Keep ahead, Fraud Magazine

Keep ahead of fluid global anti-fraud regulations

Written by: Mani Padmanabhan, CFE
Date: July 1, 2019

The compliance landscape forever shifted after the Enron and WorldCom debacles, among others. Don’t let accelerating corporate governance changes leave your organization and clients unprotected. Here’s how anti-fraud regulations evolve in phases around the globe, a review of compliance history plus practical action plans.

Kumar is a business owner keen on expanding his enterprise. He has his eye on acquiring another company in his field, Previo Industries. Kumar didn’t chance upon Previo — he’s already familiar with it from his experience a few years back when he worked for another company, Intrazio Inc., that also considered acquiring Previo. (All names have been changed.) At that time, Intrazio ran proper due diligence checks on Previo. Kumar was privy to the process and results. In the end, the company decided to change direction and didn’t acquire Previo.

But now, Kumar is eager to bring Previo into his growing company. Because he’s already familiar with Previo’s business and its processes, Kumar tells his analysts to bypass their regular scrutiny in order to speed up the process and grab Previo before his rivals do.

However, shortly after the acquisition, Kumar realizes he’s made a critical mistake. His team takes a closer look at Previo’s inner workings and discovers that the company had been convicted of some corruption violations, which it hadn’t remediated. Of course, Kumar hadn’t anticipated this, but he should’ve known better. Laws, regulations, enforcement measures and penalties are always changing. Kumar shouldn’t have relied on the due diligence Intrazio conducted a few years earlier as a bulletproof indicator of Previo’s present standing.

Regulatory landscape constantly evolving

Kumar should’ve realized that the legal and regulatory landscape for businesses worldwide is increasingly fluid. He also should’ve known that organizations’ compliance and commitment to ethical standards can vary over time.

At the turn of the century, high-profile fraud cases like Enron, WorldCom and Satyam, for example, shook the economic world and caused a huge trust deficit for corporations facing similar challenges of balancing “profitability at all costs” with ethical standards. The resulting clampdown in the U.S. was the Sarbanes-Oxley Act of 2002, which mandated an independent management certification of internal controls over financial reporting.

More reforms and statutory changes followed with the 2010 U.S. Dodd-Frank Wall Street Reform and Consumer Protection Act. And that year, the U.K. Bribery Act updated the nation’s anti-corruption laws for the first time in a century. Other countries also started legislating anti-bribery and corruption laws and regulations.

Fraud examiners, in conjunction with compliance managers, must continually counsel their managers and clients on the ever-changing corporate governance landscape and best practices. The newest generation of fraud examiners will benefit from the history of corporate governance.

Corporate governance primer

Let’s examine some of the major governance initiatives, laws and regulations from the modern era.

  • The U.S. was the first nation to criminalize the bribery of foreign public officials with the passage of the seminal 1977 U.S. Foreign Corrupt Practices Act (FCPA).
  • The Organisation for Economic Co-operation and Development (OECD) formed an ad hoc working group in 1986 to explore corruption in international trade. It published the Recommendation on Combating Bribery in International Business in 1994. Since then the OECD has published several additional recommendations, including the 2010 Good Practice Guidance on Internal Controls, Ethics, and Compliance.
  • The United Nations Convention Against Corruption, which went into force in 2005, is considerably broader in scope than the OECD convention. It establishes a framework to combat all forms of corruption, including bribery, extortion, embezzlement, trading in official influence and general abuses of power. This further underscores my earlier point that the governance landscape is constantly changing.

Meanwhile, the private sector has also been working to raise standards and fight fraud.

  • The Committee of Sponsoring Organizations of the Treadway Commission (COSO), an independent private-sector initiative, began in 1985 to study the causal factors that can lead to fraudulent financial reporting. In 1992, COSO issued its initial Internal Control — Integrated Framework, which quickly became the best-practice road map for designing, implementing and maintaining a system of internal control. COSO revised this original framework in 2013 to include 17 additional principles to assist in creating an effective internal control system.
  • In 2016, COSO partnered with the ACFE to create the Fraud Risk Management Guide.
  • In 2017, COSO published Enterprise Risk Management — Integrating with Strategy and Performance to update its original ERM framework and address the evolving needs and landscape related to risk management. 

All these regulations and standards were designed to make corporations and their leaders more responsible and accountable to stakeholders. They raised expectations for companies to act with ethics and integrity, rather than just deliver numbers at any cost. (See the online ACFE Fraud Examiners Manual, Section 2: Law/The Law Related to Fraud/International Initiatives Against Fraud and Corruption plus Section 4: Fraud Prevention and Deterrence/Fraud Risk Management/Risk Management Frameworks.)

Phases of governance

Even with emerging laws and regulations, some companies still resort to shortcuts and unethical practices to achieve ambitious growth numbers and targets. Let’s examine how the regulatory governance phases have evolved over the last few decades from being merely compliant to being completely committed.

While I’m writing about the phases from a largely Indian ecosystem, the same would’ve been true for many countries at some point.

Prescriptive phase of governance

In this first phase of governance, requirements are prescriptive, such as required approvals (to set up factories, for example), time frames and fees organizations need to pay. In this procedure-driven compliance phase, “permissions” from the government are important. A typical governmental body isn’t interested or even knowledgeable about business norms and practices.

Compliance is largely binary in nature: You either comply or you don’t. This procedure-heavy bureaucratic phase can spawn corruption and a “speed money” culture (grease payments to hasten processes and services).

