One of the largest PR firms in the world is going through its own minor PR crisis this week, with its former CFO pleading guilty to embezzling $16 million from the firm over the course of nearly a decade.
Frank Okunak, who ran financial operations at PR firm Weber Shandwick from 2009 to 2019, pleaded guilty in federal court on Wednesday to charges that he falsified invoices and evaded other corporate internal controls; embezzled funds pretty much every year he was a senior executive at the firm; and used the money for personal expenses such as luxury suites at sports stadiums and funding side businesses he owned.
Compliance professionals should give this case a close read, since it offers useful lessons about fraudsters, the design of internal controls, and the limits of such controls in the face of a determined fraudster.
So what happened? As described in the complaint filed against him by the Securities and Exchange Commission, Okunak used various bits of accounting chicanery to have Weber Shandwick work with vendors in which he secretly had an ownership stake (and typically those vendors didn’t deliver the promised services anyway); and to divert company money to pay for personal expenses.
For example, on one occasion Okunak cooked up fake purchase orders so that Weber Shandwick paid $2.5 million to an e-sports entertainment company that Okunak actually owned. The money went to cover that e-sports company’s operating expenses, rather than to perform any services for Weber.
On another occasion, a Weber Shandwick vendor had billed the firm $77,000 for services that vendor had provided to a third company — a company where Okunak had an ownership interest. The invoice specifically referenced that third company. Before sending along the invoice for payment, Okunak scrubbed all mentions of the third company. On multiple occasions, the SEC said, “requested that invoices be provided in a format that would permit his further editing.” Yikes.
His scams to cover personal expenses were no better. In 2012, Okunak submitted false documentation so that Weber would pay $20,000 to Rutgers University, ostensibly for Rutgers to conduct a research survey. In reality, the money paid for classes Okunak was taking there — and then he got a refund from the school, and kept the $20,000 for himself.
For whatever it’s worth, Okunak is now sorry for his misconduct. In a statement provided to trade publication PR Week, his lawyer Paul Krieger said Okunak “has accepted full responsibility for his conduct, deeply regrets his wrongdoing and is doing all he can to move forward in a positive manner.”
Where Internal Control Went Wrong
One issue here for compliance and internal control professionals is how Okunak committed his frauds — like, the mechanics of paperwork and approval processes — and what measures a company should implement to prevent such shenanigans.
First are the fundamental controls that every company should have in place, no matter what.
- Conflict of interest disclosures. All directors, officers, and senior executives should be required to disclose any ownership stakes or other financial interests they might have in the company’s vendors. This should be a written attestation done at least annually.
- Code of Conduct attestations. Seems obvious, but have all employees read the Code of Conduct and certify that they understand and will abide by it.
- Vendor onboarding procedures. These procedures should include due diligence to confirm the identities of all owners and controllers, and to identify potential conflicts with your own business.
- Payment approval processes. The company should have written policies for how payments to vendors are issued. Typically, all payments should first require a purchase order, and then a detailed invoice listing services rendered. Plus, the person approving the payment should not be the same person who created the original PO.
All this may seem basic to many readers, but that’s precisely the point. Your company needs to be doing all of the above because they are fundamental to effective internal controls. Even if your internal controls don’t work as intended — and we’ll get to Okunak’s particular misconduct momentarily — they do need to exist. Otherwise your company is a sitting duck for audit firms to declare a material weakness in the 10-K or, worse, regulators take enforcement action against your company.
Now back to Okunak. He circumvented all those internal controls in two ways.
First, sometimes he lied. For example, Weber Shandwick had all senior executives submit conflict of interest forms every year, where they had to certify whether they did or didn’t hold any substantial financial interest in the firm’s third parties. Okunak falsely said he didn’t, when in fact he did. He also lied on certifications senior executives had to submit about the accuracy of Weber’s internal controls and financial reporting.
Second, Okunak abused his authority as CFO to subvert vendor onboarding and invoice approval processes. For example, go back to that part where he requested that all invoices be submitted in a format that he could edit — in hindsight, a huge red flag. In the moment, however, when the CFO of a large company tells the accounting minions or vendors to do something, they often just do it.
To my thinking, this demonstrates the need for strong documentation policies and regular testing or audits of internal controls. That’s how you can combat a threat as dangerous as a corrupt senior executive, who usually has immense power to override internal controls.
Establish policies requiring extensive documentation and multiple approvals for large purchases, or for deviation from standard payment procedures. Then conduct anti-fraud audits on a regular basis. You won’t necessarily catch a rogue CFO right away, and perhaps not at all — but it’s still your best shot at catching him or her at all. (For the record, Weber Shandwich apparently discovered the frauds in early 2020 after internal reviews, and fired Okunak shortly thereafter.)
Motivations for Fraud
I chatted with a few PR people this week about Okunak’s case, and inevitably they all voiced that age-old question about fraudsters: “Why on earth did he do that?”
One excellent answer to that question comes from my friend and fellow traveler in corporate compliance, Jonathan Marks, a fraud investigator at Baker Tilly. Marks has written extensively about fraud. His big idea: to understand the mind of the high-level fraudster, you need to expand the Fraud Triangle’s traditional concepts of pressure, rationalization, and opportunity.
The better model, he says, is a Fraud Pentagon that adds arrogance and competence:
Marks is right. For executives who already have so much, pressure to find more money isn’t nearly as much of a motivating factor. Arrogance is, and when you couple that with the competence to carry out sophisticated schemes — well, we end up with posts like this.
Food for thought as you plan your own anti-fraud controls and programs.