Insights

Tell Me Who You Work With and I’ll Tell You Who You Are!

Fikret Sebilcioğlu
Article

You must have heard the saying “Tell me who you go with, and I’ll tell you who you are.” It is an impressive proverb that means if one’s circle of friends is made of bad people, these bad people will eventually make you do bad things. Looking into the root causes of the “worst things” that can happen to a company including corruption, bribery, and other fraud schemes, we mostly find third parties, which shows us that this proverb easily applies to companies.

The leading actors of the bribery scandals that cost Siemens 1.6 billion USD and GlaxoSmithKline 490 million USD are “third parties.” Because of a number of corruption and bribery cases caused by the failure to manage third party risks, anti-bribery laws that have recently come into effect including FCPA and UK Bribery Act give extra importance to this issue.

Who are these third parties? It would not be wrong to define the universe of third parties as all the shareholders who are not the company’s employees and partners. Customers; suppliers who purchase goods; service providers from whom service is purchased including counselors, tourism agencies, and accountants; distributors; agencies; contractors; subsidiaries and joint ventures are some examples of third parties.

2016 Report of Association of Certified Fraud Examiners (ACFE) reveals a striking statistic. In 21% of corruption (bribery and conflict of interest) cases, the fraudster commits a fraud alone, whereas the rate of corruption cases that several people within a company are colluding is 37.4%. 72.9% of corruption cases occurred when fraudsters within a company partner up with third parties (customers and suppliers) of the company. These rates are generated from real 2.410 cases in the study. Even this percentage alone shows the extent of risks that may occur due to third parties.

The 2016 Third Party Risk Management Benchmark Report by Navex Global asks companies which areas related to third parties they consider the most risky in terms of their codes of conduct and compliance. The top three areas identified are Conflict of Interest, Bribery and Fraud, in order! Another question asks companies what their three objectives are in terms of third party risk management. The answers, in the order of importance, are: (a) Protecting the company against risks and damages (b) Obeying laws (c) Creating a transparent and accountable business culture.

The Most Common Third Party Fraud Risks

a) Third parties in creating slush funds (bribe money) and giving bribe to officials: Third parties are frequently used as a tool for creating bribe money and bribing officials. We hear such news as “The company bribed officials with the amount of …….” Do you think this bribe goes out of the pockets of company managers? Of course not. In corporate firms, in order to bribe someone bribe money or slush fund needs to be created. Here take the stage third parties who tend to fraud and with compromised business ethics. As per this method, third parties chosen as service providers generally submit fictitious invoices for services that have not really been purchased by the company. The company executives pay these invoices and thereby, a slush fund is created at third parties. Naturally, third parties with compromised business ethics receive commissions for the services rendered. Now the bribe money is available and this money can reach to anywhere bribe may be given via the third parties. It is also important to bear in mind that bribe is not only given by money, but also by gifts, trips, entertainment and in several other forms.

b) Third parties in commercial bribery: Bribery occurring between two private companies is called commercial bribery. This form of bribery is engaged via a very commonly encountered method in the world of business: kickbacks. In this method, the perpetrator working for the victim company conspires with the supplier of the said company. The supplier issues invoices at the inflated amounts than they should be to the victim company or submits fictitious invoices for goods not sold or services never rendered. The perpetrator abuses his position at the company for his personal interests and enables these invocies to be paid to the supplier. The supplier that collects the money pays a commission to the perpetrator. Here, the supplier (in other words, third party) plays a critical role in realizing a fraud.

c) Third parties in conflicts of interest: As per the ACFE Report, a conflict of interest occurs “when the professional role of an employee (deputy) in a company that is authorized to act on behalf of the employer (actual) is impacted by an undisclosed (confidential) personal or economic benefit against the employer.” A conflict of interest has a different scenario than bribery. In bribery, the perpetrator abuses his position for the benefit of a third party in exchange for a commission. Whereas in a conflict of interest, the employee that commits the fraud works for his own benefit, not a third party. Although the result is the same as bribery, now the “third party” is someone the employee has a direct interest from (e.g. a partner, a relative).

As you see, third parties act in different points of fraud.

