
Designing a Robust Fraud Prevention Program, Part Two

Date: March 1, 2004

Entities worldwide must transform security departments into rigorous fraud prevention programs staffed with qualified fraud examiners.  

Failed corporations and tougher legislation are forcing entities throughout the world to transform weak, reactive security departments into robust, proactive fraud prevention programs with one goal: stop fraud before it happens.

Here I continue with the principles from the joint professional document, Fraud Prevention Checkup.

Creating Positive Environment  

Obviously, a poor working environment provides a motive and rationalization to commit fraud. Here's a quick health check: does management appear not to care about their employees? Does it have unreasonable expectations or financial targets? Is the organization autocratic or participative? Is there a lack of training or promotion opportunities? Does management say one thing but do another? Are senior executives treated differently than rank and file employees when it comes to discipline?

Hiring and Promoting Appropriate Employees  

Of course, it's important to minimize the possibility of hiring employees who lack appropriate values. The best indicator of future performance is past performance. Conduct background checks on new hires or promotions to positions of trust. Professional checks can uncover criminal convictions, credit history problems, questions about education and degrees received, prior employment issues, and integrity concerns.

Periodic employee training should include scenarios and discussion on ethical challenges relating to fraud, abuse, kickbacks, and other relevant issues. Regular performance reviews should measure each employee's demonstration of entity values and ethics. A review should include feedback on performance against objectives and detailed performance objectives for future review. If necessary, prepare plans to improve an employee's commitment to company values.

CASE IN POINT: I once investigated a senior executive at a private investment firm who was in charge of construction projects. I found that he had set up his own vendors and diverted money to them to build his multi-million dollar mansion. I also discovered that he had a history of bad credit and owed money to a number of creditors. A simple credit check would have saved the company thousands of dollars.

Nothing Like Training  

Employees must understand the ethical behavior expected of them. New employee orientation should detail the organization's mission, values and code of conduct, types of fraud, compliance, their responsibility to report violations of ethical behavior and impropriety, and details of the hotline or other ways to report fraud and other integrity concerns. Periodic training throughout an employee's career reinforces fraud awareness and the cost of fraud to an entity. (See "Recruiting an Anti-fraud Foot-soldier Army" on page 34.)

Fair and Balanced Discipline  

Employees must know there is zero tolerance for improper business conduct or fraudulent behavior and that it will yield a professional examination, with any discovered evidence delivered to the legal and human resources departments to determine disciplinary action. Discipline must be fair, appropriate, and consistent for all employees. As a preventive measure, communicate the inappropriate behavior and resulting discipline without naming the offender.

CASE IN POINT: An investigation determined that an employee submitted fraudulent expense reports. The employee confessed but was surprised that the company prosecuted him because it had let other previous fraudsters apologize and escape with just a reprimand.

Identifying and Measuring Fraud Risks  

Management must assess the vulnerability of the entity to fraudulent activity including financial statement fraud, misappropriation of assets, and corruption. Fraud can occur in any organization but the degree and detail involved in the risk assessment must be commensurate with the size and complexity of the organization.

Fraud risk is different from industry to industry and from country to country. Some nations have a greater vulnerability to corruption and bribery that contributes to fraud. Transparency International (TI) (www.transparency.org) is a leading non-governmental organization fighting world corruption. Each year TI publishes its Corruption Perceptions Index (CPI) reflecting the perception of business leaders, academics, and risk analysts in 133 countries. In its October 2003 study, corruption was found to be most pervasive in Bangladesh, Nigeria, Haiti, Paraguay, and Myanmar while least pervasive in Finland, Iceland, Denmark, New Zealand, and Singapore.

Implementing and Monitoring Internal Controls  

A common denominator of the recent U.S. corporate frauds is that strong internal control systems weren't in place. Controls need to detect not only errors but also theft, misappropriation of company assets, or intentional manipulation of financial reporting.

Proper internal controls - a mandatory system for any entity - require that transactions are properly authorized, recorded, and reported, and that all assets are safeguarded. I'm familiar with a fraud and kickback scheme that was uncovered because finance personnel instituted a rotation of vendor account managers and separation of duties. As a result, red flags started flying that resulted in an investigation and the discovery of an employee's involvement in the scheme.

