Unlocking the Secrets of Enterprise Risk Management

April 23, 2025

27 min

Join us in this insightful episode as we sit down with Paul Zikmund, a renowned expert in enterprise risk management and forensic auditing. With years of experience in auditing and risk management, Paul shares his unique perspectives on:

  • Implementing Robust Risk Management Programs: Learn how to develop and strengthen enterprise-wide risk management processes to meet escalating organizational demands.
  • Conducting Successful Fraud Investigations: Gain insights into detecting and investigating financial statement fraud and understand the importance of professional skepticism and forensic procedures.
  • Forensic Auditing Techniques: Explore the skill sets needed to uncover red flags of fraud using analytics procedures and data mining.

Whether you're an auditor, risk manager, or simply interested in the intricacies of organizational risk, this episode offers valuable takeaways to enhance your understanding and approach.

Click here to access the IOFM white paper discussed during this episode.


Paul Zikmund

Paul E. Zikmund serves as SVP Chief Risk, Compliance & Information Security Officer at Berkadia. He is responsible for managing the company’s enterprise risk management program, ethics & compliance, internal audit function, information security, data privacy, and corporate investigations. Prior to his role at Berkadia, Paul served as a Director of Baker Tilly’s Global Fraud and Forensic Investigations, Compliance and Security Services practice, where he was responsible for helping clients develop, assess and administer ethics and compliance programs; conduct global and cross-border fraud and misconduct investigations, including bribery, corruption and compliance matters; and manage risks related to ethics and compliance failures. Prior to that, Paul served as Deputy CCO & Vice President Global Security, Bunge in White Plains, NY, where he was responsible for development and implementation of Bunge’s fraud, ethics, compliance and security risk management programs and controls designed to protect company assets, mitigate fraud and misconduct, ensure compliance with federal and state laws, and promote adherence to Bunge’s core values.

Paul managed and conducted investigations of compliance matters, fraud and ethics violations. Paul assisted with the development and implementation of tools and techniques to mitigate enterprise security, fraud & compliance risk, managed the company’s third party risk management program, and administered security, compliance training and awareness programs. Prior to joining Bunge, Paul worked as the Senior Director Forensic Audit at Tyco International in Princeton, NJ and the Director Litigation Support Services at Amper, Politziner, & Mattia, LLP, in Philadelphia, PA, where he was responsible for developing, implementing, and administering fraud risk management services to Tyco and to clients. He possesses nearly 28 years of experience in this field and has effectively managed global compliance and forensic audit teams at various Fortune 500 companies.


Grace Chlosta
Content Manager, IOFM

Grace Chlosta joined the Institute of Finance & Management (IOFM) in 2022 in a new role for the team as the Content Manager. She is responsible for the planning, organization, development, and implementation of all the content for IOFM’s digital products and (virtual and in-person) events. Grace is committed to ensuring that IOFM’s content stays timely, relevant, and actionable for all financial operations professionals, and works closely with a team of content developers, industry leaders, and subject matter experts to guarantee this happens.



Transcription

Grace Chlosta: Welcome to the IOFM podcast. This is a podcast for accounts payable and accounts receivable professionals who want to stay in the know with current AP and AR trends and ideas. We'll be interviewing professionals in this space on a wide variety of subjects, including automation, artificial intelligence, career growth, compliance, leadership, and much more.

Today we'll be interviewing Paul Zikmund. Paul serves as SVP Chief Risk, Compliance and Information Security Officer, at Berkadia. He is responsible for managing the company's enterprise risk management program, ethics and compliance, internal audit function, information security, data privacy, and corporate investigations.

