Betrayal of trust

Written by: Robert Tie, CFE
Date: November 1, 2015

"You can't be too careful about conflict of interest." — Gerry Zack, CFE, CPA, CIA, chairman of the ACFE Board of Regents, and a Washington, D.C.-based managing director in the global forensics practice of BDO USA, LLP, an international accounting and consulting firm.

Organizations' procurement of goods and services — through electronic bidding processes — can save money and increase efficiency. But it can also add risk and inflict major fraud damage when staff betray their employers' trust. Here's how to overcome trust breaches and fight fraud in digital and human networks.

Every afternoon, BDO's COI (conflict of interest) team sends an email asking the firm's consultants, investigators and auditors to review a list of potential new client engagements and to report any possible conflicts with these companies. BDO's process is similar to those at many other professional services firms, which aim to identify conflicts before agreeing to perform services for new clients. Are conflicts of interest so potentially risky that they merit such effort? Consider the following three cases; then judge for yourself.

A persistent problem

Melvyn R. Paisley, the former assistant secretary of the U.S. Navy, won the Distinguished Service Cross — a U.S. combat decoration second only to the Medal of Honor — as a P-47 Thunderbolt ace with nine victories in Europe during World War II.

Overshadowing that achievement, though, is his violation of the trust the Reagan administration placed in him as a senior official.

Confronted with irrefutable evidence, Paisley admitted accepting hundreds of thousands of dollars in bribes for fraudulently helping his private-sector associates win defense equipment contracts worth hundreds of millions of dollars. (See Melvyn Paisley, 77, Figure in Scandal, Dies, by Christopher Marquis, The New York Times, Dec. 26, 2001.)

Paisley's conviction and four-year sentence formed the centerpiece of the FBI's Operation Ill Wind, a 1986-1989 investigation into the biggest procurement frauds in U.S. history.

Eight other government officials, 42 Washington consultants and executives, and seven military contractors also were jailed, heavily fined or both for exchanging payments for confidential information and fraudulent preference over legitimate bidders. In 1988, passage of the Procurement Integrity Act introduced measures to curb such abuses.

Yet more than 10 years later, rampant procurement-related conflicts of interest persisted.

In one typical case, James Lee Loman, a purchasing manager at Tinker Air Force Base in Midwest City, Oklahoma, began collecting kickbacks — totaling $838,000 from 2002 through 2006 — for repeatedly favoring the inflated bids of an unscrupulous supplier of aircraft parts.

Loman denied any wrongdoing, but a jury found him guilty in early 2014; his advanced age and poor health got him a lenient 30-month sentence. Tighter regulation hadn't stemmed the tide of procurement corruption and hadn't done much, if anything, to help detect and prevent betrayal of trust.

Meanwhile, the Internet's explosive growth spurred development of online procurement systems expected to boost efficiency, cut costs and improve fraud detection and prevention. Time would tell.

As the new millennium progressed, governments and non-governmental organizations (NGOs) around the world implemented electronic procurement systems, hoping to reap their widely touted benefits. Corporate giants soon followed suit. As expected, e-procurement systems proved to be more efficient and economical than their paper-based predecessors. But a nagging truth remained: anyone entrusted with e-procurement responsibilities still might be able to commit fraud and get away with it. It was only a matter of time before someone would try.

In 2014, a group of fraudsters did, and were caught. Late last year, prosecutors in Mumbai, the Indian megacity formerly known as Bombay, indicted more than 20 senior and mid-level civil service employees of the Brihanmumbai Municipal Corporation (BMC) for rigging bids in an e-procurement system designed to reduce fraud and expenses. Their take? $318 million in kickbacks, according to charges filed against them in the still pending case.

While court documents aren't publicly available, media accounts indicate that the primary question isn't whether the fraud took place, but rather how many dozens of bureaucrats with prohibited conflicts of interest took part in it. (See FIR lodged against 22 BMC staffers in e-tender scam, by Ahmed Ali, The Times of India, Nov. 20, 2014.) Thus, the BMC case effectively dashed any hope that technology, by itself, can adequately mitigate the enduring problem posed by betrayal of trust.

Zack has been watching the case with interest. "On several occasions the fraudsters at BMC opened its e-procurement system in the middle of the night for bids on open contracts — but only by favored vendors they conspired with," he says.

This effectively prevented legitimate vendors from bidding; they hadn't been able to access the system during normal business hours. BMC now ensures that its system is open for bidding only during normal business hours, and that bidding on open contracts is available to all interested parties.
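The control BMC adopted can also be checked after the fact. The sketch below is an added example, not taken from the article or from BMC's system: it reads constructed audit-log rows and flags tenders whose bidding window offered little or no access during business hours. The row layout, the 09:00-18:00 Monday-to-Friday policy and the 240-minute threshold are all assumptions.

```python
from datetime import datetime, timedelta, time

BUSINESS_START, BUSINESS_END = time(9, 0), time(18, 0)  # assumed policy hours

# Constructed audit-log rows: (tender, window opened, window closed, bidders)
BID_WINDOWS = [
    ("T-501", "2014-03-03 10:00", "2014-03-07 17:00", ["V-1", "V-2", "V-3", "V-4"]),
    ("T-502", "2014-03-04 01:15", "2014-03-04 03:40", ["V-9"]),
    ("T-503", "2014-03-08 11:00", "2014-03-08 15:00", ["V-9", "V-12"]),  # a Saturday
    ("T-504", "2014-03-05 22:30", "2014-03-06 09:20", ["V-2", "V-9"]),
]

def business_minutes(opened, closed):
    """Minutes of [opened, closed) that fall inside Mon-Fri business hours."""
    total, day = 0, opened.date()
    while day <= closed.date():
        if day.weekday() < 5:  # Monday=0 ... Friday=4
            start = max(opened, datetime.combine(day, BUSINESS_START))
            end = min(closed, datetime.combine(day, BUSINESS_END))
            if end > start:
                total += int((end - start).total_seconds() // 60)
        day += timedelta(days=1)
    return total

def flag_windows(rows, min_business_minutes=240):
    """Return tenders whose bid window gave vendors too little daytime access."""
    flagged = []
    for tender, opened_s, closed_s, bidders in rows:
        opened = datetime.strptime(opened_s, "%Y-%m-%d %H:%M")
        closed = datetime.strptime(closed_s, "%Y-%m-%d %H:%M")
        minutes = business_minutes(opened, closed)
        if minutes < min_business_minutes:  # threshold is an assumed policy value
            flagged.append({"tender": tender, "business_minutes": minutes,
                            "bidders": sorted(bidders)})
    return flagged
```

Listing the bidders beside each flagged window lets a reviewer see whether the same few vendors keep appearing in the windows nobody else could reach.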

Risk alert: Humans seen nearby!

"Organizations implementing an e-procurement module or other new system focus mostly on its expected rewards, not its potential risks," Zack says. "Everything's about how this'll make us faster, more efficient, more accurate." But, he adds, risk exposures too often capture management's attention only after fraudsters have capitalized on them.

"Because human behavior is so complex, betrayal of trust is perhaps the most difficult fraud risk to mitigate," Zack says. "Of course, it's important to train and encourage your employees and suppliers to be ethical. But never simply assume they will be." (See "Trust, but verify".)

E-backfire?

"Buying goods and services is one of the most important functions in organizations," Zack says. "That's why they're so intent on converting to e-procurement; the potential benefits are very encouraging."

With online procurement, contract opportunities (often called tenders) are more visible to a broader range of vendors, and that fosters competition. It also speeds up and simplifies tasks, such as preparing and publishing tenders. And it reduces human error and boosts transparency, which lowers fraud risk. It's reasonable to expect such benefits from an e-procurement system an organization optimally designs and operates. Of course, many aren't, but their users don't know it — until fraud strikes.

In fact, Zack says, implementing an e-procurement system or another new technology can affect an organization's risk exposure in one or more of five ways. It can:

  • Eliminate a particular fraud risk.
  • Reduce the likelihood of a fraud risk.
  • Alter the characteristics of an existing fraud risk.
  • Increase the likelihood of an existing fraud risk.
  • Create a new fraud risk.

He offers an example of the last — and worst — possibility. "If a company were to convert its paper-based procurement system to an electronic one without adding adequate controls, it might inadvertently enable a corrupt employee to prevent a legitimate bidder from even registering to learn about contract opportunities and then bid on them," Zack says. "In a paper-based system, it's possible to fraudulently disqualify a valid bid, but very difficult to completely 'lock out' a potential bidder. An electronic system with weak controls will add risk, not reduce it. That's why fraudsters love nothing more than a system designed and implemented by people who don't understand the risk environment."

So don't implement an e-procurement module or any other software, he adds, without first conducting a fraud risk assessment and taking any remedial measures it indicates are necessary, such as adding or strengthening certain controls. One of the best ways to detect and mitigate new, changing or increased risk, Zack says, is to set up an ongoing, cyclical program of fraud risk assessments. (See Resources, ACFE Fraud Examiner's Manual, "Fraud Risk Assessment.")

Fraud risk assessments: who, what, when

"A fraud risk assessment team that doesn't include key client personnel isn't capable of achieving its objectives," Zack says. "Every system and organization has unique quirks known only by the people who interact with them daily."

Therefore, when assessing risk related to, for example, the procurement function, Zack augments his BDO team with staff from at least four client groups: first, whichever department buys the most; second, the procurement staff itself; third, finance; and last, IT. Another factor essential to a successful engagement, Zack says, is high-level, nonpartisan support.

"If the engagement's only sponsor is an in-house CFE or someone in finance, they likely don't have the authority to compel an uncooperative group to participate," Zack says. "That's why support from the board or its audit committee is crucial."

Further, Zack says, "Don't wait for people to abuse your client's procurement system. Advise them to hire a 'tiger team' of 'ethical hackers.' Then, give the tigers a list of potential procurement frauds, and see how many they can perpetrate on the system in spite of its controls.

"That's truly taking the fraud risk assessment to a higher level," Zack says.

Pay to play

" 'Sharp practices' is a polite term for misrepresentations by the buyer that fall short of actual fraud," says Larry Giunipero, Ph.D, CPSM, CPSD, CPM, a professor of supply chain management at Florida State University in Tallahassee.

"Here's an example," he explains. "An unscrupulous purchasing manager feigns interest in a low bid from an inferior-quality supplier the manager would never actually buy from. Then the manager lets a desirable, high-quality supplier know about it, implying that only a very low bid will win the contract. Sometimes that's enough to make the better supplier cut its price.

"When trustworthy procurement professionals call that 'sharp,' they don't mean 'cutting edge,' " Giunipero says. "They mean 'unethical.' " Other examples of sharp practices, he adds, include knowingly deceiving a supplier to realize an advantage, taking advantage of a supplier's financial situation and sharing information on competitive bids.

CFEs might also see it as the purchasing manager's not-too-subtle demand for a kickback, with the desired supplier charging its originally planned price but paying the manager a bribe equal to some or all of the difference between the two suppliers' bids. In this case, the purchasing manager has a conflict of interest — his or her own vs. the organization's — and is betraying his or her fiduciary duty to act in the best interest of the employer.

How can an employer detect such subtle but serious conflict? After all, someone fond of "sharp practices" isn't likely to reveal his infidelity when his organization's COI unit — if there is one — queries him.

The answer: by using two fraud detection tools that together cast a wide net for all signs of fraud. One, the fraud risk assessment (discussed above), is similar to a balance sheet; it provides a snapshot view of risk exposures at a specific date. The other, continuous control monitoring (CCM), resembles a cash flow statement; like a movie, it keeps running, reporting control violations as soon as they occur.

View from the dashboard

"CCM gives you access to 'live' documents and transactions as they execute," says Zachary Rosen, CFE, CIA, a compliance professional with more than 20 years of experience conducting operational audits and fraud investigations for manufacturing, IT and banking firms in the U.S. and worldwide.

"CCM was developed toward the end of the 1990s," Rosen says. "At the time, manual controls were patchy." But, he continues, the Sarbanes-Oxley Act and COSO's risk framework spurred the use of technology to proactively monitor fraud risk exposures in financial applications, including e-procurement systems.

"By making it possible to analyze literally all transactions, CCM greatly improves anti-fraud controls," Rosen says, offering a detailed example: "If a manufacturer operates a fully implemented enterprise resource planning (ERP) system containing electronic bills of lading for incoming raw materials, purchase orders for supplies and invoices to be paid, the ERP's CCM module can perform a three-way comparison of them, and automatically issue an alert if there are any conflicts among these records."

Vendors of large ERP systems offer CCM modules they can customize to match customers' business environment and internal control needs, Rosen says. (See "A CCM Buying Guide".)

How do you interact with the CCM system to manage its settings, receive alerts and share data? That's where the dashboard comes in. (See "CCM Dashboard Tracks Fraud Risks".)

If you see (or hear) something … 

"A proactive corporate client I consulted for wanted its employees to have a way to report anything they came across that didn't seem quite right," says Giunipero. He supported his client's decision to start a multimedia hotline, which would allow employees to conveniently report concerns by phone, web and email, with anonymity guaranteed if they desired it.

"Once the hotline was in place, employees used it to report things they'd heard or seen, in their department or outside it," Giunipero recalls. "The variety of tips and leads was impressive."

On one occasion, an employee anonymously reported that a colleague belonged to the same country club as a salesperson for one of the company's suppliers. The kicker was that the colleague allegedly was trying to steer business to the supplier. That was worth looking into to see whether such a conflict of interest existed or was simply the product of gossip or misinterpretation of an innocent social relationship.

Another communication to the hotline, Giunipero says, reported an overheard conversation in which a supplier's salesperson allegedly said his or her company hadn't paid him or her in weeks — a potential sign of financial problems that, if true, could increase the risk of fraud by that vendor.

In each case, a vendor relationship — an important fraud risk factor — was a key element in what could have been a red flag of procurement fraud. While Giunipero wasn't privy to the outcomes of the two inquiries, he knows his client did the right thing for its employees and itself by making it easy and confidential to report what might be — and often is — a betrayal of trust.

Two kinds of clients

Experienced CFEs have had some of each: the ones who have been victimized by apparently trustworthy people, and those who will be victimized unless you focus them on prevention. Explain the advantages of an ongoing fraud risk assessment program and continuous control monitoring. And don't hesitate to cite that Russian proverb ("Trust, but verify"); it worked just fine for President Reagan.

Robert Tie, CFE, CFP, is a New York business writer and a contributing editor for Fraud Magazine. His email address is: robertxtie@gmail.com.


Trust, but verify

The late former president, Ronald Reagan, knew a good tagline when he heard it. In negotiating strategic arms limitations with the Soviet Union, he shrewdly adopted the most effective one possible: Doveryai no proveryai, a Russian proverb meaning Trust, but verify. When Premier Mikhail Gorbachev observed that Reagan repeated this mantra every time they met, the president candidly replied, "I like it." With good reason. Reagan was making it clear he wouldn't expose the U.S. to a surprise betrayal of trust. In much the same way, business leaders can deter employee fraud in their organizations by letting it be known that "someone is watching." (Source: President Reagan's remarks when the U.S. and the U.S.S.R. signed the Intermediate-Range Nuclear Forces Treaty on Dec. 8, 1987.)


Resources

Fraud Examiners Manual

"Fraud Risk Assessment":

  • Sections 4.703-4.727 define fraud risk assessments and how to prepare for, execute, report the results of and maximize the impact of them.
  • Sections 4.728-4.769 describe the "ACFE Fraud Risk Assessment Tool," a collection of 15 modules, each containing a series of questions designed to help organizations zoom in on areas of risk. Modules 1 ("Employee Assessment"), 2 ("Management/Key Employee Assessment"), 8 ("Purchasing and Billing Schemes"), 11 ("Theft of Inventory and Equipment"), 13 ("Corruption") and 14 ("Conflicts of Interest") are particularly useful in detecting signs of actual or potential procurement fraud.
  • "Conducting Background Checks," sections 3.523-3.525.

Fraud Prevention Check-Up, an affordable, easy way to identify gaps in an organization’s fraud prevention processes.


CCM Dashboard Tracks Fraud Risks

A CCM dashboard can display output from several modules that track fraud risks, such as the examples below.

  • General Ledger module: Checks for conflicts of interest.
  • A/P module: Checks for three-way match-up of purchase order, delivery notes and invoices. Checks for links between suppliers and employees.
  • A/R module: Searches for customer invoices booked without a tax code.
  • Master Data module: Checks for duplicate customers or vendors, missing critical customer or vendor data, customers or vendors with invalid VAT numbers, and transactions booked for unknown customers or vendors.
  • Payment module: Searches for payments to customers or from vendors.
  • FCPA module: Checks for customers and suppliers on lists of known criminals and payments to customers in sensitive regions.
  • Fraud module: Compares employee data with customer and supplier master lists.
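Two of the checks above, the A/P module's three-way match (which Rosen describes in "View from the dashboard") and the comparison of supplier and employee master data, are sketched here. This is an added example, not code from any CCM product or from the article; the records are constructed and the field names and the matching rules are assumptions.

```python
from collections import defaultdict

# Constructed sample records; field names are assumptions, not a real ERP schema.
PURCHASE_ORDERS = [
    {"po": "PO-1001", "vendor": "V-17", "qty": 100, "unit_price": 12.50},
    {"po": "PO-1002", "vendor": "V-22", "qty": 40, "unit_price": 80.00},
    {"po": "PO-1003", "vendor": "V-31", "qty": 10, "unit_price": 250.00},
]
RECEIPTS = [  # bills of lading / delivery notes for goods actually received
    {"po": "PO-1001", "qty": 100},
    {"po": "PO-1002", "qty": 30},
]
INVOICES = [
    {"po": "PO-1001", "vendor": "V-17", "qty": 100, "amount": 1375.00},
    {"po": "PO-1002", "vendor": "V-22", "qty": 40, "amount": 3200.00},
    {"po": "PO-1003", "vendor": "V-31", "qty": 10, "amount": 2500.00},
    {"po": "PO-1004", "vendor": "V-17", "qty": 5, "amount": 900.00},
]
VENDORS = {"V-17": {"bank": "111-222", "phone": "555-0101"},
           "V-22": {"bank": "333-444", "phone": "555-0102"},
           "V-31": {"bank": "777-888", "phone": "555-0199"}}
EMPLOYEES = {"E-204": {"bank": "777-888", "phone": "555-0150"},
             "E-305": {"bank": "999-000", "phone": "555-0102"}}

def three_way_match(pos, receipts, invoices, tolerance=0.01):
    """Return (po, reason) alerts where order, receipt and invoice disagree."""
    po_by_id = {p["po"]: p for p in pos}
    received = defaultdict(int)  # total quantity received per purchase order
    for r in receipts:
        received[r["po"]] += r["qty"]
    alerts = []
    for inv in invoices:
        po = po_by_id.get(inv["po"])
        if po is None:
            alerts.append((inv["po"], "invoice without purchase order"))
            continue
        if inv["vendor"] != po["vendor"]:
            alerts.append((inv["po"], "vendor differs from purchase order"))
        if inv["qty"] > received[inv["po"]]:
            alerts.append((inv["po"], "invoiced quantity exceeds goods received"))
        if abs(inv["amount"] - inv["qty"] * po["unit_price"]) > tolerance:
            alerts.append((inv["po"], "amount differs from ordered price"))
    return alerts

def vendor_employee_links(vendors, employees, fields=("bank", "phone")):
    """Return (vendor, employee, field) where master data share a value."""
    return sorted((v, e, f) for v, vd in vendors.items()
                  for e, ed in employees.items()
                  for f in fields if vd[f] == ed[f])
```

A shared bank account or phone number is a lead to examine, not proof of a conflict; the same holds for a failed match, which may be a timing gap between delivery and invoice.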
