Beyond Compliance: Fraud prevention culture that works

(Excerpted and adapted with permission from chapter 17 of
"Executive Roadmap to Fraud Prevention and Internal Control: Creating a Culture of Compliance,"
published by John Wiley & Sons, Inc. ©2006.)
 

A heightened awareness of fraud and fraud prevention is critical to an organization's success. Implementing the new and enhanced corporate governance requirements is just the beginning of a culture of compliance. Having a checklist mentality is clearly not enough, no matter how many internal control mechanisms one has. Fraud can invade any organization, be it large or small, new or old. There was corporate fraud long before Sarbanes-Oxley was ever conceived. Unfortunately, there will be fraud no matter how many compliance requirements are enacted. However, with a true culture of compliance, fraud can be greatly lessened and even prevented.

As expected, not every executive has embraced the idea that Sarbanes-Oxley is necessary. In a 2005 survey of 186 corporate executives, 34 percent said that Sarbanes-Oxley should be repealed.1 Businesses may be resistant when new and possibly onerous government regulations are enacted. An almost universal complaint from businesses has been the huge expense related to compliance with the various sections of Sarbanes-Oxley, especially Section 404, with its strong requirements for reviews of internal controls. Companies have complained that in addition to the high costs for compliance, the expensive procedures have failed to detect significant material weaknesses in internal controls. Only eight percent of companies reported material weaknesses as a result of Section 404, but these are companies with market capitalizations of more than $75 million.2 Investors are jittery after their huge losses in the stock market, so even eight percent is still more than might have been publicly reported before Sarbanes-Oxley. Then Public Company Accounting Oversight Board (PCAOB) Chairman William J. McDonough stated that investors strongly support these improved financial controls because they "make financial statements more believable and more reliable."3  

Government regulators understand that the cost of compliance can be burdensome and must be balanced to protect the interests and investments of shareholders. On May 16, 2005, the Securities and Exchange Commission (SEC) released its "Commission Statement on Implementation of Internal Control Reporting Requirements." This statement commented on issues that were noted during the first year of experience with implementation of Sarbanes-Oxley's Section 404. Two central themes came out of the feedback the SEC received from public companies. The first is that "compliance with Section 404 is producing benefits, including a heightened focus on internal controls at the top levels of public companies," and the second is that costs are significant and some may be unnecessary or excessive.4  

The SEC had indicated that it is willing to be flexible in issuing clarifications for Section 404 implementation. It has further stated that common sense and open communication are necessary for both government regulators and corporate executives to improve internal controls and ultimately fraud prevention.5 The message is clear that the SEC, PCAOB, and other government regulators are willing to work with corporations to ensure compliance. Expect this trend to continue, as Sarbanes-Oxley is relatively new legislation and some issues still need to be worked out. However, do not expect Sarbanes-Oxley to be overturned or significantly weakened. Representative Oxley opposes any suggestions of changes to the act he coauthored. "Most CFOs I talk to can quote [the Act's] cost down to the dollar," said Oxley. "Actually, they'll quote it down to the dime." He argued that the cost of compliance with Sarbanes-Oxley "is an investment in the strength of the United States capital markets."6 The investing public has a long memory, and Congress, who heard the outcry, has an even better memory. For instance, the Mail Fraud Statute was enacted in 1872 to prosecute various schemes that used the mail to defraud. The statute is still in use today and in fact has been strengthened by Congress over the years. Expect the same for Sarbanes-Oxley in the years to come.

Former Federal Reserve Chairman Alan Greenspan is a strong supporter of Sarbanes-Oxley and its effectiveness in attacking corporate fraud over the short period of its existence. He also believes that Sarbanes-Oxley will be "fine-tuned" to make for improved compliance.7 He reinforces the simple truth that "shareholders own our corporations and that corporate management should be working on behalf of shareholders to allocate business resources to their optimum use."8 Greenspan emphasizes the importance of tone at the top for chief executives and the very positive effect it can have for employees and others outside the company. His hope is that if officers and directors have highly ethical behavior, they will "not need detailed rules on how to act."9 Just in case, there are always the strengthened measures to fall back on. Greenspan also made another insightful comment about the importance of ethical conduct when he stated that "material success is possible in this world, and far more satisfying when it comes without exploiting others."10

Some storm clouds may be on the horizon for aggressive SEC enforcement actions in the future. On June 1, 2005, SEC Chairman William Donaldson announced he was stepping down. Donaldson played a significant role in restoring credibility and trust to the financial markets. His replacement, then Representative Christopher Cox (R-California), has been critical of the SEC's aggressive market regulation and has a reputation for protecting business. He was the main sponsor of the Private Securities Litigation Reform Act of 1995, which created obstacles for investors who wished to file civil actions against those who had defrauded them.11 Under Cox, the SEC may not pursue multimillion dollar fines for corporate wrongdoing but may instead focus on the actions of individual executives and in addition may only litigate clear-cut violations.12 Still, Cox will not want to incur the wrath of the voting public by not remembering their financial pain as a result of the corporate scandals. If the SEC does not remain a strong protector of investors, others will step in. The New York State Attorney General's Office will no doubt keep up its fight against corporate fraud and will surely take action in any area in which the SEC fails to protect investors.13 

