Category Archives: Corporate Counsel

Skilled for Success

Our Chapter is periodically contacted by human resource staff and others seeking CFEs for recruitment to both in-house staff and management positions. I took the opportunity afforded by one such call this last week to query the caller about what her ideal CFE candidate would look like. What attributes came to mind when she pictured the experienced CFE she was seeking? Technical ability? Investigative knowledge? Attention to detail?

All of those were certainly important, she said, but since this position would supervise others and deal directly with clients, she mentioned what she called ‘success skills’ (sometimes termed soft skills) as of over-riding importance. I asked her what she meant by success skills specifically and she said that for her and for many other human resource professionals, the culture of the organization she is recruiting for and the professional’s interpersonal behaviors and critical reasoning and judgment can frequently heavily outweigh technical skills and relevant experience. After I referred her to several folks who had furnished our Chapter with resumes for just this kind of enquiry, my caller pointed me to several sources where I could obtain information on the types of skills to which she was referring.

My somewhat cursory research revealed that some of the most common success skills employers look for and which they use to assess experienced employment candidate CFEs today include:

1. A strong work ethic — are they motivated and dedicated to getting the job done, no matter what? Will they be conscientious and do their best work?
2. A positive attitude — are they optimistic and upbeat? Will they generate good energy and good will especially with subordinates and clients?
3. Good communication skills — are they verbally articulate and good listeners? Can they make their case and express their needs in a way that builds bridges with colleagues, clients and team members?
4. Time management abilities – does the CFE candidate know how to prioritize tasks and work on a number of different projects at once? Will they use their time on the job wisely?
5. Problem-solving skills — are they resourceful and able to creatively solve problems that will inevitably arise during challenging investigations? Will they take ownership of problems or leave them for someone else?
6. Being a team player — will they work well in groups and teams? Will they be cooperative and take a leadership role when appropriate?
7. Self-confidence — do they truly believe they can do the job? Will they project a sense of calm and inspire confidence in others during investigative assignments? Will they have the courage to ask the questions that need to be asked and to freely contribute their ideas?
8. Ability to accept and learn from criticism — will they be able to handle criticism? Are they coachable and open to learning and growing as a person and as a professional no matter their present experience and authority level?
9. Flexibility/adaptability — are they able to adapt to new situations and challenges? Will they embrace change and be open to innovative ideas and investigative approaches?
10. Working well under pressure — can they handle the stress that accompanies investigative and reporting deadlines and crises? Will they be able to do their best work and come through for the employer in a pinch?

Armed with this information, I got back in touch with my caller and asked a few more questions; she was very forthcoming. It turns out that there is a wide range of questions interviewers can ask when trying to gauge the soft skills of a potential CFE hire. When it comes to interpersonal skills, my interviewee told me they may ask candidates to describe an unusual person they know and why the person may be different. Communication skills can be determined by having candidates relate their experiences with an angry or frustrated corporate counsel, client, coworker or interviewee. A popular question that is often asked to measure the ability of a candidate to work on a team is centered on the discussion of an investigative project that was not successful and how it was handled. The question of solutions to problems may also deal with negative situations and how they were overcome. Therefore, questions used to assess success skills often have an individual addressing the how and why, rather than what, where or who.

The next question I had for my respondent was regarding her opinion as to how a candidate CFE could go about acquiring and strengthening these skills since they really don’t involve the type of technical matters typically focused on in the everyday business school training curriculum. She replied that working with people who exhibit strong soft skills is an effective way of learning those skills. Many professional organizations like the ACFE run internal mentoring programs so that senior practitioners can pass on their knowledge and experience to newer professionals. Training events of local chapters of associations such as the ACFE are another good place to meet with experienced professionals who can assist with mentoring and soft skills.

