This article, the first in a two-part series, explores techniques and tools that veteran CFEs and other experienced fraud fighters use to detect and prevent C-suite-initiated fraud. Part 2, in the January/February 2015 issue, will present insights and best practice recommendations from additional CFEs and other experts on how to anticipate and respond to passive executive fraud, such as failing to prevent employees from engaging in illicit financial transactions. — ed.
Organizations urgently need to improve their employees' ability to report C-suite misbehavior without retribution. Here are ways that CFEs can help businesses do just that.
Tsuyoshi Kikukawa, former chairman of Japan's Olympus Corp., was a shortsighted leader. In the latter part of the last decade, he continued a scheme — initiated by his predecessors — to hide the company's losses by cooking the books until, they hoped, future profits would make further financial statement fraud unnecessary. Ultimately, Kikukawa's misguided managerial instincts and leadership deficiencies severely damaged the company's finances and reputation much more than if he had revealed the truth. He and his co-conspirators were found guilty of the $1.7 billion financial statement fraud and punished only with suspended sentences because their scheme didn't benefit them financially.
Olympus' fraud was fully exposed when 2012 ACFE Sentinel Award recipient Michael C. Woodford, then president of Olympus, blew the whistle on his C-suite colleagues. (See
The Real Cost of Choosing Truth Over Self, Fraud Magazine, March/April 2012.) Employees were afraid to report what they knew of the fraud.
Corporate leaders have always faced pressures, opportunities and rationalizations for actively perpetrating financial statement fraud and other malfeasance. Sometimes, they succumb to these temptations. But longstanding countermeasures, such as fraud hotlines and whistleblower protection programs, can help expose and even prevent executive fraud. However, only when such resources are well-designed, implemented and managed do employees have the confidence to use them.
THE RIGHT DIRECTION
Without full and active C-suite support, no organization's anti-fraud program can succeed. But rather than provide such backing, some executives commit or permit fraud, instead of fighting it. In response, many organizations — as dictated by good corporate governance and sometimes required by law — establish anti-fraud bodies plus policies and procedures, such as a board of directors and audit committee, internal and external audits, compliance and ethics offices and internal systems for reporting fraud. Nevertheless, a C-suite bent on wrongdoing will find ways to neutralize most, if not all, such anti-fraud measures.
According to the 2014 ACFE Report to the Nations on Occupational Fraud and Abuse, "Owners/executives accounted for less than one-fifth of all frauds, but the median loss in owner/executive cases was $500,000, approximately four times higher than the median loss caused by managers and nearly seven times that of employees." The median duration of fraud schemes perpetrated by employees was 12 months; by managers, 18 months; and by owners/executives 24 months, according to the report. (
ACFE.com/RTTN, page 41)
Clearly, organizations urgently need to improve their employees' ability to report C-suite misbehavior. CFEs can help businesses do that in two ways.
First, by offering guidance on making the most of what every business already has: employees — including executives — who'll help fight fraud if given access to anonymous, responsive hotlines and trustworthy whistleblower protection.
Second, by introducing businesses to what many need but don't understand: advanced analytics that reveal how the organization's management practices contribute to or mitigate fraud. Indeed, the ACFE Report to the Nations also says organizations that performed proactive data analysis cut their fraud-related median losses by 59.7 percent and fraud schemes' median duration by 50 percent. Those that provided hotlines saw median losses fall by 40.5 percent and median duration drop by 50 percent. Implementing these and other controls won't eliminate C-suite fraud. But it'll help organizations better protect themselves from unscrupulous leaders.
MADE, NOT BORN
An era ended on July 31 with the death of the scholar and management consultant Warren G. Bennis. With the exception of Peter F. Drucker, who died in 2005, no one person influenced contemporary thinking on the nature and optimal practice of leadership as deeply as Bennis did. One of his core beliefs was that good leaders are made, not born; their life experiences and open-minded collaboration with colleagues to benefit their enterprises and stakeholders shape their character and vision.
Bennis penned roughly 30 books on leadership, including the widely praised "On Becoming a Leader" (1989), in which he wrote, "A manager has a short-range view; a leader has a long-range perspective." (See
page 42.) He added that a manager surrenders to his or her context, while a leader masters it.
In the Olympus case, Woodford, the company's former president and whistleblower, recognized the scheme's apparent illegality and betrayal of all legitimate Olympus stakeholder interests and refused to let the situation master him. Neither internal peer pressure to remain silent nor initially widespread external indifference to his reports about the fraud deterred him from demanding and finally obtaining an investigation by the authorities.
"Exposure — Inside the Olympus Scandal: How I Went from CEO to Whistleblower," (published by Penguin Portfolio) Woodford's 2013 memoir, chronicled his ultimately successful efforts to reveal and help end the long-hidden fraud. As Woodford explained in his book, Olympus' internal and external auditors, its board, audit committee, compliance office and institutional investors all failed to identify what had been going on.