00:00:48

Prior to his role at Berkadia, Paul served as a Director of Baker Tilly's Global Fraud and Forensic Investigations, Compliance and Security Services practice, where he was responsible for helping clients develop, assess, and administer ethics and compliance programs; conduct global and cross-border fraud and misconduct investigations, including bribery, corruption and compliance matters; and manage risks related to ethics and compliance failures. He possesses nearly 28 years of experience in this field, and has effectively managed global compliance and forensic audit teams at various Fortune 500 companies. He'll be interviewed by me, Grace Chlosta, Senior Content Manager at IOFM.

00:01:31

How's it going? 

Paul Zikmund: It's going well, Grace. How are you?

Grace Chlosta: I'm doing good. Great to chat with you. Happy spring.

Paul Zikmund: Happy spring, and it's great to chat with you as well.

Grace Chlosta: We're going to be talking a little bit today about fraud prevention and risk management. And I know you just published a whitepaper for us on IOFM.com, so it's a really timely topic all the time, but especially because of that new whitepaper that we have on the site.

00:01:57

Really, to get us started, could you give us a quick overview really of your background in fraud prevention and risk management, and what makes you the top person to talk to on this subject? 

Paul Zikmund: Sure. So I've been working in various roles with corporate America, in consulting, over the last 40 years now. I've designed and built anti-fraud programs and controls. I've managed numerous investigative teams investigating allegations of fraud and other types of misconduct, and I've conducted many, many risk assessments in the area of fraud risk related to specifically this topic, as well as others that fall under the category of fraud within companies. So I do have a lot of years of experience building, implementing, administering, and also on the investigation side in the area of fraud.

00:02:53

Grace Chlosta: That's awesome. That's great to hear. So you're the right person to talk to. Putting it back to AP, AP is very vulnerable to fraud; why is that?

Paul Zikmund: So when you think about accounts payable, when you think about the function in general, there's high volumes of transactions, multiple vendors. Sometimes there's complex approval processes. When you add a lot of those things together, that really elevates the risk, and so you think about a high volume of transactions. You think about large volumes, challenging to scrutinize. You can't always pay attention to detail. You think about some of these complex processes that are impacting accounts payable in multiple steps, various receipts, verification and approval processes. There's a lot of opportunity for manipulation and error.

00:03:51

You think about vendor relationships and you think about the heavy reliance on the vendors themselves. Do they have the right controls? Do they have individuals that may engage in certain types of fraud or misconduct, where the company might be vulnerable? And then you look on the internal control side, and you think about: Does every company have sufficient segregation of duties? Do they have sufficient review or potential override of controls? When you start putting all of these risk factors together, you can see clearly that the risk of fraud in accounts payable is quite high. 

Grace Chlosta: Oh, absolutely. It's getting more complex, I know, with the rise of AI and automation. So even just recently, what are some of the most common fraud schemes that you're seeing in AP right now, and really just in general?

Paul Zikmund: So when you think about the different types of fraud schemes that are impacting AP – and, historically, if you look at the fraud schemes that were present way back when and you look at today, you will see – you will find that many of the schemes are still very similar, but what we're finding is that the way that people perpetrate these types of frauds have changed a bit.

00:05:09

Certainly, the fraudster has become a little bit more sophisticated. You talk about AI, and you think about now, when people were sending emails years ago requesting changes to bank accounts, and you had business email compromise schemes, that's become a lot more common today. AI and just the sophistication of our fraudsters is making it more challenging to recognize some of those schemes because the emails, they look so authentic. The account information is there. The language – and this is where AI is starting to help detect fraud – not only perpetrate it (it's ironic), but it's also being helped to detect it. But we're still seeing the duplicate-invoicing schemes. We're still seeing fictitious invoices or inflated invoices. We're still seeing fraud on behalf of the vendor, like vendor collusion, where there's collusion between a vendor and an employee to submit fake invoices or inflate pricing, or bill for goods that are either not provided or services that are not provided, or [are] inferior. You're paying for a higher quality of product than you're receiving. 