It seems to me that success skill communication especially under-pin all aspects of the CFEs work. I can remember very early on in my auditing career reading that communication is not easy because something said doesn’t mean it was said correctly; something said correctly doesn’t
mean it has been heard; something heard doesn’t mean it was understood; something understood doesn’t mean it has been agreed upon; something agreed upon doesn’t mean it has been applied; something applied doesn’t mean it has been continually practiced. Communicating anything effectively as a professional is, therefore, an on-going continuous process that is almost never complete and seldom perfect.

The desire to grow professionally and develop a successful career is evident in most CFEs, as in all other professionals, and while the opportunity to be on the forefront of this challenge exists, it is not emphasized enough, hence what recruiters and human resource professionals have identified as the success skills gap. Critical success skills, such as interpersonal behavior, communication, report writing and presentation skills, that augment technical skills are important in developing a successful career. However, to the disadvantage of employees, especially young professionals, these skills are seldom even emphasized let alone actively taught in the typical workplace. Similarly, employees do not recognize the lack of or need for such skills and miss valuable opportunities to improve them.

In an increasingly information- and technology-driven society, success skills increasingly shape the structure of the workplace. This fact is found to be especially evident in the audit, investigative and information systems environments. Assurance professionals need to interact seamlessly with customers/clients, work in teams, communicate technical details and build relationships.

Managers hiring new and experienced CFEs will always ask: Is the candidate able to lead a team successfully, communicate effectively, make presentations or write an investigative report to management? These are key skills that determine promotions, raises and job success.

In summary, CFE job applicants are always weighed on their technical ability and, increasingly today, on their success skills. Employers often ask whether job candidates are the best fit for the organization or whether candidates will align well with the organization’s culture. Furthermore, as a number of headhunters have told me, employers can easily teach the technical skills. The success skills that make up a candidate’s character and demeanor are not so easily taught yet can have an enormous impact on whether a candidate eventually gets his or her dream job or the top-floor corner office. So, a mix of both cognitive and noncognitive skills, the latter such as motivation, self-esteem and perseverance, determine many life outcomes, including education, health and even involvement in crime.

To benefit from strong success skills and develop a long-term career, the foremost step for young professionals as for any other professional, is to own their career. The ability to direct and fill roles in opportunity areas highly depends on career ownership and effective personal management. Success skills are increasingly becoming the often-unrecognized element for career mastery; as recruiters tell me, the bottom line is that a full professional success depends on their mastery.

Read more »

Expert Witness or Consultant

One of our newer Chapter members submitted a comment on-line two weeks ago requesting information about the pitfalls involved in the CFE choosing to act as a consultant to a client attorney rather than as an expert witness. This is an important topic for CFEs in individual practice as well as for those serving as examiners on the staffs of private or public entities. The ACFE tells us that CFEs typically act as experts in the legal process by assisting attorneys with the financial details of a suit and testifying about these practices at trial. They analyze documents and transactions, showing how the fraud was accomplished and, when possible, who the most likely perpetrators were. The CFE is a guide and adviser for the attorney in assembling the case, and a major participant in explaining the details of a fraud scenario to a judge and jury.

In general, expert witnesses are typically brought in when required by law, as in malpractice suits where a member of a given profession must explain the infraction against professional by-laws or principles; when key points are deemed sufficiently technical or complex, such as in cooking-the-books schemes involving intricate accounting manipulations, or to assist a jury in making its decision. Federal Rule of Evidence 702 says that an expert witness with appropriate knowledge and credentials may testify in any proceeding where scientific, technical, or specialized knowledge will shed light on the dispute. Even in cases that don’t go to trial, experts may still be involved in mediation, arbitration, settlement conferences, or summary judgment motions.

Experts contribute to the trial process in numerous ways. They provide background information to guide and frame a case; during the discovery process they investigate, run tests, advise on depositions, prepare other witnesses, make exhibits, and respond to the opposition’s discovery requests; they file written opinions, which are entered as evidence into the court record; and they testify in actual proceedings should the case make it to a courtroom.

Once they accept a case, many experts immediately start assembling a narrative version of the events. This detailed summary of the facts of the case serves as the raw material for rendering an official opinion. As we’ve pointed out many times, it’s important that the text be written with care and professionalism because the text may (and probably will) have to be produced during discovery. Additionally, a well-written narrative helps the client attorney in preparing and executing the case at trial.