So when an ethical employee from Olympus — whose identity hasn't been disclosed to the public — decided to speak out, he or she contacted an investigative journalist. The resulting story was published in FACTA, a small specialist Japanese journal. The country's mainline media notably ignored its tale of the most serious allegations of corporate misfeasance. However, Woodford — unlike most others — wouldn't dismiss it as sensationalist nonsense.
He began asking his C-suite colleagues probing questions. They totally deflected him, so he secretly commissioned an independent audit. Its findings revealed unmistakable signs of serious fraud. Woodford substantiated his profound concerns in six detailed letters that he sent to each of the directors, and he requested to bring in forensic accountants.
Extraordinarily, despite the overwhelming evidence that Woodford revealed, the board (including the three non-executive directors) voted unanimously for his dismissal. Woodford believed he now only had one option left: Within 60 minutes after Woodford's firing, he was meeting with the Financial Times correspondent for Japan. Within a few hours, the world knew about Olympus' transgressions.
Kikukawa, the former Olympus chairman, in contrast, surrendered to financial misfortunes that had befallen Olympus.
Woodford, for his part, had performed well, but he wasn't born a leader. Rather, reflecting the thought of Bennis, he became one by maintaining his integrity despite unrelenting pressure from his senior colleagues, who hadn't.
WHISTLEBLOWING CRISIS
"Because I was CEO of a large multinational corporation, it was much more likely that people would eventually hear me out," Woodford told Fraud Magazine in a recent interview. "The real concern is how you make it easier to report wrongdoing for, say, a junior management accountant with three children and a big mortgage."
Dan Barta, CFE, CPA, agrees. Barta is a financial crime specialist in the Dallas office of SAS Security Intelligence, a maker of advanced analytics systems.
"Fear of being fired or of other reprisals is the main reason employees don't report executives' unethical behavior," Barta says. "It's the biggest challenge we face. Even though tips are the most effective avenue for identifying fraud, they still come in too late, especially when executives are involved.
As Barta further explains later in this article, advanced analytics can help by complementing whistleblower programs with data-driven insights on potential C-suite fraud.
Woodford, to help drive improvements in reporting systems, spent much of 2013 deeply involved as a member of the U.K.'s Whistleblowing Commission. In November of that year, the commission in a report
gave 25 recommendations for strengthening the U.K.'s whistleblowing framework.
"Our recommendations seek to eliminate organizational cultures that discourage whistleblowing," Woodford says. "Those who speak up should be encouraged and protected, not condemned or silenced. Britain and the U.S. can clearly do better, but their whistleblower protection programs are among the world's best."
In March, many more American workers became eligible for such safeguards, when the U.S. Supreme Court ruled in
Lawson v. FMR LLC that the whistleblower protection provisions of the Sarbanes-Oxley Act (SOX) apply not only to public company employees, as has been understood since the act's passage in 2002, but also to those working for private companies. The court also ruled that SOX's whistleblower protections also apply to employees of contractors and subcontractors.
Unfortunately, many other nations, including most in the EU, lag far behind. According to
Whistleblowing in Europe, a 2013 report by Transparency International (TI), only four EU countries — Luxembourg, Romania, Slovenia and the U.K. — have advanced legal frameworks for whistleblower protection. Of the other 23 EU member states, 16 provide partial protection for employees who report wrongdoing. The remaining seven nations (Bulgaria, Finland, Greece, Lithuania, Portugal, Slovakia and Spain) offer whistleblowers little or no legal protection from reprisals. Moreover, TI says, many EU whistleblower provisions contain loopholes and exceptions. Thus employees could discover, after they've blown the whistle, that they have no legal protection.
A VETERAN'S GOOD GOVERNANCE TIPS
"Companies pay me well to advise them," Woodford says. "Sometimes they want me to help them change the ‘tone at the top.' And I ask them if they really think they can instill ethics in 40- and 50-year-old men if they don't already have it by now."
Rather, Woodford says, companies need to be watchful and skeptical because people can "go bad" at any time. So, it's not enough to simply have a whistleblowing program; it has to inspire trust in employees that they'll be shielded from reprisals and that their reports will be impartially investigated.
"One of our recommendations on the commission was that the whistleblower function should report to senior non-executive staff, ideally, to the chairman of the audit committee," Woodford says. "There's no point in having it report to the executives. If it does, it'll be compromised and ineffective."
Woodford also says that employees and vendors should know who's in charge of the whistleblowing function and what that person's background is.
"These non-executives [i.e., board members] should come from independent backgrounds that encourage detachment, not socializing with the execs," he says. "And it's important to have women on the board. Men's macho nature is not usually conducive to a culture of openness."
Woodford recalled that 20 years ago in the U.K., a board chairman's annual compensation was £100,000 (an amount equal to $166,000 in 2014)."
