Some Reminders on Fraud Risk
Last week a former employee of Takeda Pharmaceuticals was sentenced to prison for a multi-million dollar embezzlement scheme against the company. The case is a good reminder that companies will always need strong internal accounting controls no matter what regulatory changes might happen in Washington, so let’s take a look.
The ex-employee at the center of the case is Priya Bhambi, 40, who in the early 2020s had been a senior person in Takeda’s technology operations group. Starting in early 2022, Bhambi cooked up a scheme with her then-boyfriend Samuel Montronde to swindle Takeda of more than $2.3 million. First, she had Montronde incorporate a business called Evoluzione Consulting, which supposedly offered consulting services to cutting-edge companies. Then Bhambi created a purchase order at Takeda for Evoluzione to provide $3.5 million worth of consulting services.
Over the next eight months, Montronde submitted five invoices to Takeda worth $460,000 a pop. Takeda paid the money, which Bhambi and Montronde then used to buy a Mercedes-Benz and a diamond engagement ring and to put down deposits on a luxury condo in Boston.
Takeda eventually discovered the fraud (although we don’t know how), and Bhambi was promptly fired. Federal prosecutors indicted her and her boyfriend last year, and Bhambi pleaded guilty to fraud charges over the summer. She was sentenced last week to four years in prison and ordered to pay $2.6 million in restitution. Montronde is scheduled to go to trial later this year. The couple broke up, although (alas) we don’t know who dumped whom.
So what lessons should compliance and internal audit executives ponder here? Several.
Fraud Risk Is Corruption Risk
What grabs me so much about this case is its striking resemblance to an FCPA corruption scheme. Bhambi worked with an outsider to create a sham consulting firm, which then billed the company for services never provided, and the company paid those invoices. Like, if the boyfriend had next diverted that cash into the back pocket of some greedy minister somewhere instead of a Mercedes dealership and a jewelry store, this would be a textbook FCPA violation.
Poor due diligence on a new third party (Montronde)? Check. Incomplete documentation from the third party on services provided? Check. An employee (Bhambi) able to cook up a multi-million dollar purchase invoice apparently without a counter-signature from someone else? Check.
In so many ways, fraud risks unfold in the same way that corruption risks do. They involve the same failures of internal controls and the same poor segregation of duties. I’m glad Takeda did catch this scheme eventually, but you know the internal audit and anti-fraud teams were kicking themselves when this mess finally came to light.
The lesson here for others is that compliance and internal control teams need to work together hand-in-glove to develop policies, procedures, and controls that work against fraud. That includes thorough due diligence on vendors, as well as policies and procedures for employees who deal with outside vendors (“all purchase orders over this amount need two signatures,” for example). Then you need controls that confirm whether those policies were followed, plus regular testing of those controls to confirm that they work as intended.
I suspect this point is more a reminder to companies than a lesson, but whatever we want to call it, it’s an important one. Internal audit teams shouldn’t push the compliance department’s anti-corruption concerns down the food chain because audit has bigger worries with internal fraud; at the level of control activities, anti-corruption risks and fraud risks are the same thing, and often need the same solutions. (COSO and the Association of Certified Fraud Examiners do have some useful anti-fraud guidance if you need to boost your internal controls.)
A Word on Due Diligence
We should also call out the due diligence that’s necessary for consulting services, since it can be relatively easy to invent a consulting firm out of thin air.
For example, when Bhambi and Montronde conjured up Evoluzione, they had no trouble incorporating the business and securing a legitimate tax ID number. Bhambi then cooked up a fake website for the firm, which purported to be “a connection between tool enablement and change management,” whatever that means. Bhambi even stuffed the Evoluzione website with fake blog posts to give it more credibility. She created two email accounts, one for Montronde and another for “Jasmine” (who was in fact Bhambi herself) to give the appearance of multiple employees communicating with Takeda.
The question is how to devise due diligence procedures that can sniff out scams like Bhambi’s. That’s not easy for a company as large as Takeda: $27 billion in revenue, 50,000 employees worldwide, and lord only knows how many third parties.
Clearly you can begin by defining broad categories for your third parties according to risk, and consulting services should be on the higher end of that pecking order. But remember that Montronde’s fictional firm was based here in the United States, not some high-risk jurisdiction; and Bhambi worked in technology operations rather than sales, where employees might face more temptations. So simply declaring, “All agreements with overseas business agents are subject to enhanced due diligence” wouldn’t catch something like this.
Success will depend on (a) a strong sense of skepticism even for third-party relationships that might seem to pose lower risk, but still could be avenues for fraud; and (b) an ability to monitor and review those seemingly lower-risk relationships on a regular basis.
You might be able to fulfill the latter point with clever use of contract management and audit technology. The first point, however, depends on all your anti-fraud teams (compliance, internal audit, finance, accounting) working together with a high sense of commitment to rooting out fraud. Takeda’s black eye reminds us just how important that is.