According to our most experienced members, perhaps the thorniest challenge for CFEs, once they’re engaged to work on a case, is setting a value on the specific business losses due to a fraud. Depending on the facts, there may be several methods for evaluating net worth/net loss, each rendering a different number at the end. And regardless of the numbers, there’s always the human element. Calculating business loss is a challenging task in a complex case because the examiner has to consider the amount of business being done, try to reconstruct the market conditions, think about competitors, and then calculate the amount of direct personal benefit; all of these factors being intertwined. In such cases, the examiner must consider a variety of points, prepare an estimate of loss, and then, most often, try to work out a compromise.

Article V. of the Association of Certified Fraud Examiners Code of Professional Ethics states:

A fraud examiner, in conducting examinations, will obtain evidence or other documentation to establish a reasonable basis for any opinion rendered. No opinion shall be expressed regarding the guilt or innocence of any person or party.

The rule that prohibits opinions regarding the guilt or innocence of any person or party is a rule of prudence. Clearly, it’s prudent for a Certified Fraud Examiner to refrain from usurping the role of jury. In a courtroom, no good attorney would ask a CFE for such a conclusion, and no alert judge would allow such testimony.  The fraud examiner’s job is to present the evidence in his or her report. Such evidence might constitute a convincing case pointing to the guilt or innocence of a person. But a clear line should be drawn between a report that essentially says, “Here is the evidence” and one that steps over the line and says “S/he is the guilty (innocent) person.” Nevertheless, there is a fine line between recommending action, forwarding the evidence to a law enforcement agency or filing a complaint or lawsuit, and giving an opinion on guilt or innocence. CFEs may make such recommendations because they think the evidence is strong enough to support a case. They might even have a conclusion about whether the suspect committed a crime. The rule does not prohibit the CFE, under the proper circumstances, from accusing the person under investigation. However, the ultimate decision of whether a person is “guilty” or “innocent” is for a jury to determine. The CFE is free to report the facts and the conclusions that can be drawn from those facts, but the decision as to whether a person is guilty of a crime is a decision for the judge or jury.

Caution is the by-word for every expert witnesses at every step of the legal process. According to discovery rules governing expert testimony, everything the expert says or writes about the case after being hired is subject to discovery by opposing counsel. That means everything: narrative versions of the case, comments to the press or law enforcement, hypothetical reconstructions, even notes can be demanded and used by the opposing party. A shrewd attorney can use an expert’s preliminary notes containing drafts of an opinion and other purely deliberative information to call the witness’s testimony into question. The only exception is when the expert is hired by the attorney purely on a consulting basis. An expert witness has no privilege. The principle of privilege exists to protect certain core societal relationships (attorney-client, husband-wife), but the expert witness’s relationship with clients is not among those protected. If the expert’s opinions will be presented in court, everything related to the expert’s opinion is discoverable by the defense.

There is an exception. The CFE expert may consult on the client attorney’s work product, i.e., materials the attorney prepares as background for a case. While performing background work, the expert is said to be working as an associate of the attorney, so the exchange is protected; they are two professionals conferring. However, once the expert is hired as a witness, and begins entering opinions as part of the attorney’s case, there is no privilege for any contribution the expert makes. The distinction is something like this: when acting as “witnesses,” experts are bringing official information to the court, and so must disclose any contact with the case; when experts act as “consultants” or “associates” for attorneys or law enforcement, they are only assisting the attorney, and do not have to disclose their involvement in the case. However, if a testifying expert reviews the work of the consultant expert, then the work of the consultant expert will be discoverable. Remember this; if a CFE is hired to testify at trial, anything he or s/he used to form his or her opinion will be subject to review by the opposing party. This includes notes from other experts, documents received from the plaintiff or defendant, and any documents or notes from the attorney. CFEs should be sure to consult with the client attorney before reviewing anything. If the attorney has not given the document to you, then ask before you read. Otherwise, you may inadvertently destroy the confidentiality or privilege of the material.

