Reducing the Opportunity To Commit Fraud
March 2008
Several years ago, Nick Leeson was named the
original "Rogue Trader" for destroying his employer, the 233-year-old Baring
Bank, by losing over $1 billion through unauthorized trades on the Singapore
Monetary Exchange. Now there is a new rogue trader in France who apparently
considers $1 billion petty.
by
Scott Langlinais
Langlinais
Fraud and Audit Advisory Services
Jérome Kerviel is currently under investigation for orchestrating a loss
of $7.2 billion for one of Europe's largest banks, Société Générale, through
unauthorized trades. A preliminary investigation has revealed there is no evidence
of collusion or accomplices in his scheme. How can there not be? No one noticed
a loss of say, a hundred million Euros? Half a billion? Two billion?
Apparently not. His trades were supposed to be authorized, but Mr. Kerviel
is reported to have circumvented that control with fictitious transactions,
which is likely also how he escaped the accountants. The investigation report
reveals an absence of controls that might have identified the fraud sooner.
I am quite curious what controls the bank did have in place, if trading losses
of that magnitude can remain invisible to everyone except Mr. Kerviel.
There is another fraud investigation occurring in Munich within German conglomerate
Siemens AG. The Siemens investigation has uncovered over $500 million in odd
transactions spanning 7 years, particularly sham consulting contracts used to
bribe key customers. The corruption came to light in 2004 when executive Michael
Kutschenreuter received a phone call from a Saudi Arabian businessman. The caller
represented a firm Siemens had previously bribed for $50 million. The caller
was now requesting $910 million more, or he would alert the U.S. Securities
and Exchange commission regarding these improprieties. Whoops.
Segregation of Duties
Multimillion dollar bribes are clearly not possible without cooperation from
multiple departments and executives, and massive trading losses cannot remain
hidden without a level of blindness across multiple departments. Collusion and
blindness both point to a corruption in a company's checks and balances system.
While segregation of duties has become somewhat of a tired concept in the auditing
profession and post Sarbanes-Oxley, most of my fraud investigations have pointed
to a segregation of duties problem enabling the fraud.
At the process level, proper segregation of duties exists if a separate employee
is responsible for executing, approving, recording, and reconciling each transaction.
But to prevent the most damaging types of fraud—fraud to benefit the organization
and fraud by the executives—checks and balances must contain a greater level
of complexity.
Here is a subtle point missed by most managers and auditors who review processes
for checks and balances: it is critical to not only segregate duties by process,
but also by reporting lines in the organization. Segregation must be strict
between operations, finance and accounting, and legal/compliance executives.
Employees who execute and approve a large and highly negotiable transaction
should trace their reporting line to one executive (e.g., operations manager);
employees who account for and reconcile the transaction should trace their reporting
line to a different executive (e.g., controller); and there should be a review
of major transactions performed by a compliance department, such as Internal
Audit, that reports to an entity independent of the executives (e.g., the Audit
Committee of the Board of Directors). This creates obstacles for executives
to override control processes in favor of getting a deal done.
One fraud I investigated in Europe demonstrates a situation in which duties
were properly segregated at the process level, with critical tasks divided among
separate employees, but all of the employees reported to the same officer. An
operations director in the London-based division sold six-figure consulting
deals approved by his manager, a vice president. The deals were accounted for
and reconciled out of the accounting office in the Netherlands, and this system
provided a segregation of duties in appearance. However, the young Dutch accountant
was in reality held accountable by the operations director doing the deals.
As the investigation unwound, we discovered e-mails between the operations
director and the accountant in which the operations director told the accountant
how to book the deals, and those instructions violated fundamental accounting
principles. Shadow finance organizations within operations and sales departments,
such as the one described above, are common because they allow companies to
maintain the appearance of having checks and balances while retaining the ability
to manipulate the numbers.
Establish True Checks and Balances
Employees involved in segregated controls must also be empowered with detective
processes in which they seek and question strange or unsupported transactions.
In Mr. Kerviel's case, it is not enough to tell someone they lack the authority
to execute certain transactions—this control is too easily circumvented with
fictitious transactions and a false paper trail. Employees independent of Mr.
Kerviel's reporting line must seek curious transactions and question where appropriate,
not to spy or create an overlord culture, but to provide a healthy skepticism
which reduces the opportunity for a nine-figure fraud to remain undetected.
To determine whether or not your company has proper checks and balances,
list all of the areas in which your company could lose a significant amount
of money (the amount of significance varies with every company) from theft,
fines, or lawsuits. It could be from an executive bullying subordinates into
posting false entries. It could be from purchasing personnel engaging in elaborate
kickback schemes, a sales agent processing false customers, or in your field
operations engaging in unsafe practices such as dumping chemicals into rivers.
Within each of those areas, verify whether key transactions are executed,
approved, recorded, and reconciled by different personnel, and confirm those
personnel trace their superiors to different executives. Also determine whether
sufficient audit processes are conducted periodically by independent personnel,
and those processes enable the independent reviewers to flag and question odd
transactions.
Conclusion
Will this exercise stop all fraud? Of course not; we just seek to make fraud
more difficult to perpetrate, to reduce the opportunities of bad behavior, and
contain the damage when it does occur. Checks and balances are important, but
cannot prevent fraud alone. Segregated processes complement ethical executive
behavior. (See other corporate
fraud prevention articles.) And a culture hostile to fraud reduces the opportunity
for employees to commit wrongdoing.
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author's employer or IRMI. Expert Commentary articles
and other IRMI Online content do not purport to provide legal, accounting, or other
professional advice or opinion. If such advice is needed, consult with your attorney,
accountant, or other qualified adviser.