00:06:20

So we're still seeing a lot of these very common schemes that we've seen way back when, but they're just being perpetrated a little bit differently. We're also still seeing a lot in the area of kickbacks. Some of those kickbacks do stem into – and that's what I think makes AP fraud so very interesting is that, while it's classified as AP fraud, it could be impacting the company in other areas. So a kickback scheme might not just be AP fraud, but it can also be used to violate the Foreign Corrupt Practices Act, or some other area that is impacting the company and ultimately resulting in a loss of assets.

00:07:01

Grace Chlosta: Yeah, that's scary stuff. You had mentioned before internal fraud versus external. So obviously there's different threats, coming from different places. If you are in AP right now, how should organizations approach those in a different way?

Paul Zikmund: Yeah, I think when you look at internal fraud risk, you are looking at fraud that is being perpetrated by employees, right? They're exploiting their access. They're exploiting the knowledge that they know of company processes, or they understand how simple it is to create a vendor in the vendor master file. They're aware that there's not a lot of significant oversight and managerial control over the approval of adding new vendors, changing bank accounts, or perhaps there's not a very sophisticated [version] of the three-way match. And so sometimes they can take advantage of that.

00:07:53

Where, on the external threat side, you're really looking at those bad actors that are looking to defraud the company. In any event, whether it's internal or external, having those strong internal controls, those segregation of duties, strong managerial control, policies, process, procedures – all of those things that help strengthen the AP process are very relevant and very necessary to help mitigate the risk. 

Grace Chlosta: Yeah, absolutely. Lots of different threats of fraud, ways that hackers can get in, and also [it] can be right in your own company. Walk us through what you wrote for us on IOFM.com, this "Fraud Self-Assessment Report and Whitepaper." How is that – if folks could read that – designed to help our AP teams identify the risks, and what can they do about it?

00:08:46

Paul Zikmund: Yeah, so when you think about a risk assessment in general, when you are conducting a risk assessment, ideally you're looking to define sort of the ecosystem of whatever area you're looking at, whether it's AP risk, whether it's just an enterprise risk or a cyber risk, whatever that might be – what is that ecosystem, and what about that ecosystem is exposing it, whether it's fraud, whether it's breach, whether it's strategic or operational risk?

What I tried to present in the IOFM article is a specific focus on the AP process. So if you think about sort of developing the context, what about your AP process, both internal and external factors? Is it centralized or decentralized? Do you have strong governance? Do you have any previous cases of fraud? Are you using automation? Is it well controlled? 

00:09:46

When you gather information about the current process, that really defines sort of your risk environment. And then from there, what we're asking individuals to do is brainstorm. Look at that life cycle, look at that ecosystem, and brainstorm the various types of fraud that could be impacting that. If there are certain parts of that process that are weak, that obviously would increase the risk. If you're looking at your life cycle and you see that onboarding of new vendors, or the vendor master file is not well maintained, or you don't have strong oversight in the approval of payments, that's an area of potential weakness. The various types of fraud schemes that could be impacting that would be categorized.

Then you want to look at – just as with any risk assessment, you're always going to look at the likelihood and impact. What, ultimately, do we have to lose here? What types of assets, whether it's cash or other types of assets that could be at risk? And how likely is it to occur? There's some subjectivity and objectivity to that part of the risk assessment, realizing that it's not always an exact science. But there you're really coming up with a risk score. 

00:10:58

And then after that score, you want to categorize those frauds that are most relevant and prioritize those, and then decide: What is my actual risk response here? Am I going to control that risk? Am I going to ignore it and accept it? Or am I going to avoid it altogether? Or am I going to transfer it? Meaning, am I going to engage the vendor to help manage that with me? Maybe we co-manage that risk. And then, ultimately, the final piece of that is that risk-reporting strategy. Do you have a risk register, where you can define and compartmentalize these fraud schemes? Who's ultimately responsible? What controls do you have in place? And then what, ultimately, is the residual risk? And is that residual risk in line with your risk appetite statement? That's really an enterprise risk way of conducting an enterprise risk assessment specifically focused on AP.

