From hacked vendors to corporate card fraud, there are surprises for merging companies around every corner. This former FBI special agent has seen them all.
“Reputation is going to affect your bottom line. It’s going to affect your share price, it’s going to affect whether you get investors, it’s going to affect how you deal with your suppliers and vendors, it’s going to affect how you can recruit good employees,” says former FBI special agent Sherine Ebadi.
Ebadi, who was also a lead case agent for the Special Counsel’s investigation and prosecution of Paul Manafort, spoke with FEI Daily about her new role at risk consulting firm Kroll, a division of Duff & Phelps; the biggest risks companies face as they go through a transaction; and the red flags she looks for when evaluating an organization.
FEI Daily: How does your background as a special agent for the FBI inform your role today?
Sherine Ebadi: That’s a great question. Clearly, I come from a law enforcement background. Generally, my mission would be to uphold the Constitution and to defend victims of violations of federal law. So, when I’m looking at a case, I’m following the facts, but through a lens of the criminal statutes, which is quite different. It’s much more black and white.
For example, I could come in on a due diligence matter and expose some form of fraud. Let’s say the CFO was indeed embezzling from the company to the tune of millions of dollars through this elaborate scheme of false vendors. What the company does with that will be based on a bunch of different factors. One, what requirements they have to disclose, whether it be to their investors or shareholders or the SEC? What does their continuity of operations look like? Just because they realize people are defrauding them doesn’t mean they go and fire everyone and decimate their business, because that’s not in the best interest of the shareholders either. They’re going to look at that through a really different lens. What do we need to do about this to remediate the issue? Legally, what do we need to do about it? And what do we need to do about this from a business standpoint so that we make sure that employee morale stays high and it doesn’t infect other business units? Things like that.
It’s definitely a different goal in the end. You want to provide the company with as much information as possible so that they can make the best decisions for their business and their shareholders and their investors.
FEI Daily: And then you have to step away and say, ‘Okay. Now you decide.’
Ebadi: Exactly. We’ll say, ‘Look, here are your risks. If you do something, or don’t do something, here are your options. And there are pluses and minuses to all of these options. You can go in and fire everyone, and that will take care of the issue, but then what are you going to do?’
FEI Daily: What are the biggest risks companies face as they go through a transition or transaction?
Ebadi: The risks are going to come from various places. Generally, when a company is entering into a merger or an acquisition or some sort of large transition, whether it be potentially a new service line or branching into a new geographical area, often there are legal components to that – the diligence and pre-transactional work that is done. And often there are financial audits that are done. If you’re acquiring a company, you want to make sure that their balance sheet makes sense and is what you think it is. If you’re a publically traded company, there are some SEC compliance issues.
Where we come in is that other aspect of risk that isn’t found in the books. It might not be found in the general ledger or on the balance sheet. It’s the risk that sometimes is not even tangible. And that risk can be broken down into a couple of different places, but mainly it’s reputational risk, that’s the biggest part of it. But then there’s the aspect of the cyber-risk. You want to know what you’re getting into as far as their cybersecurity profile and how robust it is.
And then there’s the financial risks, but not the financial risk that’s on the balance sheet. So, the risk to the company that ends up affecting their bottom line because of these other risks that they’re taking on that they may not know about. They’re not going to be in an SEC filing. No one’s going to know about them. Until you know about them, you’re not going to know how they might impact your business.
FEI Daily: Let’s talk about the before, middle, and end of a big transaction. How can senior-level financial executives guide the company through the stages?
Ebadi: Prior to a transaction is generally where the bulk of it happens, for obvious reasons. Because once they’ve gotten over that hurdle and understood what they’re getting into, generally the due diligence portion, at least, settles. And often what happens after a transaction is more of the organizational matters, where they’re trying to blend cultures and/or make sure all their processes line up and the technology is seamless and things like that. The aftermath isn’t so much the due diligence portion of it; that’s more the portion where they’re just trying to meld two lives together. It’s like people when they first move in together. ‘Nah, I don’t like your couch,’ and ‘We brush our teeth at different times,’ and whatnot, all of these sorts of matters.
But the pre-transaction and during the transaction, before it actually closes, are where the bulk of this happens. And that’s when the lawyers will come in. They’ll be looking at the actual transaction itself and the wording of the contracts. And the financial auditors will come in, and they’ll be looking at the balance sheets and the financial reporting. That’s where companies like mine would come in, and we would be doing the other aspect of the due diligence, where we’re looking at the board, we’re looking at the executives, we’re looking at their culture, we’re looking at their cybersecurity profiles, we’re looking at how they handle compliance matters, regulatory inquiries, employee disputes or employee complaints. Where are they on environmental regulations? Are they abiding by them or do they just toss their toxic waste in the nearby waterway? That may be a slight exaggeration, but those things actually happen. Those are the kinds of things that we’re looking at, which could be a great risk to the company, and they would maybe never know about them.
You would never go buy a company and not understand their sources and uses of revenue, right? You would never not understand what their P&L looks like and buy the company. Just go in blind [with the attitude], ‘Oh, we really liked the product. I’m sure they’re doing fine. It’s no big deal.’ You would want to know as much as possible about where the revenue is coming from. What’s the pattern of the revenue for the month, the year, and the lifecycle of the revenue, and what do their accounts receivable look like? Et cetera. You would want to know all of that.
