by Melvyn Morrison
Frank Staelens is the President of European Institute of Fraud Auditors. This new Institute develops best practices for professional forensic practitioners in the public and private sectors. We recently spoke to Frank Staelens about the forensic auditing community.
Risk & Compliance Platform Europe: “Can you briefly explain the present objectives for auditing?”
Frank Staelens: “In terms of auditing, we are not presently focusing on general audits, but on audits on individuals, that are already subject to many regulations, e.g.
– Labour laws: more specifically, the 3-day rule for ‘dismissal with cause’ when proof of irregularities has been ascertained;
– Privacy & data protection regulations;
– Collective bargaining agreements relating to the use of certain audit techniques (e.g. CBA 81 relating to e-mail reviews, and CBA 68 relating to the use of cameras);
– Reporting obligations within the context of the corporate governance model (i.e. obligation to inform the statutory auditor and the Board);
– Reporting of suspected money laundering to the Financial Intelligence Unit (for professions and sectors subject to the Anti-Money Laundering (AML) laws);
– Law relating to security advisors (if an external advisor gives advice about preventive measures to combat fraud, he must be certified as a security advisor).”
Risk & Compliance Platform Europe: “To what extent will the law relating to private detectives impose limitations?”
Frank Staelens: “Unlike the law relating to security advisors, the law relating to private detectives is applicable to everyone, i.e. to external advisers, as well as to internal auditors and all of the personnel within a company. Moreover, the old law in Belgium relating to private detectives (dated 19th July 1991) states: The collection of proof or the ascertaining of facts which can result in conflicts between persons, or which can be used to end such conflicts can only be performed by certified private detectives. However, this old law, dating from 1991, was not clearly defined, included specific exceptions, and was open to various interpretations. For example, an exception could be when you receive the consent of the ‘interested party’, however this law does not accurately define who the ‘interested party’ is. In my opinion, this definition of an ‘interested party’ should be extended to include the employer or the company that bears the consequences for the wrongdoing, and should not just refer to the person who is the subject of an audit.”
Risk & Compliance Platform Europe: “Do you envisage any changes in the future?”
Frank Staelens: “If you read the press, you will no doubt have already discovered articles about how private detectives have been used in unethical ways by employers, and also about the new draft law relating to private detectives that was discussed in Parliament on the 18th of March. This new draft law is expected to be implemented within the next couple of months, and is the result of the ongoing work that has been conducted during the past 6 or 7 years. Moreover, this new draft law relating to private detectives will define the aforementioned three exceptions much more specifically, i.e.:
– The definition of an “interested party” will be limited to the individual who is the subject of the audit;
– Being part of a department or having a job description that refers to such audits will be sufficient to presume that it is no longer a “non-occasional” occupation;
– The exception for certain legally-recognized professions will be limited to the context of their core profession and activities (i.e. a statutory auditor will only be allowed to work with his own specific clients, and will only be able to use the methodologies that fall within the scope of his profession).
However, this new draft law will not only be confined to these three exceptions. I fully expect that this new law will have much wider implications, for example:
– Defence lawyers ‘will have a field day’, and will seize every opportunity they have to question the credibility and legality of audit reports that are not compiled by certified private detectives;
– Persons performing such audits who are not duly certified as private detectives could end up being sued or having complaints made against them;
– Antigoon jurisprudence will not allow judges to accept the evidence that has not been obtained in accordance with the rules, because the conditions in the new draft law are clearly formulated as ‘under penalty of being null and void’;
– The use of private detectives will result in early notifications to prosecutors (missions relating to audits of criminal acts or any other missions that lead to proof of criminal acts);
– Increased risk of such audits not remaining confidential because of external reporting obligations;
– External private detectives will not be able to provide recommendations for preventive measures because this statute cannot be combined with the certification as a security advisor;
– Increased risk of any investigation into potential wrongdoing causing irreparable damage to professional relationships because of the obligation to inform the interested party;
– Dilemma situations for companies: on the one hand, from a corporate governance perspective, they are supposed to provide a defence against wrongdoing by individuals, and to investigate suspected wrongdoing (e.g. to verify if dismissal with cause is justified from a labour law perspective, and to verify whether information reported by a whistleblower is correct), whilst on the other hand, companies are supposed to avoid reputational risk;
– Negative effect on Belgian competiveness index because we will be the only country in the world with such regulations;
– Example of international trends: the Dutch authorities are, to an increasing extent, allowing boards of directors in companies to investigate suspected fraud before deciding to file a complaint, as this is considered to be the management’s responsibility under corporate law.”
Risk & Compliance Platform Europe: “Will this new situation that you have outlined require changes to be made to the internal organization of banks and insurance companies, or can they just adapt and implement these changes within the existing models?”
Frank Staelens: “They will certainly have to adapt their internal organization. The new draft law relating to private detectives will be applicable to all personnel. You can start with a general audit, but once you detect unusual transactions relating to one or more individuals, and you want to investigate this in more detail, it quickly moves from a general audit to the auditing of individuals. If you decide to dismiss personnel, and the required proof is not backed up by a certified private detective, then you will no likely be faced with many potential issues.”
Risk & Compliance Platform Europe: “In this context, would a private investigator or an auditor be obliged to refuse a mandate if he felt that the mandate from the company did not meet the required standards of integrity?”
Frank Staelens: “Yes, because if he did not do this, then defence lawyers could later use this to their advantage. In other words, you are presumed to know the law, so are obliged to refuse the mandate if it does not comply with the law.”
Risk & Compliance Platform Europe: “You talked about the employer/employee relationship, but is there a chance that the law will be extended to cover the relationship with independent (self-employed) agents?”
Frank Staelens: “This law is equally applicable regardless of whether you are an internal employee or a self-employed external advisor.”
Risk & Compliance Platform Europe: “Doesn’t this conflict with the law for anti-money laundering that protects anonymity and avoids publicity at any cost?”
Frank Staelens: “It does not conflict in that way. Of course, the anti-money laundering laws relate to the money-laundering of potential revenues and suspected wrongdoing, so it all depends on how you look at this. Let’s take France as an example. In France, a statutory auditor is obliged to report wrongdoing and fraud issues to the prosecutor. They also have money-laundering obligations because it is a European directive that is similar to ours, so in fact, it is not contradictory because the reporting to the money-laundering authorities is done for the money-laundering of the revenues, while the offence itself needs to be reported to another authority, so there is no conflict, but this is certainly confusing.”
Risk & Compliance Platform Europe: “Can you briefly outline the proposed solutions from the point of view of the European Institute of Fraud Auditors ?”
Frank Staelens: “In addition to regularly organizing information campaigns to inform decision-makers and companies, we also propose changes to the law and promote working within the existing corporate governance model. We have already tried to talk to the authorities on several occasions, but….. We have also suggested the setting up of a Financial Intelligence Unit (FIU) for fraud matters, but only for notification of proven & material fraud cases. I am proud that the Belgian institute has taken the initiative to create a European Institute for Fraud Auditors to enable lobbying at European level.”
Photo: Pol Leemans