00:11:54

Grace Chlosta: Yeah, that's fantastic advice. I feel like some folks might be listening to this and they're saying, "Well, we did do the risk assessment. We're conducting audits all the time, but fraud is still happening." So what are some things that you think that they could be missing in their organizations at any level that fraud is still occurring?

Paul Zikmund: It's a great question. I think back to the thousands of investigations that I've conducted. In the end, you're always interviewing, that admission-seeking interview, where people are telling you the things that they don't really want you to know. But after it's all said and done, you sit down with management and you [do] a root cause analysis, and you say, "Hey, what happened here? How did we allow this to happen?" What I have found over the years is that companies tend to overlook a couple of different things. Number one: Companies always assume that controls are properly designed and really achieving the intended goals and objectives. That's not always the case.

00:12:52

We all also underestimate the creativity of employees. Employees are very creative. They can craft new ways to perpetrate fraud within the company. And because of that, we underestimate the human risk, right? We talk about the fraud triangle: the opportunity, pressure, and the ability to rationalize your behavior. We often underestimate that human risk. The human risk really revolves around those three things.

Also, when you look at the AP process, sometimes people assume that other people are actually doing their jobs when they're not; [that] they're properly setting up the vendor when they're not; they're properly managing the vendor master file, when they're not; or they're properly doing the three-way match and reviewing and approving. And we often underestimate management overrides and controls. 

00:13:42

The last thing I'll say is that a lot of times people will have said to me at the end of an investigation, "I sensed something was wrong," but we don't trust our intuition. That's really an opportunity for us to trust ourselves. If it looks like a duck, it probably is, right? So people need to really trust themselves and ask more provocative questions when they don't feel right about the process. 

Grace Chlosta: Absolutely. That's fantastic advice. You mentioned a little earlier that AI is obviously one of the biggest reasons that fraud could be happening, but could also play a really big role in detecting fraud and helping you reduce risks. I know a lot of folks in AP and AR are a little bit hesitant to embrace AI for a lot of different reasons, but how could they be using AI to help reduce and detect fraud risk?

Paul Zikmund: It's the flavor of the day, right? Everyone's talking about AI and it's still really in its infancy. We're still learning all the capabilities that it has and the benefits, but it really does enhance the efficiency and accuracy of fraud-detection processes. There's a lot of ways to use AI. We can look at it from an anomaly-detection process. We call it pattern recognition. Looking at large volumes of transactional data to identify patterns, detect anomalies that might be indicative of fraudulent activity, like unusual payment amounts or frequencies of payments that are changing.

00:15:16

So if you're paying a vendor historically once a month, the third week of the month, 12 payments/year, and all of a sudden you're paying that vendor three times in a week, that could be a red flag. So you could look at real-time monitoring as well to detect suspicious activity that could be flagged immediately. We could look at AI for predictive analytics, so scoring transactions based on historical data or known fraud indicators or other high-risk transactions that would be cause for concern. And that predictive analytics also includes looking at trends and behaviors. When we see things that are somewhat anomalous, then there's an opportunity for us to follow through. 

00:16:01

We also look at AI around – what we look at is automated invoice verification. So can we extract and validate data from the invoices, cross-reference with purchase orders, delivery receipts, to look at accuracy and legitimacy? Can we look at duplications, so duplicate invoices, like key attributes? Invoice numbers, dates, amounts. We've talked about some of those processes long, long ago, but AI can really help us analyze this in more real time and with a lot more accuracy. 

When we think about natural language processing and we think about machine learning, we can get into unstructured data as well: email communications, contract terms, inconsistencies or suspicious language in an email or a message or a contract. 

00:16:53

There's a lot of opportunities for AI to provide some tremendous value to those folks in the AP world. The problem is working with your data teams, working with your IT teams, to set up these types of detective analytics. Then having some available to respond when those things come in. So the problem with a lot of this is that when they do generate alerts, we don't always have a team in place to respond quickly enough. And so when you are using AI, keep in mind that you're going to need someone (or more than one person) to help you review these alerts. 

