Now's the Time to Update Your Anti-Fraud Plan

U.S. laws and regulations, accounting and auditing associations, and circumstances encourage us to update our anti-fraud plans. But now we have adequate guidance to ensure compliance and deter fraud.

Public and private entities alike are subject to fraud risks, as shown by the seemingly never-ending stream of headlines describing financial statement frauds, asset misappropriations, and Foreign Corrupt Practices Act (FCPA) violations. Those of us with management, internal audit, and/or board-level responsibilities - whether we're CPAs or not - inevitably will be asked to assess and monitor our organizations' fraud risks and develop anti-fraud programs.

There's no need for confusion; there's plenty of guidance available. In this article, we'll apply the fundamentals of anti-fraud program assessments so we'll be better equipped to mitigate the business risk of fraud and hopefully disgorge would-be fraudsters.

FIRST THINGS FIRST 

The term "occupational fraud," as described in the ACFE's 2008 Report to the Nation on Occupational Fraud and Abuse, is defined as: "The use of one's occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization's resources or assets." And a common theme in many other definitions of fraud is "an intentional act or omission designed to deceive others and achieve a gain."

Fraud risks include:

  • Corruption: bribery and other improper payments
     
  • Asset misappropriation: cash and inventory and theft by customers or employees
     
  • Fraudulent financial reporting: revenue recognition, management estimates, and disclosures
     
  • Fraud against third parties: fraud against the government or an organization's employees 

ESTABLISHING AN ANTI-FRAUD PROGRAM 

Before assessing the effectiveness of your organization's anti-fraud program, let's recall the obvious primary driver for establishing a program that will minimize the likelihood of fraud and/or improper activity: it's "the right thing to do." However, other driving forces have raised the bar since the U.S. Federal Sentencing Guidelines for Organizations first provided relief in 1991 for companies that established and tested compliance to effective and proactive crime prevention, detection, and reporting programs. These, of course, include the Sarbanes-Oxley Act of 2002 (SOX), the Federal Sentencing Guidelines of 2005 (FSG), and the current governmental focus on compliance with the FCPA of 1977.

While SOX might not specifically discuss anti-fraud programs, we can believe that management wouldn't sign the required certifications without having a process in place that provides an adequate level of assurance that "any fraud, whether or not material, that involves management or other employees who have a significant role in an issuer's internal controls" is reported to the organization's auditors and the audit committee, as required by Section 302(a)(5)(B) of SOX.

On the other hand, Chapter Eight, Part B, Section 2 of the FSG is much more specific: it provides the elements of an "Effective Compliance and Ethics Program." This is the carrot-and-stick approach: if an organization is convicted of a crime, it could receive a lighter sentence if it can demonstrate it has an effective program in place. If "the right thing to do" isn't an organization's impetus to develop an anti-fraud program, the FSG lays out a credible reason to strongly consider one. A key element of an organization's anti-fraud effort is its ethics and compliance program.

Also, in today's "instant media" environment, rumors of potentially fraudulent behavior can have a profound effect on the investing and regulatory community. An effective anti-fraud program is critical to protect shareholder value and mitigate reputation risk.

DON'T LET FCPA BITE YOU 

U.S. organizations have to be vigilant that they're complying with the FCPA because the government is clamping down. This excerpt from the Department of Justice's Lay-Person's Guide to FCPA provides an overview of the requirements:

"The antibribery provisions of the FCPA make it unlawful for a U.S. person, and certain foreign issuers of securities, to make a corrupt payment to a foreign official for the purpose of obtaining or retaining business for or with, or directing business to, any person. Since 1998, they also apply to foreign firms and persons who take any act in furtherance of such a corrupt payment while in the United States.

The FCPA also requires companies whose securities are listed in the United States to meet its accounting provisions. (See 15 U.S.C. § 78m.) These accounting provisions, which were designed to operate in tandem with the anti-bribery provisions of the FCPA, require corporations covered by the provisions to make and keep books and records that accurately and fairly reflect the transactions of the corporation and to devise and maintain an adequate system of internal accounting controls."

An organization can comply with these requirements through an anti-fraud program that addresses the need for FCPA-related education, policies, procedures, and processes, including appropriate due diligence, transactional analysis, and other activities that will minimize possibilities of violating the statute.

YOU'RE NOT FLYING ALONE 

Much has been written over the years about anti-fraud programs, but recently three organizations have developed a comprehensive guide describing the elements of an effective program.

