In this Q&A with Financier Worldwide, Mark Pulvirenti shares his insights into the latest trends in corporate fraud & corruption in Australia including recent regulatory developments, key steps to addressing suspicions of fraud or corruption in an organisation and tips on implementing robust fraud and corruption risk management processes at your company.
Q. To what extent are boards and senior executives in Australia taking proactive steps to reduce incidences of fraud and corruption from surfacing within their company?
PULVIRENTI: There is a mixed appetite across Australian corporates for proactive fraud and corruption risk management. While some typically larger, more sophisticated companies proactively work on compliance programmes and devote senior resources to overseeing efforts internally, most could best be described as ‘works in progress’. Few companies address fraud and corruption effectively as an operational risk or take the time to identify and articulate the many fraud and corruption risks in a fraud and corruption risk register. These companies typically have certain anti-fraud and corruption procedures in place, for example they have a code of conduct, may engage in training employees and have a whistleblower hotline. However, these procedures are not typically tailored to identified fraud and corruption risks, they lack appropriate leadership and resources and they are often inadequate. Our observations have been that boards are generally reluctant to invest in fraud and corruption risk management in the absence of a previous significant fraud or corruption incident. However, with foreshadowed legislative amendments and the need for ‘adequate procedures’, boards will need to reassess their companies’ positions.”
Q. Have there been any significant legal and regulatory developments relevant to corporate fraud and corruption in Australia over the past 12-18 months?
PULVIRENTI: From 1 July 2019, protections for whistleblowers contained in the Corporations Act were expanded. Further, from 1 January 2020, public companies, large private companies and superannuation corporate trustees are now required to have a whistleblower policy. In December 2019, the federal government tabled the Crimes Amendment (Combatting Corporate Crime) Bill 2019 in the Senate. Around the same time, the government also issued related draft guidance. The bill is similar to a 2017 bill of the same name, which lapsed due to the federal election. Broadly, among various other legislative amendments, the bill proposes the introduction of a new, strict liability corporate offence for the ‘failure to prevent’ foreign bribery and to introduce a deferred prosecution agreement (DPA) scheme. If passed, Australia’s foreign bribery laws will be considerably strengthened while DPAs will bring Australia into line with the US and UK in terms of the ability to resolve serious corporate crime.
Q. When suspicions of fraud or corruption arise within a firm, what steps should be taken to evaluate and resolve the potential problem?
PULVIRENTI: There are various factors to consider when allegations or suspicions of fraud or corruption are raised, such as the nature of the allegations, the identity of the alleged or suspected perpetrators, whether alleged or suspected conduct may be ongoing, whether the issue presents legal jeopardy to the company, and so on. Properly planning an investigation is essential. Knowledge of the allegations needs to be restricted as much as possible. However, internal functions including legal counsel, internal audit, human resources (HR) and IT should be informed. Steps will need to be taken to understand the risks facing the company and to identify, preserve and ultimately collect digital and other evidence in a forensically sound manner to preserve chain of custody integrity. Decisions will need to be made as to whether external counsel should separately be engaged to protect and preserve legal privilege and whether the investigation will utilise internal or specialist external investigative resources. Either way, independence will need to be maintained; adequate numbers of sufficiently skilled resources will need to be deployed; and a legally sound work plan will need to be agreed.
Q. Do you believe companies are paying enough attention to employee awareness, such as training staff to identify and report potential fraud and misconduct?
PULVIRENTI: Training is prevalent in Australian corporations, covering issues such as bribery and corruption awareness, general ethics, conflicts of interest and cyber or data security. While more is always possible, companies need to find a balance between adequately equipping their employees and overloading them to the point of disengagement. While training is a common element of overall compliance programmes, it is often one of the only elements visible within a company. Companies often fall into the trap of thinking training is all they need to do. The introduction of ‘adequate procedures’ as the only defence to a potential ‘failure to prevent’ offence will require boards to sharpen their focus as to what an overall compliance programme looks like and the part that training plays in that programme. It cannot be a standalone issue.
Q. How has the renewed focus on encouraging and protecting whistleblowers changed the way companies manage and respond to reports of potential wrongdoing?
PULVIRENTI: There is a deep-seated culture across corporate Australia of ‘no dobbing’. For many years, whistleblowers have faced enormous difficulties after having blown the whistle, including termination of employment, litigation and significant difficulties in finding further employment. The introduction of enhanced whistleblower protections in the Corporations Act last year is, however, an essential tool in the government’s fight against corporate crime and will change the dynamics around whistleblowers. We have seen the benefits of whistleblower protections and incentives in the US, through the Securities and Exchange Commission’s (SEC’s) Office of the Whistleblower. With financial incentives on offer in the US and no credible protections in place in Australia for at least half of 2019, 28 reports were submitted from Australia to the SEC last year regarding corporate behaviour, making Australia the fifth- highest source of matters reported to the SEC from outside the US. This would indicate that whistleblowers have credible information as to companies’ misdeeds and, in an environment in which they feel protected, may be more inclined to report wrongdoing.
Q. Could you outline the main fraud and corruption risks that can emerge from third-party relationships? In your opinion, do firms pay sufficient attention to due diligence at the outset of a new business relationship?
PULVIRENTI: Risks posed by third-party intermediaries are significant and feature in many reported corporate crime matters. There is often an incorrect perception that if a third- party does something wrong, it has no bearing on the corporate engaging them. However, the concept of ‘wilful blindness’ is not a defence to the actions of third parties. Many organisations have longstanding relationships with legacy third parties and, in most instances, virtually no ‘integrity’ due diligence has been performed. Where new relationships are formed, in an era of greater awareness of the need to conduct due diligence, however, there is an increasing focus on integrity due diligence, in addition to the focus already placed on standard legal and financial issues.
Q. What advice can you offer to companies on implementing and maintaining a robust fraud and corruption risk management process, with appropriate internal controls?
PULVIRENTI: Effective fraud and corruption management needs to be risk-based. An organisation needs to understand what its risks are and where those risks lie in order to deploy its limited resources to higher risk areas. Having a code of conduct and staff training alone does not constitute an effective risk management programme. While a programme will be tailored according to risks, there are various core pillars that will, collectively, establish an effective fraud and corruption risk management framework.These pillars include adequate policies, procedures and controls, effective communication and training, adequate oversight and monitoring, investigations, discipline and reporting and dealings with third parties. Once a risk-based programme is in place, companies should not ‘set and forget’. When key elements of a business change and at regular intervals, companies should refresh their risk assessments and update their programmes so that they continue to provide a critical foundation for the entity.
“ The introduction of enhanced whistleblower protections in the Corporations Act last year is an essential tool in the government’s fight against corporate crime and will change the dynamics around whistleblowers. ”