The White Paper/Fraud Magazine, January/February 2004
Cover Article

Designing a Robust Fraud Prevention Program (Part One)

By Martin T. Biegelman, CFE
Date: January 1, 2004

There may not be a more opportune time for a fraud examiner to press for a full-fledged fraud prevention program.  

New York Attorney General Eliot Spitzer, Wall Street's corporate cop, has made headlines the last few years with his highly publicized probes, prosecutions, and billion-dollar settlements involving brokerage firms and mutual funds that defrauded and misled investors. The subjects of his investigations read like a Who's Who of the investment world. Credit Suisse First Boston, Merrill Lynch, and Salomon Smith Barney were accused of issuing fraudulent research reports and paid fines totaling in the hundreds of millions of dollars to settle their cases. Spitzer's office obtained the conviction of the vice chairman and chief mutual fund officer of Fred Alger & Company, a prominent mutual fund. Other ongoing investigations involve some of the top mutual funds.

Spitzer and his team of investigators and prosecutors have become the de facto fraud detection and prevention arm of these firms because the firms couldn't do the job themselves. These companies obviously had fraud prevention programs that didn't work and didn't protect their firms, their employees, or their shareholders from the devastating charges and resultant publicity. Where were the fraud prevention basics that should have been in place?

Many high-profile corporations have learned the hard way about the devastating effects of fraud. Enron, WorldCom, and Tyco - among many corporations - all had security departments but they couldn't do anything to protect employees and shareholders from executives determined to loot their own companies.

All entities - including yours - need robust fraud prevention programs staffed with savvy and cunning fraud examiners. The ideal program will protect a company from itself by:

  • instituting a hotline;
  • setting the principled "tone at the top";
  • developing a code of conduct and a confirmation process;
  • creating a positive environment;
  • hiring and promoting appropriate employees;
  • instituting continuous training;
  • having fair and balanced discipline;
  • identifying and measuring fraud risks;
  • implementing and monitoring internal controls;
  • having a strong and independent audit committee;
  • hiring effective internal auditors and Certified Fraud Examiners;
  • contracting independent external auditors;
  • constructing a Fraud Investigation/Financial Integrity Unit;
  • using case management and technology tools; and
  • emphasizing cross-group collaboration.

I know - you've heard it all before. But as a fraud examiner you may now have some extra clout fueled by enraged stakeholders and the public, and fortified enforcers. There may be no better time to try to institute these important principles into our entities. It's either a cliché or a time-honored proverb, but an ounce of prevention is worth a pound of cure.

Robust not Wimpy  

Robust is defined as "having or exhibiting strength or vigorous health, firm in purpose or outlook, and strong." Nothing less than a robust fraud prevention program is de rigueur in today's corporate environment. If companies don't get their fraud mitigation houses in order, government investigators will come knocking at their doors with search and arrest warrants.

Stopping fraud before it happens is the ultimate goal of a successful prevention and awareness program.

COSO History Lesson  

Let's review a little history. The Committee of Sponsoring Organizations (COSO) is a voluntary private-sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance. COSO was formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private-sector initiative which studied the causal factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors.

COSO believes that internal controls are an important component of a robust fraud prevention program. Internal controls can only provide reasonable, not absolute, assurance and should be geared to the achievement of objectives. In 1992, COSO issued a landmark report on internal controls that if adopted by a company would aid in (1) efficient and effective operations, (2) accurate financial reporting, and (3) compliance with laws and regulations. The report outlined the five essential elements of an effective internal controls program:

  • the control environment, which is the basis for the system by providing fundamental discipline and structure;
  • risk assessment, which involves the identification and analyses by management of risks to achieving predetermined objectives;
  • control activities or policies, procedures and practices to ensure that management objectives and risk mitigation are achieved;
  • information and communication by management so that all employees are aware of their control responsibilities and their requirement to support them; and
  • monitoring, which encompasses external oversight of internal controls by management and independent auditors outside the process to determine the quality of the program and compliance.

A COSO framework is the standard for many major corporations in the United States and there is no reason the same framework could not be universally used worldwide.

However, the voluntary COSO didn't stop many corporations from imploding. Enron had controls in place but they could be, and were, overridden by senior management. Arthur Andersen, its auditor, developed Enron's risk assessment framework but Enron didn't follow it. Enron's "push the envelope" environment, emanating from the highest levels of the company, contributed to its implosion.

History Lesson Continues: Sarbanes-Oxley and AUS 210  

And now for some recent history. The U.S. corporate scandals occurring in the last few years resulted in the government's response - the Sarbanes-Oxley Act of 2002 (SOX). A falling stock market, billions of dollars in investor losses, and an outcry from an angry public forced the government to act. SOX is intended to improve corporate accountability and responsibility, improve fraud detection and prevention, and reassure investors that it is safe to invest in the American stock market. (See The White Paper, March/April 2003.)