While this aspect of governance is important, it just fosters rules-based adherence and doesn’t necessarily promote ethical compliance or even regulatory controls.

Regulatory phase of governance

In the second phase of governance, regulatory arms of government become stronger and become involved in the “how” of business by mandating processes that organizations need to follow in the interests of consumers. This phase has pros and cons. Some view such governmental actions as meddlesome and invasive. However, most believe that, for example, the central bank in India (RBI) has become a good regulator and has protected Indian currency from much financial turmoil in Asia and even globally.

Developing countries are often in this second phase, but this varies from country to country. This phase of governance brings a focus on customer interests, compliance with standards and a fair degree of probity, but it doesn’t mandate organizations to be absolutely ethically upright.

Ethics and values phase of governance

In probably the most evolved of the three phases, governments expect businesses to go beyond mere compliance and demonstrate the highest levels of ethical conduct as their core principles while pursuing their goals and mission-driven priorities. Stakeholder interests are vital to businesses and are key to their survival. This isn’t to say that businesses will become less competitive and innovative. The cost of unethical practices is so high that businesses can’t afford to disregard the risks anymore. So, the best way forward is to be innovative with their products and processes to stay relevant and competitive.

This phase underscores the significance of staying ethical and morally upright as an organization. Businesses realize the existential challenges posed by unethical practices and the power wielded by enforcement authorities.

We’ve seen numerous instances in which businesses have paid huge prices for unethical deeds. Mismatches among differing governance standards across countries and cultures often cause these ethical violations. Most companies operating in diverse markets face this challenge.

Standards across the globe are fast converging to the “ethics and value” phase of governance.

Governance at corporations

In the ethics and values phase of governance (the optimum phase in ethical processes), corporations take a proactive approach in devising processes to monitor business, gauge ethical parameters, identify instances of fraud or corruption, and implement corrective and preventive actions, among other measures.

As fraud examiners, we know that an organization must institute a comprehensive program across all levels, so it’ll become ingrained into the fabric of that organization. Governance processes should embed values and principles into business decision-making. It’s not about an overtly “rules-based culture” where people just follow regulations without considering why; it’s about upholding values and principles in all interactions, especially those that involve ethical dilemmas.

Corporate leadership needs to fully own a good governance model. Management should apply its principles and processes across the organization with the goal of enthusiastic employee participation. The model should have strong oversight, written policies and standards, training and development, open lines of communication, and monitoring and corrections.

Strong oversight

A governance model with strong oversight doesn’t require a hierarchical structure. An organization isn’t about one person; company leaders must be responsible for oversight of governance processes. A chief compliance officer or a governance, risk management and compliance head can manage the program.

But the ultimate responsibility must be with the CEO and board of directors, who have the authority to review the governance framework and suggest any needed changes or corrections.

Written policies and standards

Organizations need written policies and standards on ethical subjects such as bribery and corruption, conflicts of interest, gifts and hospitality, codes of conduct and similar topics. Clearly written procedures that set boundaries on what’s acceptable and what’s not are a must. These policies and procedures should define situations involving ethical dilemmas and explain the decision-making processes. An organization’s policies and procedures should be based more on values than on rules and should promote societal good.

Training and development

Organizations should have distinct training and awareness campaigns for all ethics and values aspects. Regardless of employees’ functions, organizations should educate them about subjects such as bribery and corruption, sexual harassment and conflicts of interest. Such training should focus on ethical decision making, in particular.

Open lines of communication

According to the ACFE’s 2018 Report to the Nations, the most common fraud detection method is tips. An organization should foster a culture of openness in which individuals can share their concerns with management, without retaliation, if they observe any actual or perceived breaches of ethics. At many large organizations, employees, vendors and other associates have access to hotlines through which they can register their concerns and even suggestions. The most effective reporting systems maintain the anonymity of those reporting.

It’s management’s responsibility to evaluate and resolve genuine concerns that employees submit through the reporting process. Ultimately, it’s the board’s responsibility to ensure that each concern is handled in a just and fair manner and that management’s response is unbiased and thoughtful.

It’s important to identify concerns before they become complaints. A complaint could refer to an incident that has happened, while a concern can be merely an indication that something is amiss and needs further investigation.

Monitoring and corrections

A good monitoring process (including internal audits, reviews and management walkthroughs) measures the process outcomes and offers evidence-based suggestions for improvements and corrections. The monitoring process should highlight successes in addition to identifying non-compliance, failures and gaps.

Organizations then should identify corrective measures and preventive steps and carry out the necessary remediations.

Response mechanism

Organizations need to be nimble and more than just rules-driven; they should follow their core values when they respond to any kind of ethical issue. This is particularly true if such issues can affect their reputations and ethical stances. They then must follow corrective and preventive measures discussed above in spirit and letter and consider response strategies based on sound judgment and deeply rooted in their values.

A new approach becomes the norm

We’re living in an era of high regulatory enforcement and standards. Organizations must act ethically and not just legally. On the plus side, we’ve seen countless cases of companies doing the right thing by going well beyond the law and making ethically sound decisions based on their core values and principles. For example, some companies have taken strong action in response to cases of harassment when the incidents weren’t, technically, criminal in the eyes of the law. However, we’ve seen too many cases of corporations still following a “do it until you are caught” philosophy. This dubious approach might have worked in the past, but not any longer. Compliance professionals and fraud examiners are laboring to make sure of that.

Mani Padmanabhan, CFE, is co-founder and CFO of Positive Shift Technologies in Hyderabad, India. Contact him at iammani65@gmail.com.
