Strategic Considerations for Executives
September 2009
Whether executives of an emerging,
fast-growing company seek to establish an environment hostile to fraud, or
officers of a mature stalwart wish to review and enhance their fraud
deterrents, many of their questions share common ground.
by Scott Langlinais
Langlinais Fraud and Audit Advisory Services
Following are some of the most frequent questions I receive from
executives and managers related to establishing a strong control
environment, followed by my standard responses.
How Is Fraud Typically Detected within an Organization?
The Association of Certified Fraud Examiners'
2008 Report to the Nation on Occupational
Fraud & Abuse analyzed hundreds of frauds reported by their members.
The report included a chart stratifying the detection methods of the frauds,
with the most common being:
- 46 percent of reported frauds—tips
- 23 percent—internal controls
- 20 percent—accidents
With tips and accidents being the source of detection for two-thirds of
the reported frauds, it almost seems as though companies need to get lucky
for their employees to stumble across symptoms of fraud. But this survey
provides valuable information we can use to create environments hostile to
fraud. If tips and accidents account for the majority of detections, we may
as well embrace this fact and establish controls accordingly.
Most companies have an anonymous hotline enabling employees and
stakeholders to report potential unethical behavior, but not all companies
use it properly. If you manage a billion-dollar company with 5,000
employees, yet the hotline only receives 5 complaints a quarter, then either
your employees do not know of the hotline, they do not trust it, or they
fear using it because they have been threatened. In any case, the executives
must demonstrate how seriously they take the hotline. Activity on the
hotline should be reasonably robust, even if many of the allegations are
frivolous, because this demonstrates the employees know of and trust in the
process.
Companies hostile toward fraud state clearly in their fraud policy or
code of conduct: how employees can reach the anonymous hotline; how
seriously the executives take complaints reported through the hotline; and
how anyone who subverts the use of the hotline or threatens employees about
using it may have their employment terminated. Links to the hotline can also
be placed on the company intranet. But the company should also leave
multiple, redundant communication channels open to the employees, such as
contact information of the audit committee chairman, the executive in charge
of fraud investigation, and the partner in charge of external auditors.
Multiple communication options are essential in case one of the channels is
corrupt, unavailable, or perceived to be ineffective.
Is It Cost Effective To Litigate?
It's not unusual to hear a question like this: We have a $20,000 fraud
that will cost us $50,000 to litigate—should we just terminate the
perpetrator and be done with it? The companies most hostile toward fraud
treat all cases seriously, regardless of amount. In my previous company, our
Audit Committee chairman boasted of firing a vice president over a $10
infraction on an expense report. In his view, if the vice president could
not demonstrate ethical decision-making over $10, then he would fail to make
a sound decision over any amount.
To compare the cost of litigation with the amount of the fraud loss is a
short-term view; you have no idea how much your company will save in future
fraud deterrence by demonstrating you will pursue every fraud vigorously. If
your company just seeks a clean termination of anyone who steals $20,000,
then word will spread: unethical employees will see little downside to
buffering their salaries with company assets. What do they have to lose if
they are caught?
On the other hand, consider the indirect impact of treating all frauds
very seriously. Your ethical employees will appreciate working in an
environment that demonstrates solid character, and additionally, anyone who
sees an opportunity to steal is going to think twice if they know your
company sent someone to jail for stealing "only" $20,000. You will create a
long-term deterrent effect that you would never be able to measure, but
could be certain exists.
How Big Does a Fraud Have To Be To Warrant Attention?
No company hostile toward fraud sets a baseline amount at which they can
say, "Above this amount, we consider it serious; below this amount, we
don't." If you set the threshold at $5,000, for example, then will you let
someone off the hook for stealing $4,999.99? Or what if the perpetrator
defrauded special needs children for $3,000?
Executives should consider more than just the dollar amount of the fraud
when determining whether a perpetrator has exceeded acceptable limits. Three
factors can drive a fraud beyond acceptable limits: amount, nature, and
duration.
For instance, one of my clients audits for death care frauds. Suppose
your grandmother and grandfather prepaid for caskets and cemetery plots
years ago. Your grandfather dies, and when your grandmother arrives at the
funeral home, she notices he has been placed in a cheaply constructed
casket, of much poorer quality than what they had ordered. The funeral home
director informs her that costs have increased since they bought the prepaid
contract, and so she would need to pay an additional $2,000 to bury your
grandfather the way he thought he would be buried. It does not matter how much
the funeral home attempts to steal from her; the nature of the fraud is so
disgusting that the amount is irrelevant.
Duration can also drive a fraud beyond acceptable limits. Consider a
$2,000 shortage in petty cash—is this a problem? How about a $2,000 shortage
once a month for 20 years?
If we simply deal with amount, this depends on the risk tolerance built
into your organization's internal controls. Some organizations, such as the
Federal Reserve banking system, have created a zero-loss system of controls.
Because of the volume of cash they handle daily, the Fed intends to not lose
a single dollar of it. High-tech companies in the late 1990s tolerated much
more risk than most companies because their executives did not want
the bureaucracy of controls to impede their astronomical revenue growth.
Tolerance may even vary in different areas of your organization. Your
board of directors, for example, might possess zero tolerance of unethical
behavior amongst executives. As established by the Sarbanes-Oxley Act, any
amount of financial reporting fraud perpetrated by upper management is
intolerable. But at lower levels, especially in areas with very limited
access to company assets, the risk tolerance may be much higher, or
establishing controls to prevent loss there would be cost-prohibitive
relative to the risk.
In my view, part of the reason the Bernie Madoff fraud is getting so much
press is that it hits all three factors for exceeding acceptable limits: $50
billion over a couple of decades that included defrauding dozens of
charities.
How Do We Both Seek Out Fraud and Demonstrate Trust in Our Employees?
Seeking fraud and trusting your employees are not mutually exclusive. You
may trust your employees, yet still get taken by an unethical person. It is
important to remember: all fraud is done by those we trust, because no one
would hire and retain someone they did not trust.
When you establish strong detective controls in your organization, your
goal should be to have employees follow up on the symptoms of fraud. We do
not suggest you target specific people, but rather deal with the objective
facts—checks cut to a vendor with an address matching an employee's address,
or a top salesperson whose sales have the highest rate of reversal. When an
employee submits an expense report with photocopied receipts, you have not
failed to trust your employee just by following up on the fraud symptom. If
16 paychecks every pay period are going to the same bank account, prudent
business practice dictates someone check for a ghost employee scheme. Then
the perpetrator commits the trust violation, not their managers. You trusted
them, they destroyed it.
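The two objective checks named above (a vendor address matching an employee's address, and many paychecks going to the same bank account) can be run as routine data tests. The following is an added example, not part of the original article; the records, field names, abbreviation table and the threshold of three are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records (hypothetical names, addresses and account numbers).
EMPLOYEES = [
    {"id": "E100", "address": "12 Oak Street, Apt. 4, Austin TX 78701"},
    {"id": "E101", "address": "900 Pine Rd, Austin TX 78702"},
]
VENDORS = [
    {"id": "V7", "address": "12 OAK ST APT 4 AUSTIN, TX 78701"},
    {"id": "V8", "address": "41 Industrial Blvd, Dallas TX 75201"},
]
PAYROLL = [
    {"employee_id": "E100", "account": "111-000-1"},
    {"employee_id": "E101", "account": "222-000-2"},
    {"employee_id": "E102", "account": "222-000-2"},
    {"employee_id": "E103", "account": "222-000-2"},
]

# Assumed abbreviation table; extend it for the address data actually held.
ABBREVIATIONS = {"street": "st", "road": "rd", "avenue": "ave",
                 "boulevard": "blvd", "apartment": "apt", "suite": "ste"}

def normalize_address(raw):
    """Lower-case, drop punctuation and collapse common abbreviations so that
    cosmetic differences do not hide a match."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", raw.lower()).split()
    return " ".join(ABBREVIATIONS.get(t, t) for t in tokens)

def vendors_matching_employees(vendors, employees):
    """Return (vendor_id, employee_id) pairs that share a normalized address."""
    by_address = defaultdict(list)
    for emp in employees:
        by_address[normalize_address(emp["address"])].append(emp["id"])
    return [(v["id"], emp_id)
            for v in vendors
            for emp_id in by_address.get(normalize_address(v["address"]), [])]

def shared_deposit_accounts(payroll, threshold=3):
    """Return accounts receiving pay for `threshold` or more distinct employees.
    The threshold is an assumption; set it from your own payroll population."""
    by_account = defaultdict(set)
    for row in payroll:
        by_account[row["account"]].add(row["employee_id"])
    return {acct: sorted(ids) for acct, ids in by_account.items()
            if len(ids) >= threshold}

if __name__ == "__main__":
    print(vendors_matching_employees(VENDORS, EMPLOYEES))
    print(shared_deposit_accounts(PAYROLL))
```

Each result is a symptom to follow up, such as a shared household account or a legitimate employee-owned vendor, rather than a finding about a person.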
Isn't It the Auditors' Responsibility To Detect Fraud?
Yes, it is the auditor's responsibility, along with everyone else's.
Everyone in your company knows best what transactions passing through their
area should look like, and they know when a particular transaction smells
funny.
Auditors cannot be everywhere at once, so executives must empower
everyone in their organization to report odd transactions to a trusted
manager, who can help determine whether the transaction should be reported
immediately through the hotline or to the department in charge of
investigations. Use the information presented at the beginning of this
article: tips and accidents account for the majority of fraud detection
methods, so ensure your company properly channels this information to the
right folks. Your fraud policy, which may be baked into your code of
conduct, is an excellent place to discuss the importance of all employees
being vigilant for shady transactions.
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author's employer or IRMI. Expert Commentary articles
and other IRMI Online content do not purport to provide legal, accounting, or other
professional advice or opinion. If such advice is needed, consult with your attorney,
accountant, or other qualified adviser.