In two separate fraud cases—once in trial and once in a deposition—the attorney defending the perpetrator asked me this question: Does the company have a policy against stealing? A question like that seems so fundamentally baffling.
I always suggest to my clients that they incorporate a strong fraud policy into their code of conduct because it provides an excellent opportunity to communicate their corporate ethic, to provide a deterrent for those tempted by an opportunity to perpetrate fraud, and to guide employees on the proper methods for handling fraud. In turn, this helps protect the company from countersuits due to mishandling fraud cases. Most companies have a code of conduct, but not all include a fraud policy or verbiage that assist in creating an environment hostile to fraud.
Elements of a Sound Fraud Policy
A strong fraud policy defines unacceptable behavior, and it also communicates who in the organization is responsible for detecting fraud. As I established in my September 2007 article, the answer to this is the same for all organizations: it is everyone's responsibility to detect fraud. While most believe fraud detection is limited to the auditors, security personnel, or special investigators, auditors and investigators cannot be everywhere, nor are they even the best trained at understanding the characteristics of abnormal transactions in every area. Who better than an operations clerk to spot a transaction that stands out from every other transaction as odd or curious? No one is better than a procurement agent to know which vendors are offering kickbacks. A customer service assistant might be the first to notice a customer making their 24th address change in the last year. These are the people you want to mobilize in your organization, to recruit into the fraud detection process. The fraud policy is an excellent way to accomplish this.
In 2006, the Association of Certified Fraud Examiners issued a report summarizing their analysis of over 1,000 fraud cases investigated by their members. The most common methods of detection of all fraud cases were:
A Association of Certified Fraud Examiners, 2006 ACFE Report to the Nation on Occupational Fraud & Abuse, 24-5. The sum of percentages in this chart exceeds 100 percent because in some cases, responders identified more than one detection method.
Shocking at first that tips and accidental discovery were the most common detection methods—though unsurprising on further thought—this analysis confirms importance of empowering everyone in the organization and promoting redundant communication channels through which people can report wrongdoing. And if people in your organization forget about their responsibility to participate in the fraud watch, an excellent way to remind them is to have everyone sign the code of conduct regularly—once a year if not more often.
Most organizations have their people sign the code of conduct upon hiring, but how many frauds in the organization do people know about when they are hired? And how much attention do new hires dedicate to the code of conduct amid the mountain of material they must sign during their orientation? Repetition reminds people of their responsibility to engage in the fraud detection process, and your organization will inevitably see increased activity on the anonymous hotline during the signing period.
Whereas it is everyone's responsibility to detect fraud, it is not everyone's responsibility to investigate, and it should be clear in your fraud policy that employees do not perform their own investigations. As soon as they suspect wrongdoing, it is time to pass the evidence on to the investigative team. The fraud policy should clearly state how to report a potential fraud. There should be multiple communication channels that are independent and redundant. For example, communication channels should emphasize the leader of the investigative team, whether it is the Internal Audit Director, General Counsel, Security Director, or Special Investigator, and redundant communication channels can include the website or phone number of the third-party anonymous hotline, the Audit Committee Chairman, or the partner on your external audit engagement.
The policy must also forbid cover-up; fraud is bad news, but cover-up can aggravate the loss and cause it to slide into a disaster. Martha Stewart went to jail not because she turned a five-figure profit on inside trades, but because she refused to cooperate with investigators and initiated a cover-up. Arthur Andersen did not dissolve because it performed a few poor audits; it dissolved because it shredded documents which covered up its potential knowledge of Enron's transgressions, which angered the Department of Justice, which in turn spooked all of Anderson's clients into jumping ship before an indictment was even handed down on the audit firm.
The key here is to recognize that all companies experience internal or external fraud at some point, and it should be dealt with quickly, openly, and firmly. Though a fraud may occasionally get your company some attention with a blip in the local paper, a fraud left to fester from lack of attention or one covered up draws the attention of national media, meaning the fraud also attracts organizations such as the Department of Justice or the Securities and Exchange Commission.
When I perform high-level risk analyses for organizations, I match their fraud policy against the following checklist to evaluate the strength of the policy, and you may use this to construct your own fraud policy or check your organization's for the following key items:
A clear statement forbidding illegal activity, including fraud for the benefit of the organization.
A definition of responsibility, usually internal audit or security, for conducting investigations.
A requirement of any employee who suspects wrongdoing to immediately notify their superior or those responsible for investigations.
A listing of the appropriate communication channels for reporting fraud.
A statement that suspected wrongdoing will be fully investigated.
A statement that suspects will be treated consistently without regard to position held or length of service.
A statement that management is responsible for knowing the fraud risks in their areas and for detecting suspected wrongdoing.
A statement requiring management to cooperate fully with law enforcement and regulators, including reporting to law enforcement and support of prosecution.
A statement forbidding cover-up and retaliation against witnesses.
A requirement that all investigative activity be reported to the audit committee.
A statement of responsibility for notifying the bonding company and filing bonding claims.1
Reinforcing the Policy
One final concept to consider is the reinforcement of the policy after employees have signed it. Your company can reinforce the importance of the policy and the company's zero tolerance of fraud through its emphasis on strong and definitive action against perpetrators. There are four common and standard actions organizations take against fraud:
Pursue criminal prosecution.
Initiate a civil fraud suit.
Offer a clean termination of the perpetrator's employment, sometimes with negotiated restitution.
Doing nothing is obviously unacceptable, because, among other things, it demonstrates a void in organizational ethics, potentially invalidates bond coverage, and paves a swath for other employees to perpetrate wrongdoing with impunity. But then there is the argument of whether to terminate and be finished with the matter or pursue legal action. Even as I write this article, some of the professionals in the fraud seminar I am teaching this week engaged in a debate about how to handle the terminate-versus-sue argument. Investigators and auditors almost always want to pursue legal action. Often, though, they hit the obstacle of management or Legal foregoing pursuit of a case because they believe it would be too costly to litigate relative to any benefit the company would receive from litigation. This is short-sided and incorrect.
If your organization spends $50,000 litigating a $20,000 fraud, and then broadcasts that to all employees, it sends a very strong message about its ethic: this company will not tolerate fraud and will fight it even if it means a short-term loss. Such a statement will not only sustain the morale of the best and most ethical employees, but will also deter employees who are wavering on the cusp of committing an act of wrongdoing upon spotting an opportunity. It is far easier to rationalize bad behavior if the potential benefit outweighs the perceived cost. But if the person realizes that lifting a few grand might land them in jail?
Strong corporate ethics and well-stated policies are only offensive to people you would not want in your organization. A strong policy, signed regularly, and reinforced through strong, definitive action against wrongdoing, not only raises the morale of your most ethical employees, but it also protects the innocent from false accusation and the pressure from temptation. Cost-benefit dictates that companies cannot and should not implement controls airtight enough to stop all fraud, but controls such as a strong fraud policy can be designed to catch and stop frauds before they metastasize.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.
1 Courtenay Thompson & Associates, Fighting Fraud with Data Mining Techniques, and other various fraud seminars.