Companies struggle to determine exactly who owns the proactive and reactive responses to fraud within their organizations. Here are some practical ways to determine “who owns fraud” and accelerate anti-fraud programs within any company.
Photo: Helen Pryor
Iron Works America (IWA) is a manufacturer of steel beams used in the construction of large commercial buildings. IWA’s internal audit director, George Franklin, is responsible for monitoring the company’s fraud hotline for allegations of misconduct made by employees. One day, Franklin received a hotline message from a sales manager in the Columbus, Ohio, office, who claimed he had proof that an employee in the Cleveland office had created a fake vendor scheme, received kickbacks from one of his suppliers, and was embezzling a significant amount of money through a complex revenue recognition scheme.
Franklin and his team quickly planned the initial stages of an investigation based on the allegations. However, Franklin soon received a call from IWA’s human resources manager who said she received a message from the sales manager in the Columbus office who reported a violation of the code of conduct to her. As a result of this message, her department launched an internal investigation with assistance from IWA’s general counsel’s office two days before Franklin received the hotline message.
Franklin and his internal audit team members believed that others in the company were encroaching on their responsibilities because IWA’s charter directed their department to manage all internal fraud examinations. Franklin became even more frustrated when he learned that IWA’s chief compliance officer was discussing, with the members of the audit committee, plans to conduct a companywide fraud awareness training campaign as the beginning of a comprehensive fraud risk assessment process. The chief compliance officer wanted to accomplish this training campaign in the upcoming year. However, he hadn’t discussed it with Franklin to get his perspective on how to structure the process because he thought the chairman of the audit committee had asked Franklin to include a fraud risk assessment in his internal audit plan for the year.
This fictitious example might seem extreme, but it’s not uncommon as companies struggle to determine exactly who owns the proactive and reactive responses to fraud within their organizations. In fact, nearly half of respondents to the 2010 Ernst & Young Global Fraud Survey said that their organizations didn’t have well-defined roles for different groups (internal audit, compliance, risk and legal) when responding to reports of possible fraud.
Multiple People, Multiple Concerns
Many companies struggle to determine who’ll be responsible for managing fraud examinations and fraud risks. In a perfect world, a company would designate one person, such as the chief financial officer, chief compliance officer or general counsel, to handle its anti-fraud program responsibility. However, often a company might not designate one person as the “owner” of its anti-fraud efforts. As a result, confusion can reign, causing a lack of trust in the proactive anti-fraud program for management and employees, a dangerous deficiency in sharing of knowledge, and inefficient responses to fraud.
Model For An Anti-Fraud Group
The good news is that many companies now realize that fraud challenges need to be addressed. The bad news is that those same companies might not be able to overcome inconsistencies, duplicative efforts, and a lack of communication because those responsible for anti-fraud efforts often operate independent of each other and not in a coordinated way.
We recommend that the “ownership” of anti-fraud efforts should be shared by a select group of individuals who each have, as part of their responsibilities, a role in addressing fraud proactively and reactively. The shared responsibilities of the overall anti-fraud program would ensure that the roles of the team members would be more effective to the overall group. Each individual would then have a specific goal and greater accountability to the group. This approach also would give comfort to the board or executive management within the company that the anti-fraud program was effective and efficient in its approach to fraud risk management.
The group should select a chairperson who will “shepherd” the group to the goals they want to establish and ultimately achieve. The chairperson’s overall role is to ensure that the elements established for the anti-fraud program are being met and the responsible individuals are working together to ensure that the elements are being implemented and monitored. The chairperson would also work with the group to determine any needed modifications to the overall anti-fraud program.
Tim Pearson, executive director of the Institute for Fraud Prevention, believes that a chief compliance or integrity officer is best suited to chair the team and meet regularly with the committee representatives to report anti-fraud coordination efforts.
“Fraud is more likely to go undetected when the responsibilities for education, monitoring and risk management are diffused across reporting lines so no one individual or group can truly get a handle on the fraud risks facing an organization,” Pearson said. “We want everyone in an organization to support anti-fraud initiatives, but someone must craft and share a vision on how fraud can best be prevented.”
We’ve found that this might vary from company to company depending on the corporate structure and the overall corporate governance model in place (i.e., internal audit charter, corporate compliance program, code of conduct) or the experience or expertise of the team members. This anti-fraud team should clearly define its overall ownership and responsibility of the implementation and continued oversight of the program.
The graphic “Who Owns Fraud?” below demonstrates this collective ownership model for an anti-fraud team and the recommended processes for proactive and reactive approaches to fraud risk management.
The team members must possess diverse skill sets to address the complexities of fraud cases and proactive fraud risk initiatives. Therefore, the team should include representation from executive management, the audit committee, the investigations group, the compliance department, the controllers’ group, the internal audit department, information technology, security, the general counsel’s office and the human resources department.
