Companies across the globe continue to grapple with the devastating and unprecedented economic effects of Covid-19. Fraudsters keen to exploit opportunities exposed by the pandemic have already perpetrated a number of multimillion-dollar frauds in relation to Personal Protective Equipment (PPE) and government stimulus schemes. Phishing and smishing scams are on the rise as cybercriminals target staff working from home in attempts to secure rushed transfers of cash. In addition, scammers are quickly establishing fake charities purporting to provide international Covid-19 relief, making it more challenging for the philanthropically minded to support recovery efforts without inadvertently falling victim to fraud.
As the Covid-19 economic “tide” continues to recede, expect to see large-scale cross-border fraud schemes uncovered and accounting irregularities exposed, in much the same way that serious misconduct came to light after the 2008 financial crisis and 2001 dot.com bubble burst.
For businesses looking to create long-term benefits from this crisis, a clear opportunity now presents itself to reevaluate and streamline compliance and investigations approaches. Governance and control frameworks have been stress-tested over the past few months and this has given rise, out of sheer necessity, to certain compliance protocols that were previously unheard-of. The key to protecting stakeholder value is leveraging the right tools and technology to implement permanent cost-effective enhancements that work regardless of whether oversight is remote or in-person.
Culture of Compliance in a Covid-19 World
Culture must be front-of-mind for organizations so that employees facing significant personal and professional challenges during the crisis are shown a clear, guiding light from both top and middle management to support ethical decision-making.
Revised internal controls for those working from home should be low-friction, such as electronic rather than physical review, and should include approval chains and retrospective reviews if real-time monitoring is not possible.
Confidential information flows need to be protected, with controls around access, supervision, printing, storage, and transmission of such data adapted for home-working. A self-certification procedure declaring clear home desk policy compliance should also be considered.
Often informal conversations and information received through the grapevine act as an effective early warning system for compliance personnel. Clearly, this is not possible in the same way as it was before. But the conditions for such conversations can be re-invented for home-working through morning and evening virtual team “huddles” and frequent informal check-ins with the business via calls and online chats.
This is also the time to refresh risk assessments in light of the pandemic and economic crisis, re-visit bonus and incentive structures that may increase fraud risk, reinvigorate due diligence efforts, particularly on new suppliers, and renew training to include emerging fraud and regulatory risks.
Across industries, whistleblowing reports are increasing, both for Covid-19 related scams and non-related issues. Many would-be whistleblowers may be feeling more comfortable speaking up from home now that they are removed from an intimidating person or situation. In response, organizations should continue to encourage a speak-up culture and prepare for an increase in demand for investigative resources.
Of course, the most challenging aspect can involve executing a socially distant investigation once misconduct is detected.
Navigating a New Landscape—Socially Distanced Investigations
Like most professionals worldwide, investigative teams including in-house investigators, external counsel, and forensic accountants are now working remotely. This brings a unique set of challenges, as typical processes around evidence gathering and interviews have to be adjusted. In turn, we’ve seen the pandemic slow the pace and effectiveness of some investigations, but that does not have to be the case.
To conduct a successful remote investigation, consider the following steps and insights:
1. Planning, Preparation, and Prioritization
Careful thought should be given to prioritizing which investigations to continue/begin and which to pause/postpone. Factors such as regulatory implications, seniority of staff implicated, magnitude of loss, and reputational issues must be considered. Investigation scope should be tightly controlled and well-documented, and resources allocated accordingly.
2. Data Preservation
The top priority at the outset of any investigation is to lock down the evidence. Despite the restrictions placed on investigators by international data protection laws, most electronic evidence can be forensically imaged and preserved remotely. If physical items such as hard drives, mobile phones or USB storage do need to be processed in person, teams should consider secure transportation and decontamination before handling. Even for investigations that are to be paused or postponed, securing the evidence for future review should be undertaken as soon as possible to minimize the risk of data loss or tampering.
3. Interviews
Difficult decisions are needed on whom to interview remotely and whom to wait to interview in person. Interviews with potentially uncooperative witnesses, which require significant rapport building better done in person, should be delayed to the extent possible. For remote interviews, take the proper precautions to ensure that the discussion is conducted in a manner that complies with relevant internal policies and applicable legislation. At the very least, this means a secure line and private location for all participants, quiet setting, clear picture, good connectivity, etc., and as a result, may require more time than a traditional interview.
If the plan is to record the interview, review the laws and regulations to ensure protocol is followed. This is especially important as the remote interview is likely taking place across different jurisdictions. Another risk to address is the possibility of third parties being present, yet out of camera view. Be as thorough as possible when addressing confidentiality and privilege for all aspects of the interview.
4. Separate Fact-Finding and Remediation Workstreams
Despite the inherent challenges given the current environment and constrained resources, compliance leaders are well-served by activating two separate workstreams—one for fact-finding and one for remediation—rather than delaying corrective action pending the outcome of the investigation. The stakes are high right now, and separate workstreams will help cover your bases should a regulatory inquiry arise.
The fallout from the pandemic has forced compliance and investigation teams to adapt quickly. Investigations cannot come to a screeching halt, especially in such a high-risk environment. Use this time to identify and iron out inefficiencies in your current compliance framework, and take the opportunity to improve relationships between compliance and the business. With some blue chip companies planning exits from expensive city center premises and moving towards permanent home-working, the once novel concept of off-site compliance teams watching over an entirely remote workforce may become the norm.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Annabel Kerley, a partner with StoneTurn, qualified as a Chartered Accountant in 2004. She specializes in forensic accounting, and has built a considerable track record in leading criminal, regulatory and corporate investigations in the financial services, technology, media, retail, public sector and healthcare industries.