In summary, the best way to protect the confidentiality of information is to keep good files. Any materials which serve as the basis for an expert’s opinion must be in the file. Notes, documents, or tests that serve as background, or that represent unfruitful lines of investigation, don’t have to be included, and probably shouldn’t be. The attorney trying the case doesn’t want an expert having to answer about investigative dead ends or exploratory side lines; a shrewd cross-examiner can turn a hastily scribbled hypothetical into reasonable doubt, just enough to avert a conviction. So, in the best-case scenario, an expert presents to the court an opinion and its basis, nothing more nothing less.

Tailoring Difficult Conversations

We CFE’s and forensic accountants, like other investigative professionals, are often called upon to be the bearers of bad news; it just goes with the territory.  CFE’s and forensic accountants are somewhat unique, however, in that, since fraud is ubiquitous, we’re called upon to communicate negative messages to such a diverse range of client types; today the chairman of an audit committee, tomorrow a corporate counsel, the day after that an estranged wife whose spouse has run off after looting the family business.

If there is anything worse than getting bad news, it may be delivering it. No one relishes the awkward, difficult, anxiety-producing exercise of relaying messages that may hurt, humiliate, or upset someone with whom the deliverer has a professional relationship. And, what’s more,  it often proves a thankless task. This was recognized in a Greek proverb almost 2,500 years ago, “Nobody loves the messenger who brings bad news.”

Physicians, who are sometimes required to deliver worse news than most CFE’s ever will, often engage in many hours of classwork and practical experience studying and role-playing how to have difficult conversations with patients and their families They know that the message itself, may be devastating but how they deliver it can help the patient and his or her family begin to process even the most painful facts.   CFE’s are in the fortunate position of typically not having to deliver news that is quite so shattering.  Nevertheless, there is no question that certain investigative results can be extremely difficult to convey and to receive.  The ACFE tells us that learning how to prepare for and deliver such messages can create not only a a better investigator but facilitate a better investigative outcome.

Preparation to deliver difficult investigative results should begin well in advance, even before there is such a result to deliver. If the first time an investigator has a genuine interaction with the client is to confirm the existence of a fraud, that fact in itself constitutes a problem.  On the other hand, if the investigator has invested time in building a relationship before that difficult meeting takes place, the intent and motivations of both parties to the interaction are much better mutually understood. Continuous communication via weekly updates to clients from the moment irregularities are noted by examination is vital.

However, despite best efforts in building relationships and staying in regular contact with clients, some meetings will involve conveying difficult news. In those cases, preparation is critical to accomplishing objectives while dealing with any resultant fallout.  In such cases, the ACFE recommends focusing on investigative process as well as on content. Process is professionally performing the work, self-preparation for delivering the message, explaining the conclusions in meaningful and realistic ways, and for anticipating the consequences and possible response of the person receiving the message. Content is having the right data and valid conclusions so  the message is correct and complete.

Self-preparation involves considering the type of person who is receiving the difficult message and in determining the best approach for communicating it. Some people want to hear the bottom line first and the supporting information after that; others want to see a methodical building of the case item by item, with the conclusion at the end. Some are best appealed to via logic; others need a more empathetic delivery. Discussions guided by the appropriate approach are more likely to be productive. Put as much effort as possible into getting to know your client since personality tends to drive how he or she wants to receive information, interact with others, and, in turn, values things and people. When there is critical investigative information that has to be understood and accepted, seasoned examiners consider delivery tailored specifically to the client to be paramount.