Grace Chlosta: Yeah. Like you said, we're really just scratching the surface, but good to hear that – I feel like if you put the right time and effort into it, it could be really beneficial for teams.

Paul Zikmund: Absolutely.

Grace Chlosta: You had mentioned something your last – right at the beginning, when you started talking about red flags. You mentioned it a little bit, but what are some signs to watch for in your own employees that you work with on a daily basis, or even vendors, that may indicate fraudulent activity? You might feel that gut feeling, but just to be able to back it up and talk to your leadership team that you think things might be happening. What are some signs to look out for?

00:18:08

Paul Zikmund: Yeah, the red flags are very, very helpful to be educated on what to look for, those discrepancies and duplications or unexplained adjustments. When I think about red flags, I look at invoice and payments. You look at duplicates. You look at round dollar amounts, unusual patterns of the invoice. Missing documentation or incomplete documentation. I've seen cases where the documents have been altered as well. So those are some red flags on the invoice and payment.

On the vendor side, I'm always saying: Pay attention to those new or unfamiliar vendors, those vendors that are added to the vendor master file and all of a sudden, within a brief period of time – three, six, twelve months – the total spend on these vendors has increased exponentially. Addresses that are – the old P.O. box. It's been a red flag for decades, but it's still a red flag. 

00:19:11

Those frequent vendor changes – changes to address, bank account details, contact information. Inactive vendors – a lot of companies don't do a great job of managing those dormant vendors. Those are potential red flags. When you had a vendor that is inactive for a period of 6 to 12 months, and then all of a sudden there's a flurry of activity with that vendor – it goes back to the AI could pick something like that up. 

But then you also have to look at the employee red flags. These are individuals that are refusing to take leave, rapid changes in lifestyle, people that are very protective in their role. [In] some of the frauds I've investigated, people were offered promotions and they didn't take it. People were offered to move out of accounts payable into something else, and they refused.

00:20:02

Those unusual relationships with vendors. I've had a few cases where the employee was very close with the employees of the vendor, wining and dining, sporting events. I've seen one employee wearing a very expensive gold watch with the vendor's name engraved in the middle. 

Grace Chlosta: Wow. [chuckles]

Paul Zikmund: Exactly. And that was during an interview where the person realized that I could see their watch, and then they took their sleeve and pulled it down to cover it, but it was too late by then.

Grace Chlosta: Yeah, that's a big one. That one, trust your gut, I feel.

Paul Zikmund: Absolutely. And then you look at some of the transactional red flags, the payment patterns, the high volume of credit memos or unexplained adjustments, or those transactions that weren't approved by anyone.

00:20:51

When you start adding all of those up, if you add in weaknesses of the internal controls – like a lack of segregation of duties, or bypassing controls, or failure to reconcile accounts. You add all these things together and it goes back to your very original question of what makes accounts payable so prone to fraud and abuse. It's all the things that we just discussed. 

Grace Chlosta: Yeah, absolutely. Talking a little bit – I hear a lot from AP teams that they have a really hard time advocating for themselves or getting a seat at the table, and saying, "Fraud might be happening." Or it could be a number of things that they have trouble communicating. So what role do you think leadership should play? Or how could IT be brought into this to help? What are some things that AP managers or teams can go to leadership, to IT, to tell them, "These are the things that we need to be implementing"? How can they help? How should these teams all be working together?

00:21:45

Paul Zikmund: Yeah, I think leadership sets the tone at the top. We talk about it. These are words that are used quite often. I think they've probably lost a little bit of their meaning because they're so overused, but leadership really has to set the tone. They have to be committed to ethics. They have to have clear communication and expectations and really establish that strong – not only control the environment itself, but strong ethical control [of] environment also.

