Evaluating the Fraud Prevention Program Performance of a Contracted Entity

A practicing CFE member of our Chapter, currently based in San Francisco, is in the process of conducting a performance review of the fraud prevention program of a major Silicon Valley software developer. The client firm outsources many of its critical activities, among them numerous IT services, infrastructure, help desk support and various types of financial transaction processing (to name but a few). All these arrangements appear to be delivering significant value for her client company, which, however, has little or no control over the internal processes of its suppliers, a fact that originally emerged in a fraud risk assessment performed for the client by our member several years back.

The key to the successful performance of the fraud prevention program of a heavily contracted entity lies in defining every outsourced relationship carefully before it even begins and then in actively managing the relationship once it's been established. As our member forcefully pointed out to her client a full year before undertaking the present review, to thoroughly evaluate the performance of its fraud prevention program it would be necessary to determine that the client's relationship requirements for every vendor have been adequately defined and that they continue to reflect the needs of the organization. It's vital to the fraud prevention effort that service level agreements have been documented and agreed to by both parties, defining financial, business, ethical, legal, privacy and security requirements. In addition, for the client to have adequate control, all service level agreements must include monitoring, reporting, escalation and conflict resolution clauses to ensure that any fraud related issue can be addressed speedily and appropriately as it arises.

It's amazing to me how often the issue of business insurance is overlooked in vendor relationships: not only insurance that adequately covers the risk associated with initiating the outsourcing relationship, but also continuing coverage for the supported processes on an on-going basis. This brings me to the issue of subcontractors. Our member indicates that it's important to confirm, as part of the performance evaluation process, that all client vendors have a management program in place to ensure their own subcontractors comply with those anti-fraud measures specifically stipulated by the client's fraud prevention program.

Conflicts of interest, which can be an issue with any vendor and are especially important to the effectiveness of fraud prevention programs, should be thoroughly researched before entering into any support contract. The same concern applies to the vendor's use of the client's intellectual property, to the business stability of the vendor, and to ensuring that safeguards exist to protect the privacy and security of any of the client's data in the vendor's possession.

With the suite of vendors selected and the outsourcing relationships implemented and in actual operation, our member says it’s important for fraud prevention performance that the outsourcing client continually manage the outsourced business processes to see that its fraud prevention requirements continue to be met.

All organizations, but especially those required to comply with regulatory requirements, should have in hand a mature vendor management program. The CFE evaluating the performance of the fraud prevention program will need to find evidence of a defined vendor selection process, including a definition of the data and client materials over which the vendor(s) is to have control. The vendor management program should contain a full set of defined business objectives that the vendor is required to meet and a set of contractually defined responsibilities and service level agreements, with a mechanism for regular client management oversight to guarantee compliance. Every vendor agreement should contain a right-to-audit clause and specify the performance of a periodic fraud risk assessment to address and respond to the emerging fraud risks the client faces. There must also be 1) vendor support for on-site client audits of vendor procedures controlling client assets, 2) periodic rating of the services provided against contract-defined objectives, 3) regular assessment of the adequacy and cost effectiveness of the services provided and 4) last but not least, regular, proactive reporting to the client that demonstrates vendor compliance with defined requirements.

Just as we recognize that each of our client organizations is responsible for developing and implementing a comprehensive fraud prevention program, a strong program is especially critical for contracted entities because, whether the client chooses to perform critical business processes with internal or external resources, the client is still fully responsible for adequate performance. Fraud prevention program performance evaluations of contracted entities conducted by fraud examiners need to be at least thorough enough to assure management of adequate performance, since lenders and regulatory and standards bodies will not relieve management of its responsibility to ensure outsourced services meet stated fraud prevention requirements.

In summary, as a component of the fraud prevention program, every organization needs to develop a generalized, mature vendor management program to ensure that any outsourced services are operating effectively and securely, including specifying agreement requirements before finalizing the contract and monitoring the service throughout the contract period.

Thanks from all of us to our San Francisco member for sharing key elements of her performance review experience with us!