Once the ground work has been laid, it’s time to have the discussion. It’s important, regarding the identified fraud, to remember to …

–Seek opportunities to balance the discussion by recognizing the client’s processes that are working well as well as those that have apparently failed;

–Offer to help or ask how you can help to address the specific issues raised in the discussion;

–Make it clear that you understand the client’s challenges. Be precise and factual in describing the causes of the identified irregularity;

–Maintain open body language. Avoid crossing your arms, don’t place your hands over your mouth or on your face, and keep your palms facing each other or slightly upwards instead of downwards. Don’t lean forward as this appears extra aggressive. Breathe deeply and evenly. If possible, mimic the body language of the message recipient, if the recipient is remaining calm. If the recipient begins to show signs of defensiveness or strong aggression, and your efforts to calm
the situation are not successful, you might suggest a follow-up meeting after both of you have digested what was said and to consider mutually acceptable options to move forward.

–Present the bottom-line message three times in different ways so your listener has time to absorb it.

–Let the client vent if he or she wishes. The ACFE warns against a tendency to interrupt the client’s remarks of explanation or sometimes of denial; “we don’t hire people who would do something like that!” Allowing the client time to vent frees him or her to get down to business moving afterward.

–Focus on problems with the process as well as on the actions of the suspect(s) to build context for the fraud scenario.

–Always demonstrate empathy. Take time to think about what’s going through your hearer’s mind and help him or her think through the alleged scenario and how it occurred, what’s going to happen next with the investigation, and how the range of issues raised by the investigation might be resolved.

Delivering difficult information is a minefield, and there are ample opportunities to take a wrong step and see explosive results. Emotional intelligence, understanding how to read people and relate to them, is vital in delivering difficult messages effectively. This is not an innate trait for many people, and it is a difficult one to learn, as are many of the other so-called soft skills. Yet they can be critical to the successful practice of fraud examination. Examiners rarely get in trouble over their technical skills because such skills are generally easier for them to master.  Examiners tend to get in trouble over insufficient soft skills. College degrees and professional certifications are all aimed at the technical skills. Sadly, very little is done on the front end to help examiners with the equally critical soft skills which only arise after the experience of actual practice.  For that reason, watching a mentor deliver difficult messages or deal with emotional people is also an effective way to absorb good practices. ACFE training utilizes the role-playing of potentially troublesome presentations to a friendly group (say, the investigative staff) as another way to exercise one’s skills.

Delivering bad news is largely a matter of practice and experience, and it’s not something CFEs and forensic accountants have the choice to avoid. At the end of the day, examiners need to deliver our news verbally and in writing and to facilitate our clients understanding of it. The underlying objective is to ensure that the fact of the alleged fraud is adequately identified, reported and addressed, and that the associated risk is understood and effectively mitigated.

First Things First

About a decade ago, I attended a training session at the Virginia State Police training center conducted by James D. Ratley, then the training director for the ACFE. The training session contained some valuable advice for CFE’s and forensic accountants on immediate do’s and don’ts if an examiner strongly suspects the presence of employee perpetrated financial fraud within a client’s organization. Mr. Ratley’s counsel is as relevant today as it was then.

Ratley advised that every significant employee matter (whether a theft is involved or not) requires thoughtful examiner deliberation before any action is taken, since hasty moves will likely prove detrimental to both the investigator and to the client company. Consequently, knowing what should not be done if fraud is suspected is often more important to an eventual successful outcome than what should be done.

First, the investigator should not initially confront the employee with his or her suspicions until the investigator has first taken several important preliminary investigative steps.  Even when those steps have been taken, it may prove necessary to use a different method of informing the employee regarding her status, imminent material harm notwithstanding. False (or even valid) accusations can lead to defamation lawsuits or at the very least to an extremely uncomfortable work environment. The hasty investigator or management could offend an innocent person by questioning her integrity; consequently, your client company may never be able to regain that person’s trust or prior level of commitment. That downside is just one example of the collateral damage that can result from a fraud. Even if the employee is ultimately found to be guilty, an investigator’s insinuation gives him or her time to alter records and conceal the theft, and perhaps even siphon off more assets. It takes only a moment for an experienced person to erase a computer’s hard drive and shred documents. Although, virtually all business records can be reconstructed, reconstruction is a costly and time-consuming process that always aggravates an already stressful situation.