The ACFE, the American Institute of Certified Public Accountants, and the Institute of Internal Auditors jointly released in July 2008 "Managing the Business Risk of Fraud: A Practical Guide." [Download the 80-page guide from the ACFE Web site and read "Managing the Business Risk of Fraud: Indispensable Planning," by Grace B. Ghezzi, CFE, CPA/PFS, AEP, in the January/February 2009 issue of Fraud Magazine.]

According to the publication, these principles are key to the establishment of an organization's program to proactively manage risks from fraud:

  • As part of an organization's governance structure, a fraud-risk management program should be in place including a written policy (or policies) to convey the expectations of the board of directors and senior management regarding managing fraud risk. (Note that the guide indicates that a fraud-risk management program is also known as an anti-fraud program.)
     
  • Periodically assess fraud-risk exposure to identify specific potential schemes and events that the organization needs to mitigate.
     
  • Establish prevention techniques, where feasible, to avoid potential key fraud-risk events to mitigate possible impacts to the organization.
     
  • Establish detection techniques to uncover fraud events when preventive measures fail or unmitigated risks are realized.
     
  • Install a reporting process to solicit input on potential fraud, and use a coordinated approach to investigation and corrective action to help ensure potential fraud is addressed appropriately and timely.

ON THE RIGHT TRACK? 

Numerous organizations already embrace many, if not all, of the principles outlined in the guide. However, maybe your organization is struggling with finding ways to ensure all the pieces are operating as designed and are effective in deterring, detecting, and, when necessary, investigating fraud. So what should you do?

Here are some questions whose answers might help determine if your organization's anti-fraud efforts are on the right track:

  • Does your organization have a documented anti-fraud program?
     
  • Has your organization defined roles and responsibilities about anti-fraud efforts for its board of directors, management, and employees? Are the roles clearly articulated in policies, code of conduct, and job descriptions?
     
  • Has management set the appropriate "tone at the top" regarding no tolerance for fraud and/or improper activity?
     
  • Do you have an individual responsible for your organization's anti-fraud program? If multiple individuals are responsible for the program, does a committee oversee them to help establish that the elements are effective and operating as designed?
     
  • Does your organization have a fraud awareness program?
     
  • Have those who are responsible for detecting and investigating fraud received training so they can identify and investigate fraud? Does your organization support those individuals with a sufficient budget to hire qualified individuals and employ the latest technology?
     
  • Does your organization habitually assess fraud risk systemically? Does the organization's board of directors oversee the assessment?
     
  • Has your organization implemented proactive anti-fraud-related activities specifically designed to deter and detect fraud and/or improper activity? Have you clearly defined and communicated responsibilities for those activities?
     
  • Has your organization established the expectation that suspected fraud and/or improper activity must be reported immediately and provided and publicized avenues for employees to do so?
     
  • Does your organization have a documented protocol directing the conduct of investigations once fraud and/or improper activity is suspected?
     
  • Does your organization have policies in place that reflect the consequences and processes for those who commit and/or condone fraud and/or improper activity?
     
  • Does your organization have processes in place to remediate any control deficiencies identified as a result of fraud and/or improper activity? Does it periodically evaluate the effectiveness of its anti-fraud program and continuously monitor its efforts and results?
     
  • Are the results of the program's monitoring periodically reported to management and the board of directors?

REGULAR EVALUATION 

Various entities have identified key elements of effective anti-fraud programs to include fraud-risk assessments, control environments designed to manage risk from fraud, fraud prevention and detection activities, communication, and monitoring. But the mere existence of these elements alone doesn't constitute an effective anti-fraud program. The table on page 65 contains indicators of the effectiveness of an anti-fraud program. Use this table only as a guide, not as a rigid mandate. Mold it to your organization.

ANTI-FRAUD PLAN FRONT AND CENTER 

As fraud examiners - whether we're CPAs or not - we not only need robust anti-fraud plans that we can but use abundant guidance to ensure we're constantly adapting our robust plans to anticipate fraudsters' machinations.

ACFE Regent Bert F. Lacativo, CFE, CPA, is a partner in PricewaterhouseCoopers LLP's Forensic Services practice in Dallas, Texas. 

Lance Youts, CFE, CPA, is a director in PricewaterhouseCoopers LLP's Forensic Services practice in Dallas, Texas.  

The contents of this article represent the opinions, positions and insights of the authors and don't represent those of PricewaterhouseCoopers LLP, its partners and/or affiliated firms.  

Before making any decision or taking any action, you should consult a competent professional adviser.  

The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.