When you go to leaders and talk about fraud and abuse and all the things that need to be done, it's really aligning a lot of what we talked about, whether it's technology controls, AI. It's working with your technology folks to say, "Look, we've done a risk assessment. We believe that we are prone to these types of fraud. And we also believe that stronger technology can help us deter and detect these types of fraud. Here's an opportunity for you to work with us and help us improve our control environment." 

00:22:51

It's also important for leadership to support a lot of training and awareness – not only training and awareness for AP, but training and awareness for the entire company. When you look at the life cycle of AP, you look at all the various individuals, the key stakeholders and functions, that are part of that. Those are individuals that should be trained on those red flags. They need to be educated. They need to understand what to look for, and they also need to understand what to do when they see those red flags: who to call, what to report, what evidence to document, and what information to provide. There's a lot of opportunity for collaboration with leadership and technology to really help strengthen the environment and really reduce the risk. 

Grace Chlosta: I agree. It's a win/win for everyone. Even if you have a little hesitancy, you're trusting your gut; it's only going to benefit the whole company by speaking up and saying something.

00:23:49

Paul Zikmund: Absolutely.

Grace Chlosta: I think, just to end on, if an AP professional is listening today and they really want to start, what is a good place and a first step for them to take, and a good place for them to start, to start protecting themselves against fraud on their teams?

00:24:06

Paul Zikmund: Well, for me, I think a great place to start is to really educate yourself about fraud that is impacting accounts payable. So when you think about AP fraud, you think about all the different types of fraud schemes that we've discussed today, a great place to start is to just really learn a little bit more about those frauds impacting the environment. Another place to start is reaching out to internal audit, having a conversation with them, "Have you done any audits in the AP world? Have you seen any control weaknesses?" And if you are then moving to a risk assessment, that's a conversation you're going to have as part of that anyway. You think about education, then you move into the self-assessment. There, you're going to highlight those areas that you need to prioritize.

00:24:55

Once you're done with that and you decide to respond to those various types of risk, the next step is to go out and design some proactive steps to go out and look for any of those potential red flags. Oftentimes, we conduct a risk assessment – a very large, million-dollar fraud that I worked years and years ago, the control weaknesses were actually discovered by an internal audit team six months prior to when we were called in to investigate the fraud. They identified the control weaknesses, but there was nothing done after the audit to go and determine if any of those weaknesses were being exploited. And in fact, they were. 

So if you think about all the things that we can do to not only educate ourselves, we have to also take the steps to go out and determine if there's anything happening within that environment. Education, risk assessment, and then proactive measures to see if there's any fraud within the environment now. 

Grace Chlosta: That's fantastic advice. Paul, it's always so great to talk to you. Thank you so much for joining us today. Such a critical topic all the time, but it's really clear that fraud prevention in AP is not just about implementing the right tools; it's really about staying vigilant. And I feel like this has really given folks a great starting place. And if you haven't checked out Paul's new whitepaper on IOFM, it really only digs deeper into what we chatted about today. I really appreciate your time, and I look forward to speaking with you again soon.

00:26:25

Paul Zikmund: Thank you, Grace. It's always great talking with you as well. I'll look forward to seeing everybody at the conference in May.

Grace Chlosta: Yeah, likewise.

Thank you so much for listening to the IOFM podcast. Remember to head on over to the Member Forum to discuss today's episode and provide ideas for our next one. And to stay up to date on IOFM's current events, both in-person and virtually, head on over to IOFM.com.

Continuing Education Credits available:

Receive 1 CEU per hour of listening time towards IOFM programs:

AP Certification: Receive 1 CEU per hour of listening time towards maintaining any AP and P2P related program through IOFM! These programs are designed to establish standards for the profession and recognize accounts payable and procure-to-pay professionals who, by possessing related work experience and passing a comprehensive exam, have met stringent requirements for mastering the financial operations body of knowledge.