Have a zero tolerance for fraud and mean it
Jack Welch, the legendary former CEO of General Electric, appeared on The Tonight Show on April 25, 2005. Host Jay Leno asked him why the general public had such a poor opinion of CEOs. In his inimitable fashion, Welch said, "Because so many of them were skunks." Indeed, a number of corporate executive "skunks" succumbed to greed and fraud and put their personal interest above those of investors and employees. The many "perp walks" and convictions show that executives are now being held accountable. All corporations and employees must be responsible for both the spirit and the letter of the law at all levels of the organization. No executive today will ever say that fraud is a good thing. However, if there are different standards of disciplinary action for executives and employees, the message is that fraud is condoned for some and not for others.

Corporate codes of conduct should address the problem of fraud by clearly stating that there is a zero tolerance for fraud of any kind. Whether it is a $50 inflated expense report or a $50 million revenue recognition issue, an organization must take appropriate action against all fraud. A good rule to follow is that the amount of the fraud is immaterial and any fraudulent activity that is disclosed and proved through professional investigation should result in termination of the employee. In addition, organizations should consider referring fraud by employers, vendors, and others to the appropriate law enforcement agency for criminal prosecution. The general counsel should be the focal point for final decisions as to criminal referrals. Companies should also consider publicizing prosecutions of employee fraudsters to reinforce a culture of compliance and a zero tolerance for fraud.

John McDermott is an expert in the investigation of corporate fraudsters. He has been a United States Postal Inspector for more than 22 years and is the team leader of the Fraud Investigations Team covering Brooklyn, Queens, and Long Island, N.Y. Over the years, he has conducted and supervised high-profile fraud cases in New York including Symbol Technologies, Spectrum Technologies, and Hanover Sterling, a huge stock fraud case that resulted in more than 60 convictions of brokers, stock promoters, and company executives. McDermott is a strong believer in criminal prosecution and punishment as a driving force for fraud prevention and compliance. He has said, "If the threat of doing twenty years, or life in jail doesn't scare anybody straight, I don't know what would. I certainly wouldn't take any risk by signing 10K's or 10Q's that I knew were fraudulent, when I knew the risk was going to jail."14 

McDermott also hopes "that ... corporate executives ... would have learned these lessons from those who were foolish enough to commit crimes" and do a "better job of self-policing."15 His experience in investigating corporate fraud has led him to believe that corporations must improve "teaching ethics and morals to their corporate executives" and also do "a better job of listening to their internal and external auditors" when compliance issues are raised.16 

Organizations can also send a great signal to employees, shareholders, and the government that they take fraud detection and prevention very seriously by hiring former federal agents and prosecutors with experience investigating and prosecuting fraud and white-collar crime for their internal investigation and legal departments. Smart companies know that by bringing in fraud detection talent, they are improving their compliance programs and lessening their fraud risk.

Probably the biggest sea change for corporations has been how they deal with the government in cases of fraud. Gone are the days of "us versus them" when business would hire the best defense attorneys money could buy and fight the government at every turn. Today, fighting the government means losing if the allegations of fraud are true. The age of "dinosaur" CEOs who ran their public companies their way with little concern for transparency is over. The tone at the top must be one of compliance and collaboration with government investigators, or ultimately the company will suffer.

During the New York state attorney general's investigation of Marsh and McLennan for allegedly cheating clients by bid-rigging and collusion with other insurance companies, Eliot Spitzer made it clear that he was not happy with the lack of cooperation his office was receiving from Marsh executive leadership. In announcing a civil lawsuit against Marsh in October 2004, Spitzer said publicly to the Marsh directors that they "should think long and hard, very long and hard, about the leadership of your company."17 Shortly after this strong message from a prosecutor questioning the tone at the top at Marsh, CEO Jeffrey Greenberg was forced out by the company's board of directors.18 Greenberg's replacement was Michael Cherkasky, a former prosecutor and CEO of a corporate investigative firm with a reputation for integrity.19 Marsh acted quickly to save the company at the expense of its CEO. Interestingly, Greenberg's father, Maurice "Hank" Greenberg, former president, chairman, and CEO of American International Group, was an insurance industry legend who faced his own problems.

