the initial steps of the grand jury subpoena and the preliminary contact with the prosecutor, CFE’s are uniquely positioned to assist corporate counsel and management in the remaining stages of the criminal investigation of a financial crime:

–Production of documents;
–Grand jury testimony;
–Plea negotiations (if necessary);
–Trial (if necessary).

After the Deluge

delugeFew events are more devastating to a firm’s reputation than a well-publicized fraud and even more so if the fraud extends to a circle of one or more trusted business partners.

The ACFE tells us that a fraud can impact an organization’s reputation in many ways; and that reputation is based on how well the firm meets the expectations of diverse stakeholders such as customers and investors. Events like a fraud that indicate the organization may have fallen short of such expectations can impact the bottom line directly in terms of sales, expenses, and capital availability.  Surviving and moving forward from such an event and, more importantly, restoring confidence and ensuring that reputational damage is not extended or repeated depends on the policies and people the organization has in place to manage its damaged reputation moving forward.

What’s essential is that every organization have some sort of formal plan in place, preferably prior to a fraud event, to manage the post event fall out; if it doesn’t have such a plan, it behooves every enterprise to develop one as a critical component of its overall fraud prevention program.

The nature of the reputational risk specific to the organization, its risk appetite, and its major reputational risk management activities are all important pieces of information used to craft the overall fraud response plan. Defining the focus and output of the response plan is a critical step not only to development of the plan itself, but also to craft the timing of effective communications to stakeholders, pre and post any fraud event, addressed by the plan. Determining these details up front will give management the substance needed to create a road map that yields compelling results both through the after-fraud period and into the future.

The first step in crafting a reputational risk component of the fraud response plan is to determine the specific nature of this type of risk at the CFE’s client organization. For example, a company that produces consumer products may need to consider its reputation in terms of:

–Consumers. Perceived product quality, value, and safety.
–Investors. Perceived future returns on investment resulting from the company’s innovations, strategy, and execution.
–Suppliers/vendors. Perceived reliability of orders and timeliness of payment.
–Employees. Perceived fairness of the treatment they receive while manufacturing, selling, and supporting the company and its products.
–Online community. Perceptions of stakeholders, including consumers’ product opinions, media reporting on company activities, and competitors.
–Regulatory entities. Perception that the company’s products comply with laws.
–Local community. Perception of the company as a responsible corporate citizen.

CFE’s need to identify the key reputational risks, work with business process experts to prioritize those risks based on the extent to which they could impact the bottom line, and then determine which risks will be included in the final plan. A plan that tries to cover all aspects of reputational risk in the manner of a check list may be too broad to execute; the enterprise’s specific reputational risks to be covered need to be identified and pre-agreed to with management up front.  As the CFE and management work to determine the reputational risk scope, both need to understand the organization’s reputational risk appetite. Many organizations conceive risk appetite solely in terms of financial impact, sometimes further defining it based on financial drivers such as customer loss or asset value reduction. Facilitating a discussion of reputational risk appetite among the enterprises business process owners is a valuable CFE contribution that not only will assist in the development of the response plan, but also in its acceptance by the business. Quantifying reputational risk appetite helps management understand the tangible impact of the risk and thus how much reputational risk executives are willing to bear. In addition, it allows the CFE to communicate the impact of the reputational review work in the individualized value terms defined by the organization’s leadership.

The value added by the up-front work to understand the major vehicles the organization presently uses to manage its reputational risk will depend on the factors affecting that risk and the nature of the business itself.  Some mitigation activities may be proactive, such as establishing a product quality department or monitoring the organization’s social media presence. Others may be reactive, such as having a sales refund plan.  It’s important to remember successful reputation management following a fraud does not hinge upon one person or process (like having a hotline of public relations function), but rather on a series of controls and processes across the entire organization that work together to form a wide pattern of reputational defense. Being aware of existing activities will prepare CFE’s to include an evaluation of them in the fraud response plan. The focus of a fraud response plan can vary based on the nature of the risk and the maturity of the reputational risk management infrastructure. If there is no formal existing plan, then the CFE might prepare and present a best practice fact finding of the present state of the controls over reputational risk. If some kind of response program does exist, then the CFE might focus on control enhancement and process improvement. Financial implications, including reputational damage impact modeling and the cost of risk mitigation, also could be made part of an existing response plan, as could regulatory compliance processes such as the steps involved in the reporting of data breaches.

When one or more of the victim enterprise’s business partners are involved in a fraud against it, the reputational challenge in the post-fraud period is further complicated.  Important questions to ask concerning such third-party relationships during and after the investigative and prosecutorial phases of the fraud are complete include:

–Is there a formal business contract?
–What requirements and rights regarding compliance, possible fraud and anti-corruption does the contract contain?
–Does the contract include an audit clause?
–Who owns the business partner?
–Has the partner disclosed all relevant third-party relationships?
–Have all of the partner’s operating locations been disclosed?
–Does the partner have ongoing litigation or unique governmental relationships that might create an adverse impression among existing customers or external regulators?

Where information is needed involving client response to post-fraud reputational impact, CFE’s can visit partner organizations to gather the appropriate data.  Red flags impacting reputational risk for the CFE to be aware of include limited information about the respective entities, inconsistent data points, operations in politically charged locales, prior regulatory sanctions, and connections to or ownership by politically exposed individuals or environments with uncertain economic or commercial laws or regulations. And while examination of these items falls within the purview of compliance or legal departments, and ultimately management, some opportunity exists for CFE’s to assist with the review of due diligence reports to assess the completeness and adequacy of information in support of management’s general reputation evaluation process and decision-making.

While supporting the preparation and on-going management of client fraud response plans, CFE’s can provide additional value as the organization experiences changes over time. As the company grows, changes its sourcing and marketing strategies, and acquires other businesses, new third parties that provide products and services to and on behalf of the company will be identified and should be considered for inclusion in the company’s reputational planning.  The company’s reputational management efforts need to keep pace with the organization, and CFE’s can help evaluate the scope and breadth of that program by assessing alignment with the company’s changing business and operational fraud prevention profile.

Acting within the framework of their knowledge of the client organization, business risk assessment competency, and mandate to evaluate the adequacy of design and overall effectiveness of anti-fraud related internal controls, CFE’s can help facilitate any company’s fraud recovery/reputational repair due diligence efforts.