Even before SOX, the Australian government introduced, in April 2002, a new auditing standard, AUS 210, to hold management responsible for the detection and prevention of fraud. Like SOX, AUS 210 requires management to provide the independent auditor with an acknowledgment of management's responsibility to implement internal control systems designed to mitigate fraud. The standard also says that management could be held accountable if prevention programs are not in place but fraud occurs.

Both AUS 210 and SOX make it easier for whistle-blower employees to report suspected fraud. SOX requires that the audit committee of each publicly traded company establish procedures for receiving, retaining, and responding to complaints received by the issuers including the confidential, anonymous submission of questionable accounting, internal accounting controls or auditing matters.

With our history lessons behind us, let's concentrate on what works.

Hotlines are Still Hot  

Responsible employees will use hotlines to report irregularities anonymously without fear of retaliation. The ACFE's 2002 Report to the Nation on Occupational Fraud reported that hotlines can cut an organization's fraud losses by approximately 50 percent. A third-party vendor can set up whistle-blower hotlines, receive and screen confidential calls, and provide information to entities for action.

Communicate the existence and benefits of the hotline to all employees and others who might have knowledge of improper business practices.

CASE IN POINT: I was involved in one case in which an employee said if she hadn't known the company had a hotline, she wouldn't have reported the allegations. It's a good thing she did use the hotline; her call uncovered an employee-vendor fraud of several thousands of dollars.

Management Antifraud Programs and Controls  

In 2002, the Fraud Task Force of the American Institute of Certified Public Accountants (AICPA) commissioned a study to provide guidance to help prevent and detect fraud. The study was sponsored by the ACFE, the AICPA, the Institute of Internal Auditors, and other organizations. The resulting Management Antifraud Programs and Controls report, released in November of 2002, is a road map for fraud mitigation. The document encourages entities to take proactive steps to prevent and deter fraud to preserve their financial integrity, reputations, and futures.

The study found that entities can take three actions to mitigate fraud: create a culture of honesty and high ethics, evaluate anti-fraud processes and controls, and develop an appropriate oversight process. The following fraud prevention principles are taken from the report found on the ACFE Web site at: www.CFEnet.com/services/FrdPrevCheckUp.asp. (Also check out the Fraud Prevention Check Up and the Small Business Fraud Prevention Manual on the same Web page. The check up is a simple but powerful test of your company's fraud health. The manual is designed to address small business' specific fraud-fighting needs.)

Setting Tone at the Top  

An entity's senior management team sets the moral and ethical compass for all others to follow. How often have we seen CEOs or CFOs of companies display less than ethical conduct and ultimately they and a number of lower-level employees are indicted for corporate crimes? Employees want to believe and emulate their leaders. Management must clearly communicate a zero tolerance for fraud and reinforce the message daily. CEOs can simply pledge at company meetings that what happened at Enron will never happen at their companies and then describe the fraud mitigation program. The CEOs then need to follow the pronouncement with education and awareness campaigns to reinforce policies and procedures.

CASE IN POINT: The tone at the top was discordant at HealthSouth, the largest U.S. provider of diagnostic imaging, outpatient surgery, and rehabilitation services. Last year, 16 corporate executives were charged with corporate crimes. Fifteen pleaded guilty including all five of the CFOs who ever worked for the company. The CEO was indicted in November of 2003. He was the first CEO to be charged under the Sarbanes-Oxley Act's fraudulent financial certification violations. Others charged included senior vice presidents, vice presidents, and assistant vice presidents. The bar was so low for the employees it almost touched the ground.

Develop Code of Conduct  

As stated in the Management Antifraud Programs and Controls report, the cornerstone of an effective fraud prevention program is a culture with a strong value system founded on integrity. This value system often is reflected in a code of conduct. The code of conduct should reflect the core values of the entity and guide employees in making appropriate decisions during their workday.

A code of conduct must include written standards that are reasonably designed to deter wrongdoing. It must promote honest and ethical conduct by all employees no matter their positions within the company. It should advise employees what they can and cannot do and reinforce compliance with government laws, rules and regulations. The code of conduct should be provided in both a soft and hard copy to all employees and translated into appropriate languages. Consider writing specific codes for finance, procurement employees, and vendors.

Confirmation Process  

People with low integrity may not commit a fraud if they know the entity has an oversight and confirmation process. After giving the code of conduct to all employees, require that they sign a statement that says they have read and understood the code's requirements and will comply with them. Those who have signed the statement can't hide behind the claim of ignorance.

Next issue: continuation of the elements of a robust fraud prevention program.

[Some source links referenced in this article are no longer available. — Ed.]
