Companies struggle to determine exactly who owns the proactive     and reactive responses to fraud within their organizati...
ron Works America (IWA) is a manufacturer of steel beams          MULTIPLE PEOPLE, MULTIPLE CONCERNS     used in the const...
WHO OWNS FRAUD?        Tim Pearson, executive director of the Institute for Fraud    should clearly define its overall owne...
WHO OWNS FRAUD?DEVELOPING AN EFFECTIVE ANTI-FRAUD PROGRAM                            proper tone, proactive steps and reac...
WHO OWNS FRAUD?     Seven Elements of an Effective Anti-Fraud Program40    FRAUDMAGAZINE                          www.frau...
WHO OWNS FRAUD?        A code of conduct or code of ethics establishes the guiding   them in understanding integrity issue...
To illustrate our points on how paramount the success of              In our opening scenario, Franklin’s frustrations esc...
Upcoming SlideShare
Loading in...5

Who owns fraud?


Published on

Published in: Business
1 Comment
No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Who owns fraud?

  1. 1. A P U B L I C AT I O N O F T H E A S S O C I AT I O N O F C E R T I F I E D F R A U D E X A M I N E R SFRAUDMAGAZINE Vol. 26, No. 1, January/February 2011JANUARY/FEBRUARY 2011 WHOWHO OWNS FRAUD? OWNSPUNISHMENT DEBATE FRAUD?CLIENT CONFIDENTIALITY Uniting Everyone to Effectively Manage the Anti-Fraud ProgramIPR CORRUPTION PLUS White-Collar Crime Punishment: Too Much or Not Enough?, PG. 20 Businesses Shouldn’t Sing the Credit Card Blues, PG. 24Fraud-Magazine.com Client Confidentiality and Fraud, PG. 28 Countering Corruption in Intellectual Property Rights, PG. 32
  2. 2. Companies struggle to determine exactly who owns the proactive and reactive responses to fraud within their organizations to ensure that they can prevent inefficient responses to fraud. Here are some practical ways to determine “who owns fraud” and accelerate anti- fraud programs within any company.36 FRAUDMAGAZINE www.fraud-magazine.com
  3. 3. ron Works America (IWA) is a manufacturer of steel beams MULTIPLE PEOPLE, MULTIPLE CONCERNS used in the construction of large commercial buildings. IWA’s Many companies struggle to determine who’ll be responsible for internal audit director, George Franklin, is responsible for managing fraud examinations and fraud risks. In a perfect world, monitoring the company’s fraud hotline for allegations of a company would designate one person to handle its anti-fraud misconduct made by employees. One day, Franklin received program responsibility such as the chief financial officer, chief a hotline message from a sales manager in the Columbus, compliance officer or general counsel. However, often a company Ohio, office, who claimed he had proof that an employee might not designate one person as the “owner” of its anti-fraud in the Cleveland office had created a fake vendor scheme, received kickbacks from one of his suppliers, and was embez- efforts. As a result, confusion can reign, causing a lack of trust inzling a significant amount of money through a complex revenue the proactive anti-fraud program for management and employ-recognition scheme. ees, a dangerous deficiency in sharing of knowledge, and inef- Franklin and his team quickly planned the initial stages ficient responses to fraud.of an investigation based on the allegations. However, Franklinsoon received a call from IWA’s human resources manager who MODEL FOR AN ANTI-FRAUD GROUPsaid she received a message from the sales manager in the Co- The good news is that many companies now realize that fraudlumbus office who reported a violation of the code of conduct to challenges need to be addressed. The bad news is that those sameher. As a result of this message, her department launched an in- companies might not be able to overcome inconsistencies, du-ternal investigation with assistance from IWA’s general counsel’s plicative efforts, and a lack of communication because those re-office two days before Franklin received the hotline message. sponsible for anti-fraud efforts often operate independent of each Franklin and his internal audit team members believed other and not in a coordinated way.that others in the company were encroaching on their responsi- We recommend that the “ownership” of anti-fraud effortsbilities because IWA’s charter directed their department to man- should be shared by a select group of individuals who each have,age all internal fraud examinations. Franklin became even more as part of their responsibilities, a role in addressing fraud proac-frustrated when he learned that IWA’s chief compliance officer tively and reactively. The shared responsibilities of the overallwas discussing, with the members of the