The Wall Street Journal Rule
What should keep an executive up at night? One big worry is the possibility of fraud occurring at the company, whether potentially fatal fraudulent financial accounting or other asset misappropriation fraud. Once detected, how a fraud is communicated to investors, employees, government authorities, and the press can make a big difference in the final resolution. Today, it is harder than ever before to contain the existence of a fraud quietly. With the abundance of whistle-blowers and self-reporting requirements for companies and corporate executives, it is extremely difficult to hide fraud. It is also foolhardy even to consider any form of concealment. Bad news always seems to be made public. How would one react if an act by a company were published on page one of The Wall Street Journal? A good rule to follow is to always think of this worst-case scenario and do everything possible to prevent it from happening.

Moving from a compliance initiative to a cultural mind-set
As stated by the SEC regarding internal controls, "A one-size fits all, bottom-up, check-the-box approach that treats all internal controls equally is less likely to improve internal controls and financial reporting than reasoned, good faith exercise of professional judgment focused on reasonable, as opposed to absolute, assurance."20 Fraud risk management based on a "checklist" approach is not conducive to success in fraud prevention because fraudsters are very adaptive and imaginative in their schemes. What is better is a principle-based system because "it is impossible to develop comprehensive rules for every situation."21 Truly world-class companies understand that fraud prevention and enhanced internal controls are not achieved by just checking off a list. The "initiative" idea that compliance is just a project or a one-time idea must be replaced with embedding sound principles of fraud prevention into the "cultural mind-set" of all employees.

In announcing its intent to amend existing organizational sentencing guidelines on April 13, 2004, the United States Sentencing Commission strongly stated the importance of effective compliance and ethics programs for an organization. The Commission's "focus on ethical corporate behavior is a unique development in the 13-year history of the organizational sentencing guidelines," but it is altogether not surprising given the magnitude of recent corporate crime.22 The message they sent to all corporate executives is as follows:

A fundamental component of the organizational sentencing guidelines, promulgated by the Commission in 1991, is the effective compliance and ethics program. Last week, the Commission made the standards for the compliance and ethics program more rigorous and put greater responsibility on boards of directors and executives for the oversight and management of compliance programs. In particular, directors and executives now must take an active leadership role for the content and operation of compliance and ethics programs. Companies that seek reduced criminal fines now must demonstrate that they have identified areas of risk where criminal violations may occur, trained high-level officials as well as employees in relevant legal standards and obligations, and given their compliance officers sufficient authority and resources to carry out their responsibilities. Under the revised guidelines, if companies hope to mitigate criminal fines and penalties, they must also promote an organizational culture that encourages a commitment to compliance with the law and ethical conduct by exercising due diligence in meeting the criteria.23 

To ensure a cultural mind-set of fraud prevention, the following key elements must be in place in an organization and must stay in place.

Tone at the top
Chief executives, officers, and directors set an important tone with every word and action they take. Their accountability and responsibility and how they push the message down to the lowest level employee may be the single most important aspect of building a fraud prevention culture that actually works. No employee can be expected to follow company policy or obey laws if their leaders are not doing the same.

The 'policing' role of the board of directors and the audit committee
Along with the entire board of directors, audit committee members are truly the "police officers" of an organization; they ensure compliance with company rules and policy, as well as laws and regulations. Sarbanes-Oxley requires that boards take an active role in corporate governance, acting as "checks and balances" to executive leadership. Strong and independent audit committees ensure compliance, whereas weak and ineffectual ones foster the criminal behavior seen at disgraced companies. Directors who abdicate their important roles will be held accountable both civilly and criminally.

The challenge to internal audit
Internal audit departments must accept the challenge to take a leadership role in fraud prevention. The importance of internal audit departments has been reinforced with the enactment of Sarbanes-Oxley and the overall climate of enhanced fraud prevention and detection. In a perfect world, internal audit should uncover issues before they become headlines in The Wall Street Journal. The fraud detection, investigation, and prevention component must be added to internal audit to ensure linkage and continuous interaction with the auditing function. Adding needed professionals to the internal audit team, training and empowering them, giving them direct reporting to executive leadership, and providing high visibility to the audit committee are steps that should be considered.

The important role of managers in fraud prevention
Managers must provide oversight to their employees and be held accountable for preventing and reporting fraud. Managers are role models in developing their direct reports and ensuring compliance with both company policies and governmental regulations and laws. Managers must know how fraud can infect an organization and how to detect the warning signs. Understanding how to report potential violations of standards of business conduct is paramount for any manager. Strong and committed managers are an important element in a compliance program that is effective overall.

Integrity and honesty for all
Integrity and honesty are core values for all employees, and there can be no exceptions. A successful fraud prevention program must constantly reinforce these values among all employees at all levels wherever the organization operates. Having a zero tolerance for fraud goes hand in hand with integrity and honesty at an organization.

A well-communicated and responsive reporting system
Every organization, public or private, large or small, must have an effective reporting mechanism such as a hotline to allow employees and others outside the company to report financial fraud or other violations of standards of business conduct. People must feel confident that they can anonymously and confidentially report issues and that whistle-blowers will be protected from retaliation. Whatever the form of the reporting mechanism, it must be well communicated and accessible to ensure full reporting of all issues.