GlaxoSmithKline Case

The British pharmaceutical company GlaxoSmithKline (GSK) was blamed to bribe Chinese officials and doctors via travel agencies to increase its sales. The report states that GSK transferred a bribe of 3 million Yuans (489 million US Dollars) via 700 travel agencies and consulting companies (namely, took the company’s money out) for 6 years starting from 2007. The scheme used is the following: GSK signed secret contracts with travel agencies to purchase fake “conference services.” These travel agencies issued invoices to GSK for such fake services. GSK paid the travel agencies and recorded the respective amounts as expenses in the profit and loss accounts. The travel agencies transferred the slush fund created to doctors and government officials as per the instructions of the GSK executives.

Liang Hong, one of the executives who were blamed, said something quite interesting: Travel agencies were used more and more frequently in creating slush funds and travel agencies started to compete each other to work with GSK due to the appeal of the commission to be earned.

 

How To Manage Third Party Risks?

Anti-corruption and anti-bribery laws consider third party risks as the company’s own risk and expect companies to take precautions against such risks. On the other hand, we see a number of cases of fraud that occur in private companies involving third parties. At this point, what actions can minimize (even if not eliminate) such risks come to minds. This article will dwell on the two most effective anti-fraud controls: Due diligence and tips.

a) Due diligence against fraud and corruption risks involving third parties

Due diligence is conducted to assess the risks of fraud and corruption by third parties to be formed a partnership with. It would not be favorable to conduct the same scope of due diligence for all parties in terms of using resources efficiently. Therefore, a risk-based due diligence is of critical significance. In other words, a more detailed due diligence is inevitable for third parties that pose a relatively higher risk of fraud and corruption. Due diligence can be conducted in four phases as detailed below. According to the risk assessment carried out in the first phase, the scope of the remaining phases may be determined.

Phase I- Risk assessment

  • General understanding of the operations of the third party
  • Understanding the anti-corruption policies and procedures of the third party
  • Background check using the open souce data related to the third party
  • Company’s shaerholders and senior executives
  • Affiliates and subsidiaries
  • News search on the internet
  • Lawsuits opened against the third party and bankruptcy/ suspension of bankruptcy
  • Reputation analysis on company’s shareholders and executives
  • Meetings with the company’s executives
  • Details of operations
  • All kinds of connections with public companies and government officials
  • Third parties used
  • Culture of giving gifts
  • Cash resources, trade payables, reporting of expenses by employees and paying for these expenses, payroll, gifts or donations to political and charity causes
  • FCPA, other anti-bribery laws compliance programs and procedures
  • Identification of red flags. The followings can be given as examples to red flags:
  • Ties to public companies and government officials
  • Request to work without a contract
  • Reluctance to sign certifications on compliance with anti-bribery and anti-corruption laws
  • Using a high amount from petty cash
  • Requesting a high amount of advance money at the start as a working condition
  • Lack of transparency in certain processes
  • Unexplained turnover and profit increases
  • Collections from abroad or payments to overseas bank accounts
  • Expenses without a commercial basis paid to clients, especially government officials
  • Donations to institutions that have ties to the government
  • Indirect or unusual payment or billing requests

Phase II- Due diligence procedures

  • Detailed meetings with the third party executives
  • Detailed review on high risk areas (by using forensic accounting techniques)
  • Inspecting client/supplier files and respective accounting records
  • Transactions with public companies
  • Transactions / business relations with the customs, taxation and regulatory authorities
  • Petty cash and bank activities
  • Travel, gifts and entertainment expenses
  • Donations
  • Control environment regarding the payment from petty cash and bank

Phase III- Approval process and post-approval risk management

  • Deciding on approving the candidate as a third party to work with
  • Documenting the process
  • Approval process
  • Post-approval risk management and minimization (items to be added in the contract)

Phase IV- Actions to take, once you start working with a third party

  • Supervision measures

b) Tips

One of the most effective methods of detecting corruption and fraud committed via third parties is tips. ACFE’s 2016 Report states that the rate of detecting fraud throughs tips is approximately 40%, while the rate by the second most effective method, internal audit, is 16%. This difference in percentage shows how effective tips are. Bear in mind that tips can be done in various ways (hotline, e-mails or other communication media). However, when a company has a systematic tips mechanism in place, detection of fraud becomes much easier. ACFE Report shows that in institutions with a tips mechanism in place, 47% of fraud is detected via tips, while in institutions without a tips mechanism, this rate decreases to 28%. In short, an environment that is created with a tips mechanism and respective policies and procedures encourages employees to report fraud.

In order to minimize the risk of fraud and corruption in our company, we need to consider the third party risks as our own due to changing legal obligations, which requires us to know very well the companies we do business with.

However, I want to know you… Could you tell me who you work with?

Related Insights