
Creating a Culture Hostile to Fraud

April 2007

Do you believe your grandmother could perpetrate a fraud? The subject of my first fraud investigation was a grandmother, an employee who had been with our company for 20 years. Everyone knew her, everyone trusted her, and no one believed she would steal.

by Scott Langlinais
Langlinais Fraud and Audit Advisory Services

Management gave her responsibility over cash—a lot of responsibility over cash. She had access to the safe. She had access to the cashier drawers. She accounted for the daily cash inflow from customers, she prepared the daily deposits for delivery to the bank, and she ultimately reconciled the bank statements to her own accounting.

Every day her center would collect several hundred customer payments, mostly in checks, but some in cash. She set aside one day's checks and took the cash across the state line to Nevada to parlay it into some more money. She planned to return with all of the seed cash (don't we all plan to return from Nevada with money?) and then make the deposit whole, albeit a day late. For a while it worked. But when the losses mounted, she had to start lapping the cash. She would gamble Monday's cash, lose it, and replace the losses with Tuesday's intake. The snowball built into an avalanche—the more she lost, the later the deposits got, until she got to the point where she was completely missing deposit cycles. She always intended to repay the $60,000 she "borrowed."

Does $60,000 grab your attention? If not, how about $1.3 billion? That is the amount of losses incurred by Baring's Bank thanks to Nick Leeson. Mr. Leeson was a derivatives trader for Baring's Bank in Singapore, a 233-year-old entity that he managed to destroy. Mr. Leeson's managers allowed him to perform his job as Chief Trader and settle his own trades—functions that are typically segregated. In addition, Mr. Leeson had the ability to book his trading losses in a black-hole account. Not only did he have authority to make lousy trades without review, but he also had the ability to hide his $1.3 billion in losses. Over 1,000 employees lost their jobs, investors lost their savings, and Dutch Bank ING assumed nearly all of the bank's debt and acquired Baring's for £1.[1]

Beliefs and Systems Matter

Was management guilty in these two frauds because they allowed these employees so much control? Guilty, no; the grandmother and Mr. Leeson were the ones who perpetrated the frauds. But it would be unreasonable for their managers to claim no responsibility; they placed far too much trust in these employees and thus established an environment that enabled the frauds.

There is a link common to these and many other frauds I've witnessed or investigated. It lies in a belief I've heard from managers many times: "There's no fraud in my organization because we only hire trusted employees."

Such a management belief inherently contains one logic flaw and one very serious unintended consequence. The flaw is not in the idea of trusting employees; it is in the implication that there is a strong cause and effect correlation between trust and trustworthiness. The unintended consequence of the over-reliance on trust is that it can lead managers to ignore checks-and-balances and details and thus yield enough opportunity for employees to cause some real damage.

Is the solution then to not trust our employees? No, but many managers I speak with seem to believe in an inverse relationship between controls and trust. Increasing one decreases the other. Armed with this belief, managers are more likely to fail to install checks-and-balances and review transactions. They aggravate the situation if they also believe proper controls are too expensive, or there is not enough time to implement them. But good controls keep the business flowing, provide the necessary constraints, and allow employees to act ethically within a well-defined system.

Consider our traffic control system. Red light, stop; green light, go; yellow light, go faster. What makes us stop at a red? There is no gate that drops to prevent cars from entering the intersection. Most of the time, there is no law enforcement there to watch every car. So why do we do it? Because we have bought into the system—it does a pretty good job of managing the balance between safety and traffic flow at a reasonable cost. Or because we believe the consequences of violation outweigh the benefits. It is not an absolute control to prevent all violations and accidents. Because there is no physical impediment to our running a red (other than crossing cars), the system is designed with the trust that we will abide by the law and operate properly within the constraints of the system.

Managers believe it is important to hire good people that they trust. But to prevent fraud, it is even more important for them to design good systems for their employees to operate in. Research conducted in several different industries has demonstrated that a great system is often more important than great people.[2]

To illustrate the effect of bad systems on good people, we can look at mistakes made at NASA that contributed to two shuttle explosions. Without ever having set foot in NASA headquarters, most of us can agree that an organization that can put men on the moon and take close-up photographs of Jupiter's moons has to have some highly intelligent, motivated, process-oriented people. So how does evidence of imminent danger get ignored before the explosions of Challenger and Columbia?