People ‘collected' such positions after they retired," he says. "They'd come in for lunch four times a year, review board paperwork during the meeting and then play a round of golf. Those days are over."
Now, he noted, if you're chairman of the board for a Dow, NASDAQ or FTSE company and things go wrong — and you haven't demonstrated oversight and scrutiny — you could be personally charged in both civil and criminal actions. As a result, he says, today's board chairmen are people who've had distinguished careers and don't serve on a board for the money or the perks. They want to be actively involved in meaningful matters and expect to work hard and to be held accountable for their performance.
"Imagine you were an audit committee director responsible for overseeing the whistle-blowing facility," Woodford says. "And a whistleblower alleged the finance director or the company is committing fraud. Even if you had no moral compass, you'd want to protect your own reputation. That would make you have that report independently evaluated instead of merely forwarding it to the C-suite for review and resolution."
Woodford has similar feelings about another key form of oversight.
"Strong audits are essential to a company's health," he says. "Perhaps an employee, maybe even an internal auditor, thinks her tip or finding wasn't properly evaluated by company executives. Or say the auditor or other employee mistrusts the executive that received the report, or mistrusts that person's boss. That whistleblower should have the option to bring her concern to a specific, named senior non-executive board member, who's independent of the executive."
Woodford also believes companies should regularly rotate their external auditors.
"When I started out, external audits were much more forensic," he says. "They literally counted the widgets on the production line, and checked transactions. Now, it's all very high level and abstract."
At the same time, in his view, company executives and external auditors often have a much too cozy, back-slapping relationship.
"If you go to Wimbledon, you'll find all the auditing firms there, smooching and schmoozing with their clients," he says of his native England's venerable tennis tournament.
He readily acknowledges it's perfectly natural for people to bond with each other. But that doesn't make for effective audits, he says. That's why prudent companies rotate their auditing firms on a regular basis — to inhibit the formation of inappropriately close relationships.
"External auditing would, in general, be much more effective if every senior auditing partner knew that in five to 10 years, someone from another firm will be coming in to inspect the work he or she has done," he says.
BIG DATA: HOT AND SWEET
"When a forceful and unethical senior officer wants to cook the books," says SAS's Barta, "he'll order a subordinate to ‘Just do it!' But the specific tactic that implements that fraud strategy happens far below the financial statement level."
To find the hidden "hot spots" where such fraud takes place, Barta applies advanced analytics to the data that feed the financial statements.
"I take it down a level or two," he says. "Lots of transactions, general ledger accounts, roll up to the income statement, balance sheet and cash flow statement. When you drill down, you see that the essence of the fraud takes place not in the C-suite, but in a particular business unit by means of journal entries and other basic bookkeeping functions. Executives don't just change the numbers on a financial statement. The C-suite gives the order to commit the fraud, and the business unit carries it out."
Barta cited, as an example, the 1990s financial statement fraud perpetrated by the executive officers of Waste Management Inc., an environmental services company.
"To make the financials look better, their management drastically increased the expected useful life of each of the company's many garbage trucks," he says. "That reduced the yearly depreciation expense on each truck. And on top of that, they increased each truck's residual value, further reducing the depreciation expense."
These fraudulent actions weren't transactions, Barta says; they were policy changes. And although they dramatically affected the financial statements, the fraudulent changes were executed at a reporting level far below the financial statements they fed. That improved the bottom line by reducing expenses and boosting the appearance of profit.
"Data analytics — if focused on fixed assets and depreciation costs — could have caught that," Barta says.
In his experience, some companies have a particularly serious need for big-data-savvy CFEs. That's because, he explains, large companies execute sometimes millions of transactions — far beyond what they and their auditors can review effectively. But fraud fighters armed with data analytics can focus their attention on anomalous and high-risk data that could be red flags of fraud.
"There's a huge opportunity for antifraud specialists among once-small, relatively new companies evolving from an entrepreneurship into a long-term corporate entity," Barta says.
In his experience, such companies' controls and oversight functions haven't kept pace with these businesses' rapid growth.
"They're still running it as a mom 'n' pop shop," Barta says. "Everyone knows everyone else in the company. Segregation of duties is minimal or non-existent. But everyone's cool, so it's all great."
However, what the owners and employees of a company like that forget, Barta adds, is that the requirements for a $100 million business are much more complex than for the $1 million shop they once were. Their accounting structures aren't as sophisticated as they need to be. Their controls are lacking. Internal audit and compliance aren't at the necessary higher level.
"That's a sweet spot CFEs should aim to serve," Barta says. "These companies really need our help."
Robert Tie, CFE, CFP, is a contributing editor with Fraud Magazine and a New York business writer.
Read more insight and discuss this article in the ACFE's LinkedIn group.
The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or www.ACFE.com. ACFE follows a policy of exclusive publication. Permission of the publisher is required before an article can be copied or reproduced. Requests for reprinting an article in any form must be emailed to FraudMagazine@ACFE.com.