Second, as a rule, never terminate or suspend the suspect employee until the preliminary investigative steps referred to above have been taken.  The desire on the part of management to take decisive action is understandable, but hasty actions may be detrimental to the subsequent investigation and to the company. Furthermore, there may be certain advantages to continuing the person’s employment status for a brief period because his or her continued status might compel the suspect to take certain actions to your client’s or to the investigation’s benefit. This doesn’t apply to government employees since, unlike private sector employees, they cannot be compelled to participate in the investigation. There can be occasions, however, where it is necessary to immediately terminate the employee. For example, employees who serve in a position whose continued employment could put others at risk physically, financially, or otherwise may need to be terminated immediately. Such circumstances are rare, but if they do occur, management (and the CFE) should document the entire process and advise corporate counsel immediately.

Third, again, as a rule, the investigator should never share her initial suspicions with other employees unless their assistance is crucial, and then only if they are requested to maintain strict confidentiality.  The CFE places an arduous burden on anyone in whom s/he has confided. Asking an employee to shoulder such responsibilities is uncharted territory for nearly anyone (including for the examiner) and can aggravate an already stressful situation. An examiner may view the confidence placed in an employee as a reflection of his and management’s trust. However, the employee may view the uninvited responsibility as taking sides with management at the expense of his relationship with other employees. Consequently, this step should be taken only if necessary and, again, after consultation with counsel and management.

Regarding the do’s, Ratley recommended that the instant that an employee fraud matter surfaces, the investigator should begin continuous documentation of all pertinent investigation-related actions taken. Such documentation includes a chronological, written narrative composed with as much specificity as time permits. Its form can take many shapes, such as handwritten notes, Microsoft Word files, spreadsheets, emails to yourself or others, and/or relevant data captured in almost any other reproducible medium. This effort will, of course, be time consuming for management but is yet another example of the collateral damage resulting from almost any employee fraud. The documentation should also reference all direct and related costs and expenses incurred by the investigator and by the client company. This documentation will support insurance claims and be vital to a subsequent restitution process.  Other collateral business damages, such as the loss of customers, suppliers, or the negative fiscal impact on other employees may also merit documentation as appropriate.

Meetings with corporate counsel are also an important do.  An employee fraud situation is complex and fraught with risk for the investigator and for the client company. The circumstances can require broad and deep expertise in employment law, criminal law, insurance law, banking law, malpractice law, and various other legal concentrations. Fortunately, most corporate attorneys will acknowledge when they need to seek additional expertise beyond their own experience since a victim company counsel specializing in corporate matters may have little or no background in matters of fraud. Acknowledgment by an attorney that s/he needs additional expertise is a testament to his or her integrity. Furthermore, the client’s attorney may contribute value by participating throughout the duration of the investigation and possible prosecution and by bringing to bear his or her cumulative knowledge of the company to the benefit of the organization.

Next, depending on the nature of the fraud and on the degree of its fiscal impact, CFEs should meet with the client’s CPA firm but exercise caution. The client CPA may be well versed in their involvement with your client through their work on income taxes, audit, review, and compilations, but not in forensic analysis or fraud examination. Larger CPA firms may have departments that they claim specialize in financial forensics; the truth is that actual experience in these matters can vary widely. Furthermore, remember that the situation occurred under your client CPA’s watch, so the firm may not be free of conflict.

Finally, do determine from management as early as possible the range of actions it might want to take with respect to the suspect employee if subsequent investigation confirms the suspicion that fraud has indeed occurred.  Deciding how to handle the matter of what to do with the employee by relying upon advice from management and from the legal team can be quite helpful in shaping what investigative steps are taken subsequently. Ratley pointed out that the level and availability of evidence often drive actions relating to the suspect. For example, the best course of action for management may be to do nothing immediately, to closely monitor and document the employee’s activities, to suspend the employee with pay, or immediately terminate the suspect’s employment. There may be valid reasons to exercise any one of these options.