audit committee, plans anti-fraud program would ensure that the roles of the team mem-to conduct a companywide fraud awareness training campaign as bers would be more effective to the overall group. Each individ-the beginning of a comprehensive fraud risk assessment process. ual would then have a specific goal and greater accountability toThe chief compliance officer wanted to accomplish this training the group. This approach also would give comfort to the board orcampaign in the upcoming year. However, he hadn’t discussedit with Franklin to get his perspective on how to structure the executive management within the company that the anti-fraudprocess because he thought the chairman of the audit commit- program was effective and efficient in its approach to fraud risktee had asked Franklin to include a fraud risk assessment in his management.internal audit plan for the year. The group should select a chairperson who will “shep- This fictitious example might seem extreme, but it’s not herd” the group to the goals they want to establish and ultimatelyuncommon as companies struggle to determine exactly who owns achieve. The chairperson’s overall role is to ensure that the ele-the proactive and reactive responses to fraud within their organiza- ments established for the anti-fraud program are being met andtions. In fact, nearly half of respondents to the 2010 Ernst & Young the responsible individuals are working together to ensure thatGlobal Fraud Survey said that their organizations didn’t have well- the elements are being implemented and monitored. The chair-defined roles for different groups (internal audit, compliance, risk person would also work with the group to determine any neededand legal) when responding to reports of possible fraud. modifications to the overall anti-fraud program.January/February  2011 FRAUDMAGAZINE 37
  4. 4. WHO OWNS FRAUD? Tim Pearson, executive director of the Institute for Fraud should clearly define its overall ownership and responsibility ofPrevention (www.theifp.org/), believes that a chief compliance the implementation and continued oversight of the program.or integrity officer is best suited to chair the team and meet regu- The graphic “Who Owns Fraud?” below demonstrateslarly with the committee representatives to report anti-fraud co- this collective ownership model for an anti-fraud team and theordination efforts. recommended processes for proactive and reactive approaches to “Fraud is more likely to go undetected when the responsi- fraud risk management.bilities for education, monitoring and risk management are dif- The team members must possess diverse skill sets to ad-fused across reporting lines so no one individual or group can dress the complexities of fraud cases and proactive fraud risktruly get a handle on the fraud risks facing an organization,” initiatives. Therefore, the team should include representationPearson said. “We want everyone in an organization to support from executive management, the audit committee, the compli-anti-fraud initiatives, but someone must craft and share a visionon how fraud can best be prevented.” ance department, the controllers’ group, the internal audit de- We’ve found that this might vary from company to com- partment, information technology, security, the general counsel’spany depending on the corporate structure and the overall cor- office and the human resources department.porate governance model in place (i.e, internal audit charter, The team must clearly articulate each member’s role andcorporate compliance program, code of conduct) or the expe- responsibilities to avoid duplication of effort and ensure that therience or expertise of the team members. This anti-fraud team process will achieve the desired outcomes. Who Owns Fraud? Having a Seat at the Table38 FRAUDMAGAZINE www.fraud-magazine.com
  5. 5. WHO OWNS FRAUD?DEVELOPING AN EFFECTIVE ANTI-FRAUD PROGRAM proper tone, proactive steps and reactive steps. The elementsOnce the right team is in place, it should develop an effective to set the proper tone include: the code of conduct or code ofanti-fraud program. The objective of this program, as shown in ethics, fraud prevention policies, and communication and train-the “Who owns fraud?” graphic, is to provide the framework for ing. The proactive elements include: a fraud risk assessment andan organization to prevent, detect, report and investigate inter- monitoring controls. The reactive steps include: a fraud responsenal and external fraud. plan and ownership over the entire anti-fraud program. (See the As we’ve worked with companies in various industries to graphic, “Seven Elements of an Effective Anti-Fraud Program”develop programs, we’ve