The Columbia Accident Investigation Board issued a report on the causes of the 2003 shuttle explosion. The Board concluded that a culture of arrogance and over-reliance on past successes precluded evidence-based follow-up of the potential damage caused by the piece of insulating foam that detached and damaged a wing enough to cause the shuttle to burn up during re-entry. More disturbing is that the culture existed prior to the Challenger explosion. Though the people in the organization had changed, the bad systems remained. Consider this quote from the report:

  • In the Board's view, NASA's organizational culture and structure had as much to do with this accident as the External Tank foam. Organizational culture refers to the values, norms, beliefs, and practices that govern how an institution functions. At the most basic level, organizational culture defines the assumptions that employees make as they carry out their work. It is a powerful force that can persist through reorganizations and the reassignment of key personnel. [Emphasis added].

An effective contrast to NASA's culture is the U.S. nuclear Navy's. Nuclear-powered warships have traveled over 127 million miles without a reactor accident—roughly equal to 265 round trips to the moon. The success of the naval reactor depends on several factors: communication and action, with redundant paths of communication; relentless training and learning from mistakes; encouragement of minority opinions and bad news, with thorough management examination where minority opinions are absent; knowledge retention; and analysis of worst-case scenarios.[3] The Navy's nuclear safety system is designed to circumvent and overcome arrogance, bureaucracy, and over-reliance on past success.

The contrast between these systems is telling because many factors in the study are constant; both are large, government-run organizations full of engineers and military personnel who put people into dangerous machines. Where the people, leadership, and mission stakes are similar, the difference in the control systems becomes stark.

It is, of course, optimal to have great people in great systems, but most of the frauds I've witnessed or studied were due to a severe flaw in the control structure that afforded a person too much opportunity and removed the manager from the process. Certainly bad people can circumvent good controls, but more often I see people tempted by an opportunity to perpetrate a fraud when they thought they wouldn't get caught.

Baring's Bank's system allowed one trader, Nick Leeson, to accumulate enough losses to destroy an entity that had seen the Napoleonic Wars. Mr. Leeson's trading practices were largely ignored because of his early success in generating income for the bank through trading prowess. My former company had a system that allowed one financially pressured grandmother to steal enough money to have a significant impact on the small branch she worked in and the people she worked with.

Culture Is the Foundation of Systems

Managers must overcome their beliefs that strong controls are unnecessary because they have hired trusted employees who are expected to do their jobs correctly. Also bankrupt is the belief that controls undermine trust.

Good systems make good business sense. The responsibility for establishing a strong system starts at the top with the executives who can effect widespread change. Executives and managers must drive the culture that is hostile toward fraud, a culture with no tolerance for unethical behavior, and frequent recognition of instances of ethical practices. What if you don't have access to the top? Then change the culture in your own sphere of influence. It is critical to examine and challenge your own organization's beliefs, and though it may be management's primary goal and desire to generate an excellent return for the stakeholders, there should be no evidence that those returns were generated from fraudulent activity, and there should be plenty of evidence that the right ethical choices were made in generating the earnings.

In subsequent articles we will discuss the practices specific to an environment hostile towards fraud:

  1. High-integrity management that exercises stewardship over corporate assets and expects ethical behavior.
  2. Processes designed to detect symptoms of wrongdoing and redundant communication lines open for people to report allegations.
  3. A strong ethics policy that defines unethical acts and the boundaries for investigation, and a communication process that enables the employees to learn from violations.
  4. Checks-and-balances and management attention to details that reduce the opportunity for someone to cause significant damage.
  5. A process to filter out those likely to perpetrate fraud.

[1] "Nick Leeson and Baring's Bank"

[2] Jeffrey Pfeffer and Robert I. Sutton, Hard Facts, Dangerous Half-truths, & Total Nonsense: Profiting from Evidence-based Management (Boston: Harvard Business School Press, 2006).

[3] Columbia Accident Investigation Board, Report, vol. 1 (August 2003).



© 2000-2009 International Risk Management Institute, Inc. (IRMI). All rights reserved.