Let’s say the CFE is advised by management to merely monitor and document the employee’s activities since the CFE currently lacks sufficient evidence to suspend or terminate the employee immediately. The CFE and the client’s IT operation could both be integral parts of this option by designing a plan to protect the client from further loss while the investigation continues behind the scenes. The investigation can take place after hours or under the guise of an “efficiency audit,” “business planning,” or other designation. In any case, this option will probably require the investigator to devote substantial time to observe the employee and to concurrently conduct the investigation.  The CFE will either assemble sufficient evidence to proceed or conclude there is inadequate substantiation to support the accusation.

A fraud is a devastating event for any company but Mr. Ratley’s guidance about the first steps in an investigation of employee perpetrated financial fraud can help minimize the damage.  He concluded his remarks by making two additional points; first, few executives are familiar by experience with situations that require CFE or forensic accountant expertise; consequently, their often-well-meaning actions when confronted with the actuality of a fraud can result in costly mistakes regarding time, money and people. Although many such mistakes can be repaired given sufficient money and time, they are sometimes devastating and irrecoverable.  Second, attorneys, accountants and others in the service professions frequently lack sufficient experience to recognize the vast differences between civil and criminal processes.  Consequently, these professionals often can provide the best service to their corporate clients by referring and deferring to more capable fraud examination specialists like certified fraud examiners and experienced forensic accountants.

Vendor Assessment – Backing Corporate Counsel

Pre-emptive fraud risk assessments targeting client vendor security are increasingly receiving CFE attention. This is because in the past several years, sophisticated cyber-adversaries have launched powerful attacks through vendor networks and connections and have siphoned off money, millions of credit card records and customers’ sensitive personal information.

There has, accordingly, been a noticeable jump in those CFE client organizations whose counsel attribute security incidents to current service providers, contractors and to former partners. The evolution of targets and threats outside the enterprise are powerfully influencing the current and near-future of the risk landscape. CFEs who regard these easily predicted changes in a strategic manner can proactively assist their client’s security and risk leadership to identify new fraud prevention opportunities while managing the emerging risk. To make this happen enterprises require adequate oversight insight into vendor involved fraud security risk as part of a comprehensive cyber-risk management policy.

Few managements anticipated only a few years ago that their connectivity with trusted vendors would ever result in massive on-line exploits on sister organizations like retailers and financial organizations, or, still less, that many such attacks would go undetected for months at a time. Few risk management programs of that time would have addressed such a risk, which represents not only a significant impact but whose occurrence is also difficult to predict. Such events were rare and typically beyond the realm of normal anticipation; Black Swan events, if you will. Then, attackers, organized cyber-criminals and some nation-states began capturing news headlines because of high-profile security breaches. The ACFE has long told us that one-third (32 percent) of fraud survey respondents report that insider crimes are costlier or more damaging than incidents perpetrated by outsiders and that employees are not the only source of insider threat; insider threat can also include former employees, service providers, consultants, contractors, suppliers and business partners.

Almost 500 such retailer breaches have been reported this year alone targeting credit card data, personal information, and sensitive financial information. There has, accordingly, been a massive regulatory response.  Regulators are revisiting their guidelines on vendor security and are directing regulated organizations to increase their focus on vendor risk as organizations continue to expand the number and complexities of their vendor relationships. For example, the US Office of the Comptroller of the Currency (0CC) and the Board of Governors of the US Federal Reserve System have released updated guidance on the risk management of third-party relationships. This guidance signals a fundamental shift in how retail financial institutions especially need to assess third-party relationships. In particular, the guidance calls for robust risk assessment and monitoring processes to be employed relative to third-party relationships and specifically those that involve critical activities with the potential to expose an institution to significant risk. CFEs and other assurance professionals can proactively assist the counsels of their client enterprises to elevate their vendor-related security practices to keep pace with ever-evolving fraud threats and security risk associated with their client’s third-party relationships.