used a wide array of approaches to unify on page 40.)companies’ fraud teams. To illustrate this point, we’ll continuewith our case study from the beginning of the article. Due to SETTING THE TONE WITH A CODE OF CONDUCT,George Franklin’s frustrations, IWA put into place a fraud task POLICIES, AND TRAININGforce made up of compliance, general counsel, internal audit, hu- When setting the proper tone, management must go beyond stat-man resources and the controllers’ group to create, implement ing that “we hire good people,” or “we operate our company withand monitor its anti-fraud program. integrity.” It must demonstrate how these principles are tactically Based on numerous meetings to design the process and as- embedded into the company’s daily operations to create a culturesess the skill sets of the task force members, the group determined of constant integrity.that internal audit and compliance would be responsible forthe companywide fraud risk assessment. The controllers’ groupwould be responsible for controls monitoring to address the fraudrisks identified from the fraud risk assessment. General counsel,human resources and internal audit would be responsible for en-suring that any fraud investigations were handled properly. Alltask force members would be responsible for creating effectiveelements to develop the tone and culture within IWA. As youcan see, these elements of the program build upon each otherand the entire anti-fraud program framework is more effectivebecause of the collaboration of the members of the task force. That framework, of course, can’t provide absolute assur-ance that fraud won’t occur within a company or that all fraudwill be identified proactively. However, a strong anti-fraudprogram will provide management and employees with opportu-nities, guidance and support to: Understand the expectations of the company and practice them every day Recognize unacceptable behavior and encourage that action be taken Prioritize fraud risks and determine those risks that warrant attention Install controls to mitigate identified risks or suspected fraud risks Formulate actions to take once fraud is detected Ensure that these actions are followed if an investigation begins Share leading practices across business functions and segments In other words, a strong and well-conceived anti-fraudprogram helps place a greater emphasis on the company’s over-sight and provides a framework for responding when issues arise. We’ve identified seven elements of an effective anti-fraudprogram, which fall into three overall categories: setting theJanuary/February  2011 FRAUDMAGAZINE 39
  6. 6. WHO OWNS FRAUD? Seven Elements of an Effective Anti-Fraud Program40 FRAUDMAGAZINE www.fraud-magazine.com
  7. 7. WHO OWNS FRAUD? A code of conduct or code of ethics establishes the guiding them in understanding integrity issues. While companies or re-principles of a company. Among other things, it should promote cruiters can’t predict who might engage in fraud, they can limithonest and ethical conduct, compliance with applicable laws their exposure by enhancing the training of their highest execu-and regulations, and prompt reporting of violations of the code. tives on such important issues. Clearly establishing fraud policies and procedures helps “We find that the best anti-fraud strategy is creating anemployees understand acceptable conduct and how to report sus- integrity culture,” Higgins says. “Processes follow culture, notpected violations. Fraud awareness training — another signifi- the other way around. And culture is determined primarily bycant and often overlooked aspect of an anti-fraud program — is the leaders’ attitudes and choices. Therefore, the integrity com-a key element in setting the proper tone within an organization. ponent must be an essential part of the equation in executive Companies that have anti-fraud training often spend too search; it must be developed constantly at the individual andmuch time focusing on occupational fraud, such as stealing as- executive team levels, and it must be rewarded as a requisite forsets from the company (i.e., inventory and petty cash), because advancement and compensation. Otherwise an organization isparticipants can easily visualize and understand these crimes. treating symptoms rather than causes.”However, they often overlook other important areas such as cor-ruption, financial statement fraud, vendor due diligence, miscon- PROACTIVELY ASSESSING FRAUD RISK ANDduct and fraud when dealing with third parties, and theft of intel- MONITORING CONTROLSlectual property and sensitive data. One size doesn’t fit all. Companies are creating fraud Execution of a robust fraud risk assessment