The Securities and Exchange Commission has its own definition of internal controls and how they should be used in the design of a robust fraud prevention program:

A process designed by, or under the supervision of, the registrant's principal executives and principal financial officers, or persons performing similar functions, and affected by the registrant's board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:

(1) Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the registrant;  

(2) Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the registrant are being made only in accordance with authorizations of management and directors of the registrant; and  

(3) Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the registrant's assets that could have a material effect on the financial statements.  

Independent Audit Committee  

An audit committee of the board of directors should be the independent eyes and ears of the investors, employees, and other stakeholders. Their role is to evaluate management's identification of fraud risks, the implementation of antifraud measures and (again) provide the tone at the top that fraud won't be accepted in any form. The audit committee should hire independent auditors to assess the internal controls and report on the financial health of the company. The outside auditors should only report to the audit committee and not to management. The audit committee is also responsible for ensuring that management doesn't engage in fraudulent conduct. In its policeman role, the audit committee is responsible for senior management's compliance with appropriate financial reporting and the potential for management override of controls or other inappropriate influence over the reporting process.

CASE IN POINT: The Securities and Exchange Commission is going after board members who ignore corporate wrongdoing. In April 2003, the SEC charged a company with fraudulently overstating revenue in 1998 by 177 percent. A member of the audit committee knew of the financial transgressions but still approved the company's financial statements. The SEC said that the board member "completely neglected his duties as a director and an audit committee member."

Internal Auditors  

As stated in the Standards for the Professional Practice of Internal Auditing issued by the Institute of Internal Auditors, "The internal auditor should have sufficient knowledge to identify the indicators of fraud but is not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud." Internal auditors evaluate fraud risk and internal controls and report on their findings. They should work in conjunction with an entity's fraud examiners for follow-up to fraud risks that are identified. As stated in the Management Antifraud Programs and Controls report, internal auditors should determine whether:

• the organizational environment fosters control consciousness;
• realistic organizational goals and objectives are set;
• written policies (such as a code of conduct) exist that describe prohibited activities and the action required whenever violations are discovered;
• appropriate authorization policies for transactions are established and maintained;
• policies, practices, procedures, reports, and other mechanisms are developed to monitor activities and safeguard assets, particularly in high-risk areas;
• communication channels provide management with adequate and reliable information; and
• recommendations need to be made for the establishment or enhancement of cost-effective controls to deter fraud.
 

Independent External Auditors  

Independent outside auditors can provide management and the audit committee an assessment of the organization's internal controls environment and compliance, and checks and balances to protect the company from fraud. The key word is independence. The process only will work if the outside auditors are truly objective and have no ties to the entity that would impair their judgment. The corporate scandals in the United States caused many people to ask, "Where were the accountants?" As a result, there is now greater government oversight of auditors to ensure true independence and truthful reporting of fraud and fraud risks.

Certified Fraud Examiners  

The Certified Fraud Examiner certification has become the gold standard in fraud detection and prevention. CFEs are known the world over as fraud-fighting experts. The ACFE has built a respected organization that is at the forefront of fraud research and education. Robust fraud prevention programs must use CFEs as staff members or consultants. CFEs can also assist the audit committee, internal auditors, and independent auditors in their oversight capacities. CFEs in fraud prevention programs can be deterrents to potential fraud perpetrators.

Fraud Investigation/Financial Integrity Unit  

The mandatory investigative response component is responsible for the detection, investigation and prevention of fraud and the recovery of assets. Senior management and the audit committee must strongly support the unit so that all know the entity is ready to respond quickly and appropriately to any fraud allegations.

Though most fraud investigation units (FIUs) are based within corporate security departments, it's more beneficial for them to be in internal audit departments because the unit employees will have access to internal and independent auditor findings. Proactive FIUs need audit findings to find red flags.

The FIU must communicate its entity-wide fraud prevention program mission and written objectives to its stakeholders. The unit also should work closely with other entity departments such as legal, human resources, and the office of compliance.

Case Management and Technology Tools  

What good is a fraud prevention program if it doesn't track cases, weaknesses in controls and lessons learned? Fraud examiners must review statistical information to capture trends and metrics and share information with stakeholders. Also, they must identify key performance indicators to improve investigative performance. Automate the case management system to include all information from initiation through resolution.

