Charging anti-fraud costs to investigated business units might backfire

Consider keeping investigative charges within corporate security and other anti-fraud functions. You might then increase reporting of fraud and other crimes.

My company has a significant number of corporate clients. Some are in the Fortune 100, and some are far from making the list. My staff and I have a front-row seat into robust corporate security functions and anti-fraud methodologies of some prestigious firms. This allows me to see the best (and worst) practices of each firm.

One of the corporate security best practices that’s a personal favorite is the team approach to investigations. Instead of the security department (or any anti-fraud department) taking full authority and responsibility for an investigation, members of appropriate business partners would achieve consensus. Most ethics and compliance investigations, for example, would have legal and human resources team members involved in the case. Organizations would include other corporate citizens — such as business unit managers, auditors, and IT professionals — as needed. When necessary, they’d bring in outside consultants, such as interview specialists, forensic computer specialists or forensic accountants.

Another corporate security best practice occurs in a corporation that has clear and codified procedures for how a business unit or the on-site security function to the corporate security professionals report security, fraud and ethics violations (and all other matters that will potentially lead to investigations). These procedures have a positive impact on ensuring that the corporate security function receives full reporting of all appropriate issues and can adequately assign the appropriate resources. Such procedures also help prevent on-site human resources or business units from investigating themselves when the corporate security department, depending on the case, might be more appropriate.

Trend of offloading expenses

However, one trend greatly concerns me on behalf of my numerous clients that have adopted it. It must have sounded brilliant in the boardroom, but it might have dire consequences in the real world: the trend of the corporate security function or other anti-fraud departments to charge the business unit recipient of the security services for the costs incurred in an investigation. An organization does this so the security department doesn’t bear the cost of the investigation and, instead, the profit-and-loss statement of the business unit(s) that have benefited from the investigation is affected.

Let’s use as an example a fictional corporation, ABC Inc., with its headquarters in Houston, Texas (where I’m based), and with production facilities across North America and perhaps elsewhere. The plant manager of its facility in Podunk, Iowa, receives a tip about an organized theft ring. The plant manager correctly contacts the corporate security team. After review, the team decides to send a CFE — a security professional named Phil — from Houston to Podunk to lead the investigative efforts.

Let’s assume that Phil solves the caper, collects all the pertinent evidence and even gets confessions from appropriate parties. We’ll also assume ABC Inc. recovers the stolen goods, obtains successful prosecutions, seeks restitution, terminates the thieves and metes out other administrative actions.

It’s a clear security “win” by all accounts. High fives and hearty handshakes all around. ABC Inc. identifies lessons learned that will allow for the “hardening of the target” plus fraud and theft detection and prevention to protect the corporation from similar abuses, and they communicate these lessons to other sites and other business units.

The disconnect might happen when a business allows, even mandates, the corporate security department to code the expense of the investigation to the business unit it investigated with little, if any, “net spend” attributed to the security function. This allows the security budget to remain at a reasonable and manageable level.

When the costs are transferred from security to the business unit(s), each investigation, especially those involving travel, don’t eat into the security director’s specific budget. After all, the organization might say, shouldn’t the investigated business unit pay for the investigation? Shouldn’t the cost of an investigation only affect the bottom line of the business unit that had the issue and required the investigation in the first place?  I’d suggest that it might not be the best practice.

Sticker shock

The business unit leader experiences sticker shock when the security function sends its “bill.” The expense of the investigation is now added to the losses that the theft or fraud caused. Even with recoveries and restitution, if any, the obtained value seldom matches the full loss amount. Also, hidden costs mount up, such as post-investigation liaison fees if the organization initiates criminal prosecution or civil litigation for recovery plus third-party forensic IT or forensic accounting fees.

The result, which I’ve seen time and time again, is that a business unit leader is less likely to notify corporate security or other anti-fraud functions for similar issues in the future — even if it means violating codified policies of making such notifications. They fear that the security department will again transfer all investigation expenses to their business unit without regard to its profit-and-loss statement. They feel they don’t have control of expenses, choice of investigators or how they’ll investigate the case.

When the next incident occurs, a business unit often decides to “save money” by handling the investigation itself through local human resources or local physical security professionals. Often, these professionals aren’t as qualified as fraud examiners for particular investigations and complex interviews. Sometimes business units hire outside professionals, such as private investigators, who might not have proper training, experience or insurance coverage, all of which is a liability to the firm.

Organizations that have implemented this pay-as-you-go system experience have less business unit and employee violations reported.

Unfortunately, some organizations see this as just another way to save money. Some have even wrongly concluded that reductions in reported incidents, ethics and compliance violations, and investigations signify sizeable corporate security successes.

Nonsense. Reductions in reporting and investigation of violations don’t equate to a reduction in violations — especially if a well-meaning corporate policy doesn’t have the desired or intended consequences because it’s based solely on accounting merits. Theft, fraud, and other employee and vendor malfeasance increase.

Conversely, an increase in anti-fraud, ethics and compliance training; fraud prevention checkups, security audits and other proactive measures typically results in an uptick in violation reporting because employees and management pay more attention to the reporting and investigation of violations. No one believes, of course, that such proactive measures cause an increase in criminal activity or ethics and compliance violations.

An apt analogy

Consider a municipal police department that operates with a minimal budget because every response and investigation is billed to the person or entity that requested it or benefited from it. In such a scenario, a homeowner who calls the police after a burglary would get billed for those police services. So, that homeowner probably won’t call the police again for a non-life-threatening situation, especially if the police failed to recover their stolen property. The police department, of course, has statistics that reflect that burglaries are down because reported burglaries have declined.

Instead, it makes sense for an organization to fund the corporate security or other anti-fraud function as a “central service” — one of the essential core departments that’s truly a part of the cost of doing business for the organization. Employees and management would then view the security team as a resource that can provide the appropriate support — instead of the people to call as a last resort, if at all. Security leadership can still pick and choose how they spend their budget resources, but the reporting business unit’s profit-and-loss statement shouldn’t be negatively impacted by an organization’s decision to have a centralized, vetted, trained and experienced corporate security department — a “corporate police department” — handle certain types of incidents. This is especially true when we realize that properly conducted investigations reduce liability.

Ironically, the impact to an organization’s bottom line is the same if the expenses are coded to the security function or the investigated business unit. The business unit might logically be the better recipient of that expense for accounting reasons, but the unintended and common consequences outweigh any such benefit — as does the potential for increased liability.

I realize that security and other anti-fraud departments might hesitate about absorbing investigation charges. So, upper management must first be on board and then should substantially increase anti-fraud budgets.

A return to separately funded and appropriately budgeted corporate security functions might increase the reporting of suspicious activities. This could allow corporate security professionals to have more impact on an actual reduction in fraud-based activities, corporate ethics and compliance violations, plus corporate liability. In other words, all the things that made an organization realize it needed a corporate security or other anti-fraud function in the first place.

David P. Frizell, Jr., CFE, is president of Frizell Group International, LLC, based in Houston, Texas. He and his team specialize in compliance and ethics investigations, financial asset investigations and off-duty police services. He’s a former federal law enforcement and counter-intelligence agent and has been in the private sector for more than 20 years. Contact him at dfrizell@frizellgroup.com.