is the first proactiveawareness training programs for all employees on a general level step management can undertake. The assessment’s purpose isand then providing more specific, comprehensive training deal- to identify and prioritize areas that pose a higher risk of fraud.ing with relevant risks for different groups or business areas. An- Keep in mind that individuals commit fraud, not IT systems orother overlooked aspect of an effective fraud awareness training business processes. Therefore, when executing a fraud risk assess-program is ensuring that the training reaches these different ment, management must understand the reasons people commitbusiness areas within the company. It’s important that employees fraud — pressure, opportunity and rationalization — as well asunderstand why the training is relevant and that they compre- direct or indirect vulnerabilities.hend the information presented. Post-training assessments can The next proactive step is to identify and monitor internalassist with determining this comprehension by making sure the controls to mitigate the risks. Action plans should be developedemployees captured the information and the objectives of the to document and evaluate the controls that mitigate any fraudtraining were met. risks found during the assessment. These plans should specify All employees should receive annual fraud awareness who will be responsible for monitoring and testing the controls,training as part of the new-hire orientation process and as a com- and who will review the results of their work.ponent of the integration process for newly acquired companies,joint ventures or subsidiaries. Sophisticated training includes BEING PREPARED TO REACT TO FRAUD ANDmodules taught by the company’s internal audit, technology, DEFINING ROLES AND RESPONSIBILITIEScompliance and security professionals. The emphasis should be Of course, fraud will still occur even though management setson detecting schemes such as fake vendor schemes, bribery and the proper tone, trains their people on spotting problems, exe-corruption issues, and accounting fraud and revenue recognition cutes a robust fraud risk assessment, and designs internal controlsawareness. This is another way to encourage synergies from the to prevent and detect fraud. Therefore, the anti-fraud team hasresults of the fraud risk assessment by creating training programs to establish reactive elements for the anti-fraud program.to address the specific risks identified. The cornerstone of any reactive element in an anti-fraud Employees, vendors, customers and other stakeholders program is a timely response to the suspected fraud with the rightwho don’t learn a company’s anti-fraud policies and procedures,compliance and ethics programs, reporting protocols, and fraud team. The team should establish, review, approve, and maintainrisks won’t know the organization’s acceptable behavior. They policies and procedures regarding the company’s responses tocan expose the company to major problems because they don’t fraudulent activities. The fraud response plan should encompassknow how to effectively report suspected fraudulent activities. investigations, remediation and uniform disciplinary processes. Many companies are taking anti-fraud training pro- The team also should establish an investigation protocol’sgrams a step further by educating their top executives and then framework for management. The protocols should state that allevaluating them on their character development. Vincent Hig- suspected frauds, regardless of sources, will be reviewed and inves-gins, president of the Institute for Effective Leadership (www. tigated. The team will determine who’ll lead the investigations ifeffective-leadership.com), a company that provides training to external assistance is needed, such as outside forensic assistanceC-suite executives, says organizations are increasingly hiring his with fraud experience, and the results of the investigations willfirm to help evaluate executives’ leadership abilities and train be communicated to the audit committee in a timely manner.January/February  2011 FRAUDMAGAZINE 41