Whether it's Benford's Law, Microsoft's Excel and Access or fraud detection software from ACL and I2 - today's forensic sleuths are embracing computers and technology to mitigate fraud. "Classic signs of impropriety can be identified faster and more regularly with the help of technology," says Toby J. F. Bishop, CFE, CPA, FCA, President and CEO of the ACFE. "Identifying patterns is a key strength of a computer," he says. [1]

Today's modern fraud investigation unit must have digital evidence recovery capabilities for identifying, preserving, recovering, and examining electronic evidence and forensic data analysis tools to identify anomalies or irregularities in electronic data that are indicative of fraud or abuse. The investigative staff must be trained in the use of these technology tools but a fraud investigation unit also should have a dedicated forensic data analyst to support complex investigations.

Importance of Cross-group Collaboration  

The members of the fraud investigation unit cannot work in a vacuum; they need to collaborate with senior management, the legal department, human resources, the compliance officer, internal audit, corporate security, and public relations. Employees from these groups may need to resolve employment, legal and public relations concerns.

Watchword is Always Prevention  

As detailed in the ACFE's 2002 Report to the Nation, occupational fraud and abuse are on the rise. Of course, that's not news to any fraud examiner. Fraud has always been a growth industry. Yet, the explosion of fraud worldwide has changed the way we not only look at fraud but how we prevent it. Fraud prevention and reduction programs are a necessity in today's business environment. Incorporating the elements described in this article will do much to establish a culture that puts fraud prevention at the forefront of a successful business strategy. An ounce of prevention does equal a pound of cure. That must be the rallying cry for global entities as they design robust fraud prevention programs.

Martin T. Biegelman, CFE, ACFE Fellow, is the director of the financial integrity unit at Microsoft Corporation in Redmond, Wash. A former U.S. postal inspector, he is a Regent Emeritus and an ACFE faculty member.  

[1] "IT Matters," Dec. 17, 2002, http://itmatters.com.ph/news/news_12172002h.html

Fraud Speaks Thousands of Languages  

Regardless of the constant media reporting of high-profile U.S. corporate fraud cases, that nation has no monopoly on these crimes. For example, the Korea Herald reported that Korean prosecutors in October of last year indicted 34 business leaders from six major companies for cooking their books to obtain huge loans from the government. These executives allegedly masterminded this financial fraud to obtain public funds to bail out their supposedly cash-strapped corporations and then illegally funneled the money to other companies, which they controlled. The companies' losses were estimated to be as large as $345 million.

Time after time, global surveys tell us the same thing: Fraud is everywhere, and it's growing because of little emphasis on deterrence. PricewaterhouseCoopers' 2003 Global Economic Crime Survey, which polled 3,600 corporate executives in 50 countries, found that economic crime is a significant problem with no industry immune from its effects. (No surprise there.) The respondents' major concerns were financial loss, damage to reputation and brand, and the effect on employee morale. African entities reported the most fraud with 51 percent reporting significant economic crime. North America was second with 41 percent and the Asia Pacific Region was third with 39 percent. A third of the companies that suffered fraud weren't even able to guess how much they had lost. Fraud throughout Europe grew significantly from the last PWC survey conducted in 2001. The number of survey respondents reporting fraud in Western Europe grew from 29 percent in 2001 to 34 percent in 2003. In Central and Eastern Europe, fraud grew from 26 percent to 37 percent. (Weak internal controls were a major factor in the success of the schemes.)

In a 2002 KPMG survey of the major public and private companies in Malaysia, half of the companies surveyed reported that they had been the victims of fraud and occupational fraud was the most common. The survey found that 68 percent of respondents felt a lack of emphasis on fraud detection and prevention. (How many times have we heard this before?) A September 2003 study by CPA Australia, the largest accounting organization in Australia, found that one in four small businesses in Australia had been fraud victims. Again, employee fraud was the most common type of reported fraud, and the study attributed it to a lack of internal controls and financial management processes. Judy Hartcher, business policy advisor for CPA Australia, said, "small business owners can overcome fraud and customer collapse. Putting simple processes in place will help them improve their business potential and minimize incidents of scams, errors and loss."

The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.  