Cross-group collaboration
Consistency and linkage of all components within an organization are essential and translate to effective cross-group collaboration among chief executives, officers, directors, and the various legal, compliance, internal audit, finance, human resources, investigative, and corporate security functions.

Embracing a culture of compliance
Truly outstanding companies view Sarbanes-Oxley and the other compliance enhancements as an opportunity for improved corporate governance. They understand and embrace the importance of creating a stronger fraud prevention program and internal control system that ultimately give them a competitive advantage.

The road ahead
All organizations must have a roadmap for reaching the highest levels of compliance in fraud prevention and internal control. The trip is not always easy and there can be many roadblocks and detours - but stay the course. Building a fraud prevention culture that works is no longer an option in today's business world. It is a requirement for survival. Sarbanes-Oxley, the Federal Sentencing Guidelines for Organizations, and other corporate governance enhancements require accountability and oversight on an ongoing basis. However, there is another simple and straightforward reason for compliance - it is the right thing to do.

It is unfortunate that so many people had their first experience with fraud as a result of the corporate scandals, large and small, resulting in billions of dollars of investor losses. Shareholders and others came to learn firsthand what professional fraud investigators have long known. Fraud can happen anywhere, and its damaging effects go far beyond the financial loss. The impact to reputation can be long lasting and often fatal. Fraud is really simple when one gets right down to it. The definition is clear. It is lying, cheating, and stealing. It is motive, opportunity, and rationalization. What is far more important than the definition is how to prevent it. "The potential of being caught most often persuades likely perpetrators not to commit the fraud. Because of this principle, the existence of a thorough control system is essential to fraud prevention."24 Fraud prevention is about being proactive rather than reactive. Accountability and integrity stop fraud.

  1.  2005 Christian & Timbers survey of 186 United States executives, Business Week, May 23, 2005, 16. 
  2.  Floyd Norris, "Regulators Seek to Trim Cost of Rules on Auditing," The New York Times, May 17, 2005, C6. 
  3.  Ibid. 
  4.  United States Securities and Exchange Commission, "Commission Statement on Implementation of Internal Control Reporting Requirements," May 16, 2005, 2005-74, www.sec.gov/news/press/2005-74.htm
  5.  Ibid. 
  6.  Tim Reason, "Feeling the Pain: Are the Benefits of Sarbanes-Oxley Worth the Cost?," CFO, cfo.com, May 1, 2005. 
  7.  Byron Acohido, "Greenspan Marvels at How Effective Sarbanes-Oxley Has Been So Far," USA Today, May 16, 2005, 3B. 
  8.  Ibid. 
  9.  Ibid. 
  10.  Ibid. 
  11.  Robert Kuttner, "Cox's SEC: Investor Beware," Business Week, June 20, 2005, 42. 
  12.  Amy Borrus, "What to Expect from Chris Cox," Business Week, June 20, 2005, 42.
  13.  Ibid. 
  14.  Statements to the authors on April 22, 2005. 
  15.  Ibid. 
  16.  Ibid. 
  17.  Monica Langley and Ian McDonald, "Marsh Directors Consider Having CEO Step Aside," The Wall Street Journal, October 22, 200, A1. 
  18.  Thor Valdmanis, "Spitzer Backs Down a Bit after Marsh CEO Resigns," USA Today, Oct. 26, 2004, A1. 
  19.  Ian McDonald, "The New Sheriff at Marsh," The Wall Street Journal, Oct. 26, 2004, C1. 
  20.  United States Securities and Exchange Commission, "Commission Statement on Implementation of Internal Control Reporting Requirements," May 16, 2005, 2005-74, www.sec.gov/news/press/2005-74.htm
  21.  Peter Norton, "Risky Business," camazine.com, May 2005. 
  22.  "Sentencing Commission Toughens Requirements for Corporate Compliance Programs," News Release of the United States Sentencing Commission, Washington, DC, April 13, 2004. 
  23.  Ibid.
  24.  Association of Certified Fraud Examiners. Fraud Examiners Manual. (Austin, TX: ACFE, 2006) 4.601. 

Martin T. Biegelman, CFE, ACFE Fellow, is director of financial integrity for Microsoft Corporation. He's a member of the Board of the ACFE Foundation. 

Joel T. Bartow, CFE, CPP, is director of fraud prevention at ClientLogic, an international outsourcing company.

The Association of Certified Fraud Examiners assumes sole copyright of any article published on ACFE.com. ACFE follows a policy of exclusive publication. Permission of the publisher is required before an article can be copied or reproduced. Requests for reprinting an article in any form must be e-mailed to: FraudMagazine@ACFE.com 