Governments worldwide are beginning to crack down on abuse of programs meant to protect businesses amid the COVID crisis. Forensic Risk Alliance’s Toby Duthie, Matt Bedan and William Mui offer five practical tips to aid organizations in managing this growing risk.
In response to COVID-19, governments across the globe have enacted substantial public sector stimulus programs to protect struggling businesses and employees. As countries begin to take steps to reopen to a post-COVID world, businesses are facing a new set of challenges: Enforcement agencies are preparing to aggressively crack down on abuse of those programs.
Most recently, furlough fraud has been top of mind in that respect, as new allegations in Europe point to extensive misappropriation within government furlough support programs. Recent studies in the U.K. and France indicate that as many as one in three furloughed employees have been asked to work during their furlough periods. As domestic agencies prepare to investigate, solicitors have anecdotally reported an “avalanche” of complaints that are likely to foretell significant public and private whistleblower activity.
Furlough fraud is just one example. In the coming months, the enforcement lens will widen significantly beyond furlough fraud and shift to larger businesses that received government bailouts. Although many of these direct-to-industry loan schemes have longer tails and have not yet made headlines with regard to fraud, they are no less risky for the organizations involved. Experience tells us that over time, these larger organizations will make for increasingly politically attractive and compelling targets, particularly if the perception arises that public stimulus funds were directed toward any use other than the preservation of rank-and-file jobs. For larger organizations, it will be critical to establish an unimpeachable “forensic” audit trail that demonstrates that all stimulus funds were used in accordance with their respective program’s obligations.
Given the changing landscape – economic, commercial and regulatory – this may not be as easy as it seems. In light of this, we offer five practical suggestions to help businesses measure and mitigate this risk exposure. It is worth considering how governments will enforce and how easy (or not) it will be for them to make their case. A lack of affirmative evidence can be very damaging, as companies will struggle to prove that any issues or clear abuse are anomalous rather than systemic.
1. Understand Obligations and Prioritize Compliance
Organizations must carefully review eligibility requirements (which will likely evolve over time), certifications and use restrictions associated with every government loan or grant. Each program should have a carefully thought-out and documented end-to-end process, which includes checklists for regulatory/contractual obligations and maker/checker controls for payments utilizing government funds. As the obligations are determined, each should be translated into corresponding policies, standard operating procedures and trainings in order to facilitate compliance and prevent potential violations.
For example, companies should take proactive measures to ensure that furloughed employees are not asked or pressured to work, and should create and maintain contemporaneous evidence to this effect. This includes promoting transparency around who is furloughed, when, and what the protocols are for furloughed workers. Companies might additionally consider preventative IT controls, such as restricting network access for employees during their furlough periods.
HR training should be provided to managers and workers on their individual responsibilities to maintain compliance, and compliance teams should be thoroughly trained on the underlying obligations and corresponding rules to monitor compliance. They should understand:
- What constitutes an issue?
- What is a false positive?
- And finally, how can this information be cycled back into the compliance process to make it not only more efficient, but more importantly, more accurate and effective at managing and mitigating risk?
Larger businesses that have taken part in direct treasury loan schemes will have more comprehensive and longer-term obligations to account for. This will likely include establishing payroll and disbursement controls to ensure that loan requirements regarding, for example, executive pay or stock buy-back plans are adhered to.
2. Harness and Organize Data and IT Systems
The U.S. Department of Justice’s (DOJ) recent update to its “Evaluation of Corporate Compliance Programs” guidance makes it clear that organizations are expected to leverage data, metrics and other objective evidence to test that their compliance program is working effectively. Particularly for larger multinational companies, this process should go beyond simply tracking traditional compliance data (such as training and audit metrics) and encompass all of the various sources of operational data that could potentially be put to use.
For some companies, this may mean setting up additional general ledger accounts or cost centers to track and account for every cent tied to government stimulus requirements. Financial tracking in this manner should demonstrate a clear correlation between regulatory/contractual obligations and the sources of data that could potentially indicate compliance, or noncompliance, for each.
3. Utilize Data Analytics
By utilizing advances in data analytics, organizations can enhance conduct detection and replace and/or enhance extensive manual controls and verification activities. To do this effectively, businesses must leverage data from all relevant sources, including sales and product data, performance-management data and customer/patient records. An inclusive data analytics model can give a view of risk across activities, business units and geographies. Companies should also consider creating specific sets of compliance reports built directly around government claims or government compliance and embedding them directly into their executive reporting portfolio.
Finally, companies should approach data sources (particularly outside sources) critically and perform the due diligence necessary to understand where the data comes from and how it was created. This includes validating using “golden source” data sets and exercising audit rights for vendors that could potentially impact compliance with relevant programs. This work could have added benefits to a company’s wider compliance program; the better a company knows its data, the more effectively it can be leveraged in adjacent internal monitoring, investigations and compliance analysis.
4. Bolster Internal Whistleblower Programs
An effective internal reporting mechanism is not only a key part of the DOJ’s Guidance, but also an essential element of a strong compliance culture. Studies have shown that strong internal whistleblower programs help foster an atmosphere of trust and open communication, which in turn increases the odds that an employee with a compliance concern will report internally, instead of through the government. Ultimately, companies with higher usage of whistleblower programs have statistically fewer lawsuits and enforcement actions. Thus, it is critical that organizations take internal whistleblower reports very seriously and remediate accordingly.
Implement or maintain a system and create management information to ensure that these complaints are followed up on and closed out as appropriate.
5. Monitor, Audit and Remediate Comprehensively
Companies should adopt stringent compliance and risk management oversight, focusing particularly on data monitoring and documentation, and maintain a clear and comprehensive audit trail in accounting and enterprise resource planning (ERP) systems. This includes documenting all system reviews, upgrades or enhancements undertaken in response to new government obligations.
For example, companies with furlough fraud risk should utilize data within the ERP and IT systems to monitor and review timesheets, expenses, email traffic and usage of firm assets such as computers, messaging and phones to detect anomalies. Once the necessary tracking and rules are implemented, the associated reporting should be systematic, transparent and insightful. In short, if monitoring mechanisms do not give clear insight into possible issues and escalate red flags to the appropriate stakeholders, then they are not adequately serving their intended purpose.