
COVID-19: be alert to fraud, compliance and integrity risk during the crisis

While worldwide crises like the COVID-19 pandemic can bring out generosity and support in some, they can unfortunately bring out the worst in others – including those who take advantage of confusing situations in order to perpetrate frauds.

Some of the most brazen fraudsters during the coronavirus crisis have already generated headlines. Con artists who peddle bogus online cures and identity thieves who lure victims into clicking on phony links to access government benefits have drawn public scrutiny – and well-deserved public scorn.

But less flagrant, low-profile fraudsters are equally active during uncertain times, and the damage they can inflict is no less malicious. White collar criminals – including dishonest employees, managers and executives – are notoriously adept at exploiting crises. They recognize vulnerabilities and opportunities, and adapt their schemes to take advantage.

Today’s unprecedented business volatility and the distractions associated with massive public health and economic disruptions make it imperative that companies develop and adapt their anti-fraud strategies and deploy appropriate tactics to manage the rapidly increasing – and always evolving – fraud risks.

Fraud in a “normal” crisis environment

People behave differently during a crisis; their individual behaviors do not always correspond to the way they would behave during everyday life. They are motivated by different emotions and follow lines of reasoning that are unlike those they normally apply.

During the 2008 financial crisis, for example, anxiety, fear, confusion and disbelief pushed some in the financial industry to make poor decisions about how they managed loan portfolios. Some crossed ethical boundaries. Others – including many investors – made unwise decisions, driven in part by panic and uncertainty.

Crises also tend to inhibit fraud detection activities. It is generally recognized that the most common scenario for uncovering an internal fraud scheme begins with a tip from a suspicious employee. During a crisis, however, those employees are more likely to either overlook ethical violations, or simply not bother reporting questionable behaviors because they are distracted by other concerns that they perceive to be more urgent.

It is no surprise that bad actors will use a crisis to delay, shortcut or skip control procedures. But under pressure of a crisis, even generally trustworthy employees can be tempted to override or circumvent controls "just this one time," knowing the likelihood of getting caught is decreased. This is particularly true when they can justify their actions in their own minds as being a necessary, one-time response to an unforeseen emergency.

In many instances, a crisis also increases the pressure on senior management and sales personnel to meet their performance and sales targets. This pressure can make them more likely to resort to inaccurate reporting or other obfuscations, or to override necessary controls to produce satisfactory results.

Clearly, companies and their boards need to recalibrate their oversight – and in most cases, increase it – during a crisis. Moreover, continued vigilance will be essential in the months subsequent to the immediate crisis, as management and employees turn their attention from the day-to-day struggle to maintain operations and begin looking for ways to make up for lost opportunities.

What makes this crisis different?

The pressures and fraud concerns that are common to all crises are certain to happen during the COVID-19 crisis. In addition, however, the healthcare and economic disruptions brought on by the COVID-19 pandemic also present some unique challenges that can further inhibit the effectiveness of anti-fraud efforts.

One particularly relevant concern is the way in which this crisis is restricting live human interactions. As noted earlier, employee tips are the impetus for most successful fraud investigations. Employees working from home are likely to have far fewer opportunities to observe others’ questionable behaviors and raise the alarm.

Self-isolation and social distancing also inhibit the ability to conduct investigations and make it much more difficult to maintain compliance programs, perform internal audits and carry out other well-established risk management practices. There is also the risk that some key audit and anti-fraud personnel and executives will be incapacitated by the virus, opening up new fraud opportunities that might not otherwise occur.

Bad actors are always lurking, so vigilance is important. In addition to being alert to those who use the crisis as an excuse for not performing key tasks, here are some other areas that merit particular attention and consideration from board members and senior executives during the COVID-19 crisis. Obviously, there is no such thing as a complete or all-inclusive list of risks, but it can be helpful to begin thinking about the issues by organizing them into the following broad categories:

Management and financial reporting issues:

  • Compensation models that reward based on financial performance
  • Management override or circumvention of controls
  • Revenue recognition schemes
  • Opportunities for bribery to assist in obtaining or retaining business
  • Pressure to comply with bank covenants or other contractual obligations
  • Insider trading schemes
  • Fair disclosure (Regulation FD) violations

Vendor, supply and asset management issues:

  • Shortages of critical products, supplies or services that could present opportunities for bribery or collusion with vendors
  • Inferior, substandard or counterfeit products used to offset shortages of supplies or equipment
  • Reduced or lack of due diligence when onboarding a vendor or customer
  • Side agreements involving either suppliers or customers
  • Loss of physical control over assets

Technology issues:

  • Requests by users for IT system access to modules, folders or applications that had previously been denied or deemed unnecessary
  • Granting of system access with inadequate assessment of risks, including the theft of intellectual property
  • Phishing schemes
  • Reliance on technology with missing or inadequate quality control procedures
  • Leaks of confidential internal information

Employee and personnel issues:

  • Gaps created when employees’ roles and responsibilities change; overreliance on others’ skills and capabilities to fill the void
  • Overworked employees who are tempted to take shortcuts or skip necessary controls
  • Translation loss when meetings are done over a video conference or telephone
  • Shortcutting of hiring practices to meet immediate needs
  • Employee terminations or furloughs made without adequate security and system safeguards
  • Time and billing fraud involving remote workers
  • Expense-manipulating schemes
  • Reduced or no time to monitor key risks or follow up on remediation activities

In addition, the numerous (and still expanding) federal and state programs designed to alleviate the financial consequences for businesses also present new areas of risk. These include programs such as employee retention tax credits, the Paycheck Protection Program (PPP), Economic Injury Disaster Loans (EIDL), and tax credits for sick pay and paid family leave benefits, among many others.

All these programs – and the additional initiatives that are sure to follow – offer new opportunities for abuse or compliance failures, some of which could be exploited by managers who are struggling to keep their businesses operational during the crisis.

Tools for an effective response

Just as there is no comprehensive list of crisis-related fraud risks, there also is no all-encompassing list of fraud risk management or remediation tools. In fact, any attempt to devise such a list must necessarily incorporate the full range of today’s recognized fraud detection and deterrence tools.

Although a conclusive checklist is an impossible goal, we can identify a few anti-fraud practices that merit special mention in the current crisis:

  • Reviewing, reassessing and updating all relevant crisis plans
  • Continuing with ongoing ethics and compliance training, even in remote-working environments
  • Avoiding delays to time-sensitive internal investigations
  • Adapting and updating security protocols for electronically stored data
  • Continuing with established compliance reviews, including both internal and third-party audits
  • Conducting ongoing monitoring of physical inventory

Close collaboration among the company’s legal, compliance and internal audit functions is also important. In addition, the board’s audit committee should explore with senior management its plans for monitoring and dealing with fraud risks during the crisis.

Finally, it is important to bear in mind that most employee frauds are not carefully planned, ingenious schemes. Rather, most fraudsters are opportunists – they rush to exploit a weakness as soon as they identify it.

During a crisis – and particularly during the current crisis – the rapid pace of change and the constantly changing risks mean that new opportunities to commit fraud will continue to emerge throughout the duration of the event. As the health and economic impacts of the COVID-19 virus spread, recognizing the risks and staying vigilant will continue to be essential functions for boards, senior executives and fraud deterrence professionals.

For more on compliance and crisis management from Jonathan Marks, download his e-book “The continued evolution of best practices for compliance programs” here.

Jonathan T. Marks
Partner, CPA/CFF, CITP, CGMA, CFE