The team must clearly articulate each member’s role and responsibilities to avoid duplication of effort and ensure that the process will achieve the desired outcomes.
Developing An Effective Anti-Fraud Program
Once the right team is in place, it should develop an effective anti-fraud program. The objective of this program, as shown in the “Who owns fraud?” graphic, is to provide the framework for an organization to prevent, detect, report and investigate internal and external fraud. As we’ve worked with companies in various industries to develop programs, we’ve used a wide array of approaches to unify companies’ fraud teams. To illustrate this point, we’ll continue with our case study from the beginning of the article. Due to George Franklin’s frustrations, IWA put into place a fraud task force made up of compliance, general counsel, internal audit, human resources and the controllers’ group to create, implement and monitor its anti-fraud program.
Based on numerous meetings to design the process and assess the skill sets of the task force members, the group determined that internal audit and compliance would be responsible for the companywide fraud risk assessment. The controllers’ group would be responsible for controls monitoring to address the fraud risks identified from the fraud risk assessment. General counsel, human resources and internal audit would be responsible for ensuring that any fraud investigations were handled properly. All task force members would be responsible for creating effective elements to develop the tone and culture within IWA. As you can see, these elements of the program build upon each other and the entire anti-fraud program framework is more effective because of the collaboration of the members of the task force.
That framework, of course, can’t provide absolute assurance that fraud won’t occur within a company or that all fraud will be identified proactively. However, a strong anti-fraud program will provide management and employees with opportunities, guidance and support to:
- Understand the expectations of the company and practice them every day
- Recognize unacceptable behavior and encourage that action be taken
- Prioritize fraud risks and determine those risks that warrant attention
- Install controls to mitigate identified risks or suspected fraud risks
- Formulate actions to take once fraud is detected
- Ensure that these actions are followed if an investigation begins
- Share leading practices across business functions and segments
In other words, a strong and well-conceived anti-fraud program helps place a greater emphasis on the company’s oversight and provides a framework for responding when issues arise.
We’ve identified seven elements of an effective anti-fraud program, which fall into three overall categories: setting the proper tone, proactive steps and reactive steps. The elements to set the proper tone include: the code of conduct or code of ethics, fraud prevention policies, and communication and training. The proactive elements include: a fraud risk assessment and monitoring controls. The reactive steps include: a fraud response plan and ownership over the entire anti-fraud program. (see pdf, “Seven Elements of an Effective Anti-Fraud Program”)
Setting the Tone With a Code Of Conduct, Policies and Training
When setting the proper tone, management must go beyond stating that “we hire good people,” or “we operate our company with integrity.” It must demonstrate how these principles are tactically embedded into the company’s daily operations to create a culture of constant integrity.
A code of conduct or code of ethics establishes the guiding principles of a company. Among other things, it should promote honest and ethical conduct, compliance with applicable laws and regulations, and prompt reporting of violations of the code.
Clearly establishing fraud policies and procedures helps employees understand acceptable conduct and how to report suspected violations. Fraud awareness training – another significant and often overlooked aspect of an anti-fraud program – is a key element in setting the proper tone within an organization.
Companies that have anti-fraud training often spend too much time focusing on occupational fraud, such as stealing assets from the company (i.e., inventory and petty cash), because participants can easily visualize and understand these crimes. However, they often overlook other important areas such as corruption, financial statement fraud, vendor due diligence, misconduct and fraud when dealing with third parties, and theft of intellectual property and sensitive data.
One size doesn’t fit all. Companies are creating fraud awareness training programs for all employees on a general level and then providing more specific, comprehensive training dealing with relevant risks for different groups or business areas. Another overlooked aspect of an effective fraud awareness training program is ensuring that the training reaches these different business areas within the company. It’s important that employees understand why the training is relevant and that they comprehend the information presented. Post-training assessments can assist with determining this comprehension by making sure the employees captured the information and the objectives of the training were met.
All employees should receive annual fraud awareness training as part of the new-hire orientation process and as a component of the integration process for newly acquired companies, joint ventures or subsidiaries. Sophisticated training includes modules taught by the company’s internal audit, technology, compliance and security professionals. The emphasis should be on detecting schemes such as fake vendor schemes, bribery and corruption issues, and accounting fraud and revenue recognition awareness. This is another way to encourage synergies from the results of the fraud risk assessment by creating training programs to address the specific risks identified.
Employees, vendors, customers and other stakeholders who don’t learn a company’s anti-fraud policies and procedures, compliance and ethics programs, reporting protocols, and fraud risks won’t know the organization’s acceptable behavior. They can expose the company to major problems because they don’t know how to effectively report suspected fraudulent activities.
