An August 2009 study (the Stern study) released by NYU’s Stern School of Business looked at 444 due diligence reports from a major hedge fund due diligence firm. In these reports, a significant number of fund managers (21%) were found to have misrepresented past legal and regulatory problems. An even higher number (28%) made incorrect or unverifiable statements about other topics.
This newly documented study of fraud echoes a disturbing trend of high-profile fraud in the broader investment industry, from insider trading scandals to far-reaching Ponzi schemes and prominent hedge fund closures. Wary investors at all levels — whether individuals, institutions, or funds of funds — should consider fraud risks that might occur not only in the course of due diligence, but also in the day-to-day operations of their investment targets.
To mitigate fraud risk, solve for fraud
To their credit, investors are growing increasingly wary. A survey by Advent Software of 360 investment professionals reveals that due diligence inquiries are on the rise: 82% of research directors reported an increase in investor inquiries over the previous 12 months. In addition, almost half the respondents (48%) believe that showing evidence of exhaustive due diligence is the best way to restore investor confidence. But what should such due diligence include?
A common assumption on the part of both investors and investment managers is that controls put in place to mitigate risks in areas such as investment management, operations, compliance, financial reporting, and the like are sufficient to protect against fraud. They generally are not. Mitigating fraud risk also includes having anti-fraud programs and controls (AFPC) in place aimed specifically at combating fraud, and this is where hedge fund due diligence should focus directly.
Two questions you may wish to ask are: Do such controls exist at all, and are they sufficient in design and effective in operation? Simply asking a potential investment target if it has addressed the issue of fraud is likely not probing deeply enough. In our experience, companies may believe they have addressed fraud when they actually have not, instead relying on indirect controls in other areas. Better practice, for example, would be to inquire specifically what controls the target has in place to mitigate fraud risk. Many such controls are at the entity level, meaning they address the issue of fraud prevention through the environment and culture of the organisation. For example, do company leaders set the “tone at the top” that fraud, in particular, and unethical behavior, in general, will not be tolerated? Is there a culture of always doing the right thing? In evaluating performance of individuals and business units, do they measure and value “how” something is achieved as importantly as “what” is achieved?
Given the Stern study finding that 21-28%of hedge fund managers have misrepresented information during due diligence, an investor might also wish to inquire about specific process-level controls in place to prevent the spread of misleading information during due diligence. For example, controls to mitigate fraud in due diligence might include the practice of requiring any information given to a potential investor to go through an internal review in which others in the company must sign off on it to verify it is complete, accurate, and honest. The first question, however, should be whether or not the investee has established a comprehensive program to address fraud.
Establishing anti-fraud programs and controls
The process of establishing AFPC generally involves the following four steps, as shown in Fig.1. Organisations should consider revisiting the process regularly (typically annually) to confirm that fraud risk is being addressed and the appropriate controls are in place.
1. Identify Fraud Risk Factors: Understanding the environment in which the hedge fund operates and the areas where fraud could potentially be perpetrated. Are there incentives or pressures to commit fraud? Are there opportunities to carry out fraud? Are there attitudes or rationalisations to justify fraud?
2. Identify Fraud Risks: Understanding the risks fraud imposes on the organisation. What could happen to the entity if fraud were to occur? For example, fraudulent financial or regulatory reporting or insider trading could lead to regulatory or criminal investigations, which could be extremely expensive, distract from operations and damage reputation. Misrepresentations during due diligence should raise red flags for investors considering fraud risks and reflect poorly on fund management.
3. Identify Fraud Schemes: Understanding how fraud could potentially happen in the organisation. If employees at different parts and levels of the company wanted to commit fraud, how would they do it? What controls exist to prevent such schemes from occurring?
4. Design and Execute Response: Remediating those areas where the potential for fraud exists but no corresponding preventive or detective controls are in place. This includes assessing the pervasiveness and likelihood of various types of fraud, and the design and effectiveness of AFPC.
Prevention, not cure
As with most business risks, it is not possible, or economically feasible, to erase fraud risk completely. Rather than eliminating fraud risk, effective and efficient AFPC generally seek to reduce that risk to levels that investment managers, investors and regulators may be willing to accept. Strong anti-fraud measures can also demonstrate a fund’s commitment to preventing fraud — a practice not only important for gaining and maintaining investor and regulator confidence, but also important given the myriad of legislation that hasbeen introduced and debated to regulate hedge funds, including provisions for SEC registration and reporting. Proactive steps, both on the part of hedge funds to mitigate fraud risk and on the part of investors to evaluate the risk management and fraud detection programmes in place, can go a long way toward avoiding reputational and financial damage and safeguarding assets.