  8. 8. To illustrate our points on how paramount the success of In our opening scenario, Franklin’s frustrations escalatedthe fraud response plan is to the overall fraud risk assessment, we when he became aware that other groups were involved in proac-continue our example with George Franklin and IWA. In previous tively and reactively dealing with fraud without his knowledge.years, Franklin had a concern about the effectiveness of the fraud This dysfunctional atmosphere creates an environment of ineffi-response plan. His team would identify a fraud issue during the ciencies and a lack of knowledge transfer, and impacts the abilitycourse of its internal audits and raise this issue to management, to effectively deal with fraud.but his team would never receive updates on what happened or Fraud is an extremely complex issue, and an oversightwhere the control breakdown occurred. This truly represented a committee — such as an anti-fraud program oversight teambreakdown in the effectiveness of the anti-fraud program. The — that’s committed to a common goal is often the best meth-internal audit team would be much more effective on future au- od to deal proactively and reactively with these complexities.dits if they were updated on identified and investigated issues. In The team’s anti-fraud program can then become the channeladdition, the fraud awareness training program and the fraud risk for the dissemination of messages from the top of the orga-assessment process could benefit from this knowledge. nization to all employees. This new environment will help For an effective fraud response plan to work, it has to com- reinforce an atmosphere of constant integrity throughout themunicate those who’ll work on specific tasks from the moment company that will allow the company to more effectively dealthe allegation is identified to the point of reporting the results. with fraud.The anti-fraud program oversight team will be responsible for Companies that have built anti-fraud programs, whichreviewing the allegations and then determining, based on their include setting the proper tone, forming proactive and reac-assessment, who should get involved, and to whom the results tive measures, and clearly defining roles and responsibilities,should be reported. The team will do this on a case-by-case will stand the best chance of mitigating risks and effectivelybasis, but the fraud response protocol will guide the team toward addressing fraud.a documented, consistent process. The views expressed here are those of the authors and don’t necessarily reflect the views of Ernst & Young LLP.THE ULTIMATE SUCESS IS THROUGH SYNERGYThe team’s key to success is to produce synergy among the team Dan Torpey, CPA, and Mike Sherrod, CFE, CPA, aremembers by developing excellent communication. The team members of Ernst & Young LLP’s Fraud Investigation & Disputemembers should share a common goal and approach to fraud de- Services practice. Their e-mail addresses are: daniel.torpey@ey.comtection and response, which results in greater accountability in and mike.sherrod@ey.com.executing a task. What’s Driving the Focus on Anti-Fraud Efforts? Effectively managing fraud in the most cost-effective way is paramount to the success of an anti-fraud program especially in the current economic environment. Streamlining communications and aligning resources is critical to the process. Added pressure is coming from several important regulatory and market drivers: On June 20, 2007, the Securities and Exchange In November 2009, President Barack Obama announced Commission (SEC) published interpretive guidance on a new Financial Fraud Enforcement Task Force comprised management’s report on internal control over financial of representatives from more than 20 federal agencies, reporting, including references to dealing with fraud risk. which included the Departments of Justice, Treasury, and The guidance indicated that management should consider Housing and Urban Development; and the SEC. performing an analysis of their fraud risks. On April 7, 2010, the U.S. Sentencing Commission voted In July 2008, the ACFE, the Institute of Internal Auditors, to amend the federal Sentencing Guidelines relating to the American Institute of Certified Public Accountants, corporate compliance and ethics programs. These and representatives from the Big Four accounting firms amendments took effect on Nov. 1, 2010. and other consulting businesses published “Managing the On Oct. 6, 2010, the Center for Audit Quality (CAQ) Business Risk of Fraud: A Practical Guide” (ACFE.com/ issued a report entitled, “Deterring and Detecting Financial documents/managing-business-risk.pdf). Also see Reporting Fraud – A Platform for Action,” as part of its “Managing the Business Risk of Fraud: Indispensable anti-fraud initiative. The report contains a thoughtful Planning,” by Grace B. Ghezzi, CFE, CPA/PFS, AEP in the , examination of the motivators behind fraudulent financial January/February 2009 issue of . reporting and explores themes for mitigating the In mid-2009, the SEC announced a reorganization and a conditions that can lead to fraud. renewed emphasis on fraud-related enforcement including specialist teams of enforcement officials.42 FRAUDMAGAZINE www.fraud-magazine.com