In the same way, you should go in and ask, ‘What does their cybersecurity profile look like? How are they handling invoices to vendors? Do they have a huge accounts receivable remaining on their tab every month, and are they invoicing them? How are they treating their employees? Do the executives all go to strip clubs at lunch and get drunk?’ I mean, these are things that actually happen. We’ll find that employees have been complaining about the same thing over and over again and the person doing HR is doing it part-time and is really actually the procurement person. And so they never do anything about these complaints, which, as you can imagine, opens up the company’s legal risk, in terms of litigation. And then think of morale, right? Do you want to become one with a company that has that type of culture? Those are the things that we’re looking at.
FEI Daily: How are all of these factors measured? How is morale measured, for instance?
Ebadi: One type of due diligence is called a culture check. You have your general methods of doing it, looking at public records and open source information. A great way to do it is scrubbing social media. People tend to air their dirty laundry on the Internet, and that doesn’t go away easily, so it’s often quite easy to find. Once you have that understanding, often patterns will emerge. There will be patterns of various types of complaints and/or rumors and things like that. That’s when you have a direction. You think, ‘Oh, these might be problems. These are indicators. Let’s go find people that are going to have more information about these indicators.’
Those people could be vendors, suppliers, temporary employees who worked there at one time, former employees, the former owner of the company. You’re going to try to find people who can give you a better picture of what’s actually going on at the company. And does the acquirer or the partner or the merger or the investor, whoever it is that needs to know about this, are there things that they should be concerned about? Because not every complaint on the Internet is in fact true. Often, it’s a disgruntled employee or someone who’s trying to get a lot of followers. And if you’re trying to fit responses into the box that you’ve created, that’s not a very effective way to do these things.
You want to make sure you’re going in with open-ended questions and trying to understand what it’s actually like to work there, to do work with that company. How they handle various different types of matters like time and attendance? Are they writing it down on a piece of paper, but no one really cares? How are they handling HR? When you complain to HR, what happens next? Is it just blown off, are you told to keep quiet, or do they actually do an investigation? Or when they get a subpoena from the government, what do they do with it? Do they just toss it in a drawer somewhere? Do they reply to it?
These are the kinds of things that, once you have background information, you gather more information by doing selected, targeted, very on-the-down-low interviews.
FEI Daily: Shifting gears a little bit to cybersecurity and fraud risk. What is the role of financial leaders in those types of investigations?
Ebadi: Generally, we’re hired by chief compliance officers or CEOs or maybe even the board or general counsel, something like that. The CFO is not generally the person who is targeting this type of investigation. But as I think about it, the reason we do this is because all of this affects the bottom line.
The company isn’t doing due diligence just because they want to know if the CEO of the company is a drunk. But they’re doing it because it exposes them to risk, and whether that be a financial risk, like they’re sexually harassing their employees and there will be litigation, which will cost them money, or a different kind of risk. A great example is that more than 400 executives have been fired since 2017 in the Me Too movement, and the type of upheaval that causes for a company when that happens, that’s reputational.
Reputation is going to affect your bottom line. It’s going to affect your share price, it’s going to affect whether you get investors, it’s going to affect how you deal with your suppliers and vendors, it’s going to affect how you can recruit good employees. So all of that ultimately affects your bottom line, as does really every aspect of risk, including cyber.
A great example of that is the Target breach. One of their vendors had been hacked, and through the course of communications with that vendor, that hack infiltrated Target’s system, which ultimately ended up costing over $200 million. I’m sure a CFO is really concerned with the cybersecurity profile of their partners, with their subsidiaries, etc. Because $200 million, even for Target, costs a lot of money just to remediate an issue.
And just an aside, it comes to my mind that a CFO and executives on the board have a fiduciary responsibility to their investors and shareholders. Along with that comes potential risks for them personally, if they haven’t done the due diligence, and they enter into a transaction that exposes the company. So obviously they’re going to want to care about that.
FEI Daily: Tell me more about the financial risks that are related to a transaction.
Ebadi: We were hired on a pre-transactional due diligence matter where an accounting firm had already come in and done the accounting audit. One of the things we did was to peer review it to give ourselves a barometer of what we were looking at.
And through the course of that review, we noted something that was interesting in and of itself. It wasn’t the line item on the general ledger that was interesting. As we spoke to people in the company, no one had heard of that vendor. They’d never seen that vendor, they didn’t know what that vendor did. Through the course of our investigation, we learned that the vendor was not in fact a vendor, but it was a means of paying bribes. It was a third party to which bribes were being paid. Clearly there is a financial aspect of that, but then there’s also a legal aspect, as you’re opening yourself up to various types of anti-bribery statutes here and abroad.
Another example, we were hired to look at the use of corporate credit cards. And as we began that investigation, we noted a prolific misuse of the company credit cards by top-level senior officials and trickling down even the lower-level officials, because it was a top-down culture.
Financial people are looking at dollars and cents, and they’re used to looking at the balance sheets, right? I think one of the things companies and/or executives don’t always realize in advance is how things that aren’t in the books and records are actually just as impactful and necessary to understand before they take the leap of either entering into a transaction or a new business line or a new location. And just like you wouldn’t do your own financial audit, you shouldn’t do your own due diligence. Get professionals to do that.
There are many reasons for that. One, we’re going to do it cheaper, we’re going to do it better. It’s not like you’re going to have a staff of people that do due diligence on hand. It’s very time consuming, and ultimately it will be very costly for the company. And I liken it to insurance. Yes, you can get insurance for $15 a month. But you better hope you never get in an accident because the insurance is not going to do you very much good. You don’t realize the value of this being done adequately and professionally and appropriately until you’re in a pickle, and often then it’s too late.
For more on GRC best practices, see the “Controls and Risk Management” series.
This article originally appeared on FEI Daily and is republished by permission.