Excerpted and adapted from “Corporate Resiliency: Managing the Growing Risk of Fraud and Corruption,” by Toby J.F. Bishop, CFE, CPA, FCA, and Frank E. Hydoski, Ph.D. ©2009 by John Wiley & Sons Inc. Used with permission.
Resilient corporations generally take a three-pronged strategy to deal with the problem of fraud: they conduct thorough fraud risk assessments and periodically revisit them; they put fraud prevention and detection strategies in place; and they develop response strategies to deal with the frauds they aren’t able to prevent.
Ben Mueller was a hard worker who moved his way up from vice president of sales and marketing to CEO of his Fortune 500 firm. But he wasn’t quite prepared when the Securities and Exchange Commission came knocking at his door requesting a meeting. When the SEC announced it would be investigating fraud at the firm, he was ill-prepared to deal with the onslaught of new public scrutiny and the investigation itself.
It wasn’t long before the firm’s board of directors was asking him to tender his resignation. It all could have been avoided if he’d had a response prepared and a fraud prevention and reporting plan already in place. Ben simply thought the extra procedures to be an unnecessary addition to the company’s current – and apparently outdated – risk-management system.
Though this example is fictitious, the problem is quite real.
BETTER SYSTEMS AND STRATEGIES
“What every senior executive needs to know about anti-fraud strategy is that you’re never going to be able to plug all the holes in your organization,” said Elizabeth Truelove McDermott, senior director of internal audit at DeVry Inc. “There’s always going to be somebody who finds a hole no one knew was there.”
The Sarbanes-Oxley Act, the USA PATRIOT Act, and the U.S. Foreign Corrupt Practices Act have armed U.S. prosecutors with a formidable arsenal of legal weapons. New support from the global community has boosted U.S. efforts, greatly extending the power and reach of numerous governmental agencies tasked with combating fraud and corruption.
Yet, there’s nothing to indicate fraud and corruption are abating. If anything, the creativity and willfulness of the perpetrators seem inexhaustible.
Like time and tide, fraud and corruption are apparently perpetual phenomena. That doesn’t mean we excuse them or accept them. It means we need to develop better systems and strategies for dealing with them. It means we need to acknowledge that the piecemeal, shotgun approaches often relied on in the past to reduce fraud and corruption are unlikely to be effective in today’s environment.
Resilient corporations take a three-pronged strategy to deal with the problem of fraud:
- They conduct thorough fraud risk assessments and periodically revisit them.
- They put fraud prevention and detection strategies in place.
- They develop response strategies to deal with the frauds they aren’t able to prevent.
BEING PREPARED
Because fraud can’t be completely eradicated, wisdom suggests that preparedness is the best strategy to deal with the frauds that may occur. Resilient corporations will take steps to make certain they’re ready to respond effectively when fraud does eventually arise.
“It is fair to say that fraud investigations have become much larger and much more complex than they were in the past,” notes Bill Pollard, a colleague at Deloitte Financial Advisory Services LLP (Deloitte FAS). “The fraud schemes themselves have not changed that much, but I think they have become more sophisticated and more pervasive. So, there is a greater burden to carry when you are doing an investigation.”
In many instances, the way a company investigates an incident of fraud can be just as critical as – and sometimes even more critical than – the fact that the fraud took place.
“I know of a company where the allegations were not all that significant,” Pollard said. “But the company had no records-retention policy; they kept everything. As a result, they were forced to spend millions of dollars combing through old records. If they had anticipated this risk, they could have avoided a substantial cost by putting a retention policy in place.”
The lesson, Pollard says, is that “nobody is immune.”
“You have to understand that you could be susceptible to an investigation at any time,” he said. “So you have to think strategically and follow a prudent document retention policy.”
AVOIDING PITFALLS
In our experience, we have observed that resilient corporations adopt careful, disciplined approaches to all steps of an investigation. They don’t rush to conclusions in an effort to save time or money because such behavior can lead to incomplete or erroneous conclusions, as well as raise doubts about whether the allegations have been fully explored. They also place strong emphasis on identifying vulnerabilities in business processes and internal controls in an effort to remediate them across the entire company.
“Managing the Business Risk of Fraud: A Practical Guide” (sponsored by the ACFE, the Institute of Internal Auditors, and the American Institute of Certified Public Accountants) provides a useful overview of recommended practices for conducting investigations and taking corrective actions. The guide suggests that an organization’s board of directors take responsibility for seeing that the company develops “a system for prompt, competent, and confidential review, investigation, and resolution of allegations involving potential fraud or misconduct.”
It also shares leading practices for receiving, responding to, and evaluating allegations of fraud, and recommends specific tasks for conducting an investigation.
In our experience, some of the opportunities for companies to enhance their processes in this area include:
- Identifying fraud and corruption investigation resources, especially global response teams, in advance of a crisis
- Establishing and documenting fraud and corruption investigation protocols
- Implementing a case management system to track and log allegations of fraud and corruption and their resolution
- Implementing automated tools for collecting electronic information in regulatory investigations and litigations
- Drawing on the results of investigations into fraud and corruption allegations at one’s own company, or more generally in an industry, to implement process and control improvements enterprisewide, gain efficiencies, and prevent recurrences
AN OUNCE OF PLANNING …
Because the impact of fraud can be very significant and time to resolve a case might be of the essence, it’s prudent to have response plans in place beforehand. When the board of directors, audit committee, regulators, or news media suddenly wants to know what management is doing to resolve new allegations of wrongdoing, you’ll be glad you have a response prepared and already in motion.
In addition to planning an initial response to a fraud allegation, resilient corporations generally also set in place processes for communicating information about the fraud, and about the corporation’s response, to the various involved parties. This process of communicating is more complicated than you might expect, due in part to the tension between the need to calm constituents and the lawyers’ likely preference to reveal relatively little. That’s why it would be unwise to leave the development of the communication process until the last moment.
The planning process also includes steps to take (depending on the conditions related to the alleged incident’s facts, scope, nature, and timing).
Some companies train or hire crisis management teams before a crisis occurs; others wait until the crisis is upon them. We think it’s prudent to prepare and to plan internally for the worst, especially if your company is large with much shareholder value at stake.
As part of your response plan, you should consider establishing predetermined roles and responsibilities for management, legal counsel, the audit committee, the board, and other key functions within the corporation. The audit committee or a special committee of the board will likely have to handle cases of alleged fraud or corruption involving senior management or financial reporting. In addition, there would typically be a policy to notify the audit committee and the external auditors immediately for any allegations relating to financial statements or internal controls.
WHEN REGULATORS COME KNOCKING
Sometimes your company will receive allegations and be in charge of initiating an internal investigation. Other times, the first you learn of an issue may be when the government comes knocking at your door. How a company responds to an external investigation can be as important as the underlying issue being investigated. “Mishandling a government investigation can cause more problems than the original issue,” said Barry Goldsmith, partner and co-chair of Gibson, Dunn & Crutcher LLP’s Securities Enforcement Practice Group, and a member of the firm’s Securities Litigation Practice Group and White Collar Defense and Investigations Practice Group.
“It is critical to have a logical and effective response plan – if not in place already, at least prepared quickly after notice is received,” said Goldsmith, a former executive vice president for enforcement at the National Association of Securities Dealers and the chief litigation counsel for the SEC.
Ideally, the response plan would include an analysis of the documents requested by the government. Sometimes you can gain helpful insight by re-examining what has been examined by government investigators. You can also find out how the government has proceeded in similar cases. Knowing how the government has acted in the past might provide valuable clues about how it may act in your case.
It’s also good practice to develop your own set of suggested solutions to remediate the problems or issues under investigation. Some companies have preemptively drawn up lists of limitations and remedial actions they’re willing to consider. This approach might appeal to the general desire of most regulators to seek solutions.
At all points in the fact-gathering process, the guiding principles would generally be responsiveness and helpfulness.
EVALUATING THE ALLEGATION
Not every allegation requires a full-blown investigation. A preliminary analysis might indicate that the situation is a misunderstanding, that the facts don’t support the allegation, or that there’s insufficient information to enable an effective investigation to be conducted.
But don’t write off allegations prematurely. Establishing a formal process for evaluating allegations of wrongdoing, whether received through the company’s whistle-blower hotline or otherwise, is a prudent practice. A small group of individuals can be assigned to that role to help achieve consistency and provide coverage at all times. The company’s general counsel or designee might lead that process with participation from the director of internal audit or the director of fraud/security, depending on which group typically handles day-to-day investigations in the company.
A senior representative of the human resources function might also participate since many allegations involve HR issues, and they can also provide valuable insights on other cases.
Our colleague, Gerry Fujimoto, is an experienced forensic investigator. He offered some suggestions to help guide the decision-making processes around fraud investigations.
“The company’s internal counsel and internal auditors are often the principal players in the early phase of an investigation,” Fujimoto said. “Their goal should be to gather all necessary information about the allegation so they can make an informed decision on how the investigation should move forward.”
Fujimoto recommends that key players evaluate the quality and quantity of the information that is known, including who raised the concern – for example, whether it was anonymous or came from someone in a position to be knowledgeable about the issue. He said they should also find out how much information is presently known and whether the allegation is specific or general.
Be careful not to make potentially false assumptions about the scope and scale of the problem.
“In our experience, if there is any merit to the matter at all, it tends to grow in size, number of issues, and value,” Fujimoto said.
It’s important to respond without delay. Fujimoto advises against taking a wait-and-see approach. “This usually doesn’t sit well with a number of parties that are interested in the investigation,” he said, “including your external auditors, regulatory agencies such as the SEC, and the person who initially raised the allegations.”
ASSEMBLING A TOP TEAM
When potential accounting or financial reporting irregularities are suspected, it’s recommended that the audit committee, or a special committee of the board, oversee the investigation to help avoid potential conflicts of interest with members of management. The investigation would typically be led by independent counsel, who can ensure the engagement has the strongest legal protections and that relevant legal and regulatory implications are considered.
“If the concern raised relates to an accounting or financial reporting matter, the people performing the initial steps should be disinterested parties,” Fujimoto said.
Since the goal is to conduct an investigation that will have credibility and stand up to external scrutiny, consider the skills and experiences of the individuals on your team. Be prepared, if necessary, to reach out to external resources with special skills for gathering or evaluating certain types of information.
“At the conclusion of the investigation your company will want to be able to thoroughly describe to the SEC, other regulators, and other interested parties exactly what happened,” Fujimoto said. “Based on findings, you should also be able to identify remedial actions to be taken. This can help you get the right internal controls in place and also help restore public confidence.”
The organization and structure of an internal investigation response team can be critical, said Kerry Francis, chairman of the board of Deloitte Financial Advisory Services LLP.
For example, she said if the allegation is related to financial reporting, but doesn’t include allegations against management, you would expect to see someone from internal audit with a finance/accounting background participating in the investigation. Another key concern is who will be ultimately responsible for the investigation oversight. Is it the audit committee, the board of directors, or those in management who aren’t implicated in the allegation or in the chain of command of those implicated?
A key tactical question to consider is whether the individual members of the internal investigation team have been trained to conduct investigations, she said.
“Do they understand chain of custody issues? Have they been trained to use the appropriate technologies? Are they acquiring data properly? Are they analyzing data and facts appropriately? Do they know how to conduct a proper interview? These are the questions that a company can answer to prepare itself in advance for conducting internal investigations,” Francis said.
WHEN TO CALL FOR HELP
We’ve observed that an essential aspect of corporate resiliency is to know when to escalate responses to crises. Resilient corporations develop decision-making procedures that enable them to determine when it’s necessary to call in external resources such as forensic accountants and when they can rely on internal resources. Here’s a brief list of criteria a company might consider during the decision-making process:
- Could the company’s financial statements be affected by the fraud allegations?
- Are company officers or other senior executives potentially involved?
- Will the allegations hurt the company’s brand or diminish its reputation?
- What’s the probability of the fraud allegations being disclosed to the public?
Not every situation rises to the level of concern that requires outside assistance. For example, everyday embezzlement cases often can be handled by suitably trained internal resources such as fraud and security personnel or internal auditors, working under the direction of in-house counsel.
As the potential impact (not just the amount) of the alleged fraud or corruption grows, or as more senior people are potentially touched by the allegations, so the value of an independent and objective investigation grows. As Fujimoto puts it, “Companies need to think about whether a management-led investigation is worth the risk.”
For example, would a management-led probe send the wrong signal? Would the fact that it was undertaken by in-house staff suggest a lack of independence that could undermine the results of the investigation? How would other interested parties, such as the external auditors, SEC, and Department of Justice, view the results of such an investigation?
Given the difficulty of these questions, it would seem wise to discuss them and incorporate the results into your fraud response plan before a serious fraud allegation occurs.
ESTABLISHING PROTOCOL UP FRONT
Companies can be adversely affected if they aren’t careful about how they conduct their investigations. Going about an investigation the wrong way can negatively impact the credibility of the investigation or lead to charges against the people and company performing the investigation.
Sometimes performing an investigation is like dancing a ballet in a minefield. Investigations require very careful choreography. For example, overzealous investigators have, at times, misrepresented their identities to obtain private telephone records to which they weren’t entitled. It’s better to hire experienced investigators who can help preserve the reputation of the company and those commissioning the investigation.
Interviews must be conducted in such a way as to avoid violations of laws, such as “false imprisonment” of interviewees. And any searches of employees’ computers, desks, or lockers need to comply with laws that protect employee privacy.
The question of privacy expectations and legal standards is increasingly complex, especially for companies operating internationally in multiple jurisdictions. One approach is for a company to seek legal opinions to develop a road map of what can and can’t be done in the jurisdictions in which they do business and to review that road map periodically.
Establishing investigation protocols governing how the investigation will be performed can help the company achieve credibility for the investigation and reduce the risk of claims against the company arising from the investigation. These protocols can be established prior to each investigation, or, better still, be established by your legal counsel for use on all investigations. If your company doesn’t have these in place already, now might be a good time to develop them.
COLLECT, PRESERVE CRUCIAL DATA
Another of our colleagues, Kevin Condon, said the most important first step in any investigation is preserving and collecting potentially relevant data as evidence. Most investigations begin in the accounting and finance departments, but important evidence can also be found in sales, warehousing, shipping, purchasing, information technology, human resources, and other key functional areas across the company.
Potentially relevant evidence can be found in both paper and electronic formats, including word processing documents, spreadsheets, presentations, ledgers, databases, e-mails, and instant messages. By some accounts, electronic data today represents 97 percent of the information companies maintain. Fraud investigations reflect this statistic; they increasingly require sophisticated computer forensics and electronic evidence-handling capabilities, which are specialty skill sets.
Quick action can be essential to secure evidence, especially electronic evidence. People who commit fraud and corruption often try to cover their trails by destroying evidence that might incriminate them. Prompt action by investigators can increase the likelihood that this evidence can be secured from backup files or recovered from deleted files that haven’t yet been overwritten.
“Many computer operating systems don’t always work as people expect,” said our colleague, Bruce Hartley, an electronic discovery specialist. “They often don’t really delete things; they may just remove pointers to things. Many times when we do a bit-for-bit copy of a hard drive and search for text strings we get all kinds of things that people don’t realize are resident on their machines. People who may be committing fraud may have deleted their cache and sent messages using a personal e-mail system or through instant messaging, but the contents may still, in fact, be traceable.”
Take the necessary precautions to ensure data isn’t corrupted, Condon said. Individuals with potentially relevant documents and other data would be instructed to safeguard them and not to modify or discard them. Investigators or lawyers working with computer forensic specialists can then identify and collect the evidence in a manner that preserves its integrity and its admissibility in potential legal proceedings. Crucial to this task is that the investigation team is trained in evidence-handling and chain-of-custody issues. You don’t want to find that your critical evidence is deemed inadmissible in court or, worse yet, corrupted or destroyed because it was mishandled.
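The sketch below is an added illustration, not material from the book or its authors. It shows why a bit-for-bit copy still contains content whose pointer was deleted, and how a hash taken at acquisition plus a hash-chained custody log lets a later reviewer detect altered evidence. The toy image format, function names, examiner labels, timestamps and file contents are all constructed for this example.

```python
import hashlib
import json

BLOCK = 64  # bytes per block in this constructed toy image format


def sha256(data):
    return hashlib.sha256(bytes(data)).hexdigest()


def build_image(files):
    """Toy image: block 0 is a JSON directory {name: block_no}, then one block per file."""
    directory = {name: i + 1 for i, name in enumerate(files)}
    blocks = [json.dumps(directory).encode().ljust(BLOCK, b"\x00")]
    blocks += [data.ljust(BLOCK, b"\x00") for data in files.values()]
    return bytearray(b"".join(blocks))


def read_directory(image):
    return json.loads(bytes(image[:BLOCK]).rstrip(b"\x00"))


def delete_file(image, name):
    """'Delete' by dropping the directory pointer only; the data block is left untouched."""
    directory = read_directory(image)
    del directory[name]
    image[:BLOCK] = json.dumps(directory).encode().ljust(BLOCK, b"\x00")


def acquire(source):
    """Bit-for-bit copy, hashed on both sides; a mismatch means the copy cannot be relied on."""
    copy = bytes(source)
    src_hash, copy_hash = sha256(source), sha256(copy)
    if src_hash != copy_hash:
        raise ValueError("acquisition hash mismatch")
    return copy, copy_hash


def search_raw(image, needle):
    """Search every byte of the image, and flag hits in blocks no directory entry points to."""
    live_blocks = set(read_directory(image).values())
    hits, pos = [], image.find(needle)
    while pos != -1:
        block_no = pos // BLOCK
        hits.append({"offset": pos, "block": block_no, "referenced": block_no in live_blocks})
        pos = image.find(needle, pos + 1)
    return hits


def add_custody_entry(log, who, action, image_hash, when):
    """Append an entry whose hash covers the previous entry, so later edits are detectable."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    body = {"seq": len(log), "who": who, "action": action, "when": when,
            "image_sha256": image_hash, "prev": prev}
    body["entry_hash"] = sha256(json.dumps(body, sort_keys=True).encode())
    log.append(body)
    return body


def verify_custody(log, image):
    """Check chain links, each entry's own hash, and that the image still matches the log."""
    prev, current = "0" * 64, sha256(image)
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        recomputed = sha256(json.dumps(body, sort_keys=True).encode())
        if entry["prev"] != prev or recomputed != entry["entry_hash"]:
            return False
        if entry["image_sha256"] != current:
            return False
        prev = entry["entry_hash"]
    return True


def demo():
    # Constructed sample content, not real evidence.
    disk = build_image({"budget.txt": b"Q3 budget draft",
                        "memo.txt": b"move invoice 4471 off the books"})
    delete_file(disk, "memo.txt")  # the user believes the memo is gone
    evidence, digest = acquire(disk)
    log = []
    add_custody_entry(log, "examiner-A", "acquired image", digest, "2009-01-05T09:00Z")
    add_custody_entry(log, "examiner-B", "received for analysis", digest, "2009-01-05T14:30Z")
    return evidence, log, search_raw(evidence, b"invoice")


if __name__ == "__main__":
    evidence, log, hits = demo()
    print("directory after delete:", read_directory(evidence))
    print("raw search hits:", hits)
    print("custody chain valid:", verify_custody(log, evidence))
```

Real acquisitions use write blockers and dedicated imaging tools; the point here is only the relationship between pointer deletion, raw search, and hash-based integrity checks.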
As the relevant documents are collected and analyzed, the investigation team will move ahead and begin conducting interviews. Typically, investigators start by identifying and interviewing the most junior witnesses and work their way up the corporate structure, building their understanding of the role of the most senior individuals. This process often reveals further evidence and witnesses, identifies additional links between people and relevant documents, and brings further pressure on those higher up who may have committed fraud or other malfeasance.
NEW CHALLENGES, TECHNOLOGIES
Changes in corporate record keeping and document retention practices, whether undertaken to prepare for disasters or to comply with heightened regulations or enforcement and litigation requirements (for example, electronic discovery obligations under the 2006 revisions to the Federal Rules of Civil Procedure), have led to new challenges and opportunities for corporate investigators facing exploding volumes of electronic data.
One challenge is that courts and regulators are becoming less sympathetic to companies that fail to preserve, locate, and produce responsive evidence from their electronically stored information (ESI). The revised U.S. Federal Rules and those of many state equivalents, for example, place heightened obligations on litigants and potential litigants to prepare and provide data maps showing the location of all ESI in a company’s active and archived computer systems.
The failure to comply with these obligations puts a company at a disadvantage vis-à-vis opposing parties who come to the “meet-and-confer” more prepared or government investigators who give credit for “cooperation.” Conversely, opportunity arises for those companies that are prepared at the “meet-and-confer” or that can “cooperate” with government investigations.
Another challenge is the pervasiveness and complexity of certain ESI, especially e-mail. Nearly everyone uses e-mail. Some employees have multiple accounts plus instant messaging, and such communications often grow into ongoing “threads” involving multiple recipients and numerous responses back and forth. E-mails can be archived on the user’s computer or on a network server. However, sometimes e-mails are automatically deleted through IT retention policies.
It’s not difficult to imagine the challenges of having to identify potentially relevant ESI – e-mails, documents, spreadsheets, even voice mails – throughout a sprawling enterprise and at the individual personal computer (PC) level. Preserving and collecting that data, both at a point in time and incrementally as information is added or modified, is a monumental task that can be costly and complicated. It also poses distinct dangers if not carried out in a way that’s compliant with the law. Courts increasingly are willing to impose sanctions on lawyers and companies for missteps in the electronic discovery process, and in some instances are effectively deciding the merits of the case based on the lack of fidelity to procedure.
Fortunately, newer technologies are being developed to help companies with these requirements. Especially promising are remote collection technologies. These technologies can be installed on every PC within a company and used to centrally search PCs for potentially relevant evidence, then collect it onto servers designed to preserve the evidence. Moreover, the search commands can be configured to remain on the PCs and collect any newly developed information that’s potentially relevant and transfer it to the storage server. This process can be initiated whenever desired, such as upon notice of litigation or when the company learns of a government investigation, or as part of an ongoing control to protect the company’s assets from loss, misappropriation or misuse.
As technology improves, the challenges of ESI open new opportunities for investigators. Already the complexities of e-mail preservation and review are mitigated by new tools to uncover fraud. Recently released software packages can track e-mail communications graphically, giving an edge to investigators looking to discover who told what to whom and when. Other tools visually cluster e-mails by concepts, making it easier to focus on the suspect activity.
The day might soon come when investigators will be able to scour corporate computers for potentially relevant evidence, such as e-mails, collect and preserve it for legal compliance, and investigate the fraud, all remotely from a centralized location. Challenges, of course, remain in the form of PDAs, thumb drives, personal e-mail accounts, personal server accounts, and other forms of noncorporate devices.
COMMUNICATION CONTROL
It’s important to maintain an open channel of communication among members of the investigation team so people understand the purpose of the process and their roles. But communications to others outside the team are generally tightly controlled to avoid prejudicing the investigation, inadvertently waiving legal privileges, or leading to charges of defamation.
“Keep all interested parties informed on a timely basis,” Condon said. “Make sure various parts of the team are communicating among each other and that updates are provided to the audit committee, external auditors, regulators, and management, as appropriate.”
Legal counsel leading the investigation typically manages the communication process to ensure that only appropriate information is shared.
CASE MANAGEMENT
It can be a challenge for senior management to keep tabs on the status of a single fraud investigation, especially if it spans multiple business units in the company and involves many different people. Now imagine a large multinational company that might deal with hundreds of situations of potential wrongdoing within the course of a year. Ensuring each of those situations is handled appropriately and consistently can be extremely difficult.
Leading companies will often use case management systems to keep track of allegations received and the status of the company’s actions to address the issues. The most sophisticated systems provide workflow capabilities to help companies assign follow-up tasks and direct them to the appropriate personnel while keeping track of the outstanding items. This functionality has the potential to enhance productivity while driving consistency and quality.
Some external providers of whistle-blower hotlines offer such case management systems and can feed new hotline reports directly into the system. They might also enable the company to enter into the system reports received through other means, such as those communicated directly to any other part of the company.
When a case management system is used to track the resolution of allegations of wrongdoing, it can become a rich repository of information that can be used to enhance the company’s fraud and corruption risk assessment process. It can provide data to measure the company’s performance in resolving issues promptly or applying discipline consistently. In short, it can enable performance improvement.
Legal counsel may be involved in structuring the contents and use of the case management system so as to avoid breaches of legal privilege or confidentiality. Deploying case management tools can bring a new level of sophistication and management to the resolution of fraud, corruption, and other allegations in today’s more complex companies.
AVOID REPEATING HISTORY
Leading companies use fraud and corruption investigations not only to find out what happened but also to identify vulnerabilities in their core business processes and weaknesses in their internal controls. Then they fix them – not only in the business unit in which the issue arose, but enterprisewide. That way they get more value out of fraud investigations and increase their fraud prevention capabilities.
This might seem like simple common sense, but too often companies fixate on putting out the immediate fire and don’t take the time to better prevent future ones. Or they implement process and control improvements, but only in the business unit where the issue arose. Operating silos, communication challenges, or the lack of a collective anti-fraud culture can deter people from sharing insights that result from fraud investigations, leaving other parts of the company to learn them the hard way. That can be a costly way to operate.
What distinguishes more effective companies in this area is that they embrace the opportunity to learn from incidents of fraud and corruption. They take the time to identify vulnerabilities in business processes and weaknesses in internal controls that permitted the wrongdoing to occur. They involve their internal auditors and other consultants in designing process and control improvements. In short, they take steps to improve resiliency.
And they implement those improvements enterprisewide. It’s not rocket science; but it takes diligence and management support to make it happen. Companies that employ these principles will be more resilient when confronted by fraud and corruption.
Toby J.F. Bishop, CFE, CPA, FCA, is the director of the Deloitte Forensic Center for Deloitte Financial Advisory Services LLP in Chicago. He is the former president and CEO of the ACFE. He has been named five times to Accounting Today’s Top 100 Most Influential People in the Accounting Profession.
Frank E. Hydoski, Ph.D., is the leader of the Analytic and Forensic Technology practice of Deloitte Financial Advisory Services LLP. He served as chief of forensics for the Independent Inquiry Committee into the United Nations Oil-for-Food Programme and led a key forensic effort in the investigation of Holocaust-era accounts held by Swiss banks.