Many companies are taking anti-fraud training programs a step further by educating their top executives and then evaluating them on their character development. Vincent Higgins, president of the Institute for Effective Leadership, a company that provides training to C-suite executives, says organizations are increasingly hiring his firm to help evaluate executives’ leadership abilities and train them in understanding integrity issues. While companies or recruiters can’t predict who might engage in fraud, they can limit their exposure by enhancing the training of their highest executives on such important issues.
“We find that the best anti-fraud strategy is creating an integrity culture,” Higgins says. “Processes follow culture, not the other way around. And culture is determined primarily by the leaders’ attitudes and choices. Therefore, the integrity component must be an essential part of the equation in executive search; it must be developed constantly at the individual and executive team levels, and it must be rewarded as a requisite for advancement and compensation. Otherwise an organization is treating symptoms rather than causes.”
Proactively Assessing Fraud Risk And Monitoring Controls
Execution of a robust fraud risk assessment is the first proactive step management can undertake. The assessment’s purpose is to identify and prioritize areas that pose a higher risk of fraud. Keep in mind that individuals commit fraud, not IT systems or business processes. Therefore, when executing a fraud risk assessment, management must understand the reasons people commit fraud – pressure, opportunity and rationalization – as well as direct or indirect vulnerabilities.
The next proactive step is to identify and monitor internal controls to mitigate the risks. Action plans should be developed to document and evaluate the controls that mitigate any fraud risks found during the assessment. These plans should specify who’ll be responsible for monitoring and testing the controls, and who’ll review the results of their work.
Being Prepared to React to Fraud and Defining Roles and Responsibilities
Of course, fraud will still occur even though management sets the proper tone, trains their people on spotting problems, executes a robust fraud risk assessment, and designs internal controls to prevent and detect fraud. Therefore, the anti-fraud team has to establish reactive elements for the anti-fraud program.
The cornerstone of any reactive element in an anti-fraud program is a timely response to the suspected fraud with the right team. The team should establish, review, approve, and maintain policies and procedures regarding the company’s responses to fraudulent activities. The fraud response plan should encompass investigations, remediation and uniform disciplinary processes.
The team also should establish a framework of investigation protocols for management. The protocols should state that all suspected frauds, regardless of sources, will be reviewed and investigated. The team will determine who’ll lead the investigations if external assistance is needed, such as outside forensic assistance with fraud experience, and the results of the investigations will be communicated to the audit committee in a timely manner.
To illustrate our points on how paramount the success of the fraud response plan is to the overall fraud risk assessment, we continue our example with George Franklin and IWA. In previous years, Franklin had a concern about the effectiveness of the fraud response plan. His team would identify a fraud issue during the course of its internal audits and raise this issue to management, but his team would never receive updates on what happened or where the control breakdown occurred. This truly represented a breakdown in the effectiveness of the anti-fraud program. The internal audit team would be much more effective on future audits if they were updated on identified and investigated issues. In addition, the fraud awareness training program and the fraud risk assessment process could benefit from this knowledge.
For an effective fraud response plan to work, it has to communicate who’ll work on specific tasks from the moment the allegation is identified to the point of reporting the results. The anti-fraud program oversight team will be responsible for reviewing the allegations and then determining, based on their assessment, who should get involved, and to whom the results should be reported. The team will do this on a case-by-case basis, but the fraud response protocol will guide the team toward a documented, consistent process.
The Ultimate Success Is Through Synergy
The team’s key to success is to produce synergy among the team members by developing excellent communication. The team members should share a common goal and approach to fraud detection and response, which results in greater accountability in executing a task.
In our opening scenario, Franklin’s frustrations escalated when he became aware that other groups were involved in proactively and reactively dealing with fraud without his knowledge. This dysfunctional atmosphere creates an environment of inefficiencies and a lack of knowledge transfer, and impacts the ability to effectively deal with fraud.
Fraud is an extremely complex issue, and an oversight committee – such as an anti-fraud program oversight team – that’s committed to a common goal is often the best method to deal proactively and reactively with these complexities. The team’s anti-fraud program can then become the channel for the dissemination of messages from the top of the organization to all employees. This new environment will help reinforce an atmosphere of constant integrity throughout the company that will allow the company to more effectively deal with fraud.
Companies that have built anti-fraud programs, which include setting the proper tone, forming proactive and reactive measures, and clearly defining roles and responsibilities, will stand the best chance of mitigating risks and effectively addressing fraud.
The views expressed here are those of the authors and don’t necessarily reflect the views of Ernst & Young LLP.
Dan Torpey, CPA, and Mike Sherrod, CFE, CPA, are members of Ernst & Young LLP’s Fraud Investigation & Dispute Services practice.