Promises Kept

Date: November 1, 2010

What a tremendous shock. The well-liked principal accounting officer of Wisconsin-based Koss Corporation, Sujata “Sue” Sachdeva, was accused of embezzling more than $31 million from Koss – a publicly traded maker of stereo headphones – between 2004 and 2009. On Jan. 20, the U.S. Department of Justice indicted Sachdeva.

Koss had been receiving a “clean” opinion on its audited financial statements for years. The U.S. Sarbanes-Oxley Act didn’t help; internal control section 404(b) would have applied only if Koss were bigger. So the members of its board of directors were dumbstruck when they were told about this astronomical fraud.

Many of the methods that boards of directors have historically relied upon to protect the interests of shareholders have been proven to be ineffective in identifying waste and abuse. Research findings presented in the ACFE’s 2010 “Report to the Nations on Occupational Fraud and Abuse” (RTN) indicate that external audits find frauds just 4.6 percent of the time. Those aren’t good odds considering that 8.3 percent of the time frauds are found by accident.

Thankfully, there are more effective tools to assist board members in achieving better corporate governance: 1) risk management, 2) performance measurement, and 3) fraud prevention and detection.

RISK MANAGEMENT 

Boards, of course, must manage various kinds of risk – not just those from possible fraud. When a risk plan isn’t properly implemented and tested for effectiveness, fraud can occur or the company can suffer additional losses.

“Many companies unfortunately seek solutions in risk management after a significant loss has already occurred,” said Michael Bechara, CPA, managing director of Granite Consulting Group Inc.

Risks to consider include both macroeconomic risks – such as regulatory changes, political upheaval, credit volatility – and microeconomic risks such as heavy reliance on a limited number of vendors and customers. After directors have identified and evaluated risks, they can decide on how they’ll address those risks – mitigating the risk by changing company procedures, transferring risk to a third party through insurance, or even abandoning the product line.

For optimal implementation, Hollis Ashbaugh-Skaife, Ph.D., associate professor of accounting at the University of Wisconsin-Madison, recommends “an individual board member, or small subset of the board, be assigned specific responsibility for risk management efforts.”
                                                          
KEY PERFORMANCE 

Board members must aim to measure company performance with actionable data in real time. At each board meeting, members should receive board packets that contain company information they can act upon. Board members should redesign their packets if they contain too many confusing data points that can obscure early signs of trouble.

Doug Beeuwsaert, MBA, CIA, who’s the governance, risk and compliance leader at the Lyndon Group, suggests that companies also “include performance reports of the compliance function in the board packet to reinforce the company’s dedication to ethical business practices.”

A company must determine its key performance indicators when developing its board packet that will help to deter fraud. Here are just a few areas that board directors should view to interpret data on company performance:

  • Inventory turnover – individually and in the aggregate
  • Concentrations of vendors and customers
  • Profit by customers and product line
  • Significant inconsistencies between reported earnings and cash flows from operations
  • Unusual relationships between recorded sales volume and production statistics
  • Trends in sales, cost of sales, and gross profit  
     

Ashbaugh-Skaife notes that board members must understand the top three lines of the income statement and their drivers to effectively monitor company performance. If the Koss Corporation board directors had had a better handle on gross profit and the drivers of change, they might have spotted the growing fraud.

Boards should challenge management’s explanations for any significant variances and verify management assertions with third-party sources. For example, if senior management explains an increase in cost of sales as a change in raw material pricing, board directors can have a conversation with the purchasing manager to verify that explanation. Companies can also include their industry analyst reports in board packets to help members interpret and analyze internally generated reports.

Board members, when reviewing quarterly trends, will not only find red flags but can also identify wasteful spending. Board directors should see expenses that are tied to revenue levels. Too often, companies set expense levels annually and don’t vary them, even if the company experiences lower-than-projected revenue levels. On the flip side, if a company is experiencing higher-than-expected revenues, additional company resources should be funneled to the high-yield division or product line to promote further growth.

FRAUD DETECTION AND PREVENTION TOOLS 

The RTN says that fraud losses cost companies worldwide 5 percent of their annual revenues. Of course, fraud is too expensive to ignore. Hard-working fraud detection and prevention tools include, among many others, whistle-blower hot lines, surprise audits, ethics training, segregation of duties, and employee support programs.

Whistle-blower Hot Lines: The ACFE has found since 2002 that whistle-blower hot lines are the most effective fraud detection technique. According to the RTN, a total of 40.2 percent of frauds are discovered through anonymous tips. In organizations that had hot lines, 47 percent of frauds were detected by tips. In organizations without hot lines, only 34 percent of cases were detected by tips.

Many highly qualified, national providers of whistle-blower hot lines offer companies toll-free numbers and handle complaints and tips with 24/7/365 coverage. These companies’ experienced operators conduct 15- to 20-minute intake interviews with callers and deliver incident reports to be distributed to key personnel within entities.

To maximize the benefits of a hot line, direct the provider to deliver the incident reports to somebody above the reach of senior management such as the owner, a board director, or an outside consultant. CFEs can recommend to boards those incident reports that require further investigation and/or those that should be referred to law enforcement.

RTN reports that just 49.2 percent of tips come from employees, so it’s important to extend the pool of available informants to include vendors and customers. “Include contact information for the company’s whistle-blower hot line on the company’s website, customer receipts, and vendor code-of-conduct agreements,” Beeuwsaert said.

Surprise Audits: One of the best things about surprise audits is they don’t need to be performed consistently, or across whole systems, to be powerful deterrents. Companies have uncovered frauds by testing just one item. For example, state regulators can mitigate health insurance fraud with periodic surprise audits. Physicians know regulators will come to their hospitals or clinics every quarter, but they don’t know which doctor or procedures will be selected for testing.

Surprise audit procedures can be designed to focus on high-risk areas. For example, a business might have numerous cash transactions, so forecasting cash sales or performing a spot audit of cash registers can be useful. Some companies might have a good deal of travel and entertainment expenses, so performing tests on expense reports for accuracy and compliance with company policy could help. CFEs can also use highly effective data-based selection techniques that leverage the power of computers to select questionable transactions, vendors, or customers for further investigation.

For companies fortunate to have an internal audit department, William Haslinger, associate professor of computer security and information assurance at Hilbert College, warns that “care must be taken to ensure that internal auditors can work without interference. Witness the WorldCom fraud case, in which the CFO himself attempted to obstruct the internal auditors’ investigation.” Companies that don’t have internal audit departments should at least hire outside consultants such as CFEs and CPAs to perform quarterly or annual testing procedures.

Ethics Training: According to Stella Tsai, a business litigation partner at the Philadelphia office of Archer & Greiner P.C., “directors would be well-served to ensure that the organization has an effective ethics and compliance program, which operates as a mitigating factor under the federal sentencing guidelines and, not coincidentally, a deterrent against corporate wrongdoing.” Clearly defined ethics and compliance policies and training are crucial in setting appropriate expectations for employee conduct.

Although not conclusive, the following items provide some important standards to consider for your entity’s code of conduct. (Please consult a business law attorney before making any changes to your organization’s employment policy.)

Anti-Fraud Policy: An anti-fraud policy is important because it helps management inform and educate employees about prohibited acts and how to report violations. Define fraudulent acts including personal use of office supplies, company vehicles, cell phones, and computers. Kickbacks and extravagant gifts from vendors or customers should be prohibited, as well as reporting inflated hours for hourly employees. Employees should be aware that punishment for fraudulent acts can include docked pay, reduction in job responsibilities/title, and termination.

Desks and Lockers: Often, the central issue in privacy litigation is whether the employee had a legitimate expectation of privacy in the area that was subject to investigation. Employees’ expectation of privacy can be waived. Employers should have written and posted policies that desks and lockers are company property and are subject to inspection at all times. The policy should state that employees shouldn’t expect these areas to be private, even if locked or secured by the employee. Computer equipment, including laptops, smart phones, thumb drives, and PDAs, should be explicitly listed as items subject to search.

E-mails and Voice Mails: Employment policies should indicate that e-mail communications and voice mails are subject to review. Courts that have considered whether employees have an expectation of privacy in voice mails and e-mails have focused on whether an employer had a written policy on the subject.

Video Surveillance: By increasing the threat of discovery, video surveillance serves as a strong deterrent to theft. In general, video surveillance isn’t permissible in areas where employees have a legitimate expectation of privacy, but the reasonable use of surveillance cameras in public places is lawful. Some courts, however, have held that employees have a reasonable expectation that their conversations won’t be taped. Notification posted in areas that are monitored by video should suffice to dispel any reasonable expectations of privacy employees might have.

Proprietary Information: Employees should be reminded not to share proprietary information with unauthorized personnel. This can include employees not involved with a particular project or product. Proprietary information includes customer lists, vendor lists, raw material costs, price lists, and employee lists.

Managerial Performance Benchmarks: Notify employees prior to the beginning of an evaluation period if compliance with fraud prevention goals will be used in evaluations.

Document Retention Policies: Define the length of time that paper, digital, and electronic work products will be maintained. Include a “litigation hold” provision to prevent the destruction of evidence when litigation is reasonably anticipated.

Credit Reports: Periodic credit checks can show early signs of trouble because financial burdens often push otherwise trustworthy employees to commit fraud, but the Fair Credit Reporting Act (FCRA) provides that employers can’t use a consumer reporting agency to collect credit-report information about an employee unless that employee has received certain notices and provided authorization. The U.S. Federal Trade Commission, the federal agency responsible for enforcing the FCRA, has provided some guidance on how to obtain an employee’s authorization to obtain credit reports.

Employers must make the disclosure that consumer reports might be obtained in a separate document from any other employment agreements. Employers may obtain “blanket” authorizations from their employees as long as the employees are advised that the disclosure and authorization are continuing in nature. Employers should consult with an employment attorney before taking adverse action based on a credit report.

Segregation of Duties: Many accounting departments have duties divided by function: revenue, expenditures, and payroll. For offices with three or fewer employees, that often leaves accounting clerks with incompatible pairs of control activities. For example, you wouldn’t want the same person to handle both posting customer receipts and issuing credit memos. Duties should be assigned so that the same employee can’t both steal and conceal.

Achieving a better arrangement of duties often can be done by just shuffling duties rather than adding staff. A company interested in reassigning duties to separate incompatible pairs can have a team-building exercise in which accounting department clerks are given index cards with the duties they currently perform.

Approximately 25 cards, prepared in advance, will list the basic accounting functions. The cards for a set of incompatible control functions are marked with a matching letter or symbol. So the cards that contain “post customer payments” and “issue credit memos” would both have a capital letter “A” in the right corner to indicate those tasks should be performed by separate employees. The next step in the exercise involves staff members swapping cards until they no longer hold incompatible pairs.

This exercise is good for morale because the team members realize no new duties are added to the department, and it’s a simple, easy way to improve controls. Also, since they were able to swap tasks themselves, they feel that they co-own the solution.

In a very small company in which separating incompatible controls functions is impossible within the accounting department, the receptionist or business owner can perform one side of the set of incompatible control functions. For example, the receptionist can open mail and prepare deposit slips for customer payments. The business owner can open bank statements and review quarterly reports of credit memos issued and vendors added.
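The card-swapping exercise above, modeled as an added example that is not part of the original article: each card carries the letter of its incompatible set, and cards are swapped one-for-one until no clerk holds two cards with the same letter. Only the “A” pair comes from the article; the other card names, the clerk labels, and the function names are constructed for illustration.

```python
# Constructed sample data: only the "A" pair comes from the article.
TAGS = {
    "post customer payments": "A", "issue credit memos": "A",
    "add vendors": "B", "approve vendor invoices": "B",
    "prepare payroll": "C", "distribute paychecks": "C",
}
BEFORE = {
    "clerk 1": ["post customer payments", "issue credit memos"],
    "clerk 2": ["add vendors", "approve vendor invoices"],
    "clerk 3": ["prepare payroll", "distribute paychecks"],
}

def conflicts(assignment, tags):
    """List (clerk, letter, cards) for each clerk holding 2+ cards with one letter."""
    found = []
    for clerk, cards in assignment.items():
        by_tag = {}
        for card in cards:
            if tags.get(card):
                by_tag.setdefault(tags[card], []).append(card)
        found += [(clerk, t, held) for t, held in sorted(by_tag.items()) if len(held) > 1]
    return found

def holds(cards, tag, tags):
    """True when any card in the hand carries the given letter."""
    return tag is not None and any(tags.get(c) == tag for c in cards)

def swap_until_clean(assignment, tags):
    """Swap cards one-for-one until no conflicts remain; hand sizes never change.
    Raises ValueError when no conflict-free swap exists (department too small)."""
    state = {clerk: list(cards) for clerk, cards in assignment.items()}
    swaps = []
    while found := conflicts(state, tags):
        clerk, tag, held = found[0]
        give = held[-1]
        rest = [c for c in state[clerk] if c != give]
        for other, theirs in state.items():
            if other == clerk or holds(theirs, tag, tags):
                continue  # partner must not already hold this letter
            take = next((c for c in theirs if not holds(rest, tags.get(c), tags)), None)
            if take is not None:
                state[clerk] = rest + [take]
                state[other] = [c for c in theirs if c != take] + [give]
                swaps.append((clerk, give, other, take))
                break
        else:
            raise ValueError(f"no safe swap for {clerk}: set {tag} needs another person")
    return state, swaps

if __name__ == "__main__":
    after, swaps = swap_until_clean(BEFORE, TAGS)
    for clerk, give, other, take in swaps:
        print(f"{clerk} gives '{give}' to {other} and takes '{take}'")
```

The `ValueError` branch corresponds to the very small company case, where someone outside the accounting department has to take one side of the incompatible pair.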

Employee Support Programs: According to Cressey’s Fraud Triangle, three elements must be present for an ordinary person to commit fraud: opportunity, rationalization, and financial pressure. Interviews with fraud perpetrators indicate that many of them knew of ways to steal well before they actually started. However, they didn’t begin to steal until they experienced financial pressure. That’s why employee support programs have the potential to be so effective. They help employees with credit and psychiatric counseling that can ease their burdens and direct their energies into more productive ways to solve their financial problems.

LEVERAGING EFFORTS AND DETERRING FRAUD 

Companies should understand that the corporate governance duties board directors have traditionally performed are now insufficient to protect shareholders’ interests. Shareholders are demanding increased accountability and economic growth. These dual mandates might seem incompatible, but Brad Ockene, a partner in the Chicago office of Lovells LLP, said he “has seen many companies motivated to improve their compliance programs based purely on the economic benefits of effective corporate governance.”

Board directors looking to step up their compliance efforts will find that focusing their energies on risk management, performance measurement, and fraud detection/prevention will allow them to leverage their efforts for maximum impact.

Sheila Keefe, CFE, CPA, is the principal of Access Resource Management, LLC, in Lake Geneva, Wisc.  

The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.
