1. A
Ethical Boardroom | Spring 2015
Lessonsin
OversightLearning from what went wrong and why can
improve your organisation’s governance
lthough this exchange is
imagined, unfortunately its
underlying construct is not
fictional. This is the story of the
‘Tahitian Prince’ who worked for
the health department in the
Australian state of Queensland
and who committed the largest
fraud ever identified in Queensland public
service history.
How no one stopped to think that an invitation
to a Queensland Health employee to the wedding
of Prince William and Kate Middleton didn’t
seem strange probably sums up many aspects
of this story.
This is the play book of fraudulent
intent, ineffective systems and
processes and people willing
not to see what was right
before their eyes.
The lessons that the
imaginedconversation
represent go to the
very core of what
constitutes good
Tom McLeod
Managing Consultant,
McLeod Governance
Board Governance | Oversight
STAYING VIGILANT
To spot fraud,
organisations need
more insight into
identifying risks
Employee: “Excuse me boss, but
could I take a week’s leave?”
Employer: “Sure, but do you mind if
I ask if you are taking a break?”
Employee: “I am attending a
wedding in London.”
Employer: “Friends?”
Employee: “Yes. William
Arthur Philip Louis
Windsor and Catherine
Elizabeth Middleton.”
3. Ethical Boardroom | Spring 2015
That is where the dispassionate and regular
discussion of fraud, by its very taking place,
can ignite an improved control environment.
We have even seen an organisation that uses its
discussion of such topics as evidence that they
are an employer of choice where communication
is open, irrespective of how challenging the
subject matter may be.
The second major use of such case studies is
to improve an organisation’s fraud control
framework and training environment. If the first
benefit was “What can we learn?”, this benefit is
focused on “Could it happen here?”.
In the same way that organisations seek out
– or invent – terrible natural or man-made
disasters that are of a scale that immediately
activate the organisation’s disaster recovery plan
to assess whether the plan would withstand what
the (invented) world has thrown at it, then so can
a Tahitian Prince fraud example be used.
Assessing fraud frameworks
A strong fraud control framework is made up of a
number of interdependent factors – leadership;
organisational culture; (external) legislation or
(internal)policies;preventiontechniques;detection
mechanisms; responses and reporting mediums.
Throw the facts of the case study against the
proverbial wall and see how they fall. Would your
organisation have identified the misadventure
in a timely manner? If so, how would you have
done it without detection? If not, what are the
deficiencies that you have identified?
What would have been the response of
the senior leadership of the organisation? We
have had the experience where we had to
educate senior leadership as to what they
were and were not allowed to do as
the leadership wanted to be seen as
tough on fraud but were ignorant
oftheconceptofdueprocessand
the presumption of innocence.
Do your organisation’s
p o l i c i e s a d d r e s s t h e
hypothetical issue at hand?
To borrow the phrase about
the standards you accept are
the standards you walk past;
an organisation’s policies are
onlyasgoodastheexceptions
that they allow.
Once proven – or perhaps
even on suspicion or receipt of
the allegation – what and to
whom would the organisation
be reporting the matter? Do you
have a legal obligation to report the matter to
the relevant policing authorities and what can
you expect from that authority in terms of action
and feedback?
Equally, consideration should be given to what
governance body within your organisation the
matter should be raised to and by when. A well-
constructed audit committee charter will usually
explicitly stipulate when allegations of fraud need
to be reported to it – whether immediately or at
the convening of the next meeting.
By now you have assessed whether the matter
could have happened within your organisation
and have considered whether the process
deficiencies identified by others are applicable
to your circumstances.
So now it is time to use the case study in the
training of your employees. Many years ago after
presentingtoanauditcommitteeonarun-of-the-
mill employee expense fraud, we were challenged
by the chair as to what was the split of our
resources between prevention and investigation.
The chair insisted that if we were to only have
$100, we were to spend $90 on fraud prevention.
Additionally, he asked that we up-skill the entire
organisation in fraud awareness.
His thesis – proven correct many times
over – was that a well-funded education
programme informing a receptive workforce will
save far more money than the threat of a strong
investigative environment.
As an interesting aside to the chair’s challenge,
we dramatised using professional actors the
run-of-the-mill expense reimbursement fraud
andputtheresultingshortfilmonline.Employees
were required to identify the seven examples
of misadventure and fraud – some blatant,
such as the use of a corporate credit card in an
establishment of ill repute, and others subtle,
such as making a false invoice.
Learn from previous mistakes
The average number of instances identified was
two; showing to us that we had a workforce that
was not particularly good at seeing what was
right before their eyes.
The final benefit of such case studies is,
strangely enough, career development. Not for
the fraudster, even if the maxim that all publicity
is good publicity holds true. Rather it is
career developing if you are the person that
is seen to be committed to improving the
controlenvironmentandgovernanceframeworks
of the organisation in a constructive and
meaningful way.
This lesson-learned approach, however, should
not only be limited to fraud case studies. Every
week in nearly every country a well-researched,
well-crafted report will be released, detailing
the triumphs or, more likely, the failings of an
organisation’s internal control systems.
The sources of such reports can be many and
varied – where a company has committed to
release a report publicly; through the output of
the audit, evaluation and investigation agencies
of government; via commissions of inquiry
or in the pages of transcripts released via
court action.
Seek out those reports. Learn from
them and embrace the uncertainty that
they may deliver. For, as was once attributed
to Eleanor Roosevelt, “learn from the mistakes
of others. You can’t live long enough to make
them all yourself”!
And remember to be suspicious of anyone
that says that they have received a personal
invitation to the wedding of the second in line to
the British throne.
Board Governance | Oversight
false representation
Simple fact checking can
reveal if someone is who
they say they are
A well-funded education
programme informing a
receptive workforce will
save far more money than
the threat of a strong
investigative environment