Once again a multi-billion euro industry seems to have fallen foul of the US Foreign Corrupt Practices Act and the UK Bribery Act 2010. Recently the media has been reporting on the start of a criminal investigation into the sales practices of Airbus. It has been reported that the SFO have arrested a number of current and former Airbus employees as part of a long-running investigation into alleged corruption in Saudi Arabia.
The practice of using third party sales agents or consultants and “facilitation payments” is not new, and only the most naïve and innocent company executive would be surprised by the sales tactics used by their agents. There is a good reason why they are “third party and external”, and that is the old excuse of “plausible deniability”. Airbus’ own website states that it has a 40 year relationship in Saudi Arabia, so one has to ask why it is not using its own controlled and ethical sales force to close deals instead of apparently relying on local independent agents as deal fixers.
What is interesting in the press coverage, and I’m enough of a cynic not to believe everything that is published, are the subtexts beneath the eye-catching headlines. These are worth exploring in some detail as they may indicate a change in the risk appetite of multinational organisations.
Relying on External Audits
A quick Google search into this case indicates that concerns were raised as far back as 2007 and that Airbus retained one of the Big 4 to conduct an internal review to discover whether improper payments had been made. It is reported that they found no such evidence, and this report was passed to the SFO in 2012, who apparently commenced their own criminal investigation despite this “clean bill of health”. Clearly the Big 4 report did not convince the SFO that there was no case to answer. Most organisations, both small and large, seem to operate under the misguided belief that an external audit will both discover active frauds and confirm that internal controls are robust enough to detect fraud. The reality is that while a senior audit partner will approve the external report, it will be the most junior audit trainee who is given a “tick box” questionnaire to complete. Detailed analysis of the accounts will depend on the agreed level of “materiality”, which in a multi-billion euro industry could mean single transactions of 500,000 euro or more. Of greater concern is the lack of any independent “Cradle to Grave” process reviews, which would identify the critical high risk areas. Once a Cradle to Grave review has been carried out, every single transaction is verified at each stage of the payment cycle. Most audits, however, only look at a representative sample of transactions to see whether the controls have been followed; they do not check all transactions, as it would be too expensive and time consuming to do so. It would be interesting indeed to see whether the contract between Airbus and its local sales agents in Saudi Arabia included a “Right to Audit” clause and whether the Big 4 audit firm included this high risk area in their audit scope.
Haymarket, with over 20 years’ fraud investigation experience, is often retained by clients to investigate hitherto unexplained anomalies. We are repeatedly told by our clients that they recently had a clean bill of health from both their Internal and External Auditors. They can’t believe that no-one spotted the fraud or the numerous warning signs.
The various media reports in the Airbus case state that it was an internal compliance review which discovered “errors and omissions” in the applications for export financing. Perhaps someone had realised that this was a high risk area and required more than just a cursory glance at the policy and procedures: a more critical approach that looks behind the documented procedure and tests what actually happened.
External Audits vs Critical Point Analysis and Investigations
Neither internal nor external audits are designed to detect fraud. The objective is generally to test and confirm that the existing policies and procedures are operating within established parameters. If the organisation has a fraud policy statement, a pre-employment screening policy, and an ethics or whistle-blowing hotline it may be deemed to have a good counter-fraud strategy, but this gives little or no indication as to how effective these procedures are. If the organisation has not experienced a significant fraud it may take this as a practical affirmation that the controls work, hence the “control delusion” dilemma. Consequently, it comes as a huge shock to the organisation when a fraud is discovered, usually by accident, and senior management ask “How did this happen?”
Figure 1: Why Internal Audit fails to discover fraud
There is a huge difference between conducting an internal audit of control mechanisms and a critical point analysis (“CPA”) which focuses on:
- How to bypass internal controls;
- What means would be used to avoid such controls;
- Who would be in the best position to understand how the controls can be circumvented;
- What level of system or physical access would be required; and
- When would be the best time to strike.
As fraud investigators, thinking like a fraudster becomes almost second nature and the CPA methodology gives a framework to build around. The experience of conducting fraud investigations across the spectrum of private and public companies in multiple jurisdictions provides invaluable insight into the areas of weakness which will be exploited.
Figure 2: How CPA succeeds in identifying weakness and fraud
So what is a “facilitation payment”, how does it work and how would a company know if it had used them? Simply put, a facilitation payment is a payment to a third party to assist an organisation in getting the job done, or securing a contract. For example, this could be the payment of a fee (cash) to a customs official who is delaying clearance because the “paperwork” needs an additional approval fee, or agreeing to process an invoice for “special projects” from a third party. That is the party that gets its hands dirty and sweetens the deal in a number of ways. Let’s break this down a little more: in the case of a cash payment the money must have come from somewhere in the organisation. The accounts will contain a record buried somewhere in an imprest or miscellaneous account. It is highly unlikely that the general ledger accounts will have a code for “slush funds and bribes”, but there may be codes for special projects, incentives or contract negotiation fees.
The recent computer hack and publication of data from the Panamanian company Mossack Fonseca shows how convoluted the paper trail can be to “Follow the Money”, and there have been many corporate scandals over the years centred on “slush” funds held off-shore.
The most relevant attribute of a facilitation payment is that it is approved by the organisation at some level. This is not the innocent payment of a fraudulent invoice, but a conscious decision to pay a third party to assist in facilitating a contract. Historically, this may have been the only way to do business in certain parts of the world, and as they say, some old habits die hard. In the current economic and regulatory climate, organisations are more concerned about the regulatory fines and the adverse publicity that past facilitation payments could inflict on the organisation. Consequently, they are investing in compliance and not investigation departments. The difference between compliance and internal audit may be a bit blurred, but if you consider that Internal Audit verifies adherence to internal policies and procedures, and compliance ensures that all the external AML, sanctions checking and other regulations are complied with, then you can see a clear internal/external split of responsibilities. Both these internally and externally focused operations are looking at current practices, so who should be tasked with the responsibility to turn over historical practices, look under stones and unearth long buried skeletons? Will any Board of Management really approve an open ended brief to have access to all areas and full authority to interview current and past employees? A practical approach would be to appoint one of the Non-executive Directors, a “clean pair of hands”, to control and manage the investigation into past practices. This should not be publicised as an open “Compliance Audit”, but run as a “Covert Compliance Investigation”, which will require the skills and techniques of an experienced fraud investigation team.
Figure 3: Covert Compliance Investigation
The Magic 5 Steps
This paper is not designed to be a “how to” manual, as each organisation and investigation will be unique and the individual circumstances will dictate what course it takes. However, here are five key steps which will be of use.
- Stay covert as long as possible, remember there will be individuals who will want you to find nothing and may actively hinder the process. To avoid conflicting loyalties consider using an external team;
- Map out the operational processes and organisations involved. There may be Head Office financial accounting based in the UK running the latest SAP suite of programmes, but the local system in the emerging market could be 20 years old and home grown. Fully document how financial and management information is transferred and imported into the UK Head Office system. Don’t accept what you may be told; go back to original sources and verify them independently. In the lead up to the collapse of Barings Bank in 1995 both internal and external auditors reviewed Nick Leeson’s operation in Singapore and found nothing wrong. What they failed to detect was that the Singapore back office system produced a number of reports which were transferred to the London systems. They didn’t check whether the number of reports produced in Singapore was the same as the number of reports received in London. There was one report missing: the “five-eights” report, which contained details of all Nick Leeson’s losses.
- Remember that in some countries, to set up a company, the major shareholder, owner, and principal will have to be a national. Conduct a full conflict of interest review, mapping out all family relationships, declared and undeclared, extending beyond the immediate family to take into account uncles, in-laws (remembering that certain religions allow a husband to have several wives), cousins etc. In some cultures all members of a particular ethnic community may need to be included.
- Let data analytics do the hard number crunching, but remember that data comes in all shapes and sizes. Sometimes it is not what the data is telling you, but what’s missing. Generally, you would expect to see some sort of pattern due to repeated activities. For example, the standard supplier payments run always takes place on the 15th of the month. If that pattern is missing or disrupted it may be because the data has been sanitised or a process altered. Be very wary of missing backups, system upgrades and any deviations from normal working practices. Create legally acceptable forensic images to produce a comprehensive data index. This will enable raw data to be analysed to produce actionable intelligence. Different analysis tools, such as Haymarket’s own Investigative Data Analytics applications and other link analysis tools, can be used to diagrammatically represent relationships without being overloaded with too much information. This will ensure that the results can be presented to the Board, and more importantly, Financial Regulators and Law Enforcement, without overwhelming them with too much raw data.
- Don’t take anything for granted: test, re-test, re-verify and think outside the box.
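Two of the checks described above, the Barings-style reconciliation of reports produced at a branch against reports received at Head Office, and the search for a broken payment-run cadence, as an added example written for this article and not code from Haymarket or any product it names. The report names, payment dates and the expected run day are constructed sample data.

```python
from collections import Counter
from datetime import date

# Constructed sample data (not from the article): reports the branch back office
# logged as produced, versus the reports the Head Office system logged as received.
BRANCH_PRODUCED = ["DAILY-PNL", "POSITIONS", "MARGIN-CALLS", "ERROR-ACCT-SUMMARY"]
HQ_RECEIVED = ["DAILY-PNL", "POSITIONS", "MARGIN-CALLS"]

# Constructed supplier payment runs; the expected cadence is one run on the 15th each month.
PAYMENT_RUNS = [date(2016, 1, 15), date(2016, 2, 15), date(2016, 3, 22), date(2016, 4, 15)]


def missing_reports(produced, received):
    """Return report names produced at the source but never received downstream.

    Counter subtraction keeps only positive shortfalls, so a report produced twice
    but received once is flagged as well.
    """
    shortfall = Counter(produced) - Counter(received)
    return sorted(shortfall.elements())


def cadence_gaps(runs, expected_day, start, end):
    """Return (months with no run on expected_day, runs that fell on another day).

    A run on a different day is listed separately rather than counted as a match:
    a shifted run is a deviation from normal working practice that needs explaining.
    """
    on_day = {(r.year, r.month) for r in runs if r.day == expected_day}
    off_cadence = [r.isoformat() for r in runs if r.day != expected_day]
    months = []
    y, m = start.year, start.month
    while (y, m) <= (end.year, end.month):
        if (y, m) not in on_day:
            months.append(f"{y:04d}-{m:02d}")
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)
    return months, off_cadence


def run_checks():
    """Run both checks over the constructed sample data and return the findings."""
    gaps, shifted = cadence_gaps(PAYMENT_RUNS, 15, date(2016, 1, 1), date(2016, 4, 30))
    return {
        "reports_never_received": missing_reports(BRANCH_PRODUCED, HQ_RECEIVED),
        "months_without_15th_run": gaps,
        "runs_outside_cadence": shifted,
    }


if __name__ == "__main__":
    for finding, value in run_checks().items():
        print(f"{finding}: {value}")
```

Both checks are deliberately about absence: the interesting line is the report that never arrived and the month where the usual run did not happen, which a sample-based control test would not surface.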
At the start of this article I mentioned a possible changing risk appetite. Are current multinational boards prepared to look at their own organisation’s dark and scary past? Only time will tell.
For more information about how to detect bribery and corrupt facilitation payments contact Haymarket.