Vendor risk oversight from a security point of view demands a program that covers the entire enterprise, outlining the policy and guidelines to manage and mitigate vendor security risk, combined with clearly articulated vendor contracts negotiated by the corporate counsel’s function. Such oversight will not only help organizations improve cybersecurity programs but also potentially advance their regulatory and legal standing in the future. What insights can CFEs, acting proactively, provide corporate counsel?

First, the need for executive oversight. Executive alignment and business context is critical for appropriate implementation throughout the organization. Proper alignment is like a command center, providing the required policies, processes and guidelines for the program. The decision to outsource is a strategic one and not merely a procurement decision. It is, therefore, of the utmost importance that executive committees provide direction for the vendor risk management program. The program can obtain executive guidance from:

–The compliance function to provide regulatory and other compliance requirements that have specific rules regarding vendor risk management to which the vendor organizations must adhere;

–The IT risk and control function to determine the risk and the risk level, depending on the nature of access/data sensitivity shared with the vendor(s). The vendor risk management program should utilize the key risk indicators provided by this function to address risk during vendor assessments;

–The contract governance function and corporate counsel to ensure that vendor contracts adequately address the need for security assessments and define vendors’ obligations to complete these assessments.

Most larger organizations today deal with a considerable amount of third parties and service providers. Missing contact information, responsibility matrices or updated contracts are typical areas of concern about which risk managers might have engaged CFEs initiate fraud risk assessments. This can pose a significant challenge, especially, when there are multiple teams involved to carry out the procurement business process. A vendor and contract database (VCD) ensures that an accurate and complete inventory of vendors is maintained, including other third-party relationships (e.g., joint ventures, utilities, business partners, fourth parties, etc.).

In effectively assessing a vendor risk management program, the CFE can’t conduct the same type of fraud risk assessment for all vendors. Rather, it’s necessary to identify those vendor services deemed to carry the greatest risk and to prioritize them accordingly. The first step is to understand which vendors and services are in the scope from an active fraud risk management perspective. Once this subset of vendors has been identified and prioritized, due diligence assessments are performed for the vendors, depending on the level of client internal versus vendor-owned fraud prevention and detection controls. The results of these assessments help establish the appropriate trust-level rating (TLR) and the future requirements in terms of CFE assisted reassessments and monitoring. This approach focuses resources on the vendor relationships that matter most, limiting unnecessary work for lower-risk relationships. For example, a vendor with a high TLR should be prioritized over a vendor with a low TLR.

Proper control and management of vendor risk requires continuous re-assessment. It’s important to decide the types of on-going assessments to be performed on vendors depending on the level of their TLR and the risk they represent.

Outsourced relationships usually go through iterations and evolve as they mature. As your client organizations strategize to outsource more, they should also validate trust level(s) in anticipation of more information and resources being shared. With technological advancements, a continuously changing business environment and increased regulatory demands, validating the trust level is a continuous exercise. To get the most rational and effective findings, it’s best to use the results of ongoing assessments. In such a reiterative process, it is necessary to continuously monitor and routinely assess vendors based on the trust level they carry. The program should share information about the vendor security posture and risk levels with corporate counsel or other executive sponsor, who can help the organization progress toward the target profile. Clearly communicating the fraud risk from a business perspective can be an additional feature, especially when reports are furnished to inform internal stakeholders, internal audit functions, lines of business and the board of directors, if necessary.

Vendor fraud risk management elevates information security from a technical control business process to an effective management business process. Regular fraud risk security assessments of vendors give organizations the confidence that their business is aware of the security risk involved and is effectively managing it by transferring, mitigating or accepting it. Comprehensive vendor security assessments provide enterprises with insight on whether their systems and data are being deployed consistently with their security policies. Vendor fraud risk management is not a mere project; it is an ongoing program and requires continuous trust to keep the momentum going. Once the foundational framework has been established, our client organizations can look at enhancing maturity through initiatives such as improving guidelines and procedures, rationalizing assessment questionnaires, and more automation. Awareness and communication are key to ensuring that the program is effective and achieves its intended outcome, securing enterprises together with all their business partners and vendors.